Sun. Feb 8th, 2026

How to Audit Microsoft Defender Antivirus Exclusions with PowerShell and Identify Their Source


Microsoft Defender Antivirus is a cornerstone of endpoint protection, but exclusions—whether for performance, compatibility, or policy reasons—can introduce risk if not properly managed. As IT admins, we need visibility not just into what exclusions exist, but where they originate: local policy, Group Policy (GPO), Microsoft Endpoint Manager (Intune), or Configuration Manager (SCCM).

In this post, I’ll walk you through how to use PowerShell to enumerate all current Defender exclusions on a Windows device and determine their source of application.

Step 1: Retrieve Defender Exclusions with PowerShell

Start by launching PowerShell as an administrator. Then run:

Get-MpPreference | Select-Object -ExpandProperty ExclusionPath

You can also retrieve other types of exclusions:

Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
Get-MpPreference | Select-Object -ExpandProperty ExclusionExtension
Get-MpPreference | Select-Object -ExpandProperty ExclusionIpAddress

This returns every exclusion currently in effect on the device, whatever set it: Get-MpPreference reports the merged, effective configuration. It does not tell you where each exclusion came from.

Step 2: Determine the Source of Defender Settings

Microsoft Defender settings can be applied via:

  • Local Group Policy
  • Domain Group Policy (GPO)
  • Microsoft Endpoint Manager (Intune)
  • System Center Configuration Manager (SCCM)
  • Local PowerShell scripts or manual configuration

To identify the source, use the following techniques:

1. Check for GPO-applied settings

Run (Get-GPOReport comes from the GroupPolicy module in RSAT and queries the domain's GPOs, not the local device, so use it from a domain-joined admin workstation):

Get-GPOReport -All -ReportType Xml | Select-String -Pattern "Exclusion"

Or use RSOP.msc or gpresult:

gpresult /h gpresult.html

Open the HTML report and look under:

Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Exclusions

If exclusions are listed here, they’re applied via GPO.

2. Check for Intune-applied settings

Intune settings are stored in the registry under:

HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Antivirus

You can inspect this with:

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Antivirus"

If exclusions are present here, they’re likely applied via Intune.

3. Check for SCCM-applied settings

SCCM typically applies policies via WMI. You can query (Get-WmiObject works in Windows PowerShell 5.1; in PowerShell 7 use Get-CimInstance with -ClassName instead):

Get-WmiObject -Namespace "root\ccm\policy\machine\actualconfig" -Class CCM_AntivirusSettings

Look for exclusion entries in the output. If present, SCCM is the source.

Step 3: Cross-Reference with Registry

Some exclusions may be visible in the registry. The excluded items are stored as value names in the Paths, Processes and Extensions subkeys, not on the Exclusions key itself, so list the subkeys rather than reading the parent key:

Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions" | Get-ItemProperty

This can help confirm whether exclusions were manually added or pushed via script.

Bonus: Combine and Annotate

You can build a script that pulls exclusions and annotates their likely source:

$exclusions = Get-MpPreference                                  # effective settings, all sources merged
gpresult /x "$env:TEMP\gpresult.xml" /f | Out-Null               # RSoP as XML; the /h HTML report is harder to parse
$gpoReport = [xml](Get-Content -Raw "$env:TEMP\gpresult.xml")
$intuneReg = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Antivirus" -ErrorAction SilentlyContinue
$sccmWMI = Get-WmiObject -Namespace "root\ccm\policy\machine\actualconfig" -Class CCM_AntivirusSettings -ErrorAction SilentlyContinue

# Logic to compare and annotate each exclusion

This requires some parsing and logic, but it’s doable if you want a full audit trail.
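To make the bonus section concrete, here is a complete version of that audit script, written for this post as an added example (it is not the author's code or Microsoft's). It reuses the post's cmdlets, the post's Intune registry key and the post's SCCM namespace and class, and adds one assumption on top: Group Policy-applied exclusions are read from the Policies hive (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\*), which is where Defender's ADMX-backed settings land. The property names matched in the Intune key ("Excluded*") and the SCCM class ("*Exclusion*"), and the list separators used to split CSP values, are also assumptions and are commented as such.

```powershell
# Added example, not from the original post. Produces one table of effective Defender
# exclusions with a "likely source" column. Run from an elevated PowerShell session.

function Get-GpoExclusions {
    # ASSUMPTION: GPO-applied exclusions live under the Policies hive; the value NAME is the item.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
    foreach ($sub in 'Paths', 'Processes', 'Extensions') {
        $key = Get-Item -Path (Join-Path $base $sub) -ErrorAction SilentlyContinue
        if ($key) { $key.GetValueNames() }
    }
}

function Get-IntuneExclusions {
    # Key path taken from the post as written. Property names and separators are assumptions:
    # CSP list values are stored as one string; split on '|' or the U+F000 list separator.
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Antivirus' -ErrorAction SilentlyContinue
    if (-not $item) { return }
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'Excluded*' -and $prop.Value -is [string]) {
            $prop.Value -split '[|\uF000]' | Where-Object { $_ }
        }
    }
}

function Get-SccmExclusions {
    # Namespace and class taken from the post; the '*Exclusion*' property filter is an assumption.
    $cfg = Get-CimInstance -Namespace 'root\ccm\policy\machine\actualconfig' -ClassName CCM_AntivirusSettings -ErrorAction SilentlyContinue
    foreach ($obj in $cfg) {
        foreach ($prop in $obj.CimInstanceProperties) {
            if ($prop.Name -like '*Exclusion*' -and $prop.Value) { @($prop.Value) }
        }
    }
}

function New-ExclusionSet([string[]]$Items) {
    # Case-insensitive set so 'C:\Temp\' and 'c:\temp\' compare equal.
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($i in $Items) { if ($i) { [void]$set.Add($i.Trim()) } }
    return ,$set   # unary comma keeps the set from being unrolled into strings
}

function Get-DefenderExclusionAudit {
    $pref = Get-MpPreference   # effective configuration, merged from every source
    $sources = [ordered]@{
        'GPO'    = New-ExclusionSet (Get-GpoExclusions)
        'Intune' = New-ExclusionSet (Get-IntuneExclusions)
        'SCCM'   = New-ExclusionSet (Get-SccmExclusions)
    }
    $effective = @(
        foreach ($v in $pref.ExclusionPath)      { [pscustomobject]@{ Type = 'Path';      Value = $v } }
        foreach ($v in $pref.ExclusionProcess)   { [pscustomobject]@{ Type = 'Process';   Value = $v } }
        foreach ($v in $pref.ExclusionExtension) { [pscustomobject]@{ Type = 'Extension'; Value = $v } }
    )
    foreach ($e in $effective) {
        $hits = @(foreach ($name in $sources.Keys) { if ($sources[$name].Contains($e.Value)) { $name } })
        # Anything no management channel claims was set locally: Set-MpPreference, an installer, a script, or by hand.
        $src = if ($hits.Count) { $hits -join ', ' } else { 'Local/Unknown' }
        $e | Add-Member -NotePropertyName Source -NotePropertyValue $src -PassThru
    }
}

Get-DefenderExclusionAudit | Sort-Object Source, Type | Format-Table -AutoSize
```

The rows tagged Local/Unknown are the ones to chase first: they are in effect on the device but no GPO, Intune or SCCM record accounts for them, which is exactly the gap a central policy review would miss. Pipe the output to Export-Csv from a scheduled task if you want the history the post mentions.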

Final Thoughts

Understanding where Defender exclusions come from is critical for security hygiene. PowerShell gives you the visibility, but pairing it with GPO, Intune, and SCCM checks completes the picture. If you’re managing endpoints across multiple platforms, consider centralizing exclusion audits into a scheduled task or dashboard.

For more on exclusion management across platforms, Microsoft has a detailed reference guide worth bookmarking:
