Why SharePoint Requires Specific Exclusions
SharePoint Server is a resource-intensive application platform. It relies on frequent file writes and database transactions to maintain search indexes and content availability. Microsoft Defender for Endpoint provides robust security by monitoring these activities. However, the default real-time scanning behavior often clashes with the high-velocity operations of a SharePoint farm.
When the security agent inspects every file the SharePoint Search Service touches, performance degrades significantly. This conflict causes search crawl delays and failed timer jobs. In some cases, real-time scanning can lock files exactly when SharePoint needs to modify them. This leads to data corruption in the search index or content databases. Implementing targeted exclusions ensures the system remains secure without sacrificing the stability of your collaboration environment.
Navigating the Microsoft Defender Portal
Managing exclusions for a production farm should be done centrally. Open your web browser and navigate to the Microsoft Defender portal. The standard address is security.microsoft.com. Use an account with Security Administrator or Global Administrator privileges to ensure you have the necessary permissions for configuration changes.
Locate the Settings option in the bottom section of the left-hand navigation pane. Once the Settings page opens, select Endpoints from the list of available services. Look for the Configuration Management section in the middle of the screen. Click on Exclusion Lists. This interface allows you to define exclusions that apply across different server groups. Click the Add button to start a new entry. You will be prompted to choose the type of exclusion, such as a file path or a process name. Provide a clear description for each entry to assist other engineers during future audits.
The Microsoft Defender Exclusion List for SharePoint
A standard SharePoint Server farm requires three types of exclusions. These include folder paths, specific file extensions, and executable processes. Each serves a different purpose in reducing scanning overhead while maintaining a strong security posture.
Folder Path Exclusions
Add the primary installation and data directories to your path exclusions. Use the following examples as a baseline for your configuration, adjusting for your specific drive letters.
The Web Server Extensions directory is critical. For SharePoint 2016 and 2019, this is typically located at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16. This folder contains the core binaries and templates used by the web application. Monitoring this directory leads to significant overhead during page rendering.
Exclude the IIS Temporary ASP.NET Files folder. The path is usually C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files. SharePoint uses this location to compile and cache web parts and pages. Scanning this folder causes noticeable latency for end users accessing the site.
Exclude your Search Index location. This is often a custom path configured on a dedicated data drive during the initial farm setup. If you are unsure of the path, check the Search Service Application settings in SharePoint Central Administration. Common paths include E:\SPSearchIndex or similar structured directories. Search indexing involves thousands of small file writes that will trigger constant security alerts if not excluded.
Exclude the ULS Log directory. SharePoint writes diagnostic data to these files constantly. Monitoring this directory provides little security value but consumes significant CPU cycles. The default path is C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\LOGS.
Process Exclusions
Process exclusions tell the security agent to trust the activity originating from specific binaries. This is often more effective than path exclusions for high-transaction services.
Exclude the SharePoint Timer Service. The executable name is OWSTIMER.EXE. This process handles background tasks like alerts, workflow cleanup, and site collection maintenance. If this process is slowed by scanning, background tasks will pile up and eventually time out.
Exclude the IIS Worker Process. The executable name is W3WP.EXE. Since this process handles all incoming web traffic, excluding it reduces the latency for every page load. This is especially important for sites with high user concurrency.
Exclude the Search Service processes. These include MSSERI.EXE and noderunner.exe. The noderunner.exe process is particularly important as it handles the heavy lifting for search indexing and query processing. Excluding these processes is the most effective way to resolve search-related performance issues.
Exclude the SharePoint Usage Provider. The executable name is mssdmn.exe. This process handles the collection of usage data and health metrics across the farm. Constant scanning of this process can result in inaccurate health reporting or missing usage statistics.
File Extension Exclusions
In addition to specific paths, exclude the file types used by the underlying databases. This applies specifically to the SQL Server instances supporting your SharePoint farm.
Exclude .mdf, .ldf, and .ndf files. These are the primary data and log files for SQL Server. Real-time scanning of these files during database writes can cause transaction timeouts and database offline errors. These files are typically locked by the SQL service, but scanning attempts still consume resources.
Exclude .bak and .trn files. These are used for database backups and transaction log backups. High volume backup operations will trigger heavy scanning if these extensions are not excluded. This often results in backup jobs taking twice as long as necessary.
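The three exclusion types above, applied on a single server with Add-MpPreference. This is an added example, not code from the original article or from Microsoft; it is meant for a lab or a server that is not managed centrally, since on a portal-managed farm the portal list is authoritative and local entries may be merged with or overridden by it. It assumes an elevated 64-bit PowerShell session, the 16 hive under %CommonProgramFiles%, and a search index at E:\SPSearchIndex (replace with the path shown in Central Administration).

```powershell
# Added example, not code from the original article or from Microsoft.
# Applies the article's SharePoint baseline on the local host with Add-MpPreference.
# Assumptions: elevated 64-bit PowerShell, the 16 hive under %CommonProgramFiles%,
# and a search index at E:\SPSearchIndex. Intended for lab or non-centrally-managed
# servers; portal-managed hosts should receive the list from the portal instead.
#Requires -RunAsAdministrator

function Add-SharePointDefenderExclusions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed search index location; confirm it in the Search Service Application settings.
        [string]$SearchIndexPath = 'E:\SPSearchIndex',
        # Set this switch only on the SQL Server hosts that back the farm.
        [switch]$SqlTier
    )

    $hive       = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16'
    # Resolve the ASP.NET temp folder from the loaded runtime instead of hard-coding v4.0.30319.
    $runtimeDir = [System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()

    $paths = @(
        $hive,
        (Join-Path $hive 'LOGS'),
        (Join-Path $runtimeDir 'Temporary ASP.NET Files'),
        $SearchIndexPath
    )
    $processes  = 'OWSTIMER.EXE', 'W3WP.EXE', 'MSSERI.EXE', 'noderunner.exe', 'mssdmn.exe'
    $extensions = 'mdf', 'ldf', 'ndf', 'bak', 'trn'

    # Exclude only folders that exist: an exclusion for a folder that does not exist yet
    # is a ready-made blind spot for whatever creates it later.
    $present = @($paths | Where-Object { Test-Path -LiteralPath $_ -PathType Container })
    foreach ($p in $paths) {
        if ($p -notin $present) { Write-Warning "Skipping path that does not exist on this host: $p" }
    }

    if ($present.Count -gt 0 -and $PSCmdlet.ShouldProcess(($present -join '; '), 'Add path exclusions')) {
        Add-MpPreference -ExclusionPath $present
    }
    if ($PSCmdlet.ShouldProcess(($processes -join '; '), 'Add process exclusions')) {
        Add-MpPreference -ExclusionProcess $processes
    }
    if ($SqlTier -and $PSCmdlet.ShouldProcess(($extensions -join '; '), 'Add extension exclusions')) {
        Add-MpPreference -ExclusionExtension $extensions
    }

    # Echo the resulting local configuration so the change is visible immediately.
    Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension
}

# Usage on a SharePoint web or application server; add -SqlTier on the SQL hosts.
# -WhatIf previews the entries without applying them; drop it to commit.
Add-SharePointDefenderExclusions -SearchIndexPath 'E:\SPSearchIndex' -WhatIf
```

The extension exclusions are deliberately behind a switch because they belong on the SQL tier only; applying .mdf or .bak exclusions to a web front end gives up coverage there for no performance gain.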
Verification Procedures
After applying the exclusions in the portal, you must verify that the local servers have received the updates. Policy propagation can take several minutes or longer depending on your network topology and sync intervals.
Using PowerShell for Verification
Open an elevated PowerShell prompt on one of your SharePoint servers. Run the command Get-MpPreference. Review the output for the ExclusionPath and ExclusionProcess lists. Ensure that the paths and process names you entered in the portal appear correctly in this local configuration.
If you do not see the updates, trigger a signature update and policy refresh. Use the command Start-MpSignatureUpdate to force the agent to check for new configurations. You can also restart the Microsoft Defender Antivirus service to force a re-read of the applied policies.
Event Log Inspection
Check the Windows Event Viewer for confirmation of policy application. Navigate to Applications and Services Logs, then Microsoft, then Windows, then Windows Defender. Open the Operational log. Look for Event ID 5007. This event indicates that a configuration change has occurred. The details of the event will list the specific exclusions that were added to the system. This provides an audit trail showing exactly when the changes took effect.
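Both verification steps, the Get-MpPreference review and the Event ID 5007 check, combined into one script. This is an added example, not code from the original article or from Microsoft. The default expected lists are the article's baseline with assumed C: and E: drive letters; pass your own lists if the farm uses different ones.

```powershell
# Added example, not code from the original article or from Microsoft.
# Compares the local Defender configuration with the expected SharePoint exclusions and
# pulls the Event ID 5007 entries that touched exclusions from the Operational log.
# Default expected lists use assumed C: and E: drive letters.

function Test-SharePointDefenderExclusions {
    param(
        [string[]]$ExpectedPaths = @(
            'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16',
            'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\LOGS',
            'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files',
            'E:\SPSearchIndex'   # assumed search index location
        ),
        [string[]]$ExpectedProcesses = @('OWSTIMER.EXE', 'W3WP.EXE', 'MSSERI.EXE', 'noderunner.exe', 'mssdmn.exe'),
        [int]$LookBackHours = 24
    )

    $pref    = Get-MpPreference
    $results = New-Object System.Collections.Generic.List[object]

    # Paths are compared without a trailing backslash so 'E:\SPSearchIndex\' still counts.
    foreach ($expected in $ExpectedPaths) {
        $hit = @($pref.ExclusionPath) | Where-Object { $_ -and $_.TrimEnd('\') -ieq $expected.TrimEnd('\') }
        $results.Add([pscustomobject]@{ Type = 'Path'; Entry = $expected; Present = [bool]$hit })
    }
    # Process exclusions may be stored as bare names or full paths; compare the leaf only.
    foreach ($expected in $ExpectedProcesses) {
        $hit = @($pref.ExclusionProcess) | Where-Object { $_ -and (Split-Path -Leaf $_) -ieq $expected }
        $results.Add([pscustomobject]@{ Type = 'Process'; Entry = $expected; Present = [bool]$hit })
    }

    # Event 5007 records every configuration change; keep the ones whose registry
    # value sits under ...\Exclusions\ so unrelated setting changes are filtered out.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$LookBackHours)
    }
    $changes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\Exclusions\\' } |
        Select-Object TimeCreated, @{ n = 'Detail'; e = { ($_.Message -split "`n")[-1].Trim() } })

    [pscustomobject]@{
        Missing         = @($results | Where-Object { -not $_.Present })
        Present         = @($results | Where-Object { $_.Present })
        ExclusionEvents = $changes
    }
}

$report = Test-SharePointDefenderExclusions
if ($report.Missing.Count -eq 0) { 'All expected exclusions are present locally.' }
else { $report.Missing | Format-Table -AutoSize }
$report.ExclusionEvents | Format-Table -AutoSize
```

Run it on each server in the farm after a portal change; a host that reports missing entries but no recent 5007 events has not received the policy yet, while one that shows the 5007 events but still reports entries missing points at a formatting mismatch between what was entered and what the agent stored.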
Common Pitfalls and Troubleshooting
Even with a correct list, exclusions may fail to function as expected. This often happens due to minor configuration errors or environmental factors. One common mistake is using UNC paths for folder exclusions. Microsoft Defender for Endpoint generally requires local drive letters. If your search index is on a network share, map it to a local drive letter or exclude the specific process that accesses the share rather than the path.
Another issue involves environment variables. While some systems allow %ProgramFiles%, it is safer to use the literal path like C:\Program Files. The security agent may not always resolve variables correctly depending on the context of the service account running the process. Literal paths eliminate this ambiguity.
Check for inheritance conflicts in your management tools. If your servers are managed by both Intune and Group Policy, the settings might overwrite each other. Ensure that only one management tool is responsible for defining the exclusion list. Use the MDE Client Analyzer tool to identify which policy is winning if you see inconsistent behavior across the farm.
Verify the case sensitivity of your entries. While Windows paths are generally case insensitive, some versions of the security agent have shown sensitivity in process exclusions. Match the casing seen in Task Manager exactly to ensure the exclusion is honored correctly.
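A check for the pitfalls described in this section, run against the exclusions currently applied on a host. This is an added example, not code from the original article or from Microsoft. It assumes that Get-Process reports the image name with the same casing Task Manager shows.

```powershell
# Added example, not code from the original article or from Microsoft.
# Flags UNC paths, environment variables, folders absent from this host, and process
# exclusions whose casing differs from the running image. Assumes Get-Process reports
# image names with the casing Task Manager shows.

function Find-DefenderExclusionPitfalls {
    $pref     = Get-MpPreference
    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding($Entry, $Issue) {
        $findings.Add([pscustomobject]@{ Entry = $Entry; Issue = $Issue })
    }

    foreach ($path in @($pref.ExclusionPath)) {
        if (-not $path) { continue }
        if ($path -like '\\*') {
            Add-Finding $path 'UNC path: map to a local drive letter or exclude the accessing process instead'
        }
        elseif ($path -match '%[^%]+%') {
            Add-Finding $path 'Environment variable: replace with the literal path'
        }
        elseif ($path -notmatch '[\*\?]' -and -not (Test-Path -LiteralPath $path)) {
            Add-Finding $path 'Path does not exist on this host (typo, wrong drive letter, or stale entry)'
        }
    }

    # Running image names as the OS reports them, one entry per name.
    $running = Get-Process | ForEach-Object { "$($_.ProcessName).exe" } | Sort-Object -Unique
    foreach ($proc in @($pref.ExclusionProcess)) {
        if (-not $proc) { continue }
        $leaf  = Split-Path -Leaf $proc
        $match = $running | Where-Object { $_ -ieq $leaf }
        # Same name, different case: the entry the agent stores does not match the image name.
        if ($match -and $match -cne $leaf) {
            Add-Finding $proc "Casing differs from running image '$match'"
        }
    }

    if ($findings.Count -eq 0) { Write-Host 'No exclusion pitfalls found on this host.' }
    $findings
}

Find-DefenderExclusionPitfalls | Format-Table -AutoSize
```

The casing check only fires for processes that are running at the time, so run it while the Timer Service, IIS worker processes, and search processes are up; wildcard path entries are skipped by the existence test because Test-Path cannot resolve them literally.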
Authoritative Vendor Documentation
Always reference the official Microsoft documentation for the most current exclusion recommendations. The specific requirements for SharePoint Server can change with new cumulative updates or security patches. Managed service providers should review these links monthly to ensure client environments remain optimized.
The canonical source for endpoint security is the Microsoft Learn portal. You can find detailed technical articles under the Microsoft Defender for Endpoint section. Search for "Exclusions for Microsoft Defender Antivirus" to see the latest guidance on formatting and supported wildcards. The address https://learn.microsoft.com/en-us/defender-endpoint/ is the primary hub for all configuration guides and best practices for modern security engineers.