
Microsoft Defender for Endpoint exclusions for SCCM

Configure Microsoft Defender for Endpoint exclusions for SCCM sites. Learn folder, process, and database exclusions to prevent performance failures.

12 min read | Updated April 2026


Importance of Exclusions for Management Infrastructure

Microsoft Defender for Endpoint uses a real-time scanning engine that monitors every file operation. While this is necessary for a strong security posture, it creates a conflict with the high-intensity operations of Microsoft Configuration Manager (SCCM). SCCM servers move massive amounts of data during content distribution and process thousands of small files in their inbox directories.

When the Defender filter driver intercepts these operations, disk latency increases. That latency can cause the SMS_EXECUTIVE service to time out or crash, and it commonly surfaces as "Access Denied" errors during package hashing or file moves when the scanner still holds a handle on a file the site server is trying to rename. Properly configured exclusions let the engine skip these known, high-churn directories and processes so the site stays stable without disabling the antivirus. Every exclusion is also a blind spot, so keep the list to the paths and processes Microsoft documents, use full paths rather than bare names, and make sure only the site system accounts can write to the excluded folders.

Where you configure exclusions depends on how the site systems are managed. Path and process exclusions are not set under Settings > Endpoints > Rules > Indicators in the Microsoft Defender portal (security.microsoft.com): indicators cover file hashes, IP addresses, URLs and domains, and certificates, and are a separate allow/block mechanism from antivirus exclusions.

If your servers are enrolled through Defender for Endpoint security settings management (no Intune or Configuration Manager client enrollment), open the portal, go to Settings > Endpoints > Configuration management > Endpoint security policies, and create a Microsoft Defender Antivirus policy. Its Exclusions section holds the excluded paths, processes, and extensions. If the servers are managed by the Configuration Manager client itself, the same settings live in the console under Assets and Compliance > Endpoint Protection > Antimalware Policies, in the Exclusion settings of the policy deployed to the site server collection.

If your site systems are managed via Microsoft Intune, go to the Intune admin center. Select Endpoint security from the sidebar, click Antivirus, and open the Microsoft Defender Antivirus policy assigned to your SCCM servers. On the Configuration settings tab, expand the Exclusions section and fill in Excluded Paths, Excluded Processes, and Excluded Extensions.

Required Folder Exclusions

The following directories must be excluded on your site servers and distribution points. If you installed SCCM to a non-standard drive, adjust these paths accordingly.

Site Server Directories

Exclude the site installation folder, typically C:\Program Files\Microsoft Configuration Manager, or more precisely its high-churn subfolders. Microsoft's own list is narrower than the whole tree: it names subfolders such as Inboxes, Logs, and EasySetupPayload rather than the installation root. Prefer that narrower set where you can. Excluding the entire tree also covers the bin folder, which means a replaced or planted binary there is never scanned.

Exclude the inbox directory. This is the most active folder on a site server. Microsoft's article writes it as %SMS_INSTALL_DIR%\Inboxes, but that variable is Configuration Manager's, not Windows'; Defender will not expand it, so enter the resolved path, for example C:\Program Files\Microsoft Configuration Manager\Inboxes. Real-time scanning here can stall all communication between the site server and its clients.

Exclude the EasySetupPayload folder. This folder is used during site updates and version upgrades. Scanning these files during an update can cause the upgrade process to fail, potentially corrupting the site installation.

Distribution Point Directories

The Content Library is the most critical exclusion for distribution points. By default it is at %SystemDrive%\SCCMContentLib, but it can be placed on any drive, so check the actual location on each DP. This folder is the single-instance store of every file in every application and package distributed to that DP.

Exclude the SMSPKG folders. On the site server SMSPKG holds the compressed package copies, and SCCM creates SMSPKG-style folders and shares on every drive where content is stored, so paths like D:\SMSPKG or E:\SMSPKG must each be added. Also include SMSPKGSIG, which holds the package signature files, and SMSTEMP, which is used for temporary extraction.

Client and Site System Directories

On every machine with an SCCM agent, exclude the %Windir%\CCM folder. This is the heart of the client operations. Also exclude %Windir%\CCMCache, as this is where packages are downloaded before execution. Scanning large installers while they are being cached causes significant CPU load for end users.

Required Process Exclusions

Process exclusions tell the antivirus not to scan files opened by specific executables, wherever those files are. This complements folder exclusions because it covers a process regardless of where it writes data; the executable itself is still scanned. Always specify the process by full path. If you enter only a file name, Defender excludes any process with that name from any location, so an attacker who can run a binary renamed ccmexec.exe from a writable folder gets its file activity excluded for free. Verify the executable names against Microsoft's current recommended-exclusions article for your branch, since the list changes between releases.

Core Services

Exclude Smsexec.exe. This is the primary executive service for the site server. It handles everything from discovery to deployment.

Exclude Ccmexec.exe. This is the host process for the Configuration Manager client. It runs on every managed device in your environment.

Distribution and Maintenance

Exclude Smsdpprov.exe. This process manages the distribution point provider tasks.

Exclude Dpsysmon.exe. This process monitors the health and status of the distribution point.

Exclude Smsbkup.exe. This is the process responsible for site backups. Scanning the backup files as they are being written can lead to incomplete or failed backup sets.

Database and SQL Server Exclusions

Configuration Manager relies on a SQL Server backend. If SQL is running on your site server, you must exclude the database files.

Add exclusions for the .mdf, .ldf, and .ndf file extensions, or better, for the specific data and log directories of the site database instance. These are the data, transaction log, and secondary data files of SQL Server. A scanner opening an active database file can block or delay SQL I/O, and a scanner holding a handle at the wrong moment produces I/O and sharing-violation errors that look like corruption and take the whole site down. Exclude the sqlservr.exe process of the site database instance by full path as well, and the folder where SQL backups are written if backups run on the same host.

Also exclude the instance's Log folder, which holds the SQL Server error log and trace files. High-volume SQL logging can keep the real-time scanner busy, creating a feedback loop of high CPU usage.
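The exclusion set from the sections above, applied locally with Add-MpPreference as an added example (this is not code from the page or from Microsoft). It resolves the site install directory from the registry value site setup writes (assumed to be HKLM\SOFTWARE\Microsoft\SMS\Identification, value "Installation Directory"), discovers content folders on every fixed drive instead of guessing drive letters, and adds process exclusions by full path for the binaries that actually exist; the bin\X64 and CCM binary locations are assumptions filtered by Test-Path. This is for a lab or a server that no central policy manages: under Intune, Group Policy, or a Configuration Manager antimalware policy, put the same values into that policy, because policy overrides local settings and Tamper Protection blocks local changes.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the SCCM exclusions locally with Add-MpPreference.
# Intended for a lab or a server that no Intune/GPO/SCCM antimalware policy
# manages; policy overrides these values and Tamper Protection blocks them.

# Site install directory as written by site setup (assumption: this registry
# value; fall back to the default path on a box that is only a DP or client).
$idKey = 'HKLM:\SOFTWARE\Microsoft\SMS\Identification'
$smsInstallDir = (Get-ItemProperty -Path $idKey -Name 'Installation Directory' `
    -ErrorAction SilentlyContinue).'Installation Directory'
if (-not $smsInstallDir) { $smsInstallDir = 'C:\Program Files\Microsoft Configuration Manager' }

# Defender expands only a fixed set of system variables (%SystemDrive%,
# %windir%, %ProgramFiles%, ...) and never SCCM's %SMS_INSTALL_DIR%, so build
# absolute paths instead of relying on variables.
$paths = [System.Collections.Generic.List[string]]::new()
$paths.Add((Join-Path $smsInstallDir 'Inboxes'))
$paths.Add((Join-Path $smsInstallDir 'Logs'))
$paths.Add((Join-Path $smsInstallDir 'EasySetupPayload'))
$paths.Add((Join-Path $env:windir 'CCM'))
$paths.Add((Join-Path $env:windir 'CCMCache'))

# Content folders can sit on any fixed drive: discover them rather than
# hard-coding drive letters, and skip names that do not exist on this box.
$fixedDrives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($drive in $fixedDrives) {
    foreach ($name in 'SCCMContentLib', 'SMSPKG', 'SMSPKGSIG', 'SMSTEMP') {
        $candidate = Join-Path $drive.Root $name
        if (Test-Path -LiteralPath $candidate -PathType Container) { $paths.Add($candidate) }
    }
}

# Process exclusions by FULL path. A bare name like "smsexec.exe" would also
# exclude files opened by any same-named binary dropped elsewhere on the box.
# Binary locations are assumptions; only those present on disk are added.
$processCandidates = @(
    (Join-Path $smsInstallDir 'bin\X64\smsexec.exe')
    (Join-Path $smsInstallDir 'bin\X64\smsbkup.exe')
    (Join-Path $env:windir 'CCM\CcmExec.exe')
)
$processes = @($processCandidates | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })

Add-MpPreference -ExclusionPath $paths.ToArray()
if ($processes.Count -gt 0) { Add-MpPreference -ExclusionProcess $processes }

# SQL data/log file extensions only where the database engine is installed.
if (Get-Service -Name 'MSSQL*' -ErrorAction SilentlyContinue) {
    Add-MpPreference -ExclusionExtension 'mdf', 'ldf', 'ndf'
}

# Read back what took effect; a central policy may have overridden the change.
$pref = Get-MpPreference
'--- Paths ---';      $pref.ExclusionPath      | Sort-Object
'--- Processes ---';  $pref.ExclusionProcess   | Sort-Object
'--- Extensions ---'; $pref.ExclusionExtension | Sort-Object
```

The script deliberately excludes the Inboxes, Logs, and EasySetupPayload subfolders rather than the whole installation tree, so the bin folder stays scanned. Run it on each role separately: a site server, a remote DP, and a plain client each end up with only the folders that exist on that box.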

Verification of Applied Exclusions

Once you have configured the exclusions, you must verify that they are active on the target servers. You can do this through several methods.

PowerShell Validation

Open a PowerShell console as an Administrator and run Get-MpPreference. Check the ExclusionPath, ExclusionProcess, and ExclusionExtension fields. Each SCCM path and executable should appear there as a resolved absolute path, exactly as you entered it in the policy; an entry that still shows an unexpanded variable such as %SMS_INSTALL_DIR% is not protecting anything.

Event Viewer Check

Open the Event Viewer on the site server. Navigate to Applications and Services Logs. Expand Microsoft, then Windows, then Windows Defender. Click on the Operational log. Look for Event ID 5007. This event records every time a configuration change is made to the Defender engine. The details will list the specific exclusions that were added.
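The PowerShell and Event Viewer checks above, combined into one verification script as an added example (not code from the page). It diffs the expected set against Get-MpPreference, then asks the engine directly through MpCmdRun.exe -CheckExclusion whether each folder is covered, and finally pulls the Event ID 5007 configuration-change records that touched the Exclusions keys. The expected values assume the default install drive; adjust them for your site.

```powershell
#Requires -RunAsAdministrator
# Added example: confirm the SCCM exclusions are in effect on this server.
# Expected values are the ones listed above as absolute paths on the default
# drive; adjust for a non-standard install location.

$expectedPaths = @(
    'C:\Program Files\Microsoft Configuration Manager\Inboxes'
    'C:\Program Files\Microsoft Configuration Manager\EasySetupPayload'
    'C:\SCCMContentLib'
    'C:\Windows\CCM'
    'C:\Windows\CCMCache'
)
$expectedProcesses = @(
    'C:\Program Files\Microsoft Configuration Manager\bin\X64\smsexec.exe'
    'C:\Windows\CCM\CcmExec.exe'
)

# Defender matches exclusions case-insensitively; compare the same way and
# ignore a trailing backslash so "C:\SCCMContentLib\" and "C:\SCCMContentLib" agree.
function Normalize-Exclusion([string]$Value) { $Value.TrimEnd('\').ToLowerInvariant() }

$pref      = Get-MpPreference
$havePaths = @($pref.ExclusionPath    | ForEach-Object { Normalize-Exclusion $_ })
$haveProcs = @($pref.ExclusionProcess | ForEach-Object { Normalize-Exclusion $_ })

$missing = @(
    $expectedPaths     | Where-Object { (Normalize-Exclusion $_) -notin $havePaths } | ForEach-Object { "path:    $_" }
    $expectedProcesses | Where-Object { (Normalize-Exclusion $_) -notin $haveProcs } | ForEach-Object { "process: $_" }
)
if ($missing.Count) { Write-Warning ("Missing exclusions:`n  " + ($missing -join "`n  ")) }
else { Write-Host 'All expected SCCM exclusions are present in Get-MpPreference.' }

# Ask the engine itself whether each folder is excluded. This catches typos,
# unresolved variables and wildcard mistakes that a string compare cannot see.
# (-CheckExclusion is available on current Defender platform versions.)
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
foreach ($p in $expectedPaths) {
    Write-Host "`n[$p]"
    & $mpCmdRun -CheckExclusion -path $p
}

# Event 5007 logs each Defender configuration change with old and new values;
# keep only the ones that touched the Exclusions registry keys this week.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\Exclusions\\' } |
    Select-Object TimeCreated, Message |
    Format-List
```

A path that passes the string comparison but fails -CheckExclusion is the interesting case: it usually means the entry was stored with an unexpanded variable or a wildcard that does not match the real layout.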

Performance Monitoring

Use Resource Monitor to watch the disk activity of Smsexec.exe or Ccmexec.exe. If the MsMpEng.exe process (the Defender engine) shows high disk or CPU usage while the SCCM processes are active, the exclusions may not be working correctly.

Common Pitfalls and Troubleshooting

One common mistake is using environment variables that the Defender service cannot resolve. Defender runs as SYSTEM and expands only a fixed set of system variables such as %ProgramFiles%, %ProgramData%, %SystemDrive%, %SystemRoot%, and %windir%. User-profile variables and application variables like %SMS_INSTALL_DIR% are not expanded, so the exclusion silently matches nothing. Use one of the supported system variables or an absolute path such as C:\Program Files\Microsoft Configuration Manager\Inboxes.

Another issue is misunderstanding wildcards. Defender does accept * and ? in path exclusions, but * stands in for a single folder level only: C:\SCCM\*\Logs matches C:\SCCM\Site\Logs and not C:\SCCM\Site\Sub\Logs. Folder exclusions already apply recursively to everything beneath them, so in most cases it is clearer to exclude the specific parent folder, or to list each subfolder explicitly, than to rely on a wildcard pattern. Do not put a wildcard in the drive letter.

Check for policy conflicts. Exclusions can arrive from Group Policy, from Intune (MDM), from a Configuration Manager antimalware policy, and from local Add-MpPreference calls, and the channels do not always merge the way you expect. If the "local administrator merge" behavior is disabled by policy, locally added exclusions are ignored; with Tamper Protection on, local changes are blocked outright. The effective list on a machine is what Get-MpPreference reports, Event ID 5007 records each change with its old and new value, and MpCmdRun.exe -CheckExclusion -path <path> asks the engine whether a specific path is currently excluded.
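A way to see which channel supplied each effective path exclusion, as an added example (not code from the page). The Group Policy key, HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths, is the documented one, with one value per excluded path; the MDM key under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Defender and its pipe-separated ExcludedPaths value are assumptions and are skipped if absent. Anything effective that neither key declares came from a local call, a Configuration Manager antimalware policy, or another source the script does not read.

```powershell
#Requires -RunAsAdministrator
# Added example: attribute each effective path exclusion to the policy channel
# that supplied it, so overlapping GPO / Intune / local settings are visible.
# The Group Policy key is the documented one; the MDM (PolicyManager) key and
# its "|"-separated value format are assumptions and are skipped if absent.

$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths'
$mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Defender'

$bySource = [ordered]@{}
# GPO writes one REG_DWORD value per excluded path; the value NAME is the path.
$bySource['Group Policy'] = @((Get-Item -Path $gpoKey -ErrorAction SilentlyContinue).Property)
# Intune / MDM stores the CSP setting as a single delimited string of paths.
$mdm = (Get-ItemProperty -Path $mdmKey -Name ExcludedPaths -ErrorAction SilentlyContinue).ExcludedPaths
$bySource['MDM (Intune)'] = @(if ($mdm) { $mdm -split '\|' })

# What the engine actually enforces right now.
$effective = @((Get-MpPreference).ExclusionPath)

$report = foreach ($path in $effective) {
    # -contains compares strings case-insensitively, like Defender does.
    $from = @($bySource.Keys | Where-Object { $bySource[$_] -contains $path })
    [pscustomobject]@{
        Exclusion = $path
        Source    = if ($from.Count) { $from -join ', ' } else { 'local, SCCM antimalware policy, or other' }
    }
}
$report | Sort-Object Source, Exclusion | Format-Table -AutoSize

# Paths a policy declares that are NOT effective point to a precedence or
# merge problem (local-admin merge disabled, a later policy winning, or a
# value written with a trailing backslash or unexpanded variable).
foreach ($name in $bySource.Keys) {
    $bySource[$name] | Where-Object { $_ -and ($effective -notcontains $_) } |
        ForEach-Object { Write-Warning "$name declares '$_' but it is not in the effective list" }
}
```

Run it on a server that shows symptoms even though the portal says the policy applied: a declared-but-not-effective warning tells you to look at merge settings and policy precedence rather than at the exclusion values themselves.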

Authoritative Documentation Sources

The configuration requirements for security software change as new versions of Configuration Manager are released. Always refer to the Microsoft Learn site for the most current guidance.

The primary resource is the Microsoft Defender for Endpoint documentation at https://learn.microsoft.com/en-us/defender-endpoint/. You should also review the "Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients" article on the Microsoft Support site.

For SQL Server specific exclusions, refer to the database engine documentation at https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/security/antivirus-software-on-sql-server. This ensures your backend remains performant and protected.
