Last Updated: February 2025
Overview
When running Microsoft System Center Configuration Manager (SCCM) alongside CrowdStrike Falcon, proper exclusion configuration is critical for optimal performance and stability. Antivirus real-time protection can interfere with Configuration Manager operations, causing deployment failures, inventory issues, and system instability.
This guide provides comprehensive exclusion recommendations for CrowdStrike Falcon when protecting SCCM site servers, site systems, and clients, based on Microsoft’s official recommendations.
⚠️ Important Security Notice: While these exclusions improve SCCM performance and prevent operational conflicts, they reduce CrowdStrike’s security coverage. Each exclusion creates a potential blind spot that could be exploited by threat actors. Carefully evaluate the risks in your environment and implement compensating controls where possible.
Common Issues Without Proper Exclusions
Without appropriate exclusions, you may experience:
- Remote site system components fail to install
- Configuration Manager client installation failures through client push
- Inaccurate or missing client inventory information
- Backlogs in site server Inboxes folders
- Software Center not populating or starting correctly
- Software deployment failures to clients
- Inaccurate compliance data for deployments
- Database verification errors (0x80004005)
- Performance degradation on site servers and management points
Prerequisites
- CrowdStrike Falcon administrative access
- Access to the Falcon Console: https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (varies by tenant)
- Configuration Manager installation paths documented
- Understanding of your SCCM hierarchy and roles
Step 1: Access CrowdStrike Falcon Console
- Open your browser and navigate to your Falcon Console:
- Primary: https://falcon.crowdstrike.com- US-2:https://falcon.us-2.crowdstrike.com/
- (Contact your CrowdStrike administrator if unsure of your tenant location)
- Sign in using your admin credentials
- Navigate to Endpoint Security > Configure > Exclusions
Step 2: Configure Site Server Exclusions
Default Installation Paths
Note: These are default paths. Verify your actual installation locations before configuring exclusions.
- ConfigMgr Installation:
%ProgramFiles%\Microsoft Configuration Manager - MP Installation:
%ProgramFiles%\SMS_CCM - Client Installation:
%Windir%\CCM - Content Library Drive: Varies (default is C:\)
Required Site Server Folder Exclusions
In the CrowdStrike Console:
- Select Machine Learning Exclusions tab
- Click Create Exclusion
- Select the appropriate host group for your site servers
- Add the following folder exclusions:
%ProgramFiles%\Microsoft Configuration Manager\Inboxes\* %ProgramFiles%\Microsoft Configuration Manager\Logs\* %ProgramFiles%\Microsoft Configuration Manager\EasySetupPayload\* [ContentLib_drive]\SCCMContentLib\*- - Click Create Exclusion
- Repeat the process on the Sensor Visibility tab
Step 3: Configure Site System Exclusions
Management Point Exclusions
Add these folder exclusions for Management Points:
%ProgramFiles%\\SMS_CCM\\ServiceData\\*
%ProgramFiles%\\Microsoft Configuration Manager\\MP\\OUTBOXES\\*
[Installation_drive]\\SMS\\MP\\OUTBOXES\\*File Exclusion:
POL00000.pol in %ProgramFiles%\\SMS_CCM\\PolReqStagingImportant: Disable scanning of outgoing files on Management Points. In CrowdStrike, ensure only incoming files are scanned for MP servers.
Distribution Point Exclusions
Add these folder exclusions for Distribution Points:
%Windir%\\CCM\\ServiceData\\*
[ContentLib_drive]\\SCCMContentLib\\*
[ContentLib_drive]\\SMS_DP\$\\*
[ContentLib_drive]\\SMSPKG[Drive_Letter]\$\\*
[ContentLib_drive]\\SMSPKG\\*
[ContentLib_drive]\\SMSPKGSIG\\*
[ContentLib_drive]\\SMSSIG\$\\*Step 4: Configure Client Exclusions
Folder Exclusions for SCCM Clients
Add these exclusions for all systems with the Configuration Manager client:
%Windir%\\CCM\\*.sdf
%Windir%\\CCM\\ServiceData\\*
%Windir%\\CCM\\ScriptStore\\*
C:\\Windows\\CCMCache\\*
C:\\Windows\\CCMSetup\\*
%Windir%\\CCM\\Logs\\*
C:\\Windows\\Setup\\Scripts\\*
C:\\Windows\\SMSTSPostUpgrade\\*
C:\\Program Files\\Microsoft Policy Platform\\authorityDb\\*.sdf
%Windir%\\CCM\\temp\\*Step 5: Configure Process Exclusions
Note: Process exclusions are only necessary if CrowdStrike considers Configuration Manager executables as high-risk processes.
Site and Site System Process Exclusions
In the Process Exclusions section, add:
%ProgramFiles%\\Microsoft Configuration Manager\\bin\\x64\\Smsexec.exe
%ProgramFiles%\\Microsoft Configuration Manager\\bin\\x64\\Sitecomp.exe
%ProgramFiles%\\Microsoft Configuration Manager\\bin\\x64\\Smswriter.exe
%ProgramFiles%\\Microsoft Configuration Manager\\bin\\x64\\Cmupdate.exe
%ProgramFiles%\\Microsoft Configuration Manager\\bin\\x64\\Smssqlbkup.exe
%ProgramFiles%\\SMS_CCM\\Ccmexec.exeClient Process Exclusions
%Windir%\\CCM\\Ccmexec.exe
%Windir%\\CCM\\Ccmrepair.exe
%Windir%\\CCM\\ScClient.exe
%Windir%\\CCM\\CcmAADBroker.exe
%Windir%\\CCM\\RemCtrl\\CmRcService.exe
%windir%\\CCMSetup\\Ccmsetup.exe
%windir%\\CCMSetup\\autoupgrade\\Ccmsetup*.exeCcmsetup...exe
Step 6: Configure SQL Server Exclusions
For site database servers, refer to Microsoft’s guidelines for antivirus software on SQL Server systems. Additional database-specific exclusions may be required based on your SQL Server configuration.
Step 7: Apply and Test Exclusions
- After creating all exclusions, click Save in the CrowdStrike Console
- Allow 5-10 minutes for policies to propagate to endpoints
- Test in a non-production environment first: - Verify SCCM client installation works
- Test software deployments
- Check inventory collection
- Monitor site server performance
- Review CrowdStrike and SCCM logs for any remaining conflicts
- Gradually roll out to production after successful testing
Security Considerations and Best Practices
Risk Mitigation Strategies
- Compensating Controls:
- Enable Windows Defender Application Control on excluded paths where possible
- Implement enhanced monitoring on excluded directories
- Use SCCM’s built-in security features and compliance baselines
- Regular Reviews:
- Audit exclusions quarterly
- Remove unnecessary exclusions after SCCM upgrades or changes
- Document all exclusions and their business justification
- Principle of Least Privilege:
- Only exclude what’s absolutely necessary
- Use specific file paths rather than wildcards when possible
- Apply exclusions only to affected host groups, not globally
- Monitoring:
- Set up alerts for suspicious activity in excluded paths
- Monitor SCCM logs for unusual behavior
- Track file changes in excluded directories using SIEM
Performance vs. Security Trade-offs
| Exclusion Type | Performance Impact | Security Risk | Recommendation |
|---|---|---|---|
| Inboxes folders | High improvement | Medium | Required for stability |
| Cache folders | High improvement | Low | Recommended |
| Process exclusions | Medium improvement | High | Use sparingly |
| Content Library | High improvement | Medium | Required for DPs |
| Log folders | Low improvement | Low | Optional |
Troubleshooting
If Issues Persist After Applying Exclusions:
- Verify exclusion syntax – Ensure paths use correct variables and wildcards
- Check policy application – Confirm exclusions are active on affected systems
- Review both ML and Sensor Visibility tabs – Some exclusions need to be in both
- Temporarily disable prevention – Test if CrowdStrike is still the cause
- Contact support – Engage both Microsoft and CrowdStrike support if needed
Common Mistakes to Avoid:
- ❌ Using incorrect path variables
- ❌ Forgetting to apply exclusions to both ML and Sensor Visibility
- ❌ Not testing in non-production first
- ❌ Over-excluding (creating unnecessary security gaps)
- ❌ Not documenting exclusions for audit purposes
Maintenance and Updates
Review exclusions after:
- SCCM version upgrades
- CrowdStrike sensor updates
- Major Windows updates
- Changes to SCCM hierarchy
Keep documentation updated with:
- Current exclusion list
- Business justification for each exclusion
- Date of last review
- Risk acceptance from security team
The CrowdStrike Falcon Admin Cheat Sheet
Quick-reference commands, pre-built exclusion templates for SQL Server, SCCM, Exchange, and Domain Controllers, plus sensor health check scripts.
CrowdStrike Falcon Cheat Sheet — Commands, exclusion templates, and health scripts
Additional Resources
- Microsoft: Recommended antivirus exclusions for Configuration Manager
- CrowdStrike Falcon Documentation
- Configuration Manager Technical Documentation
Disclaimer
⚠️ Security Warning: Implementing these exclusions will reduce CrowdStrike Falcon’s ability to detect and prevent threats in the excluded locations. This creates potential security vulnerabilities that could be exploited by malicious actors. Organizations should:
- Carefully evaluate the security risks against operational requirements
- Implement compensating security controls where possible
- Maintain detailed documentation of all exclusions
- Regularly review and validate the continued need for exclusions
- Obtain formal risk acceptance from appropriate stakeholders
The exclusions in this guide are recommendations based on Microsoft’s guidelines and common SCCM deployment scenarios. Your specific environment may require different or additional exclusions. Always test thoroughly in a non-production environment before implementing in production.
- Last reviewed: February 2025
- Applies to: Configuration Manager (current branch), CrowdStrike Falcon