
07 Aug 2023

How to Create Path Exclusion Policies for Windows Defender Using Intune

You’ve just deployed a new application or client-side extension to your Windows laptops and suddenly their system performance and battery life begin to crater. The culprit could be Windows Defender. Windows Defender automatically scans new software and its activities for potential threats as part of its real-time scanning feature. Naturally, this scanning process will manifest as higher CPU usage. If the new software handles a lot of data, such as in the case of a web filter client app, it could create perpetual CPU spikes that can degrade system performance and consume battery power.

If you trust the new software you've installed and don't want Windows Defender to continuously monitor it (and thereby use up CPU resources), you can set an exclusion path for it. An exclusion path tells Windows Defender to skip scanning the files and activities associated with a specific directory where trusted applications are installed. You can create an exclusion path policy using either Group Policy or an MDM such as Intune. Exclusions should always be used judiciously to maintain a strong security posture so only use them when you need to.

Creating Path Exclusions with Group Policy

Let’s use a scenario in which I need to create an exclusion path for a web filter client application simply called WebFilter. Create a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions and enable “Path Exclusions.” Once enabled, add the path(s) to be excluded. In this case there are two paths:

C:\Program Files (x86)\WebFilter\AuthenticationAgent\bin

C:\Program Files (x86)\WebFilter\MobileZoneAgent\bin

The policy configuration is shown below.


Another option is to create a process exclusion, which excludes a designated process or executable from being scanned. In this case the process path might be C:\Program Files\WebFilter\WebFilter.exe. You can also use wildcards in a process exclusion list, such as C:\Program Files\WebFilter\*.

Creating Path Exclusions with Intune

Using the Microsoft Intune Center, go to Devices > Configuration Profiles and create a new profile using Windows 10 and later as the Platform and Administrative Templates as the Profile type. Name the policy and then navigate to Computer Configuration > Windows Components > Microsoft Defender Antivirus and enable “Path Exclusions,” as I did earlier with Group Policy, as shown below.

You will then be prompted to provide the exclusion paths as shown below. Process Exclusions are also available if you want to go that way.

After implementing these path exclusions, you should witness a notable decrease in CPU utilization, effectively resolving the issue of CPU spikes and battery depletion.
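Whether the exclusions arrive via Group Policy or Intune, it is worth verifying on the endpoint that they were actually applied and that nobody other than administrators can write into the excluded folders (a user-writable excluded directory is a place where anything dropped goes unscanned). The following PowerShell audit is an added example, not part of the original post; it assumes the two WebFilter paths above and an elevated session with the built-in Defender cmdlets available.

```powershell
# Added example: audit the Defender exclusions reported by the endpoint and flag
# excluded directories that broad, non-admin principals can write to.
# Assumes the two WebFilter paths from the post; adjust for your deployment.
$ExpectedPaths = @(
    'C:\Program Files (x86)\WebFilter\AuthenticationAgent\bin',
    'C:\Program Files (x86)\WebFilter\MobileZoneAgent\bin'
)

# Principals that should never hold file-creation rights on an excluded folder.
$BroadPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'
# CreateFiles/AppendData are the bits that let a caller drop new files or folders.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'

function Test-ExcludedPathAcl {
    param([string]$Path)
    # Wildcard exclusions cannot be resolved to one folder; review those by hand.
    if ($Path -match '[\*\?]') { return 'WILDCARD (review manually)' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $WriteMask)) {
            return "USER-WRITABLE ($($ace.IdentityReference.Value))"
        }
    }
    return 'OK'
}

$pref    = Get-MpPreference
$applied = @($pref.ExclusionPath)

# Paths the policy should have delivered but the endpoint does not report.
$ExpectedPaths | Where-Object { $applied -notcontains $_ } |
    ForEach-Object { Write-Warning "Expected exclusion not applied: $_" }

# Every path exclusion present on the box, with its ACL verdict.
foreach ($p in $applied) {
    [pscustomobject]@{
        Exclusion = $p
        Expected  = $ExpectedPaths -contains $p   # $false = drift from policy
        Acl       = Test-ExcludedPathAcl -Path $p
    }
}

# Process exclusions are listed separately; unexpected entries here are also drift.
@($pref.ExclusionProcess) | ForEach-Object { "Process exclusion: $_" }
```

Run it after the policy has had time to apply; any row marked USER-WRITABLE or MISSING, or any exclusion not in the expected list, is a finding to fix before considering the rollout done.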
