Fix Dev Drive Excluded From Defender Scans Causing False AV Alerts on Windows 11

Your development drive on Windows 11 may be excluded from Microsoft Defender Antivirus scans, leading to false positive alerts for legitimate code, build artifacts, or container images. This exclusion is by design: Windows 11 automatically excludes Dev Drive volumes from real-time and scheduled scanning to improve performance during development tasks. However, this can cause Defender to flag files on other drives that reference or interact with excluded content. This article explains why the exclusion exists, how to verify it, and how to restore scanning for your Dev Drive without losing performance benefits.

Key Takeaways: Fix Dev Drive False AV Alerts

  • Windows Security > Virus & threat protection > Manage settings > Exclusions > Add or remove exclusions: Shows all current exclusions, including the Dev Drive volume.
  • PowerShell command Get-MpPreference | Select-Object -ExpandProperty ExclusionPath: Lists all excluded paths from Defender in the console.
  • Registry path HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths: Stores exclusion entries that can be modified to remove the Dev Drive exclusion.

Why Windows 11 Excludes Dev Drive from Defender Scans

Dev Drive is a specialized volume type introduced in Windows 11 version 22H2, designed for hosting source code, build outputs, and container data. It uses the ReFS file system and is optimized for file I/O operations common in development workflows, such as cloning repositories, building projects, and running virtualized environments.

Microsoft automatically excludes Dev Drive from Microsoft Defender Antivirus scans to prevent performance degradation during these operations. Real-time scanning of every file read and write on a Dev Drive can slow down builds by 30 percent or more, especially in projects with thousands of small files like node_modules or .git objects.

This exclusion is applied at the volume level, meaning Defender does not scan any file stored on the Dev Drive. The exclusion is set through the Windows Security app and is stored in the Windows Defender registry key. Users are not prompted when this exclusion is created — it happens automatically when a Dev Drive is formatted or attached.

The false alerts occur when a file on a non-excluded drive references an executable, script, or library located on the Dev Drive. For example, a build script on your C: drive may call a compiler located on your Dev Drive. Defender scans the script, sees it invoking an unsigned binary, and flags it as suspicious. The binary itself is never scanned because it lives on the excluded volume.

Steps to Remove the Dev Drive Exclusion from Microsoft Defender

To stop false alerts, you must remove the Dev Drive exclusion from Defender. You can do this through the Windows Security interface, PowerShell, or the Registry Editor. Each method achieves the same result, but PowerShell is the fastest for administrators managing multiple machines.

Method 1: Remove the Exclusion via Windows Security

  1. Open Windows Security
    Press the Windows key, type Windows Security, and press Enter. The Windows Security app opens to the Dashboard.
  2. Go to Virus & threat protection
    Click the Virus & threat protection tile on the left navigation pane. The main protection settings appear.
  3. Access Manage settings
    Under the Virus & threat protection settings section, click Manage settings. The settings page for real-time protection, cloud-delivered protection, and exclusions opens.
  4. Open Exclusions
    Scroll down to the Exclusions section. Click Add or remove exclusions. You may see a User Account Control prompt — click Yes to continue.
  5. Find and remove the Dev Drive exclusion
    In the Exclusions list, look for an entry that matches your Dev Drive path, such as D:\ or E:\DevDrive. Click the entry, then click Remove. Confirm the removal when prompted.
  6. Close Windows Security
    Close the Windows Security app. The exclusion is removed immediately. Defender will now scan the Dev Drive volume on the next scheduled or real-time scan.

Method 2: Remove the Exclusion via PowerShell

  1. Open PowerShell as Administrator
    Press the Windows key, type PowerShell, right-click Windows PowerShell in the results, and select Run as administrator. Click Yes on the User Account Control prompt.
  2. List current exclusions
    Run the following command to see all excluded paths:
    Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
    The output shows each excluded path on a separate line. Identify the path corresponding to your Dev Drive, for example D:\.
  3. Remove the Dev Drive exclusion
    Run the following command, replacing D:\ with your actual Dev Drive path:
    Remove-MpPreference -ExclusionPath "D:\"
    No confirmation message appears if the command succeeds.
  4. Verify the exclusion is removed
    Run the list command again:
    Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
    Confirm that the Dev Drive path no longer appears in the output.
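The list, remove and verify steps of Method 2 can be combined into one function, shown here as an added example that is not part of the original article. The function name Remove-DefenderPathExclusion is hypothetical, and D:\ is the article's sample Dev Drive path.

```powershell
#Requires -RunAsAdministrator
# Added example: 'Remove-DefenderPathExclusion' is a hypothetical helper name.

function Remove-DefenderPathExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Compare paths without regard to case or a trailing backslash,
    # so 'd:' and 'D:\' are treated as the same entry.
    $normalize = { param($p) $p.TrimEnd('\').ToLowerInvariant() }
    $target = & $normalize $Path

    # ExclusionPath is $null when no exclusions are configured.
    $current = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })
    $found = @($current | Where-Object { (& $normalize $_) -eq $target })

    if ($found.Count -eq 0) {
        Write-Warning "No exclusion matching '$Path' is configured."
        return $false
    }

    foreach ($entry in $found) {
        # Honors -WhatIf and -Confirm before changing Defender settings.
        if ($PSCmdlet.ShouldProcess($entry, 'Remove Defender path exclusion')) {
            Remove-MpPreference -ExclusionPath $entry
        }
    }

    # Re-read the preferences to confirm the entry is gone.
    $after = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })
    $left = @($after | Where-Object { (& $normalize $_) -eq $target })
    return ($left.Count -eq 0)
}

# Dry run: reports what would be removed and returns $false because
# nothing has changed yet.
Remove-DefenderPathExclusion -Path 'D:\' -WhatIf

# Real removal, returns $true once the path no longer appears:
# Remove-DefenderPathExclusion -Path 'D:\'
```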

Method 3: Remove the Exclusion via Registry Editor

  1. Open Registry Editor
    Press Windows key + R, type regedit, and press Enter. Click Yes on the User Account Control prompt.
  2. Navigate to the Defender Exclusions key
    In the left pane, navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  3. Find the Dev Drive exclusion entry
    In the right pane, look for a value whose name matches your Dev Drive path, for example D:\. The data column typically shows a value of 0.
  4. Delete the exclusion entry
    Right-click the value name and select Delete. Click Yes to confirm the deletion.
  5. Close Registry Editor
    Close the Registry Editor. The change takes effect immediately. No restart is required.

If False Alerts Persist After Removing the Exclusion

False alerts still appear for files on the Dev Drive

After removing the exclusion, Defender begins scanning the Dev Drive on the next scan cycle. However, cached scan results may cause a delay. Force a full scan by opening Windows Security, clicking Virus & threat protection, then under Current threats click Scan options. Select Full scan and click Scan now. This runs a complete scan of all drives, including the Dev Drive, and updates the threat history.

Build performance drops significantly after enabling scanning

If your builds become noticeably slower after removing the exclusion, you can add back a narrower exclusion. Instead of excluding the entire Dev Drive volume, exclude only specific folders that cause the most performance issues, such as node_modules, .git, or bin. To do this, go to Windows Security > Virus & threat protection > Manage settings > Exclusions > Add or remove exclusions > Add an exclusion > Folder. Browse to the specific folder and add it. This keeps scanning active for source code files while skipping the folders that slow builds.
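The same narrowing can be scripted. The following is an added example, not from the original article: Add-NarrowBuildExclusion is a hypothetical function name, D:\src\myapp is a constructed project path, and the default folder names are the ones the article lists.

```powershell
#Requires -RunAsAdministrator
# Added example: 'Add-NarrowBuildExclusion' is a hypothetical helper name.

function Add-NarrowBuildExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$ProjectRoot,
        [string[]]$FolderName = @('node_modules', '.git', 'bin')
    )

    $root = (Resolve-Path -LiteralPath $ProjectRoot).ProviderPath

    # Refuse a bare volume root: excluding it would recreate the
    # volume-wide exclusion this article removes.
    if ($root -match '^[A-Za-z]:\\?$') {
        throw "'$root' is a volume root; pass a project folder instead."
    }

    $existing = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })

    $added = foreach ($name in $FolderName) {
        $folder = Join-Path $root $name

        # Only exclude folders that actually exist under this project.
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) { continue }

        # -contains is case-insensitive, so duplicates are skipped.
        if ($existing -contains $folder) { continue }

        if ($PSCmdlet.ShouldProcess($folder, 'Add Defender folder exclusion')) {
            Add-MpPreference -ExclusionPath $folder
            $folder
        }
    }

    # Returns the list of folders that were newly excluded.
    return @($added)
}

# Preview the folders that would be excluded for one project.
Add-NarrowBuildExclusion -ProjectRoot 'D:\src\myapp' -WhatIf
```

Everything else under the project root, including the source files themselves, stays in scope for scanning.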

Defender flags a trusted development tool on the Dev Drive

Some development tools, like compilers, debuggers, or package managers, are signed by their publishers but may still be flagged due to heuristic analysis. If you trust the tool, submit it as a false positive through the Microsoft Security Intelligence portal at www.microsoft.com/en-us/wdsi/filesubmission. After submission, the file is analyzed and added to the global whitelist. Alternatively, you can add the specific executable file as an exclusion: Windows Security > Virus & threat protection > Manage settings > Exclusions > Add or remove exclusions > Add an exclusion > File.

| Item | Full Dev Drive Exclusion | Per-Folder Exclusion |
| --- | --- | --- |
| Description | Excludes the entire volume from all Defender scans | Excludes only specific folders from scans |
| Performance impact | Maximum build speed, no scan overhead | Moderate build speed, some scan overhead on source files |
| Security risk | High — all files on the volume are never scanned | Low — only excluded folders are skipped |
| False alert reduction | Eliminates alerts for files on the Dev Drive but may cause cross-drive alerts | Reduces alerts for known safe folders while scanning other content |
| Configuration effort | Set once automatically when Dev Drive is created | Requires manual setup for each folder |

You can now remove the Dev Drive exclusion from Microsoft Defender to stop false AV alerts on Windows 11. After removal, monitor your build performance and add narrow folder exclusions only if you notice significant slowdowns. For persistent false alerts on trusted tools, use the Microsoft Security Intelligence submission portal to whitelist specific files globally.
