What needs to be excluded and why
Microsoft Defender for Endpoint provides deep visibility into system activity by intercepting file I/O operations and memory allocations. For a Hyper-V host, this interception adds significant latency to the virtualization stack. Virtual Machine Hard Disk (VHDX) files are essentially large database files that undergo constant, high-speed random writes during normal guest operation.
If the Defender scanner locks a VHDX file during a guest write operation, the virtual machine may experience I/O timeout errors. These errors often lead to blue screens inside the guest operating system or volume corruption. Additionally, the scanner's overhead can trigger disk queue spikes that affect every other virtual machine sharing the same physical storage volume.
The Virtual Machine Worker Process (Vmwp.exe) also requires direct, low-latency access to the host's physical memory. Scanning this process can cause significant CPU spikes that degrade the performance of the entire host. These conflicts often manifest as sluggish console response times or mysterious network drops within the virtual environment.
Live migration is another critical area of concern for security engineers. During a migration, the memory state of a running virtual machine is transferred across the network. If the security agent attempts to inspect this state mid-transfer, the migration window may close. This results in a failed migration and potential downtime for the application running within the virtual machine.
Where to add the exclusions in the Microsoft Defender portal
Centralized management of exclusions occurs within the Microsoft 365 Defender portal. Open your web browser and navigate to security.microsoft.com. Use the left-hand navigation pane to find the Settings icon near the bottom of the list. Click on Settings and then select Endpoints from the available options.
Once inside the Endpoints settings, look for the Configuration Management section. Click on the Exclusions link to open the management interface. This screen displays all active exclusions and allows you to create new ones for your environment. You will see a button labeled Add exclusion which opens a side panel for data entry.
Choose the appropriate type for each exclusion: File, Folder, or Process. You must define these exclusions here to ensure they are pushed to the cloud-managed devices. After entering the details, you can assign the exclusion to specific device groups. This ensures that your Hyper-V hosts receive the virtualization exclusions while your standard file servers or workstations do not.
The actual exclusion list
A complete exclusion strategy requires a combination of process, folder, and file extension definitions. Applying only one type often results in incomplete protection and continued performance issues.
Process exclusions
Start by excluding the core virtualization processes that handle guest execution. Add %systemroot%\System32\Vmms.exe to your process exclusion list. This service manages the state of all virtual machines and handles configuration requests. Next, add %systemroot%\System32\Vmwp.exe to the process exclusions. This is the Virtual Machine Worker Process that runs for every active virtual machine.
If you use the Hyper-V Shielded VM feature, you should also exclude %systemroot%\System32\Vmsp.exe. For hosts running Windows Server 2019 or later, add %systemroot%\System32\Vmcompute.exe to cover the Host Compute Service. These processes are trusted components and frequently interact with high-volume data streams that should not be throttled.
Folder and directory exclusions
Folder exclusions must cover the locations where your virtual disks and configuration files are stored. By default, Hyper-V uses %ProgramData%\Microsoft\Windows\Hyper-V for its primary configurations. You should also exclude any custom paths where you have stored your Virtual Hard Disks and Snapshot files. For instance, if you use a dedicated volume, exclude D:\Hyper-V\Virtual Machines\* to ensure all nested files are covered.
If your environment uses Cluster Shared Volumes, ensure you exclude C:\ClusterStorage\* to prevent scanning traffic on the shared storage fabric. This is critical for preventing latency in high-availability clusters. You should also exclude the default directory for virtual machine snapshots, which is often %ProgramData%\Microsoft\Windows\Hyper-V\Snapshots unless manually redirected.
File extension exclusions
Finally, configure file extension exclusions to act as a safety net for your storage. Add .vhd, .vhdx, .avhd, and .avhdx to the list. These extensions represent the primary storage and differencing disks for your virtual environment. You should also include .vsv for saved state files and .iso for disk images. These binary formats are large and do not benefit from real-time signature-based scanning during runtime.
Verification
Verifying that your exclusions are active prevents future troubleshooting headaches and ensures your security policy is effective. Use the following methods to confirm the configuration on your hosts.
Using PowerShell
The most direct method is using PowerShell on a target Hyper-V host. Open a PowerShell window as an Administrator and execute the command Get-MpPreference. Look at the properties named ExclusionPath, ExclusionProcess, and ExclusionExtension to see the live configuration. If these properties are empty, the host has not yet received the policy from the Defender portal.
Checking Event Logs
The Windows Event Viewer provides a historical record of configuration updates. Navigate to the Applications and Services Logs folder. Drill down into Microsoft, then Windows, then Windows Defender, and select the Operational log. Look for Event ID 5007 to find entries where the protection settings were modified. This log entry will confirm the timestamp and the specific user or system that applied the new exclusions.
Registry validation
You can also check the local registry to see what the agent has registered as active. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions. This key contains subkeys for Extensions, Paths, and Processes. While you should not edit these directly, they serve as a definitive source of truth for what the local engine is currently ignoring during its scans.
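The three verification methods above, combined into one script that compares the live Get-MpPreference output against the process, folder, and extension lists from the exclusion section, then pulls the recent Event ID 5007 entries and the local registry view. This is an added example, not a script from the article or from Microsoft; the D:\Hyper-V path is the article's hypothetical volume, so replace $expectedPaths with your own locations.

```powershell
# Added verification script (not from the original article). Expected values are the
# article's recommended exclusions; D:\Hyper-V is a hypothetical volume, adjust to yours.
#Requires -RunAsAdministrator
$expectedProcesses  = 'Vmms.exe','Vmwp.exe','Vmsp.exe','Vmcompute.exe' |
                      ForEach-Object { "%systemroot%\System32\$_" }
$expectedPaths      = '%ProgramData%\Microsoft\Windows\Hyper-V',
                      '%ProgramData%\Microsoft\Windows\Hyper-V\Snapshots',
                      'D:\Hyper-V\Virtual Machines\*',
                      'C:\ClusterStorage\*'
$expectedExtensions = 'vhd','vhdx','avhd','avhdx','vsv','iso'

# Normalise both sides so %systemroot% in the portal matches C:\Windows on the host,
# a trailing backslash or leading dot does not cause a false mismatch, and case is ignored
function Normalize([string]$s) {
    [Environment]::ExpandEnvironmentVariables($s).TrimEnd('\').TrimStart('.').ToLowerInvariant()
}

$pref = Get-MpPreference
$live = @{
    Process   = @($pref.ExclusionProcess)   | ForEach-Object { Normalize $_ }
    Path      = @($pref.ExclusionPath)      | ForEach-Object { Normalize $_ }
    Extension = @($pref.ExclusionExtension) | ForEach-Object { Normalize $_ }
}
$expected = @{
    Process   = $expectedProcesses  | ForEach-Object { Normalize $_ }
    Path      = $expectedPaths      | ForEach-Object { Normalize $_ }
    Extension = $expectedExtensions | ForEach-Object { Normalize $_ }
}

foreach ($kind in 'Process','Path','Extension') {
    foreach ($item in $expected[$kind]) {
        $status = if ($live[$kind] -contains $item) { 'OK     ' } else { 'MISSING' }
        "$status $kind exclusion: $item"
    }
}

# Pitfall check: Defender does not warn when an excluded path does not exist on this host
foreach ($p in ($expected.Path + $expected.Process)) {
    $concrete = $p -replace '\\\*$', ''        # drop a trailing \* before probing the disk
    if (-not (Test-Path -LiteralPath $concrete)) { "WARNING  not present on this host: $p" }
}

# Event ID 5007 records each protection-settings change, including exclusions pushed from the portal
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# Read-only look at the local engine's registered lists; the key may be SYSTEM-protected
try {
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions' -ErrorAction Stop |
        ForEach-Object { "$($_.PSChildName): $(($_.GetValueNames() | Select-Object -First 5) -join ', ')" }
} catch { "Registry read not permitted for the current user: $_" }
```

A MISSING line for every item means the host has not received the portal policy yet; a MISSING line for only some items usually points to a typo or wildcard difference between the portal entry and the host.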
Common pitfalls and what to do if the exclusion is not honored
The most frequent mistake is using incorrect wildcard syntax in the portal. Defender for Endpoint handles wildcards differently than standard command-line tools. For example, excluding C:\VMs without a trailing backslash might only exclude the folder itself rather than the contents. Always use C:\VMs\* to ensure all subdirectories and files are covered by the rule properly.
Another common pitfall is the conflict between local and cloud-based policies. If a server was previously managed by Group Policy, those local settings might take precedence over the portal configuration. Use the Get-MpPreference command to check if DisableLocalAdminMerge is set to true. If it is, local exclusions added by server admins will be ignored in favor of the centralized policy.
Typos in process names or paths can silently break your optimization strategy. Defender will not alert you if you exclude a path that does not exist on the host. Double-check that you are using the correct system variables or absolute paths for your specific server versions. If performance issues persist, use the MDE Client Analyzer tool to generate a detailed report on which files are still being scanned.
Where to find the vendor's authoritative documentation
Microsoft maintains a living document for all Defender for Endpoint requirements. As the Windows Server platform evolves, these exclusion recommendations may change to include new services or file formats. The primary resource for these updates is the Microsoft Learn site. You can access the canonical documentation at https://learn.microsoft.com/en-us/defender-endpoint/.
This site includes specific sections for server-side configurations and troubleshooting performance. It also provides guidance on how to use the Performance Analyzer for Microsoft Defender. This tool helps you identify the top files and processes causing scan overhead in your specific environment. Regular audits of this documentation ensure your security settings remain aligned with current best practices for virtualization hosts.