In prior releases of Windows Server, Microsoft shipped basic malware protection through its Windows Defender software. For full protection, either System Center Endpoint Protection or a third-party antivirus solution was required. With Windows Server 2016, Windows Defender matured into a fully fledged antivirus solution. It has now been rebranded as Windows Defender Antivirus.
Regardless of whether you choose Windows Defender Antivirus or a third-party antivirus solution, you need to be sure these products are not scanning critical Exchange components. Microsoft publishes an extensive list of file, folder, and process exclusions to include in your antivirus configuration.
There are eighty-four exclusions in total.
Adding these exclusions is critical to the health and performance of Exchange. Without them, antivirus software could lock or quarantine files and processes critical to the operation of Exchange.
In this article we explore how to add the required 84 exclusions to Windows Defender Antivirus. We also have a basic script to automate adding these exclusions for you.
Let’s get started!
Adding Exchange exclusions with PowerShell
Adding 84 exclusions manually through the graphical user interface would be time-consuming, tedious, and prone to human error. The problem only grows with the number of Exchange servers we need to deploy. Windows Defender can be managed through multiple methods (such as System Center or Group Policy). However, for this article we will explore adding the required exclusions using PowerShell.
To add an exclusion via PowerShell we can use the Add-MpPreference cmdlet. For a folder exclusion we combine this with the -ExclusionPath parameter. For example, a folder exclusion may look like this.
C:\> Add-MpPreference -ExclusionPath %SystemRoot%\Cluster
A folder exclusion not only excludes the folder and its files but also all sub-folders.
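Because each folder exclusion also removes every sub-folder from scanning, it helps to add exclusions from a reviewed list and then check what is actually configured. The script below is an added example, not the script this article refers to. It assumes an elevated session, and its `$approved` list is constructed: only `%SystemRoot%\Cluster` comes from the text above, and `ConvertTo-NormalPath` is a helper name chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: add folder exclusions from a reviewed list, then audit the result.
# $approved is a constructed list; only the first entry appears in the article.
$approved = @(
    '%SystemRoot%\Cluster'
    # '<placeholder: further folders from the Microsoft exclusion list>'
)

# Helper (name chosen for this example): expand %VAR%, drop a trailing
# backslash and lower-case the path so equivalent entries compare equal.
function ConvertTo-NormalPath([string]$Path) {
    [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\').ToLowerInvariant()
}

# Folder exclusions currently configured in Windows Defender Antivirus.
$current     = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })
$currentNorm = @($current | ForEach-Object { ConvertTo-NormalPath $_ })

# Add only what is missing, so the script can be re-run safely.
foreach ($path in $approved) {
    if ($currentNorm -notcontains (ConvertTo-NormalPath $path)) {
        Add-MpPreference -ExclusionPath $path
        Write-Output "Added:   $path"
    }
    else {
        Write-Output "Present: $path"
    }
}

# Audit: any configured folder exclusion that is not on the approved list is a
# scanning blind spot nobody reviewed, so report it instead of ignoring it.
$approvedNorm = @($approved | ForEach-Object { ConvertTo-NormalPath $_ })
$unexpected   = @((Get-MpPreference).ExclusionPath | Where-Object {
        $_ -and ($approvedNorm -notcontains (ConvertTo-NormalPath $_))
    })

if ($unexpected.Count -gt 0) {
    Write-Warning "Folder exclusions not on the approved list:"
    $unexpected | ForEach-Object { Write-Warning "  $_" }
}
else {
    Write-Output "All configured folder exclusions are on the approved list."
}
```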