When you install Microsoft Exchange 2019 on a Windows Server 2019 or 2022 machine, it is suggested that you add some exclusions to Windows Defender. Since the list is quite large, use PowerShell to add the exclusions. The exclusion list can be found in "Running Windows antivirus software on Exchange servers | Microsoft Learn".
SECURITY PRECAUTION - Don't just blindly copy the commands and exclusions below; check them first against Microsoft's published list. If anyone manipulated the list on this site without my knowledge, you would end up adding exclusions you don't want to have.
- Run PowerShell on Windows 2019/2022 Exchange 2019 server as administrator.
# Folders to exclude from Defender scanning.
# Each entry keeps its %VAR% placeholder; the script never expands it and
# later writes the string as-is as a registry value name.
# NOTE(review): confirm that Defender resolves %ExchangeInstallPath% on this
# server; if it does not, these entries match nothing and the Exchange
# folders stay unexcluded without any error being shown.
$folderExclusions = @(
    '%SystemRoot%\Cluster',
    '%ExchangeInstallPath%\ClientAccess\OAB',
    '%ExchangeInstallPath%\FIP-FS',
    '%ExchangeInstallPath%\GroupMetrics',
    '%ExchangeInstallPath%\Logging',
    '%ExchangeInstallPath%\Mailbox',
    '%ExchangeInstallPath%\TransportRoles\Data\Adam',
    '%ExchangeInstallPath%\TransportRoles\Data\IpFilter',
    '%ExchangeInstallPath%\TransportRoles\Data\Queue',
    '%ExchangeInstallPath%\TransportRoles\Data\SenderReputation',
    '%ExchangeInstallPath%\TransportRoles\Data\Temp',
    '%ExchangeInstallPath%\TransportRoles\Logs',
    '%ExchangeInstallPath%\TransportRoles\Pickup',
    '%ExchangeInstallPath%\TransportRoles\Replay',
    '%ExchangeInstallPath%\UnifiedMessaging\Grammars',
    '%ExchangeInstallPath%\UnifiedMessaging\Prompts',
    '%ExchangeInstallPath%\UnifiedMessaging\Temp',
    '%ExchangeInstallPath%\UnifiedMessaging\Voicemail',
    '%ExchangeInstallPath%\Working\OleConverter',
    '%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files'
)
# Processes to exclude from Defender scanning.
# Every entry is a bare image name with no directory. A Defender process
# exclusion given by name alone applies to any process with that name,
# wherever the executable is started from, and it covers the files that
# process opens. Where the install location is fixed, a full path is the
# narrower form; review each name against Microsoft's list before running.
$processExclusions = @(
    'ComplianceAuditService.exe',
    'Dsamain.exe',
    'EdgeTransport.exe',
    'fms.exe',
    'hostcontrollerservice.exe',
    'inetinfo.exe',
    'Microsoft.Exchange.AntispamUpdateSvc.exe',
    'Microsoft.Exchange.ContentFilter.Wrapper.exe',
    'Microsoft.Exchange.Diagnostics.Service.exe',
    'Microsoft.Exchange.Directory.TopologyService.exe',
    'Microsoft.Exchange.EdgeCredentialSvc.exe',
    'Microsoft.Exchange.EdgeSyncSvc.exe',
    'Microsoft.Exchange.Imap4.exe',
    'Microsoft.Exchange.Imap4service.exe',
    'Microsoft.Exchange.Notifications.Broker.exe',
    'Microsoft.Exchange.Pop3.exe',
    'Microsoft.Exchange.Pop3service.exe',
    'Microsoft.Exchange.ProtectedServiceHost.exe',
    'Microsoft.Exchange.RPCClientAccess.Service.exe',
    'Microsoft.Exchange.Search.Service.exe',
    'Microsoft.Exchange.Servicehost.exe',
    'Microsoft.Exchange.Store.Service.exe',
    'Microsoft.Exchange.Store.Worker.exe',
    'Microsoft.Exchange.UM.CallRouter.exe',
    'MSExchangeCompliance.exe',
    'MSExchangeDagMgmt.exe',
    'MSExchangeDelivery.exe',
    'MSExchangeFrontendTransport.exe',
    'MSExchangeHMHost.exe',
    'MSExchangeHMWorker.exe',
    'MSExchangeMailboxAssistants.exe',
    'MSExchangeMailboxReplication.exe',
    'MSExchangeRepl.exe',
    'MSExchangeSubmission.exe',
    'MSExchangeTransport.exe',
    'MSExchangeTransportLogSearch.exe',
    'MSExchangeThrottling.exe',
    'Noderunner.exe',
    'OleConverter.exe',
    'ParserServer.exe',
    'ScanEngineTest.exe',
    'ScanningProcess.exe',
    'UmService.exe',
    'UmWorkerProcess.exe',
    'UpdateService.exe',
    'wsbexchange.exe'
)
# File extensions to exclude from Defender scanning.
# An extension exclusion is not tied to a folder: it applies to files with
# that extension anywhere on the server. Several entries here (.txt, .log,
# .config, .cfg) are generic types that are not specific to Exchange.
# NOTE(review): check whether the folder exclusions already cover the
# Exchange files of these types before adding the server-wide entries.
$extensionExclusions = @(
    '.config',
    '.chk',
    '.edb',
    '.jfm',
    '.jrs',
    '.log',
    '.que',
    '.dsc',
    '.txt',
    '.cfg',
    '.grxml',
    '.lzx'
)
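# Policy registry keys that hold the three Defender exclusion lists.
# NOTE(review): these are direct writes under the Policies hive, not edits
# made through the Group Policy editor; a domain GPO that manages the same
# settings will presumably overwrite them on refresh. Confirm for your
# environment.
$regPathFolders = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths"
$regPathProcesses = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes"
$regPathExtensions = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions"

# Pair each policy key with the list that is written into it.
$exclusionSets = @(
    @{ Path = $regPathFolders;    Names = $folderExclusions },
    @{ Path = $regPathProcesses;  Names = $processExclusions },
    @{ Path = $regPathExtensions; Names = $extensionExclusions }
)

$failedWrites = 0
foreach ($set in $exclusionSets) {
    # New-ItemProperty does not create a missing key. On a server where no
    # exclusion policy was ever set, these keys are absent and every write
    # below would fail, so create the key (and its parents) first.
    if (-not (Test-Path -Path $set.Path)) {
        New-Item -Path $set.Path -Force | Out-Null
    }

    # Each exclusion is a REG_SZ value: the value name is the exclusion and
    # the data is 0. The created property is left on the pipeline so that
    # every entry written is shown and can be checked.
    foreach ($name in $set.Names) {
        try {
            New-ItemProperty -Path $set.Path -Name $name -Value 0 -PropertyType String -Force -ErrorAction Stop
        }
        catch {
            $failedWrites++
            Write-Warning "Could not write exclusion '$name' to $($set.Path): $($_.Exception.Message)"
        }
    }
}

# Report success only when every write went through.
# Afterwards, compare the effective lists with Get-MpPreference
# (ExclusionPath, ExclusionProcess, ExclusionExtension) against the
# intended ones.
if ($failedWrites -eq 0) {
    Write-Host "Exclusions added to Local Group Policy as REG_SZ with value 0."
}
else {
    Write-Warning "$failedWrites exclusion(s) could not be written; the exclusion policy is incomplete."
}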