How to Configure CrowdStrike Exclusions for SCCM (Configuration Manager)

Last Updated: February 2025

Overview

When running Microsoft System Center Configuration Manager (SCCM) alongside CrowdStrike Falcon, proper exclusion configuration is critical for optimal performance and stability. Antivirus real-time protection can interfere with Configuration Manager operations, causing deployment failures, inventory issues, and system instability.

This guide provides comprehensive exclusion recommendations for CrowdStrike Falcon when protecting SCCM site servers, site systems, and clients, based on Microsoft’s official recommendations.

⚠️ Important Security Notice: While these exclusions improve SCCM performance and prevent operational conflicts, they reduce CrowdStrike’s security coverage. Each exclusion creates a potential blind spot that could be exploited by threat actors. Carefully evaluate the risks in your environment and implement compensating controls where possible.

Common Issues Without Proper Exclusions

Without appropriate exclusions, you may experience:

  • Remote site system components fail to install
  • Configuration Manager client installation failures through client push
  • Inaccurate or missing client inventory information
  • Backlogs in site server Inboxes folders
  • Software Center not populating or starting correctly
  • Software deployment failures to clients
  • Inaccurate compliance data for deployments
  • Database verification errors (0x80004005)
  • Performance degradation on site servers and management points

Prerequisites

  • CrowdStrike Falcon administrative access
  • Access to the Falcon Console: https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (varies by tenant)
  • Configuration Manager installation paths documented
  • Understanding of your SCCM hierarchy and roles

Step 1: Access CrowdStrike Falcon Console

  1. Open your browser and navigate to your Falcon Console URL (listed under Prerequisites)
  2. Sign in using your admin credentials
  3. Navigate to Endpoint Security > Configure > Exclusions

Step 2: Configure Site Server Exclusions

Default Installation Paths

Note: These are default paths. Verify your actual installation locations before configuring exclusions.

  • ConfigMgr Installation: %ProgramFiles%\Microsoft Configuration Manager
  • MP Installation: %ProgramFiles%\SMS_CCM
  • Client Installation: %Windir%\CCM
  • Content Library Drive: Varies (default is C:\)

Required Site Server Folder Exclusions

In the CrowdStrike Console:

  1. Select Machine Learning Exclusions tab
  2. Click Create Exclusion
  3. Select the appropriate host group for your site servers
  4. Add the following folder exclusions:
     %ProgramFiles%\Microsoft Configuration Manager\Inboxes\*
     %ProgramFiles%\Microsoft Configuration Manager\Logs\*
     %ProgramFiles%\Microsoft Configuration Manager\EasySetupPayload\*
     [ContentLib_drive]\SCCMContentLib\*
  5. Click Create Exclusion
  6. Repeat the process on the Sensor Visibility tab

Note: If using a remote content library, the SCCMContentLib folder won’t be on the site server.

Step 3: Configure Site System Exclusions

Management Point Exclusions

Add these folder exclusions for Management Points:

%ProgramFiles%\SMS_CCM\ServiceData\*
%ProgramFiles%\Microsoft Configuration Manager\MP\OUTBOXES\*
[Installation_drive]\SMS\MP\OUTBOXES\*

File Exclusion:

POL00000.pol in %ProgramFiles%\SMS_CCM\PolReqStaging

Important: Disable scanning of outgoing files on Management Points. In CrowdStrike, ensure only incoming files are scanned for MP servers.

Distribution Point Exclusions

Add these folder exclusions for Distribution Points:

%Windir%\CCM\ServiceData\*
[ContentLib_drive]\SCCMContentLib\*
[ContentLib_drive]\SMS_DP$\*
[ContentLib_drive]\SMSPKG[Drive_Letter]$\*
[ContentLib_drive]\SMSPKG\*
[ContentLib_drive]\SMSPKGSIG\*
[ContentLib_drive]\SMSSIG$\*

Step 4: Configure Client Exclusions

Folder Exclusions for SCCM Clients

Add these exclusions for all systems with the Configuration Manager client:

%Windir%\CCM\*.sdf
%Windir%\CCM\ServiceData\*
%Windir%\CCM\ScriptStore\*
C:\Windows\CCMCache\*
C:\Windows\CCMSetup\*
%Windir%\CCM\Logs\*
C:\Windows\Setup\Scripts\*
C:\Windows\SMSTSPostUpgrade\*
C:\Program Files\Microsoft Policy Platform\authorityDb\*.sdf
%Windir%\CCM\temp\*

Step 5: Configure Process Exclusions

Note: Process exclusions are only necessary if CrowdStrike flags Configuration Manager executables as high-risk processes.

Site and Site System Process Exclusions

In the Process Exclusions section, add:

%ProgramFiles%\Microsoft Configuration Manager\bin\x64\Smsexec.exe
%ProgramFiles%\Microsoft Configuration Manager\bin\x64\Sitecomp.exe
%ProgramFiles%\Microsoft Configuration Manager\bin\x64\Smswriter.exe
%ProgramFiles%\Microsoft Configuration Manager\bin\x64\Cmupdate.exe
%ProgramFiles%\Microsoft Configuration Manager\bin\x64\Smssqlbkup.exe
%ProgramFiles%\SMS_CCM\Ccmexec.exe

Client Process Exclusions

%Windir%\CCM\Ccmexec.exe
%Windir%\CCM\Ccmrepair.exe
%Windir%\CCM\ScClient.exe
%Windir%\CCM\CcmAADBroker.exe
%Windir%\CCM\RemCtrl\CmRcService.exe
%windir%\CCMSetup\Ccmsetup.exe
%windir%\CCMSetup\autoupgrade\Ccmsetup*.exe

Note: Starting in Configuration Manager version 1910, the autoupgrade file format changed to Ccmsetup.<PackageID>.<PackageVersion>.exe

Step 6: Configure SQL Server Exclusions

For site database servers, refer to Microsoft’s guidelines for antivirus software on SQL Server systems. Additional database-specific exclusions may be required based on your SQL Server configuration.

Step 7: Apply and Test Exclusions

  1. After creating all exclusions, click Save in the CrowdStrike Console
  2. Allow 5-10 minutes for policies to propagate to endpoints
  3. Test in a non-production environment first:
     • Verify SCCM client installation works
     • Test software deployments
     • Check inventory collection
     • Monitor site server performance
  4. Review CrowdStrike and SCCM logs for any remaining conflicts
  5. Gradually roll out to production after successful testing

Security Considerations and Best Practices

Risk Mitigation Strategies

  1. Compensating Controls:
     • Enable Windows Defender Application Control on excluded paths where possible
     • Implement enhanced monitoring on excluded directories
     • Use SCCM’s built-in security features and compliance baselines
  2. Regular Reviews:
     • Audit exclusions quarterly
     • Remove unnecessary exclusions after SCCM upgrades or changes
     • Document all exclusions and their business justification
  3. Principle of Least Privilege:
     • Only exclude what’s absolutely necessary
     • Use specific file paths rather than wildcards when possible
     • Apply exclusions only to affected host groups, not globally
  4. Monitoring:
     • Set up alerts for suspicious activity in excluded paths
     • Monitor SCCM logs for unusual behavior
     • Track file changes in excluded directories using SIEM
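The "track file changes in excluded directories" control above, as an added Python example that is not part of this guide and not a CrowdStrike or Microsoft tool: it baselines the SHA-256 of every file under an excluded folder, diffs a later snapshot, and calls out new or altered executable content, which is the change worth alerting on in a folder the sensor no longer inspects. The `demo()` function works in a constructed throwaway folder standing in for a path such as C:\Windows\CCMCache; the file names and contents in it are invented.

```python
import hashlib
import os

# File types whose appearance or change inside an excluded folder deserves a closer look.
EXECUTABLE_EXT = {".exe", ".dll", ".sys", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr", ".msi"}

def snapshot(root):
    """Map every file under root (relative path, '/'-separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def diff(baseline, current):
    """Return the relative paths added, removed and modified since the baseline snapshot."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])}

def flag_executables(changes):
    """New or altered executable content is the change worth alerting on in a blind spot."""
    return sorted(p for p in changes["added"] + changes["modified"]
                  if os.path.splitext(p)[1].lower() in EXECUTABLE_EXT)

def demo():
    """Constructed walkthrough: baseline a fake cache folder, then add an .exe and change a log."""
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "pkg1"))
        with open(os.path.join(root, "pkg1", "setup.msi"), "wb") as f:
            f.write(b"constructed installer bytes")
        with open(os.path.join(root, "ccm.log"), "wb") as f:
            f.write(b"line 1\n")
        baseline = snapshot(root)            # keep the baseline off the host in practice
        with open(os.path.join(root, "pkg1", "unexpected.exe"), "wb") as f:
            f.write(b"constructed, not a real binary")
        with open(os.path.join(root, "ccm.log"), "ab") as f:
            f.write(b"line 2\n")
        changes = diff(baseline, snapshot(root))
        return changes, flag_executables(changes)

if __name__ == "__main__":
    print(demo())
```

In a real cache or content library folder new installers arrive with every deployment, so correlate the flagged paths with SCCM's own deployment records instead of alerting on them blindly.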

Performance vs. Security Trade-offs

Exclusion Type       Performance Impact   Security Risk   Recommendation
Inboxes folders      High improvement     Medium          Required for stability
Cache folders        High improvement     Low             Recommended
Process exclusions   Medium improvement   High            Use sparingly
Content Library      High improvement     Medium          Required for DPs
Log folders          Low improvement      Low             Optional

Troubleshooting

If Issues Persist After Applying Exclusions:

  1. Verify exclusion syntax – Ensure paths use correct variables and wildcards
  2. Check policy application – Confirm exclusions are active on affected systems
  3. Review both ML and Sensor Visibility tabs – Some exclusions need to be in both
  4. Temporarily disable prevention – Test if CrowdStrike is still the cause
  5. Contact support – Engage both Microsoft and CrowdStrike support if needed

Common Mistakes to Avoid:

  • ❌ Using incorrect path variables
  • ❌ Forgetting to apply exclusions to both ML and Sensor Visibility
  • ❌ Not testing in non-production first
  • ❌ Over-excluding (creating unnecessary security gaps)
  • ❌ Not documenting exclusions for audit purposes
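To catch the path-variable and over-exclusion mistakes listed above (and the "verify your actual installation locations" note in Step 2) before an entry reaches the console, here is an added Python checker that is not part of this guide and not a CrowdStrike tool: it resolves the %VAR% and [placeholder] tokens used in this guide's paths, then flags unresolved tokens, wildcards in the middle of a path, and entries that would cover a whole drive or a system root folder. The environment values in DEFAULT_ENV and the D: content-library drive in the sample are constructed assumptions, and the checks are heuristics, not the Falcon Console's own validation.

```python
import re

# Constructed defaults for the guide's %VAR% tokens; on a real host read the machine's own environment.
DEFAULT_ENV = {"ProgramFiles": r"C:\Program Files", "Windir": r"C:\Windows"}
ENV_VAR = re.compile(r"%([A-Za-z_]+)%")         # %ProgramFiles%, %windir% (case-insensitive)
PLACEHOLDER = re.compile(r"\[([A-Za-z_]+)\]")   # [ContentLib_drive], [Drive_Letter]
SYSTEM_ROOTS = {"windows", "program files", "program files (x86)", "users"}

def expand(path, env=None, placeholders=None):
    """Resolve %VAR% and [Placeholder] tokens; raises KeyError on anything unresolved."""
    env = {k.lower(): v for k, v in (env or DEFAULT_ENV).items()}
    placeholders = placeholders or {}
    path = ENV_VAR.sub(lambda m: env[m.group(1).lower()], path)
    return PLACEHOLDER.sub(lambda m: placeholders[m.group(1)], path)

def lint(path):
    """Heuristic checks on an expanded exclusion; an empty list means the entry looks sane."""
    if not re.match(r"^[A-Za-z]:\\", path):
        return ["not an absolute drive path"]
    parts = path.split("\\")[1:]            # components after the drive letter
    inner, last = parts[:-1], parts[-1]
    problems = []
    if any("*" in p for p in inner):
        problems.append("wildcard in the middle of the path")
    too_shallow = not inner or (len(inner) == 1 and inner[0].lower() in SYSTEM_ROOTS)
    if "*" in last and too_shallow:
        problems.append("over-broad: covers a whole drive or system root folder")
    return problems

def check_exclusions(raw_paths, env=None, placeholders=None):
    """Expand and lint each raw entry; returns {raw: (expanded_or_None, [problems])}."""
    report = {}
    for raw in raw_paths:
        try:
            expanded = expand(raw, env, placeholders)
        except KeyError as e:
            report[raw] = (None, [f"unresolved token {e.args[0]}"])
            continue
        report[raw] = (expanded, lint(expanded))
    return report

if __name__ == "__main__":
    # Three entries from the guide plus one deliberately over-broad entry (constructed).
    sample = [r"%ProgramFiles%\Microsoft Configuration Manager\Inboxes\*",
              r"[ContentLib_drive]\SMSPKG[Drive_Letter]$\*",
              r"%windir%\CCMSetup\autoupgrade\Ccmsetup*.exe", r"C:\Windows\*"]
    drives = {"ContentLib_drive": "D:", "Drive_Letter": "D"}   # assumed per-host values
    for raw, (path, problems) in check_exclusions(sample, placeholders=drives).items():
        print(f"{raw} -> {path}: {problems or 'ok'}")
```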

Maintenance and Updates

Review exclusions after:

  • SCCM version upgrades
  • CrowdStrike sensor updates
  • Major Windows updates
  • Changes to SCCM hierarchy

Keep documentation updated with:

  • Current exclusion list
  • Business justification for each exclusion
  • Date of last review
  • Risk acceptance from security team

Disclaimer

⚠️ Security Warning: Implementing these exclusions will reduce CrowdStrike Falcon’s ability to detect and prevent threats in the excluded locations. This creates potential security vulnerabilities that could be exploited by malicious actors. Organizations should:

  • Carefully evaluate the security risks against operational requirements
  • Implement compensating security controls where possible
  • Maintain detailed documentation of all exclusions
  • Regularly review and validate the continued need for exclusions
  • Obtain formal risk acceptance from appropriate stakeholders

The exclusions in this guide are recommendations based on Microsoft’s guidelines and common SCCM deployment scenarios. Your specific environment may require different or additional exclusions. Always test thoroughly in a non-production environment before implementing in production.

Last reviewed: February 2025
Applies to: Configuration Manager (current branch), CrowdStrike Falcon