When you install Microsoft Exchange 2019 on Windows Server 2019 or 2022, it is suggested to add some exclusions to Windows Defender. Since the list is quite large, use PowerShell to add the exclusions. The exclusion list can be found in "Running Windows antivirus software on Exchange servers" on Microsoft Learn.
SECURITY PRECAUTION - Don't just blindly copy the commands and exclusions below; check them first. If anyone manipulated the list below on this site without my knowledge, you will end up adding exclusions you don't want to have.
- Run PowerShell as administrator on the Windows Server 2019/2022 machine running Exchange 2019.
# Define the exclusion paths
$folderExclusions = @(
"$env:SystemRoot\Cluster",
"$env:ExchangeInstallPath\ClientAccess\OAB",
"$env:ExchangeInstallPath\FIP-FS",
"$env:ExchangeInstallPath\GroupMetrics",
"$env:ExchangeInstallPath\Logging",
"$env:ExchangeInstallPath\Mailbox",
"$env:ExchangeInstallPath\TransportRoles\Data\Adam",
"$env:ExchangeInstallPath\TransportRoles\Data\IpFilter",
"$env:ExchangeInstallPath\TransportRoles\Data\Queue",
"$env:ExchangeInstallPath\TransportRoles\Data\SenderReputation",
"$env:ExchangeInstallPath\TransportRoles\Data\Temp",
"$env:ExchangeInstallPath\TransportRoles\Logs",
"$env:ExchangeInstallPath\TransportRoles\Pickup",
"$env:ExchangeInstallPath\TransportRoles\Replay",
"$env:ExchangeInstallPath\UnifiedMessaging\Grammars",
"$env:ExchangeInstallPath\UnifiedMessaging\Prompts",
"$env:ExchangeInstallPath\UnifiedMessaging\Temp",
"$env:ExchangeInstallPath\UnifiedMessaging\Voicemail",
"$env:ExchangeInstallPath\Working\OleConverter",
"$env:SystemDrive\inetpub\temp\IIS Temporary Compressed Files"
)
# Add folder exclusions
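foreach ($folder in $folderExclusions) {
    # ExchangeInstallPath normally ends with a backslash, so collapse the resulting "\\"
    Add-MpPreference -ExclusionPath ($folder -replace '\\{2,}', '\')
}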
# Define the exclusion processes
# (file name only: Defender matches a process with this image name in any folder)
$processExclusions = @(
"ComplianceAuditService.exe",
"Dsamain.exe",
"EdgeTransport.exe",
"fms.exe",
"hostcontrollerservice.exe",
"inetinfo.exe",
"Microsoft.Exchange.AntispamUpdateSvc.exe",
"Microsoft.Exchange.ContentFilter.Wrapper.exe",
"Microsoft.Exchange.Diagnostics.Service.exe",
"Microsoft.Exchange.Directory.TopologyService.exe",
"Microsoft.Exchange.EdgeCredentialSvc.exe",
"Microsoft.Exchange.EdgeSyncSvc.exe",
"Microsoft.Exchange.Imap4.exe",
"Microsoft.Exchange.Imap4service.exe",
"Microsoft.Exchange.Notifications.Broker.exe",
"Microsoft.Exchange.Pop3.exe",
"Microsoft.Exchange.Pop3service.exe",
"Microsoft.Exchange.ProtectedServiceHost.exe",
"Microsoft.Exchange.RPCClientAccess.Service.exe",
"Microsoft.Exchange.Search.Service.exe",
"Microsoft.Exchange.Servicehost.exe",
"Microsoft.Exchange.Store.Service.exe",
"Microsoft.Exchange.Store.Worker.exe",
"Microsoft.Exchange.UM.CallRouter.exe",
"MSExchangeCompliance.exe",
"MSExchangeDagMgmt.exe",
"MSExchangeDelivery.exe",
"MSExchangeFrontendTransport.exe",
"MSExchangeHMHost.exe",
"MSExchangeHMWorker.exe",
"MSExchangeMailboxAssistants.exe",
"MSExchangeMailboxReplication.exe",
"MSExchangeRepl.exe",
"MSExchangeSubmission.exe",
"MSExchangeTransport.exe",
"MSExchangeTransportLogSearch.exe",
"MSExchangeThrottling.exe",
"Noderunner.exe",
"OleConverter.exe",
"ParserServer.exe",
"ScanEngineTest.exe",
"ScanningProcess.exe",
"UmService.exe",
"UmWorkerProcess.exe",
"UpdateService.exe",
"wsbexchange.exe"
)
# Add process exclusions
foreach ($process in $processExclusions) {
    Add-MpPreference -ExclusionProcess $process
}
# Define the file extension exclusions
# (these apply to every file with that extension, on any path)
$extensionExclusions = @(
".config",
".chk",
".edb",
".jfm",
".jrs",
".log",
".que",
".dsc",
".txt",
".cfg",
".grxml",
".lzx"
)
# Add file extension exclusions
foreach ($extension in $extensionExclusions) {
    Add-MpPreference -ExclusionExtension $extension
}
# Output current exclusions to verify
Get-MpPreference | Select-Object -Property ExclusionPath, ExclusionProcess, ExclusionExtension
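
The precaution above and the final verification step can be combined into a comparison: the helper below, an added example that is not part of the original post, reports which reviewed exclusions are present or missing and which configured ones were never reviewed. `Compare-ExclusionSet` is a hypothetical helper name, and the sample values, including the default install path, are constructed for illustration.

```powershell
# Added example. Compare-ExclusionSet is a hypothetical helper name,
# not a Defender cmdlet.
function Compare-ExclusionSet {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Path', 'Process', 'Extension')]
        [string]$Kind,
        [string[]]$Expected = @(),
        [string[]]$Actual = @()
    )
    # Normalise so 'C:\X\\Y\' equals 'c:\x\y' and '.edb' equals 'edb'.
    $norm = {
        param($s)
        $v = ($s -replace '\\{2,}', '\').TrimEnd('\').ToLowerInvariant()
        if ($Kind -eq 'Extension') { $v.TrimStart('.') } else { $v }
    }
    $want = @{}; foreach ($e in $Expected) { $want[(& $norm $e)] = $e }
    $have = @{}; foreach ($a in $Actual) { $have[(& $norm $a)] = $a }
    # Reviewed entries: configured or not?
    foreach ($k in $want.Keys) {
        $state = if ($have.ContainsKey($k)) { 'Present' } else { 'Missing' }
        [pscustomobject]@{ Kind = $Kind; Value = $want[$k]; State = $state }
    }
    # Configured entries that nobody reviewed.
    foreach ($k in $have.Keys) {
        if (-not $want.ContainsKey($k)) {
            [pscustomobject]@{ Kind = $Kind; Value = $have[$k]; State = 'Unexpected' }
        }
    }
}

# Constructed sample data; the install path is the usual default and is assumed.
$root = 'C:\Program Files\Microsoft\Exchange Server\V15\'
$reviewed = @("${root}Mailbox", "${root}Logging")
$configured = @("$root\Mailbox", 'C:\Users\Public')   # doubled backslash, stray entry
Compare-ExclusionSet -Kind Path -Expected $reviewed -Actual $configured |
    Sort-Object State | Format-Table -AutoSize

# On the server, pass the live values from an elevated session instead, e.g.:
#   -Expected $folderExclusions -Actual (Get-MpPreference).ExclusionPath
```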