How to Configure CrowdStrike Exclusions for Hyper-V Hosts

Last Updated: February 2025

Overview

Running antivirus software on Hyper-V hosts requires careful configuration to ensure optimal performance and prevent operational issues with virtual machines. Incorrect antivirus configuration can cause virtual machines to go missing, fail to start, or experience significant performance degradation.

This guide provides comprehensive exclusion recommendations for CrowdStrike Falcon when protecting Hyper-V hosts, based on Microsoft’s official antivirus exclusion recommendations for Hyper-V.

⚠️ Important Security Notice: While these exclusions optimize Hyper-V performance and prevent VM operational issues, they reduce CrowdStrike’s security coverage. These configuration changes should be made only on physical systems with the Hyper-V role enabled and systems providing storage for virtual machine files. Carefully evaluate the security risks in your environment and implement compensating controls.


Common Issues Without Proper Exclusions

Without appropriate exclusions, you may experience:

  • Virtual machines appearing as missing or unavailable
  • Error 0x800704C8 when starting or creating VMs
  • Error 0x80070037 (file not found) errors
  • Error 0x800703E3 (I/O operation aborted) errors
  • VM startup failures and crashes
  • Live migration failures
  • Checkpoint/snapshot creation failures
  • Performance degradation in VMs
  • Storage space issues due to locked files
  • Hyper-V replica synchronization problems
  • Cluster shared volume access issues
  • Virtual machine backup failures

Supported Configurations

This guide applies to:

  • All supported versions of Windows Server with Hyper-V role
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows 10/11 Pro, Enterprise, and Education with Hyper-V enabled
  • Hyper-V Server (free hypervisor)
  • Failover clusters running Hyper-V
  • Systems using Hyper-V Replica

Prerequisites

  • CrowdStrike Falcon administrative access
  • Access to the Falcon Console: https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (varies by tenant)
  • Hyper-V host configuration documented
  • List of VM storage locations
  • Understanding of your virtualization infrastructure
  • PowerShell administrative access to Hyper-V hosts

Step 1: Access CrowdStrike Falcon Console

  1. Open your browser and navigate to your Falcon Console (the URL varies by tenant; see Prerequisites)
  2. Sign in using your admin credentials
  3. Navigate to Endpoint Security > Configure > Exclusions

Step 2: Identify Virtual Machine Storage Locations

Before configuring exclusions, identify all VM storage locations:

# Get default VM storage paths
Get-VMHost | Select-Object VirtualMachinePath, VirtualHardDiskPath

# List all VMs and their configuration paths
Get-VM | Select-Object Name, Path, ConfigurationLocation

# Get all virtual hard disk locations
Get-VM | Get-VMHardDiskDrive | Select-Object VMName, Path

# Check for Cluster Shared Volumes (if applicable)
Get-ClusterSharedVolume | Select-Object Name, SharedVolumeInfo

Step 3: Configure Virtual Machine File Exclusions

Critical File Type Exclusions

Add these file extensions to global exclusions:

Virtual Hard Disk Files

*.vhd     # Virtual Hard Disk (Gen 1)
*.vhdx    # Virtual Hard Disk v2 (Gen 2)
*.avhd    # Virtual Hard Disk snapshot
*.avhdx   # Virtual Hard Disk v2 snapshot
*.vhds    # VHD Set file (shared VHDX)
*.vhdpmem # Virtual Persistent Memory file

Virtual Machine Configuration Files

*.xml     # VM Configuration (legacy)
*.vmcx    # VM Configuration v2
*.vmrs    # VM Runtime State
*.vmgs    # VM Guest State

Virtual Machine State Files

*.vsv     # Device state file
*.bin     # Memory state file
*.iso     # Virtual Optical Disk images

Resilient File System Files

*.rct     # Resilient Change Tracking
*.mrt     # Modified Region Table

Process-Specific File Associations

Configure exclusions with process associations:

File Type                           Associated Processes
*.vhd, *.vhdx, *.avhd, *.avhdx      vmms.exe, vmwp.exe, vmcompute.exe
*.vsv                               vmms.exe, vmwp.exe, vmcompute.exe
*.bin                               vmwp.exe
*.xml                               vmms.exe
*.vmcx                              vmms.exe
*.vmrs                              vmms.exe, vmwp.exe, vmcompute.exe
*.vmgs                              vmms.exe, vmwp.exe, vmcompute.exe

Step 4: Configure Directory Exclusions

Default Hyper-V Directories

Add these default directory exclusions:

%ProgramData%\Microsoft\Windows\Hyper-V\*
%Public%\Documents\Hyper-V\Virtual Hard Disks\*
%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\*

Cluster Shared Volumes

If using Failover Clustering:

C:\ClusterStorage\*

Custom VM Storage Locations

Add exclusions for any custom directories:

[CustomPath]\Virtual Machines\*
[CustomPath]\Virtual Hard Disks\*
[CustomPath]\Snapshots\*
[CustomPath]\Replica\*

SMB 3.0 File Shares

If storing VMs on SMB 3.0 shares:

  • Configure exclusions on the file server hosting the shares
  • Exclude the entire share path containing VM files
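As an added example (not part of the original guide), the following PowerShell script ties Steps 2 and 4 together: it gathers every directory Hyper-V uses for the VMs on this host and checks each one against the directory exclusions you have configured. The $ConfiguredExclusions list and the Test-Excluded helper are assumptions for illustration; replace the list with your own Falcon directory exclusions.

```powershell
# Added example, not from the original guide. Assumes the Hyper-V module is
# installed and that $ConfiguredExclusions mirrors your Falcon directory
# exclusions (placeholder values from Step 4 are shown).
Import-Module Hyper-V -ErrorAction Stop

$ConfiguredExclusions = @(
    "$env:ProgramData\Microsoft\Windows\Hyper-V\*",
    "$env:Public\Documents\Hyper-V\Virtual Hard Disks\*",
    'C:\ClusterStorage\*'
)

# Every directory a VM touches: configuration, checkpoints, smart paging,
# and the parent directory of each attached virtual hard disk.
$vmPaths = foreach ($vm in Get-VM) {
    $vm.ConfigurationLocation
    $vm.CheckpointFileLocation
    $vm.SmartPagingFilePath
    foreach ($disk in Get-VMHardDiskDrive -VM $vm) {
        if ($disk.Path) { Split-Path -Path $disk.Path -Parent }
    }
}
# Host defaults matter too: new VMs land there unless a path is specified.
$vmHost = Get-VMHost
$vmPaths += @($vmHost.VirtualMachinePath, $vmHost.VirtualHardDiskPath)
$uniquePaths = $vmPaths | Where-Object { $_ } | Sort-Object -Unique

function Test-Excluded {
    param([string]$Path)
    # The trailing * in an exclusion acts as a wildcard for -like, so a
    # subdirectory of an excluded directory matches; the second test covers
    # the excluded directory itself.
    foreach ($pattern in $ConfiguredExclusions) {
        if ($Path -like $pattern -or "$Path\" -like $pattern) { return $true }
    }
    return $false
}

$report = foreach ($p in $uniquePaths) {
    [pscustomobject]@{ Path = $p; Excluded = (Test-Excluded -Path $p) }
}
$report | Format-Table -AutoSize

# Excluded = False means a directory exclusion is missing from Step 4
# (or the VM should be moved into an already-excluded location).
$report | Where-Object { -not $_.Excluded } | ForEach-Object {
    Write-Warning "VM storage path not covered by an exclusion: $($_.Path)"
}
```

Run it on every Hyper-V host (and on every node of a cluster), since VMs can be stored in different locations on each.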

Step 5: Configure Process Exclusions

Add these Hyper-V processes to CrowdStrike process exclusions:

Core Hyper-V Processes

%systemroot%\System32\Vmms.exe       # Virtual Machine Management Service
%systemroot%\System32\Vmwp.exe       # Virtual Machine Worker Process
%systemroot%\System32\Vmsp.exe       # VM Security Process (2016+)
%systemroot%\System32\Vmcompute.exe  # VM Compute Process (2019+)

Process Descriptions

Process         Function                    Windows Version
Vmms.exe        Manages virtual machines    All
Vmwp.exe        Hosts VM worker processes   All
Vmsp.exe        Handles VM security         2016+
Vmcompute.exe   Compute operations          2019+
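A process exclusion is only as safe as the binary it names. The following script is an added example (not from the original guide) that checks each path in the Step 5 list: it confirms the file is present and Microsoft-signed, and reports any running process of the same name whose image path differs from the excluded path. The Test-ExcludedProcessBinary function name is an assumption for illustration.

```powershell
# Added example, not from the original guide. Confirms that each path named
# in a process exclusion is the Microsoft-signed Hyper-V binary and that no
# running process of that name was started from a different image path.
$ExcludedProcesses = @(
    "$env:SystemRoot\System32\vmms.exe",
    "$env:SystemRoot\System32\vmwp.exe",
    "$env:SystemRoot\System32\vmsp.exe",
    "$env:SystemRoot\System32\vmcompute.exe"
)

function Test-ExcludedProcessBinary {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        $name = [IO.Path]::GetFileNameWithoutExtension($path)
        if (-not (Test-Path -LiteralPath $path)) {
            # vmsp.exe and vmcompute.exe exist only on newer Windows versions.
            [pscustomobject]@{ Path = $path; Present = $false; Signed = $null
                               Signer = $null; OtherImagePaths = $null }
            continue
        }
        # System32 binaries are catalog-signed; Status is Valid when the
        # catalog signature checks out.
        $sig = Get-AuthenticodeSignature -FilePath $path
        # Running instances whose image path differs from the excluded path
        # are not covered by the exclusion and deserve a closer look.
        $others = Get-Process -Name $name -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -and $_.Path -ne $path } |
            Select-Object -ExpandProperty Path -Unique
        [pscustomobject]@{
            Path            = $path
            Present         = $true
            Signed          = ($sig.Status -eq 'Valid')
            Signer          = $sig.SignerCertificate.Subject
            OtherImagePaths = ($others -join '; ')
        }
    }
}

Test-ExcludedProcessBinary -Paths $ExcludedProcesses | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; without administrative rights the image path of vmwp.exe instances running under VM virtual accounts may not be readable.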

Step 6: Review Windows Defender Automatic Exclusions

Note: If Windows Defender is also running on the Hyper-V host, it applies many of these exclusions automatically once the Hyper-V role is installed. Check the automatic exclusions:

# View Windows Defender automatic exclusions
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess

# Verify Hyper-V exclusions are active
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath | Where-Object {$_ -like "*Hyper-V*"}

For a complete list, refer to Windows Defender automatic exclusions.


Step 7: Configure Hyper-V Replica Exclusions

If using Hyper-V Replica, add these additional exclusions:

Replica Storage

[ReplicaStoragePath]\Hyper-V Replica\*

Replica Log Files

*.hrl     # Hyper-V Replica Log files

Replica Processes

Ensure vmms.exe and vmwp.exe are excluded as they handle replication.


Step 8: Configure for Hyper-V Clusters

For clustered Hyper-V environments:

Cluster Directories

C:\ClusterStorage\*
%SystemRoot%\Cluster\*

Cluster Database

%SystemRoot%\Cluster\CLUSDB
%SystemRoot%\Cluster\CLUSDB.blf

Witness Disk (if applicable)

[WitnessDisk]:\*

Live Migration Paths

Ensure all potential migration target paths are excluded on all cluster nodes.


Step 9: Apply and Test Exclusions

  1. Save Configuration: Click Save in the CrowdStrike Console
  2. Policy Propagation: Allow 5-10 minutes for policies to propagate
  3. Verification Steps:
# Test VM operations
Start-VM -Name "TestVM"
Stop-VM -Name "TestVM"

# Test checkpoint creation
Checkpoint-VM -Name "TestVM" -SnapshotName "Test"

# Verify Hyper-V services
Get-Service vmms, vmcompute | Select-Object Name, Status

# Check event logs for errors
Get-EventLog -LogName System -Source "Hyper-V-VMMS" -Newest 10

# Test live migration (if clustered)
Move-VM -Name "TestVM" -DestinationHost "Host2"
  4. Performance Testing:
    • Monitor VM startup times
    • Test VM backup operations
    • Verify storage performance
    • Check live migration speed

Step 10: Configure Host-Specific Settings

Generation 2 VMs

For Generation 2 VMs, ensure UEFI-related files are excluded:

*.vmgs    # Secure Boot and TPM state

Virtual Fiber Channel

If using Virtual Fiber Channel:

%ProgramData%\Microsoft\Windows\Hyper-V\Virtual SAN\*

GPU Partitioning (DDA/GPU-P)

For discrete device assignment:

%ProgramData%\Microsoft\Windows\Hyper-V\DDA\*

Security Best Practices

Compensating Controls for Hyper-V

  1. VM Security:
    • Enable Secure Boot for Gen 2 VMs
    • Use TPM and BitLocker for VMs
    • Implement VM shielding where appropriate
    • Use Host Guardian Service for guarded VMs
  2. Network Security:
    • Configure VM network isolation
    • Use Private VLANs
    • Implement network virtualization
    • Enable port ACLs
  3. Storage Security:
    • Encrypt VM storage using BitLocker
    • Use SMB encryption for network storage
    • Implement storage QoS
    • Regular backup verification
  4. Host Security:
    • Keep hosts fully patched
    • Minimize host attack surface
    • Use Credential Guard
    • Implement Just Enough Administration (JEA)
  5. Monitoring:
    • Monitor Hyper-V event logs
    • Track VM configuration changes
    • Audit administrative actions
    • Monitor excluded directories
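The last item above, monitoring the excluded directories, is where a compensating control is most needed: Falcon no longer inspects files written there. The following script is an added example (not part of the original guide) that inventories the excluded directories for recently written files whose extension is not one Hyper-V itself produces (the Step 3 and Step 7 file types). $ExcludedDirs and the Get-UnexpectedExcludedFiles function are assumptions for illustration; substitute your own exclusion list.

```powershell
# Added example, not from the original guide. Falcon no longer inspects
# files in the excluded directories, so inventory them on a schedule for
# file types Hyper-V never writes. $ExcludedDirs is a placeholder for your
# own exclusion list; the allowed extensions are the ones from Steps 3 and 7.
$ExcludedDirs = @(
    "$env:ProgramData\Microsoft\Windows\Hyper-V",
    "$env:Public\Documents\Hyper-V\Virtual Hard Disks",
    'C:\ClusterStorage'
)
$ExpectedExtensions = @(
    '.vhd', '.vhdx', '.avhd', '.avhdx', '.vhds', '.vhdpmem',
    '.xml', '.vmcx', '.vmrs', '.vmgs', '.vsv', '.bin', '.iso',
    '.rct', '.mrt', '.hrl'
)

function Get-UnexpectedExcludedFiles {
    param([string[]]$Directories, [string[]]$Allowed, [int]$NewerThanHours = 24)
    $since = (Get-Date).AddHours(-$NewerThanHours)
    foreach ($dir in $Directories) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $_.LastWriteTime -ge $since -and
                $Allowed -notcontains $_.Extension.ToLowerInvariant()
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Path          = $_.FullName
                    SizeBytes     = $_.Length
                    LastWriteTime = $_.LastWriteTime
                    Owner         = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                }
            }
    }
}

$findings = Get-UnexpectedExcludedFiles -Directories $ExcludedDirs -Allowed $ExpectedExtensions
if ($findings) {
    # Anything listed here was written into a blind spot; review it and
    # forward it to your SIEM or ticketing process.
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No unexpected files in excluded Hyper-V directories.'
}
```

Schedule it (for example, as a daily scheduled task) and tune the extension allow-list to whatever your backup or management tools legitimately write into those locations.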

Risk Assessment Matrix

Component        Performance Impact if Scanned   Security Risk if Excluded   Recommendation
VHDX files       Critical – VM failures          Medium                      Required exclusion
VM config files  Critical – Start failures       Low                         Required exclusion
Checkpoints      High – Backup issues            Low                         Required exclusion
VM processes     Critical – Performance          Medium                      Required exclusion
CSV paths        Critical – Cluster issues       Medium                      Required for clusters
Replica files    High – Sync failures            Low                         Required if Replica is used

Troubleshooting

Common Issues and Solutions

  1. VM fails to start (0x800704C8):
    • Verify VHDX files are excluded
    • Check vmwp.exe process exclusion
    • Review VM configuration path exclusions
  2. File not found errors (0x80070037):
    • Ensure all VM storage paths are excluded
    • Check for moved or renamed VMs
    • Verify CSV exclusions on all nodes
  3. I/O operation aborted (0x800703E3):
    • Confirm process exclusions are active
    • Check for locked VHDX files
    • Review real-time scanning settings
  4. Live migration failures:
    • Verify exclusions on all cluster nodes
    • Check network storage exclusions
    • Ensure vmms.exe is excluded
  5. Checkpoint creation fails:
    • Confirm snapshot directory exclusions
    • Check AVHDX file exclusions
    • Verify sufficient storage space

Diagnostic PowerShell Commands

# Check VM health
Get-VM | Select-Object Name, State, Status, Uptime

# Verify storage paths
Get-VM | ForEach-Object {
    $vm = $_
    Get-VMHardDiskDrive -VM $vm | Select-Object @{N='VM';E={$vm.Name}}, Path
}

# List the running Hyper-V processes that hold VM files open
Get-Process | Where-Object {$_.ProcessName -match "vmms|vmwp|vmcompute"}

# Review Hyper-V events
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Hyper-V-VMMS/Admin'; Level=2,3}

# Test VM operations
Measure-Command {Start-VM -Name "TestVM"}
Measure-Command {Stop-VM -Name "TestVM" -Force}

# Check cluster health (if applicable)
Get-ClusterNode | Select-Object Name, State
Get-ClusterSharedVolume | Select-Object Name, State

Maintenance and Review

Regular Tasks

  • Daily: Monitor VM availability and performance
  • Weekly: Review Hyper-V event logs
  • Monthly: Verify exclusion effectiveness
  • Quarterly: Audit exclusion list
  • After Updates:
    • Windows Server updates
    • Hyper-V integration services updates
    • CrowdStrike sensor updates
    • Cluster updates

Documentation Requirements

Maintain records of:

  • All VM storage locations
  • Custom configuration paths
  • Cluster shared volume paths
  • Network storage locations
  • Replica configuration
  • Performance baselines
  • Incident history

Special Considerations

Nested Virtualization

If using nested virtualization:

  • Apply exclusions to both host levels
  • Consider performance impact
  • Monitor resource consumption

Container Support

For Windows containers on Hyper-V:

%ProgramData%\Microsoft\Windows\Hyper-V\Containers\*
%ProgramData%\Docker\*

Azure Stack HCI

For Azure Stack HCI deployments:

  • Follow standard Hyper-V exclusions
  • Add Storage Spaces Direct paths
  • Consider Azure Arc integration

Virtual Desktop Infrastructure (VDI)

For VDI deployments:

  • Apply exclusions to all session host servers
  • Consider user profile disk exclusions
  • Monitor for profile corruption

Performance Optimization

Best Practices

  1. Storage Configuration:
    • Use fixed-size VHDX for production
    • Align VHDX to storage boundaries
    • Use ReFS for VM storage
    • Enable ODX for storage arrays
  2. Memory Management:
    • Configure appropriate dynamic memory
    • Monitor memory pressure
    • Set realistic memory limits
  3. CPU Configuration:
    • Use NUMA awareness
    • Configure appropriate vCPU counts
    • Monitor CPU ready times

Disclaimer

⚠️ Security Warning: Implementing these exclusions reduces CrowdStrike Falcon’s ability to detect and prevent threats in excluded locations. This creates potential security vulnerabilities that could be exploited by malicious actors.

Organizations should:

  • Implement comprehensive VM security measures
  • Deploy host-based security within VMs
  • Maintain detailed audit trails
  • Perform regular security assessments
  • Obtain formal risk acceptance from stakeholders
  • Consider defense-in-depth strategies

These exclusions are based on Microsoft’s recommendations for Hyper-V hosts. Your environment may require additional exclusions based on specific configurations, third-party backup solutions, or management tools. Always test thoroughly in a non-production environment before implementing in production. Remember that these exclusions apply only to the Hyper-V host – guest VMs should have their own appropriate antivirus protection.

Last reviewed: February 2025
Applies to: All supported versions of Windows Server with Hyper-V, Windows 10/11 with Hyper-V, CrowdStrike Falcon