
Microsoft Defender for Endpoint Exclusions for IIS Guide

Configure Microsoft Defender for Endpoint exclusions for IIS to optimize performance, reduce CPU usage, and prevent ASP.NET compilation file conflicts.

Updated April 2026


Why IIS Requires Specific Defender Exclusions

Microsoft Defender for Endpoint provides robust security by scanning file system changes in real time. While this is essential for security, Internet Information Services (IIS) operates by constantly creating, reading, and deleting small files. These actions occur in high-traffic directories such as the ASP.NET temporary folder and the IIS log directories.

When Defender scans these rapid transactions, it creates a performance bottleneck. The scanning process, handled by the Antimalware Service Executable (MsMpEng.exe), competes for CPU cycles with the IIS Worker Process (w3wp.exe). This competition often results in high CPU utilization and increased latency for web requests. In some cases, the scanner may lock a file during a critical compilation phase, causing the web application to return 500 errors.

Properly configured exclusions tell the engine to skip specific, well-understood directories and processes. This reduces the overhead on the server while leaving the rest of the protection intact: you are not disabling real-time protection, you are tuning it to ignore predictable, high-volume activity. Every exclusion is still a blind spot, though. Keep the list to the entries below, review it whenever the server's role changes, and remember that excluded paths are exactly where an attacker who learns them will try to drop tooling.

Where to Configure Exclusions in the Microsoft Defender Portal

To apply these settings across your production fleet, use the centralized Microsoft Defender portal. This ensures consistency and prevents local configuration drift. Follow these steps to navigate to the correct section.

Step 1: Access Endpoint Settings

Open your web browser and navigate to the Microsoft Defender portal at security.microsoft.com. Use the left-hand navigation menu to find the Settings section near the bottom. Click on Endpoints to open the endpoint management panel.

Step 2: Locate Configuration Management

Within the Endpoints menu, look for the Configuration Management group. Click on the Exclusions link. This page lists all global exclusions currently applied to your managed devices. If you use Microsoft Intune for policy management, you may need to apply these settings through an Endpoint Security policy instead.

Step 3: Add the Exclusion Entry

Click the Add button or the plus icon to create a new exclusion. A side panel will appear. You will need to select the type of exclusion, such as File, Folder, Process, or Extension. For IIS, you will primarily use Folder and Process exclusions. Enter the path or name exactly as it appears on the server and click Save.

Use the following paths and processes to optimize your IIS environment. These are based on standard vendor recommendations for Windows Server and ASP.NET workloads.

Folder Exclusions

Add these directories to the folder exclusion list. A folder exclusion applies to the folder and everything beneath it, so there is no need to list subfolders separately.

  1. %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files. This folder holds the dynamically compiled assemblies for web applications. Scanning it causes significant lag during application pool recycles, when the folder is rewritten. If any application pool runs 32-bit (Enable 32-Bit Applications), add the matching %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files folder as well.
  2. %SystemRoot%\System32\Inetsrv\Config. This directory contains the IIS configuration files, including applicationHost.config. Frequent reads of applicationHost.config should not be delayed by security scans.
  3. C:\inetpub\temp\IIS Temporary Compressed Files. If you use static or dynamic compression, IIS caches the compressed versions of files here. Defender should not re-scan these files every time they are served to a client. The location is controlled by the directory attribute of system.webServer/httpCompression; if it has been moved, exclude the configured path instead.
  4. C:\inetpub\logs\LogFiles. IIS logs are appended to constantly. Scanning active log files can cause file lock contention and delay log writes. This is the default location; if the server or site logFile directory has been changed, exclude the configured path instead.

Process Exclusions

A process exclusion tells real-time protection not to scan files that the named executable opens or writes. It does not exclude the executable itself, and scheduled and on-demand scans still cover those files. Because it follows the worker process into every folder it touches, it is often more effective than folder exclusions alone. It is also the exclusion with the largest blind spot: a web shell or payload that a compromised application writes through the worker process is not inspected on write. Keep the list short and weigh the trade-off for internet-facing applications.

  1. %SystemRoot%\System32\inetsrv\w3wp.exe. This is the IIS Worker Process that handles web requests. Excluding it reduces the overhead of scanning every file your web apps open. Application pools running 32-bit use %SystemRoot%\SysWOW64\inetsrv\w3wp.exe, which needs its own entry.
  2. %SystemRoot%\System32\iisreset.exe. This utility runs infrequently, so excluding it buys very little; add it only if restarts are measurably slowed. Confirm the path on the server first (Get-Command iisreset.exe), since the binary ships in System32 rather than the inetsrv folder.

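The folder and process lists above, applied to a single server in one go. This is an added example, not code from the original page or from Microsoft. It assumes a default IIS installation with the WebAdministration module available; the Get-WebConfigurationProperty calls that read the configured log and compression directories from applicationHost.config, and the decision to skip folders that do not exist, are my choices, not part of the page. On servers managed through the Defender portal or Intune, prefer the central policy; locally added entries only take effect while local administrator merge is enabled.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the IIS exclusions locally with the Defender cmdlets.
# Not from the original page; assumes a default IIS layout (an assumption).

Import-Module WebAdministration -ErrorAction Stop

# Read the real log and compression directories from applicationHost.config so the
# exclusion matches what IIS actually uses rather than the default location.
function Get-IisDirectory {
    param([string]$Filter, [string]$Name, [string]$Default)
    try {
        $value = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                    -Filter $Filter -Name $Name).Value
        if ([string]::IsNullOrWhiteSpace($value)) { $value = $Default }
    } catch { $value = $Default }
    return [Environment]::ExpandEnvironmentVariables($value)
}

$logDir  = Get-IisDirectory 'system.applicationHost/sites/siteDefaults/logFile' 'directory' `
             '%SystemDrive%\inetpub\logs\LogFiles'
$compDir = Get-IisDirectory 'system.webServer/httpCompression' 'directory' `
             '%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files'

# Folder exclusions from the list above; the 32-bit Temporary ASP.NET Files folder is
# included for application pools that run 32-bit.
$folders = @(
    "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files",
    "$env:SystemRoot\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files",
    "$env:SystemRoot\System32\inetsrv\Config",
    $compDir,
    $logDir
)

# Process exclusions: the 64-bit and 32-bit worker processes only.
$processes = @(
    "$env:SystemRoot\System32\inetsrv\w3wp.exe",
    "$env:SystemRoot\SysWOW64\inetsrv\w3wp.exe"
)

$pref = Get-MpPreference

foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        # An exclusion for a path that does not exist yet is a scan-free zone for
        # whoever creates it later, so refuse rather than pre-register it.
        Write-Warning "Not excluding missing folder: $folder"
        continue
    }
    if ($pref.ExclusionPath -contains $folder) {
        Write-Host "Already excluded: $folder"
        continue
    }
    Add-MpPreference -ExclusionPath $folder
    Write-Host "Added folder exclusion: $folder"
}

foreach ($exe in $processes) {
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        Write-Warning "Not excluding missing executable: $exe"
        continue
    }
    if ($pref.ExclusionProcess -contains $exe) {
        Write-Host "Already excluded: $exe"
        continue
    }
    Add-MpPreference -ExclusionProcess $exe
    Write-Host "Added process exclusion: $exe"
}

# Show the effective lists as Defender now reports them.
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
```

The script expands %SystemRoot% and %SystemDrive% itself before calling Add-MpPreference, so the entries it creates are absolute paths; that is deliberate, because it lets the existence check run against the same string that ends up in the exclusion list.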
Verification Methods for Exclusion Policies

Once you have saved the exclusions in the portal, you must verify that they have reached the target servers. Policy propagation can take anywhere from a few minutes to an hour depending on your environment.

Using PowerShell

The fastest way to check which exclusions are actually in effect on a server is PowerShell. In an elevated session, run Get-MpPreference | Select-Object -ExpandProperty ExclusionPath to list the active file and folder exclusions, and Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess for process exclusions. These cmdlets report the merged result of every source (portal policy, Intune, GPO and local additions), so this is the list that matters. If both properties come back empty on a server you know is managed, check whether exclusions have been hidden from local users by policy before concluding they were not delivered.

Checking the Event Log

The Windows Event Viewer records when security settings are updated. Open Event Viewer and navigate to Applications and Services Logs. Go to Microsoft, then Windows, then Windows Defender, and finally Operational. Look for Event ID 5007. This event indicates that a configuration change has been made. The details tab will show exactly which paths were added to the exclusion list.
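The two checks above combined into one script: it compares the expected IIS entries against what Get-MpPreference reports and then pulls the Event ID 5007 records that touched the exclusion lists. This is an added example, not code from the original page. The expected set mirrors the lists earlier on this page; the path normalisation (expanding variables, dropping a trailing backslash, ignoring case) is my assumption about how to compare a policy entry with what the engine reports.

```powershell
# Added example: confirm the IIS exclusions are in effect and show when they arrived.
# Not from the original page. Expected entries mirror the lists above (an assumption).

$expectedPaths = @(
    '%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files',
    '%SystemRoot%\System32\inetsrv\Config',
    '%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files',
    '%SystemDrive%\inetpub\logs\LogFiles'
)
$expectedProcesses = @(
    '%SystemRoot%\System32\inetsrv\w3wp.exe'
)

# Normalise a path so that %SystemRoot%\x and C:\Windows\x, with or without a
# trailing backslash and regardless of case, compare equal.
function ConvertTo-ComparablePath {
    param([string]$Path)
    return [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\').ToLowerInvariant()
}

# Returns the expected entries that are not present in the active list.
function Test-ExclusionSet {
    param([string[]]$Expected, [string[]]$Active, [string]$Kind)
    $activeSet = @($Active | ForEach-Object { ConvertTo-ComparablePath $_ })
    $missing = @()
    foreach ($e in $Expected) {
        if ($activeSet -notcontains (ConvertTo-ComparablePath $e)) { $missing += $e }
    }
    if ($missing.Count -eq 0) {
        Write-Host "All expected $Kind exclusions are active."
    } else {
        Write-Warning "Missing $Kind exclusions:`n  $($missing -join "`n  ")"
    }
    return $missing
}

$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring) {
    Write-Warning 'Real-time protection is off; exclusions change nothing until it is re-enabled.'
}
# When exclusions are hidden from local users by policy, both properties come back empty.
if (-not $pref.ExclusionPath -and -not $pref.ExclusionProcess) {
    Write-Warning 'No exclusions visible locally; they may be hidden by policy or not yet delivered.'
}

$missingPaths = Test-ExclusionSet $expectedPaths     $pref.ExclusionPath    'folder'
$missingProcs = Test-ExclusionSet $expectedProcesses $pref.ExclusionProcess 'process'

# Event ID 5007 logs every Defender configuration change; keep those touching Exclusions
# and print the Old value / New value lines so the delivered paths are visible.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated,
        @{ Name = 'Change'; Expression = {
            ($_.Message -split '\r?\n' | Where-Object { $_ -match 'value:' }) -join ' | ' } } |
    Format-Table -AutoSize -Wrap
```

Run it after the propagation window has passed; a non-empty result from either Test-ExclusionSet call, with no matching 5007 event, means the policy never reached the server rather than that it was applied and later removed.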

Defender Portal Status

Return to the Microsoft Defender portal and check the Device Inventory. Click on a specific server and look at the Configuration discovery tab. This section should show the status of applied policies. If the policy is marked as Succeeded, the exclusions are likely active on the machine.

Common Pitfalls and Troubleshooting

Exclusions can fail to work for several reasons. One common mistake is relying on environment variables that do not expand the way you expect. Defender expands variables such as %SystemRoot%, %SystemDrive% and %ProgramFiles% in the context of the system account it runs as, so a user-specific variable like %UserProfile% does not point at any interactive user's profile. Use the full absolute path if you are unsure.

Another issue involves policy conflicts. By default, exclusions defined locally (including ones added with Add-MpPreference) are merged with those delivered by policy, so the effective set can be larger than the one you intended. If the "Configure local administrator merge behavior for lists" policy is enabled, local entries are ignored and only the policy-defined set applies; and when the Defender portal, Intune and a GPO each define a different list, only the authority that wins management of the device determines the result. Use the PowerShell command mentioned above to see the final resulting set of active exclusions rather than reasoning from any one policy source.

Case sensitivity is not an issue on Windows, and a folder exclusion covers the folder and everything beneath it. Standard practice is to enter the path without a trailing backslash (C:\inetpub\logs\LogFiles rather than C:\inetpub\logs\LogFiles\); if an entry does not appear to take effect, confirm the exact string the engine stored with Get-MpPreference. If the server still shows high CPU usage for MsMpEng.exe once the exclusions are active, check whether a third-party backup agent, a database engine or another high-churn process is also writing files and needs its own exclusions.
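Two troubleshooting checks that go beyond reading the configuration back, as an added example that is not part of the original page: a functional probe that tells you whether real-time protection is really skipping a folder, and a short CPU sample that separates scanner load from worker-process load. The probe uses the EICAR test string, the standard harmless detection test, assembled from two halves so the script file is not itself quarantined when saved; the 10-second wait, the counter names and the probe file naming are my assumptions.

```powershell
# Added example: functional check of a folder exclusion plus a CPU snapshot.
# Not from the original page.

# Drops an EICAR probe file into $Folder. If the folder is excluded, real-time
# protection never looks at the file and it survives; if the folder is scanned,
# Defender removes it and records a detection.
function Test-FolderExclusion {
    param([Parameter(Mandatory)][string]$Folder, [int]$WaitSeconds = 10)

    if ((Get-MpPreference).DisableRealtimeMonitoring) {
        throw 'Real-time protection is disabled; this test would pass for every folder.'
    }
    # EICAR test string, split in two so this script is not flagged on disk.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EI' + 'CAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    $probe = Join-Path $Folder ('exclusion-probe-{0}.txt' -f [guid]::NewGuid())

    [IO.File]::WriteAllText($probe, $eicar, [Text.Encoding]::ASCII)
    Start-Sleep -Seconds $WaitSeconds

    $detected = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { ($_.Resources -match [regex]::Escape($probe)) -and
                       $_.InitialDetectionTime -gt (Get-Date).AddMinutes(-2) }
    $survived = Test-Path -LiteralPath $probe
    if ($survived) { Remove-Item -LiteralPath $probe -Force }
    $threatId = if ($detected) { @($detected)[0].ThreatID } else { $null }

    return [pscustomobject]@{
        Folder    = $Folder
        Excluded  = ($survived -and -not $detected)
        ThreatID  = $threatId
    }
}

# Samples the scanner and every w3wp instance for a few seconds. Process counters sum
# across cores, so divide by the core count to get a whole-machine percentage. If
# MsMpEng stays high with the exclusions active, something else is generating churn.
function Get-ScannerCpuSnapshot {
    param([int]$Seconds = 10)
    $counters = '\Process(MsMpEng)\% Processor Time', '\Process(w3wp*)\% Processor Time'
    $samples = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples $Seconds `
                 -ErrorAction SilentlyContinue
    $cores = [int]$env:NUMBER_OF_PROCESSORS
    $samples.CounterSamples |
        Group-Object InstanceName |
        ForEach-Object {
            $avg = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            [pscustomobject]@{
                Process       = $_.Name
                AvgCpuPercent = [math]::Round($avg / $cores, 1)
            }
        }
}

# Usage: the log folder should report Excluded = True, wwwroot should report False.
Test-FolderExclusion -Folder "$env:SystemDrive\inetpub\logs\LogFiles"
Test-FolderExclusion -Folder "$env:SystemDrive\inetpub\wwwroot"
Get-ScannerCpuSnapshot -Seconds 10
```

Run the probe against one folder you expect to be excluded and one you expect to be scanned; a True on wwwroot means an exclusion is broader than intended (a parent folder or the w3wp.exe process exclusion is covering it), which is the failure mode worth catching before an attacker does.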

Authoritative Documentation and Resources

Microsoft frequently updates the UI and recommended paths for security products. For the most current technical specifications and a complete list of Windows Server exclusions, refer to the official documentation. The canonical source for this information is found at https://learn.microsoft.com/en-us/defender-endpoint/. Search specifically for "Configure and validate exclusions for Microsoft Defender Antivirus scans" to find the detailed reference tables for different server roles including IIS, SQL Server, and Domain Controllers.
