Configuration Manager Current Branch Antivirus Exclusions

Hey everybody!  My name is Brandon McMillan and I am a System Center Configuration Manager (ConfigMgr) PFE at Microsoft. ConfigMgr Current Branch has been the standard service based model since December 2015 with the release of version 1511.  You may have noticed that with the continuous improvements, your antivirus exclusions also need to be kept up to date.  I hope this will provide you with important antivirus exclusions you could implement within a Current Branch environment.

This blog will provide a comprehensive list of support articles we have released along with other recommendations you could consider for your environment.  Please reference the following support articles for further guidance.

  • 822158: Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows - Last Review: Jan 26, 2018
  • 327453: Recommended antivirus exclusions for Configuration Manager 2012 and Current Branch Site Servers, Site Systems, and Clients - Last Review: May 10, 2019
  • 309422: How to choose antivirus software to run on computers that are running SQL Server - Last Review: Oct 31, 2018
  • 250355: Antivirus software that is not cluster-aware may cause problems with Cluster Services - Last Review: Dec 15, 2011
  • 817442: A 0-byte file may be returned when compression is enabled on a server that is running IIS - Last Review: May 23, 2014
  • 900638: Multiple symptoms occur if an antivirus scan occurs while the file or the file is copied - Last Review: Apr 17, 2018

Last Updated: Jun 7, 2019

Added a separate section for SQL Reporting Services (SSRS) recommendations.  Also added new paths to consider for SSRS on SQL 2017+.  Thanks again to Todd Mote for the feedback.  The updates to the blog are highlighted in blue.

Update from: May 13, 2019

We recently updated our support article on ConfigMgr antivirus exclusions - 327453.  We added a non-comprehensive list of possible symptoms you may experience within the support article that you should review for troubleshooting purposes.

Update from: April 29, 2019

Added the "ISVTemp" path under "ConfigMgr Core Installation Exclusions (Current Branch Versions)" for third-party updates.  Thanks again to D. Klassen for the feedback.

Update from: Mar 29, 2019

Corrected path for "ccmsetup.exe" under "ConfigMgr Process Exclusions".  Thanks again to skatterbrainz for the feedback.

IMPORTANT: Antivirus real-time protection can cause many problems on Configuration Manager site servers, site systems, and clients. We recommend that you always test before implementing any of these changes in a production environment.  We strongly encourage you to evaluate the risks that are associated with implementing these changes.  We recommend that you temporarily apply these procedures to evaluate a system.  If you choose to implement these changes in your environment, ensure you take any additional precautions necessary.  Please refer to your antivirus vendor’s documentation for further guidance and recommendations.

The recommendations for each section are separated between "Operational" and "Performance" levels.  Operational recommendations are highly encouraged to be added to your exclusions list.  Performance recommendations should only be considered if you are experiencing such issues that may be a result of your antivirus product.

The following information will cover what could be recommended for your environment.

Details on the variables referenced:

  1. <InstallDrive> can be multiple drives in some environments, so it is best to use a wildcard if possible for the antivirus solution you have deployed throughout your environment.  Please refer to your vendor’s documentation for further instructions.
  2. <InstanceName> is the name of the SQL instance you are using in your environment.  Please be aware if you use any named SQL instances or the default, "MSSQLServer".
  3. <SQL Version> is the version of SQL you are using in your environment.  This may also differ between each SQL service referenced between versions SQL Server 2005-2008 R2 and SQL Server 2012+.  Please be aware of what version you have installed.  309422 and the article below can provide you with more details.

How to determine the version, edition and update level of SQL Server and its components

Core Exclusions for Supported Versions of Windows

  • Operational
    • %allusersprofile%\NTUser.pol
    • %windir%\Security\Database\*.chk
    • %windir%\Security\Database\*.cmtx
    • %windir%\Security\Database\*.csv
    • %windir%\Security\Database\*.edb
    • %windir%\Security\Database\*.jrs
    • %windir%\Security\Database\*.log
    • %windir%\Security\Database\*.sdb
    • %windir%\Security\Database\*.xml
    • %windir%\SoftwareDistribution\Datastore\Datastore.edb
    • %windir%\SoftwareDistribution\Datastore\Logs\edb.chk
    • %windir%\SoftwareDistribution\Datastore\Logs\edb*.jrs
    • %windir%\SoftwareDistribution\Datastore\Logs\edb*.log
    • %windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
    • %windir%\System32\GroupPolicy\Machine\Registry.pol
    • %windir%\System32\GroupPolicy\User\Registry.pol

Reference: 822158

ConfigMgr Core Installation Exclusions (All Versions)

  • Operational
    • <InstallDrive>\Program Files\Microsoft Configuration Manager\Inboxes\*.*
    • <InstallDrive>\Program Files\Microsoft Configuration Manager\
    • <InstallDrive>\Program Files\Microsoft Configuration Manager\Logs
    • <InstallDrive>\Program Files\Microsoft Configuration Manager\MP\OUTBOXES
    • <InstallDrive>\Program Files\SMS\MP\OUTBOXES
    • <InstallDrive>\Program Files\SMS_CCM\Logs
    • <InstallDrive>\Program Files\SMS_CCM\ServiceData

References: 327453, SCCM 2012 Antivirus Exclusions

ConfigMgr Core Installation Exclusions (Current Branch Versions)

  • Applicable to 1511+
    • Operational
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\cd.latest
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\EasySetupPayload
    • Performance
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\AdminUIContentPayload
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\AdminUIContentStaging
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\CMUStaging
  • Applicable to 1602+
    • Performance
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\CMUClient
  • Applicable to 1610+
    • Performance
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\PilotingUpgrade
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\RLAStaging
  • Applicable to 1702+
    • Performance
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\CMProviderLog
  • Applicable to 1806+
    • Performance
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\ISVTemp

Reference: 327453
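
One way to check a site server against the two lists above, as an added example that is not part of the original post: it assumes Microsoft Defender Antivirus (the `Get-MpPreference` cmdlet) and an elevated session, expands <InstallDrive> across every fixed drive, and reports recommended folders that are not excluded alongside configured exclusions that are off the list or cover a drive root or top-level folder. The helper name `ConvertTo-NormalizedPath` is hypothetical, and only a subset of the Operational folder paths is included.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit; it changes no antivirus settings.
# Assumes Microsoft Defender Antivirus (Get-MpPreference is part of its module).

# Subset of the Operational folder exclusions from the two lists above.
$recommended = @(
    '<InstallDrive>\Program Files\Microsoft Configuration Manager\Inboxes'
    '<InstallDrive>\Program Files\Microsoft Configuration Manager\Logs'
    '<InstallDrive>\Program Files\Microsoft Configuration Manager\MP\OUTBOXES'
    '<InstallDrive>\Program Files\SMS\MP\OUTBOXES'
    '<InstallDrive>\Program Files\SMS_CCM\Logs'
    '<InstallDrive>\Program Files\SMS_CCM\ServiceData'
    '<InstallDrive>\Program Files\Microsoft Configuration Manager\cd.latest'
    '<InstallDrive>\Program Files\Microsoft Configuration Manager\EasySetupPayload'
)

# Hypothetical helper: compare paths ignoring trailing backslashes and case.
function ConvertTo-NormalizedPath([string]$Path) {
    $Path.TrimEnd('\').ToLowerInvariant()
}

# <InstallDrive> can be several drives, so try every fixed disk (DriveType 3).
$drives = (Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3').DeviceID

# Keep only the folders that actually exist on this server.
$expected = @(
    foreach ($drive in $drives) {
        foreach ($template in $recommended) {
            $candidate = $template.Replace('<InstallDrive>', $drive)
            if (Test-Path -LiteralPath $candidate) { $candidate }
        }
    }
)

# Exclusions currently configured; the property is empty when none are set.
$configured = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })

$expectedNorm   = @($expected   | ForEach-Object { ConvertTo-NormalizedPath $_ })
$configuredNorm = @($configured | ForEach-Object { ConvertTo-NormalizedPath $_ })

$report = @(
    # Recommended folder exists on this server but is still scanned.
    foreach ($path in $expected) {
        if ((ConvertTo-NormalizedPath $path) -notin $configuredNorm) {
            [pscustomobject]@{ Finding = 'Recommended, not excluded'; Path = $path }
        }
    }
    # Configured exclusions that deserve a second look.
    foreach ($path in $configured) {
        $norm = ConvertTo-NormalizedPath $path
        if ($norm -match '^[a-z]:(\\[^\\]+)?$') {
            [pscustomobject]@{ Finding = 'Excluded, drive root or top-level folder'; Path = $path }
        }
        elseif ($norm -notin $expectedNorm) {
            [pscustomobject]@{ Finding = 'Excluded, not on this list'; Path = $path }
        }
    }
)

$report | Sort-Object Finding, Path | Format-Table -AutoSize
```

Exclusions stored with wildcards or environment variables are compared literally, so they appear as "not on this list" and need a manual look.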

ConfigMgr Content Library Exclusions

  • Operational
    • <InstallDrive>\SMS_DP$
    • <InstallDrive>\SMSPKG<DriveLetter>$
    • <InstallDrive>\SMSPKG
    • <InstallDrive>\SMSPKGC$
    • <InstallDrive>\SMSPKGSIG
    • <InstallDrive>\SMSSIG$
  • Performance
    • <InstallDrive>\SCCMContentLib
    • <InstallDrive>\<ConfigMgr Backup Directory>
      • Ex. D:\SCCMBackup
    • <InstallDrive>\<ConfigMgr Package Source Files>
      • Ex. D:\SCCMSource

Reference: 327453

ConfigMgr Imaging Exclusions

  • Operational
    • <InstallDrive>\ConfigMgr_OfflineImageServicing
    • %windir%\TEMP\BootImages
  • Performance
    • %SystemDrive%\_SMSTaskSequence

Reference: SCCM 2012 Antivirus Exclusions

ConfigMgr Process Exclusions

NOTE: Process Exclusions are necessary only when aggressive antivirus programs consider System Center Configuration Manager executables (.exe) to be high risk processes.

  • Operational
    • Client Side
      • %windir%\CCM\Ccmexec.exe
      • %windir%\CCM\CmRcService.exe
      • %windir%\CCM\Ccmrepair.exe
      • %windir%\ccmsetup\ccmsetup.exe
    • Server Side
      • %windir%\CCM\Ccmexec.exe
      • %windir%\SMS_CCM\Ccmexec.exe
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Cmupdate.exe
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Sitecomp.exe
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Smsexec.exe
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Smssqlbkup.exe
      • <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Smswriter.exe
      • <InstallDrive>\SMS_<SQLFQDN>\bin\x64\Smssqlbkup.exe

Reference: 327453

ConfigMgr Client Exclusions

  • Operational
    • %windir%\CCM\*.sdf
    • %windir%\CCM\Logs
    • %windir%\CCM\ServiceData
    • %windir%\CCMCache
    • %windir%\CCMSetup
  • Performance
    • %windir%\CCM\SystemTemp

Reference: 327453

SQL Server Exclusions

  • Operational
    • SQL Server Process Exclusions
      • SQLServr.exe
        • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\MSSQL\Binn\SQLServr.exe
      • MSMDSrv.exe
        • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\OLAP\Bin\MSMDSrv.exe
    • SQL Server data files
      • *.mdf
      • *.ldf
      • *.ndf
    • SQL Server backup files
      • *.bak
      • *.trn
    • SQL Audit files
      • *.sqlaudit
    • SQL Query files
      • *.sql
    • SQL Trace Files
      • *.trc
    • Analysis Services data files
      • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\OLAP\Backup
      • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\OLAP\Data
      • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\OLAP\Log
    • Full-Text catalog files
      • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\MSSQL\FTData
    • Replication Files
      • <InstallDrive>\Program Files (x86)\Microsoft SQL Server\<SQL Version>\COM
      • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>\COM
    • Replication Snapshot Files
      • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\MSSQL\ReplData
      • These files typically have file name extensions of the following:
        • *.sch
        • *.idx
        • *.bcp
        • *.pre
        • *.cft
        • *.dri
        • *.trg
        • *.prc
    • Checkpoint and delta files
      • No specific file extension for the files
      • Files are present under the folder structure identified by the container of type FILE_STREAM from sys.database_files
    • DBCC CHECKDB Files
      • Files will be of the format <Database_data_filename.extension>_MSSQL_DBCC<database_id_of_snapshot>
      • For more information, see the following article:
        • 2974455 DBCC CHECKDB behavior when the SQL Server database is located on an ReFS volume
    • Exception Dump Files
      • *.mdmp
    • Extended Event Files
      • *.xel
      • *.xem
    • Filestream data files
      • SQL 2008 and later versions
    • In-memory OLTP Files
      • Present in a xtp sub-folder under the DATA directory for the instance
      • File formats include the following:
        • xtp_<t/p>_<dbid>_<objid>.c
        • xtp_<t/p>_<dbid>_<objid>.dll
        • xtp_<t/p>_<dbid>_<objid>.obj
        • xtp_<t/p>_<dbid>_<objid>.out
        • xtp_<t/p>_<dbid>_<objid>.pdb
        • xtp_<t/p>_<dbid>_<objid>.xml
    • Remote Blob Storage files
      • SQL 2008 and later versions
    • Windows Failover Clustering (If applicable)
      • <Quorum Drive> (Ex. Q:\)
      • %windir%\Cluster
      • MSDTC directory in the MSDTC drive

References: 309422, 250355, 2974455 

SQL Server Reporting Services (SSRS) Exclusions

  • Operational
    • SSRS for SQL 2016 and below 
      • Process Exclusions
        • ReportingServicesService.exe
          • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
      • Reporting Services Files
        • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\Reporting Services\LogFiles
        • <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\Reporting Services\RSTempFiles
    • SSRS for SQL 2017+
      • Process Exclusions
        • ReportingServicesService.exe
          • <InstallDrive>\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\Bin\ReportingServicesService.exe
      • Reporting Services Files
        • <InstallDrive>\Program Files\Microsoft SQL Server Reporting Services\SSRS\LogFiles
        • <InstallDrive>\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\RSTempFiles

References: 309422, 250355, 2974455 

IIS Exclusions

  • Operational
    • IIS Compressed Files
      • IIS 6.0:
        • %SystemRoot%\IIS Temporary Compressed Files
      • IIS 7.0+:
        • %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
    • IIS Worker Process
      • %windir%\System32\inetsrv\w3wp.exe
      • %windir%\SysWOW64\inetsrv\w3wp.exe

Reference: 817442

WSUS Exclusions

  • Operational
    • %SystemRoot%\SoftwareDistribution\Datastore
    • %SystemRoot%\SoftwareDistribution\Download
    • %ProgramFiles%\Update Services\LogFiles\WSUSTemp
    • <InstallDrive>\WSUS\UpdateServiceDBFiles
    • <InstallDrive>\WSUS\WSUSContent

References: Designed for Optimized Performance, Windows Exclusions for Windows Defender

WSUS Offline Scanning Exclusions - Microsoft Baseline Security Analyzer (MBSA)

NOTE: There are four distinct methods to choose from when using MBSA and WSUS offline scanning.  Method 1 has the least amount of risk. If this method does not work for you, we recommend you use Method 2.  Methods 3 and 4 may increase your security risk.  We recommend that you use Methods 3 or 4 only if required, and ensure you take the necessary precautions.

  • Method 1:
    • Exclude the following files from scanning:
  • Method 2:
    • Exclude all *.cab files from scanning
  • Method 3:
    • Exclude all archived files from antivirus scanning
      • %windir%\SoftwareDistribution\ScanFile
  • Method 4:
    • Exclude the folder where the file or the file is located
    • Exclude the path of the file or the file on the local computer

MBSA was largely used in situations where neither Microsoft Update nor a local WSUS/SCCM server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and is no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016.

A script can help you with an alternative to MBSA’s patch-compliance checking:


I received a great deal of feedback on this post and I wanted to highlight the contributions from the following individuals: Max Baldt, David Coulter, Aaron Ellison, and Julie Andreacola.

Special thanks to Kevin Kasalonis, Cameron Cox, Clifton Hughes, Rushi Faldu, and Santos Martinez.

Thank you!

Brandon McMillan, Premier Field Engineer

Additional References:

  1. Microsoft All Inclusive Exclusion List:
  2. Configuration Manager 2012 Antivirus Exclusions:
  3. Configuration Manager 2007 Antivirus Exclusions:
  4. Install Reporting Services for SQL 2017 or later:
  5. What Has Changed in Configuration Manager 2012:
  6. Windows Exclusions for Windows Defender:

Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples are subject to the terms specified in the Terms of Use.

Comments (19)
  1. Scott Metzel says:

    Thank you for the concise list and for breaking down the exclusions by version; it’s great to have this in one spot. Could this be published on as part of the standard ConfigMgr documentation and kept up to date as new versions are released / as things change?

    1. BK McMillan says:

      Hey Scott! Thank you for the feedback. I really appreciate it. That is the end state goal. In the meantime, I did add this to the Microsoft Antivirus Exclusion Wiki page.

    2. A.Marshall says:

      My two cents to reinforce this and bump Scott’s request from 2017. This is excellent detail and remains critical to the ConfigMgr product, not optional as some vendors may suggest. Please pursue the formal documentation in addition to weblog/wiki content references for general consumption, thanks.

      1. BK McMillan says:

        Hey A. Marshall! Thank you for your response and feedback. I am definitely trying to pursue this to be published to MS Docs. I will keep the community in the loop once we have transitioned the content officially to our formal Docs site. Thank you again for the response!

  2. Adam says:

    Any chance of getting updated Templates for these recommendations? I don’t think the ones in ConfigMgr have changed in a long time.

    1. BK McMillan says:

      Hey Adam! Thank you for your response. You are correct, the templates you see in the “EPTemplates\Archive” folder have not been updated. We have only been updating the SCEP templates you see in the parent “EPTemplates” folder that is delivered with the installation of the Admin Console.

      My recommendation to have the archived templates updated with newer versions of ConfigMgr is to submit a request on User Voice:

  3. Scott Breen says:

    This is a really well-written update. Really appreciate the guidance 🙂

    1. BK McMillan says:

      Hey Scott! Thank you so much for your feedback :).

    1. how about the steps for implementation

      1. BK McMillan says:

        Hey Sudershan! I would recommend you refer to your antivirus vendor’s documentation for implementation steps. We can only recommend what may help you if your environment may be unstable due to existing antivirus policies in place. For Windows Defender, you can reference our documentation on MS Docs:

  4. Under the section “ConfigMgr Process Exclusions” where it shows “operational” / “client side” includes: %windir%\CCM\Ccmsetup.exe, shouldn’t that be %windir%\ccmsetup\ccmsetup.exe ?

    1. BK McMillan says:

      Hey skatterbrainz! Your name is ironic for this mistake. I have corrected the path. Thank you again for your feedback and checking out the article!

  5. D.Klassen says:

    This list is very useful, Thank you!

    I think the download path for third party Updates is missing.

    There should be an exclusion for:
    \Program Files\Microsoft Configuration Manager\ISVTemp\*.*

    1. BK McMillan says:

      Hey D. Klassen! Many thanks for your feedback and kind words. As I do not see this currently in any KB’s, I’ll add this as a “Performance” based recommendation for Current Branch versions. Thanks again for your response.

  6. Todd Mote says:

    This is a great resource! A template, as others have suggested, that keeps in step with this blog would be great! I’ll second that and vote for a UserVoice if there is one. Some review of SQL Reporting Services exclusions is needed now that it is a separate install and has its own path. \Program Files\Microsoft SQL Server Reporting Services

    1. BK McMillan says:

      Hey Todd! Thanks for the feedback and apologies for the delay. You are correct. We have not added the latest changes to SSRS for SQL 2017 in the SQL support article – 309422. I’ll make the adjustments to the blog here soon. I’m not sure when we may be updating that article as of yet. We do have a UserVoice Idea on updating the SCEP templates. You can vote it up here:

  7. pavelek_g says:

    Have you ever reviewed the need of having those excludes on the AV software?
    I mean that the AV software is evolving and the impact on most of the crucial processes is minimized or even none which makes most of the excludes obsolete (the exclusion come in most cases from 2012-2015). From security perspective the excludes bring only potential attack vector, as none of the mentioned paths will be protected afterwards, which opens a gate for malware to reside in. So maybe from potential performance gain you have a large security loss implementing the exclusions blindly as you point them in the article.
    Each exclude needs to be evaluated with the respective av managing team and any performance impact of the av product needs to be checked as first.

    1. BK McMillan says:

      Hey pavelek_g! Thank you for your insight and feedback. You do bring up valid points and suggestions. The main intent of the blog was to collectively reference the support KB’s we established across multiple technologies as ConfigMgr is a tool with many components. We have listed specific disclaimers that these recommendations should be thoroughly tested. Ultimately the responsibility lies with the consumer to determine with their AV vendor what will be the most operationally secure configuration for their environment.
