When you compile code frequently, Microsoft Defender Antivirus scans every new file in your build output folder. This real-time scanning can slow down builds by 20 to 50 percent because Defender checks each executable and library as it is written. The scan is triggered by file write and rename operations inside the folder. This article shows you how to add an exclusion for that specific build folder so Defender leaves it alone during development.
Key Takeaways: Add a Folder Exclusion to Microsoft Defender
- Windows Security > Virus & threat protection > Manage settings > Add or remove exclusions: The main path to add a folder exclusion for your build output.
- PowerShell command Add-MpPreference -ExclusionPath: Lets you add an exclusion without opening the Settings UI, useful for scripting.
- Group Policy > Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions: Used to deploy exclusions across multiple machines in an organization.
Understanding Real-Time Scanning and Build Folders
Microsoft Defender Antivirus monitors file system activity in real time. When a compiler writes a new executable, DLL, or object file, Defender checks the file for malware before allowing the write to complete. This behavior is controlled by the Real-time protection setting in Windows Security.
Build folders like bin\Debug, obj, or out contain files that are generated and overwritten hundreds of times per build. Each file write triggers a scan. On a large project with thousands of output files, the cumulative scan time adds seconds or minutes to every build.
Excluding the build folder tells Defender to skip real-time scanning for that path and all subfolders. The exclusion applies to real-time scanning only. Scheduled scans and on-demand scans still check the folder unless you also exclude it from those scan types.
Steps to Exclude a Build Folder in Windows Security
This method uses the Windows Security app. It works on Windows 11 Home, Pro, and Enterprise editions.
- Open Windows Security
Press the Windows key, type Windows Security, and press Enter. The app opens to the Home tab showing your device status. - Go to Virus & threat protection
Click the Virus & threat protection tile on the left navigation bar or the main panel. - Open Manage settings
Under the Virus & threat protection settings section, click Manage settings. - Scroll to Exclusions
Scroll down past Real-time protection, Cloud-delivered protection, and Automatic sample submission until you see the Exclusions heading. - Click Add or remove exclusions
Click the Add or remove exclusions link. A User Account Control prompt appears — click Yes to continue. - Add an exclusion
Click the Add an exclusion button and choose Folder from the dropdown menu. - Select your build folder
In the Select Folder dialog, navigate to your build output folder, select it, and click Select Folder. The folder path now appears in the Exclusions list.
After adding the exclusion, build your project again. You should see a noticeable reduction in build time because Defender no longer scans files written to that folder.
Steps to Exclude a Build Folder Using PowerShell
Use PowerShell to add an exclusion without navigating the Settings UI. This method is useful for automation scripts or when you need to add exclusions on multiple machines.
- Open PowerShell as administrator
Press the Windows key, type PowerShell, right-click Windows PowerShell or PowerShell, and select Run as administrator. Click Yes in the UAC prompt. - Run the Add-MpPreference command
Type the following command and press Enter:Add-MpPreference -ExclusionPath "C:\Projects\MyApp\bin\Debug"
Replace the path with the actual full path to your build folder. Use double backslashes or single forward slashes in the path. - Verify the exclusion
RunGet-MpPreference | Select-Object -ExpandProperty ExclusionPathto confirm your folder appears in the list.
PowerShell exclusions are stored in the same location as those added through Windows Security. You can remove an exclusion later with Remove-MpPreference -ExclusionPath "path".
Steps to Exclude a Build Folder Using Group Policy
In enterprise environments, IT administrators can deploy exclusions through Group Policy. This method applies the exclusion to all computers in the domain that receive the policy.
- Open Group Policy Management Console
On a domain controller or machine with RSAT installed, run gpmc.msc to open the Group Policy Management Console. - Edit or create a policy
Right-click the target Organizational Unit and select Create a GPO in this domain, and Link it here. Name the policy something like “Defender Build Folder Exclusion”. Right-click the new GPO and select Edit. - Navigate to the Exclusion policy
Go to Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions. - Configure folder exclusion
Double-click Path Exclusions. Select Enabled. Under Options, click Show. In the Value Name column, enter a number like 1. In the Value column, enter the full folder path, for example C:\Projects\MyApp\bin\Debug. Click OK and then OK again. - Run gpupdate on client machines
On each target computer, open a Command Prompt as administrator and rungpupdate /force. The exclusion is applied after the policy updates.
Group Policy exclusions override local settings. If a user later tries to remove the exclusion through Windows Security, it reappears after the next policy refresh.
Common Issues and Limitations with Build Folder Exclusions
Exclusion Not Applying to Subfolders
By default, a folder exclusion in Defender applies to all subfolders. If you notice that files in subfolders are still being scanned, verify that you added the correct parent folder. For example, exclude C:\Projects\MyApp\bin instead of C:\Projects\MyApp\bin\Debug to cover both Debug and Release configurations.
Build Output in Symbolic Links or Junctions
If your build folder is a symbolic link or a directory junction, Defender may not follow the link when applying the exclusion. In this case, add the exclusion for the real target path, not the link path. Right-click the folder, select Properties, and check the Location tab to find the actual path.
Defender Still Scanning During Scheduled Scans
The exclusion methods above apply to real-time scanning only. To exclude the folder from scheduled scans, add the same path to the exclusion list for scheduled scans. Use PowerShell with the -ExclusionPath parameter — it applies to all scan types. Alternatively, in Group Policy, the same Path Exclusions setting covers both real-time and scheduled scans.
Exclusion Not Working After Windows Update
Occasionally, a Windows Update resets Defender settings. After a major update, open Windows Security and verify your exclusions are still present. If they are missing, re-add them using one of the methods above.
Build Folder Exclusion Methods Comparison
| Item | Windows Security UI | PowerShell |
|---|---|---|
| Access method | Settings app with mouse clicks | Command line with admin rights |
| Best for | Single machine, one-time setup | Multiple machines, scripting, automation |
| Requires admin rights | Yes, UAC prompt | Yes, run as administrator |
| Supports remote deployment | No | Yes, via PowerShell Remoting |
| Applies to all scan types | Real-time only | Real-time and scheduled |
Adding a folder exclusion for your build output is a quick way to reduce compile times on Windows 11. Use the Windows Security UI for a single machine or PowerShell for scripted deployments. If you work with multiple build configurations, exclude the parent folder to cover all subfolders. After adding the exclusion, run a full build to confirm the performance improvement. For even faster builds, consider disabling Defender temporarily during builds using the Set-MpPreference -DisableRealtimeMonitoring $true command in a build script, but remember to re-enable it after the build completes.