How To Exclude Files From Windows Defender | Inside Settings

Windows Defender lets you exclude specific files, folders, file types, or processes via the Windows Security app’s exclusion settings.

A single false-positive detection can stall a whole workflow. The fix is a targeted exclusion in Windows Defender that tells the scanner to skip that file, folder, or process entirely. Exclusions are configured inside the Windows Security app, and getting there takes about four clicks. But the type of exclusion you choose and where you set it matter: a folder exclusion covers everything inside it, while a file-type exclusion applies across the whole system. Pick wrong, and you either miss the problem or open a wider security gap than you meant to.

What Kinds Of Items Can You Exclude?

Windows Defender’s exclusion system supports four categories in the local Windows Security interface, each with a different scope. The table below lays out what each type covers and when you’d reach for it.

| Exclusion Type | What It Covers | When To Use It |
| --- | --- | --- |
| File | One specific file by its full path | A single false-positive detection on a trusted executable |
| Folder | A directory and everything inside it, including subfolders | A project folder, game directory, or development workspace |
| File Type (extension) | Every file with that extension anywhere on the machine | Temporary .log or .tmp files that trigger repeated scans |
| Process | Files opened by a named process (.exe or .dll) | A known-safe legacy application that Defender flags by behavior |
| Path (Intune / Group Policy) | One folder path per line in a managed policy | Enterprise environments where exclusions must be deployed centrally |
| Extension (Intune / Group Policy) | All files with a listed extension across managed devices | Broad exclusion needed across an entire endpoint fleet |
| Subfolder (inherited from folder exclusion) | Automatically covered when its parent folder is excluded | Any folder exclusion — subfolders are included by default |

Setting Up Windows Defender Exclusions: The Standard Local Path

For a single PC running Windows 10 or Windows 11, the Windows Security app is the only interface you need. The menu path is consistent across recent versions, though the Settings app’s layout varies slightly between releases.

1. Open Windows Security from the Start menu (or double-click the shield icon in the system tray).
2. Select Virus & threat protection, then under the Virus & threat protection settings heading, click Manage settings.
3. Scroll to Exclusions and click Add or remove exclusions.
4. Click Add an exclusion and pick the type that fits — File, Folder, File type, or Process.
5. Browse to the item or type its name, then confirm.

The file or folder appears in the list with a toggle, confirming it is now excluded from scans.

To remove an exclusion later, return to the same Add or remove exclusions page, select the entry, and click Remove. The change takes effect immediately with no restart required. Microsoft’s official documentation for Defender exclusions covers the full scope of each exclusion type and the expected behavior in managed environments.

Enterprise Exclusions Via Intune And Group Policy

In organizations where devices are managed centrally, exclusions set through the local Windows Security UI can be overwritten by policy. Microsoft Intune and Group Policy are the two supported control planes for keeping exclusions consistent across a fleet.

In the Microsoft Intune admin center, navigate to Endpoint security > Antivirus and select Create policy. Choose Windows as the platform and Microsoft Defender Antivirus exclusions as the profile. Under Configuration settings, add Excluded paths (one per line — these are file and folder exclusions in policy form) and Excluded extensions (which apply to any file with that extension regardless of location). Assign the policy to a device group and save. Intune pushes the exclusions on the device’s next sync.

For on-premises environments using Active Directory, the Group Policy Management Console path is Computer Configuration > Administrative templates > Windows components > Microsoft Defender Antivirus > Exclusions. Enable Path Exclusions, click Show, and enter each folder or file path on its own line (fully qualified, including drive letter and extension). Enable Extension Exclusions the same way, entering the extension in the Value name field and 0 as the Value.

File Exclusions Vs. Folder Exclusions — What’s The Difference?

The distinction is simple but easy to get wrong. A file exclusion applies to exactly one file at the path you enter — nothing else. A folder exclusion applies to that folder and everything inside it, including every subfolder at every depth. Microsoft’s Q&A guidance confirms that subfolder coverage is automatic with a folder exclusion; you do not need to list each subfolder separately.

Choose a file exclusion when you need to skip one suspicious-but-trusted executable. Choose a folder exclusion when an entire directory tree — a development environment, a game installation, or a tools folder — is being flagged incorrectly. The folder exclusion is more efficient in those cases but also broader: any malicious file later placed inside that folder will also go unscanned.

Common Mistakes To Avoid With Defender Exclusions

Exclusions are a precision tool, and the most frequent errors come from using too broad a scope or the wrong control plane.

  • Using a file-type exclusion for a single file. An extension exclusion applies everywhere on the system — a .log exclusion stops Defender from scanning every .log file, not just the one causing trouble. Use a file exclusion for a single file.
  • Setting exclusions locally on a managed device. If your organization uses Intune or Group Policy, a local exclusion may be removed or overwritten on the next policy sync. Always check whether your device is managed before going the local route.
  • Forgetting that exclusions reduce protection. Every excluded item is a blind spot. The Huntress analysis of Defender exclusions demonstrates how they can be abused to bypass scanning entirely — scope each exclusion as narrowly as the situation allows.
  • Assuming a folder exclusion covers only the top-level files. It covers every subfolder automatically. That is the intended behavior, but it means a folder exclusion is broader than it looks on the surface.

| Management Method | Best For | Exclusion Types Supported |
| --- | --- | --- |
| Windows Security UI | Single PC, home user, quick setup | File, Folder, File Type, Process |
| Microsoft Intune | Enterprise fleet with cloud management | Paths (file/folder), Extensions |
| Group Policy | On-premises domain environment | Paths (file/folder), Extensions |
| PowerShell (Set-MpPreference) | Scripted or automated deployments | Paths (file/folder), Extensions |
| Registry Direct Edit | Remote or one-off configuration | Paths (file/folder), Extensions |

Quick-Reference: Keeping Exclusions Under Control

Whether you manage one PC or a hundred, these checks keep your exclusions effective without creating unnecessary risk.

  • Use the narrowest exclusion type that solves the problem — a file exclusion over a folder exclusion, a folder exclusion over an extension exclusion.
  • Verify the exclusion works by testing the workflow that was blocked before you added it.
  • On managed devices, set exclusions through Intune or Group Policy rather than the local UI to avoid policy conflicts.
  • Review your exclusions list periodically — remove any entry that no longer serves a current need.
  • Remember that a folder exclusion covers subfolders automatically; you never need to list them separately.
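
The periodic review described above can be scripted. The following PowerShell is an added example, not code from the original article or from Microsoft: it classifies each exclusion by how much it leaves unscanned, using the breadth rules this page describes. The function name `Get-ExclusionReview` and the sample paths are hypothetical; `Get-MpPreference` and its `ExclusionPath`, `ExclusionExtension` and `ExclusionProcess` properties are the Defender module's own.

```powershell
# Added example: classify Defender exclusions by how much they leave unscanned.
function Get-ExclusionReview {
    param(
        [string[]]$Path      = @(),   # file and folder exclusions
        [string[]]$Extension = @(),   # file-type exclusions
        [string[]]$Process   = @()    # process exclusions
    )
    # Unelevated sessions can return an "N/A ..." placeholder instead of the list.
    $real = { param($v) $v | Where-Object { $_ -and $_ -notlike 'N/A*' } }

    foreach ($p in (& $real $Path)) {
        $expanded = [Environment]::ExpandEnvironmentVariables($p)
        $finding = if ($expanded -match '^[A-Za-z]:\\?$') {
            'HIGH: whole drive excluded'
        } elseif ($expanded -match '[*?]') {
            'REVIEW: wildcard path, confirm what it matches'
        } elseif (-not (Test-Path -LiteralPath $expanded)) {
            'STALE: path no longer exists, remove the entry'
        } elseif (Test-Path -LiteralPath $expanded -PathType Container) {
            'BROAD: folder, every subfolder is unscanned too'
        } else {
            'NARROW: single file'
        }
        [pscustomobject]@{ Type = 'Path'; Value = $p; Finding = $finding }
    }
    foreach ($e in (& $real $Extension)) {
        [pscustomobject]@{ Type = 'Extension'; Value = $e
            Finding = 'BROAD: applies to this extension everywhere on the machine' }
    }
    foreach ($x in (& $real $Process)) {
        [pscustomobject]@{ Type = 'Process'; Value = $x
            Finding = 'REVIEW: files opened by this process are not scanned' }
    }
}

# Constructed sample input so the function can be tried without Defender present.
Get-ExclusionReview -Path 'C:\', 'C:\Tools\Nonexistent\app.exe' `
    -Extension '.log' -Process 'legacy.exe' | Format-Table -AutoSize

# Live data, when the Defender module is available (run elevated).
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref = Get-MpPreference
    Get-ExclusionReview -Path $pref.ExclusionPath -Extension $pref.ExclusionExtension `
        -Process $pref.ExclusionProcess | Format-Table -AutoSize
}
```

Entries reported as STALE or HIGH are the first candidates for removal; BROAD entries are worth replacing with a single-file exclusion where one file was the original problem.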
