Microsoft Defender Antivirus is a cornerstone of endpoint protection, but every exclusion (whether added for performance, compatibility, or policy reasons) is a blind spot for the scanner, and an exclusion nobody can account for is exactly the kind of gap an attacker will use to stage tooling unscanned. As IT admins, we need visibility not just into what exclusions exist, but where they originate: local configuration, Group Policy (GPO), Microsoft Endpoint Manager (Intune), or Configuration Manager (SCCM).
In this post, I’ll walk you through how to use PowerShell to enumerate all current Defender exclusions on a Windows device and determine their source of application.
Step 1: Retrieve Defender Exclusions with PowerShell
Start by launching PowerShell as an administrator. Then run:
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
You can also retrieve other types of exclusions:
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
Get-MpPreference | Select-Object -ExpandProperty ExclusionExtension
Get-MpPreference | Select-Object -ExpandProperty ExclusionIpAddress
This returns the exclusions that are actually in effect on the device, regardless of how they got there. Two caveats: Get-MpPreference reports the merged result, so a policy-delivered exclusion and a locally added one look identical; and on current Defender builds the HideExclusionsFromLocalAdmins setting can make these lists come back empty even for an elevated admin, in which case the registry and policy checks below are what you have left. Either way, the output alone does not tell you where an exclusion came from.
Step 2: Determine the Source of Defender Settings
Microsoft Defender settings can be applied via:
- Local Group Policy
- Domain Group Policy (GPO)
- Microsoft Endpoint Manager (Intune)
- System Center Configuration Manager (SCCM)
- Local PowerShell scripts or manual configuration
To identify the source, use the following techniques:
1. Check for GPO-applied settings
Run:
Get-GPOReport -All -ReportType Xml | Select-String -Pattern "Exclusion"
Get-GPOReport comes from the GroupPolicy module (RSAT) and queries the domain, so run it from a management host rather than on the endpoint. It tells you which GPOs define exclusions, not which of them actually applied to this machine. For the endpoint's own view, use RSOP.msc or gpresult:
gpresult /h gpresult.html
Open the HTML report and look under:
Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Exclusions
If exclusions are listed here, they're applied via GPO. Under the hood, GPO writes them as value names beneath the Paths, Processes and Extensions subkeys of HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions, which is the policy hive referred to in Step 3.
2. Check for Intune-applied settings
Intune delivers Defender settings through the Policy CSP, and the values currently applied by the CSP are cached in the registry under the policy area name:
HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Defender
You can inspect this with:
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender"
Look for ExcludedPaths, ExcludedProcesses and ExcludedExtensions. If exclusions are present here, they were applied via Intune (or another MDM that drives the same CSP). If the key is missing, list the subkeys of HKLM\SOFTWARE\Microsoft\PolicyManager\current\device to confirm the area name on your build before concluding that nothing is MDM-managed. Note that the CSP also writes the exclusions into the same HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions hive that GPO uses, so the PolicyManager cache is what distinguishes the two.
3. Check for SCCM-applied settings
Configuration Manager delivers its antimalware policy to the client through WMI, in the root\ccm\policy\machine\actualconfig namespace. You can query:
Get-CimInstance -Namespace "root\ccm\policy\machine\actualconfig" -ClassName CCM_AntivirusSettings
Look for exclusion entries in the output. If present, SCCM is the source. Get-CimInstance replaces the deprecated Get-WmiObject; if the class is not found on your client version, enumerate the namespace with Get-CimClass -Namespace "root\ccm\policy\machine\actualconfig" and look for the antimalware policy class before deciding the machine is unmanaged.
Step 3: Cross-Reference with Registry
Exclusions live in two places in the registry, and which one an entry sits in is the most reliable indicator of its origin. Policy-delivered exclusions (GPO and the Intune Policy CSP both land here) are stored as value names under the Paths, Processes and Extensions subkeys of HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions. Exclusions added locally, whether by hand, by Set-MpPreference or by a script, are stored the same way under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions. Because the entries are value names rather than value data, Get-ItemProperty on the parent key shows nothing useful; enumerate the subkeys instead:
Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions"
Run the same command against the Policies hive path for the policy view. An exclusion that appears only in the local hive was added on the box; one that appears only in the policy hive was pushed by GPO or MDM. Also check the DisableLocalAdminMerge value under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: when it is set to 1, local entries are ignored and only the policy hive counts, so a suspicious local exclusion may not actually be in effect.
Bonus: Combine and Annotate
You can build a script that pulls exclusions and annotates their likely source:
$exclusions = Get-MpPreference
# gpresult only writes a report file, so read the policy hive (where GPO and Intune both land) directly
$policyKey = Get-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" -ErrorAction SilentlyContinue
$localKey  = Get-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" -ErrorAction SilentlyContinue
$policyPaths = if ($policyKey) { $policyKey.GetValueNames() } else { @() }
$localPaths  = if ($localKey)  { $localKey.GetValueNames() }  else { @() }
$intuneReg = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender" -ErrorAction SilentlyContinue
$sccmWMI = Get-CimInstance -Namespace "root\ccm\policy\machine\actualconfig" -ClassName CCM_AntivirusSettings -ErrorAction SilentlyContinue
# For each entry in $exclusions.ExclusionPath, test membership in $policyPaths and $localPaths and tag its likely source
This requires some parsing and logic, but it is doable if you want a full audit trail.
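The comparison the sketch above leaves as a comment, worked through as an added example. This is my code, not the original post's, and it covers paths, processes and extensions rather than paths alone. It assumes an elevated session with the Defender module present; that GPO and the Intune Policy CSP both store exclusions as value names under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\{Paths,Processes,Extensions} while local additions go under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions; and that the Policy CSP cache under PolicyManager\current\device\Defender holds ExcludedPaths, ExcludedProcesses and ExcludedExtensions as single strings. The "risky" patterns are my own review heuristics. The SCCM query is left out because the WMI class name depends on the client version.

```powershell
# Added example, not code from the original post: attribute every effective Defender
# exclusion to the registry hive it was found in and flag the ones a reviewer should question.
# Assumptions (run elevated, Defender PowerShell module present):
#   - policy exclusions (GPO and the Intune Policy CSP) are value names under
#     HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\{Paths,Processes,Extensions}
#   - local exclusions are value names under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\...
#   - the Policy CSP cache under PolicyManager\current\device\Defender holds
#     ExcludedPaths / ExcludedProcesses / ExcludedExtensions as single strings
$PolicyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
$LocalRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
$MdmDefender = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'

# Exclusions are stored as value names (the data is 0), so return the names of a key, or nothing if it is absent.
function Get-ExclusionValueNames {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return @() }
    @((Get-Item -LiteralPath $Key).GetValueNames() | Where-Object { $_ -ne '' })
}

# Exclusion type -> Get-MpPreference property and registry subkey name
$typeMap = [ordered]@{
    Path      = @{ Prop = 'ExclusionPath';      Sub = 'Paths' }
    Process   = @{ Prop = 'ExclusionProcess';   Sub = 'Processes' }
    Extension = @{ Prop = 'ExclusionExtension'; Sub = 'Extensions' }
}

# Heuristics (mine, not Microsoft's): whole drives, user-writable locations, wildcards, code-carrying extensions.
$riskyPatterns = @(
    '^[A-Za-z]:\\?$', '\\Users\\', '\\Temp\\', '\\ProgramData\\', '\\Public\\',
    '\*', '^\.?(exe|dll|ps1|bat|cmd|vbs|js|hta|scr)$'
)

$pref = Get-MpPreference
$mdm  = if (Test-Path -LiteralPath $MdmDefender) { Get-ItemProperty -LiteralPath $MdmDefender } else { $null }

$report = foreach ($type in $typeMap.Keys) {
    $sub       = $typeMap[$type].Sub
    $policySet = Get-ExclusionValueNames "$PolicyRoot\$sub"
    $localSet  = Get-ExclusionValueNames "$LocalRoot\$sub"
    foreach ($item in @($pref.($typeMap[$type].Prop))) {
        if ([string]::IsNullOrWhiteSpace($item)) { continue }
        $inPolicy = $policySet -contains $item
        $inLocal  = $localSet  -contains $item
        # The CSP keeps the whole list in one string, so a case-insensitive substring test attributes it to MDM.
        $inMdm   = $false
        $mdmProp = if ($mdm) { $mdm.PSObject.Properties["Excluded$sub"] } else { $null }
        if ($mdmProp -and $mdmProp.Value -is [string]) {
            $inMdm = $mdmProp.Value.IndexOf($item, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
        }
        $source = if ($inMdm)        { 'Policy (Intune/MDM)' }
                  elseif ($inPolicy) { 'Policy (GPO, or MDM without a CSP cache entry)' }
                  elseif ($inLocal)  { 'Local (manual, script or Set-MpPreference)' }
                  else               { 'Unknown (in neither hive)' }
        [pscustomobject]@{
            Type      = $type
            Exclusion = $item
            Source    = $source
            Risky     = [bool]($riskyPatterns | Where-Object { $item -match $_ })
        }
    }
}

# If policy sets DisableLocalAdminMerge = 1, entries in the local hive are ignored and only policy exclusions apply.
$merge = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableLocalAdminMerge -ErrorAction SilentlyContinue
"DisableLocalAdminMerge = $(if ($merge) { $merge.DisableLocalAdminMerge } else { 'not set' })"
$report | Sort-Object Risky, Type -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the endpoint. An "Unknown" row is the one to chase first: it means Defender reports an exclusion that neither hive explains, which on current builds usually points at hidden or freshly changed configuration rather than a benign one. To cover SCCM-managed devices, add the output of the CCM policy query from Step 2 as a fourth set and tag matches accordingly.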
Final Thoughts
Understanding where Defender exclusions come from is critical for security hygiene. PowerShell gives you the visibility, but pairing it with GPO, Intune, and SCCM checks completes the picture. If you’re managing endpoints across multiple platforms, consider centralizing exclusion audits into a scheduled task or dashboard.
For more on exclusion management across platforms, Microsoft has a detailed reference guide worth bookmarking:
https://learn.microsoft.com/en-us/defender-endpoint/configure-exclusions-microsoft-defender-antivirus
