How to Add Exceptions in Windows Defender (Fix Blocked Apps Safely)
Learn how to add Windows Defender exceptions safely when Defender blocks an app, file, folder, or process, and when to report a false positive instead.
How-to for Windows users, IT admins, and MSPs fixing blocked apps or repeated Defender detections without weakening protection more than necessary
Windows Defender exceptions are the supported way to stop Microsoft Defender Antivirus from repeatedly scanning or blocking a trusted file, folder, file type, or process. If Defender is blocking an app you know is safe, the goal is not to turn Defender off completely. The goal is to add the narrowest exception that fixes the problem.
That distinction matters because many "Defender blocked my app" problems are really one of three different issues: a safe app that needs a narrow exclusion, a false positive that should be reported to Microsoft, or a policy-managed environment where local changes will be overridden. This page helps you pick the right fix safely.
What You'll Get
- Add the right Windows Defender exception type for the actual problem
- Fix blocked apps without disabling Defender broadly
- Know when to use a false-positive report or central policy instead of a local exception
What Windows Defender exceptions are and when to use them
Windows Defender exceptions tell Microsoft Defender Antivirus to stop scanning a specific file, folder, file type, or process in the normal way. That is useful when Defender is blocking a trusted app, slowing a known-safe workload, or repeatedly flagging a safe internal tool that you have already validated.
Use an exception when all three of these are true:
- you know what object is being blocked or rescanned
- you have validated that it is safe and expected
- you can fix the problem with a narrow scope instead of turning Defender off entirely
If you are still deciding whether the symptom is really a Defender problem, start with the common Defender problems pillar. If your first instinct was to turn Defender off completely, read the disable guide first and then come back here for the narrower fix.
How to add an exception to Windows Defender
For unmanaged Windows 10 and Windows 11 devices, the normal local path is through Windows Security:
1. Open Windows Security.
2. Select Virus & threat protection.
3. Under Virus & threat protection settings, select Manage settings.
4. Under Exclusions, select Add or remove exclusions.
5. Select Add an exclusion and choose the type that matches the problem.
Microsoft documents these steps and the exclusion types in its Windows Security exclusions guidance. The four main exclusion types are:
| Exclusion type | Best use case | Main risk |
|---|---|---|
| File | One known-safe file keeps getting flagged | Only that file is skipped, but if the file changes you may miss something important |
| Folder | A specific application directory is repeatedly scanned | Broad scope because everything in the folder is skipped |
| File type | A specific extension is causing repeated issues | Usually too broad for general troubleshooting |
| Process | A trusted executable keeps triggering scanning problems for files it opens | Easy to overuse if you do not specify the right process path |
For most blocked-app problems, start with a file or process exclusion before you consider a folder-wide exclusion.
Defender blocked my app: the safest fix path
The safest way to handle "Defender blocked my app" is to confirm what actually did the blocking before you add anything.
Use this order:
1. Check whether the block came from Microsoft Defender Antivirus, not SmartScreen or another control.
2. Confirm the app or file is trusted, expected, and from the right source.
3. Identify whether one file, one folder, one extension, or one process is the real scope.
4. Add the narrowest exception that solves the problem.
5. Test the app again and verify the change worked.
If the warning is really a reputation prompt such as Windows protected your PC, that is a different control path. Use the SmartScreen guide instead of adding an Antivirus exclusion for the wrong problem.
If the app was quarantined or flagged as malware and you think the verdict itself is wrong, use an exception only as a temporary local workaround. The root-cause path is the false-positive reporting guide.
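The fix path above, scripted for one file, as an added example that is not from the original page or from Microsoft. `$AppPath` and the function names are hypothetical, and the trust check assumes a valid Authenticode signature is an acceptable validation for your environment.

```powershell
#Requires -RunAsAdministrator
# Hypothetical path for illustration; use the exact file named in Protection history.
$AppPath = 'C:\Program Files\ExampleVendor\ExampleApp\example.exe'

function Get-RecentDefenderDetection {
    param([Parameter(Mandatory)][string]$Path, [int]$Days = 7)
    # Event IDs 1116 (threat detected) and 1117 (action taken) are logged by
    # Defender Antivirus. No match suggests another control did the blocking.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -and
            $_.Message.IndexOf($Path, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
}

function Add-NarrowFileExclusion {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($item.PSIsContainer) { throw "Refusing folder scope for '$Path'. Name one file." }

    # Trust check assumed here: a valid Authenticode signature. Unsigned internal
    # tools need a different validation step before they are excluded.
    $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
    if ($sig.Status -ne 'Valid') { throw "Signature status is '$($sig.Status)'. Not excluding." }

    Add-MpPreference -ExclusionPath $item.FullName
    # Record what was excluded and when, so the exception can be reviewed and removed.
    [pscustomobject]@{
        Path   = $item.FullName
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        Added  = Get-Date
    }
}

if (Get-RecentDefenderDetection -Path $AppPath) {
    $record = Add-NarrowFileExclusion -Path $AppPath
    $record | Format-List
    # Confirm the exclusion is in the effective preferences.
    'Exclusion present: {0}' -f ((Get-MpPreference).ExclusionPath -contains $record.Path)
} else {
    Write-Warning "No Defender Antivirus detection names '$AppPath'. Check SmartScreen or policy first."
}
```

Keep the emitted record with your change notes; the recorded hash lets you tell later whether the excluded file has changed.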
Which exception type to choose
Choosing the wrong exclusion type is one of the easiest ways to create unnecessary risk.
Use a file exclusion when one installer, executable, or library is the clear problem. Use a process exclusion when a trusted executable opens many files and that activity is what keeps triggering Defender interference. Microsoft's Windows Security guidance notes that files opened by an excluded process can still be scanned by on-demand or scheduled scans unless a file or folder exclusion also covers them, so process exclusions should be chosen intentionally.
Use a folder exclusion only when the application genuinely depends on a whole working directory and you cannot solve the issue with one file or process path. Use a file type exclusion last, because it can affect every file with that extension on the device.
As a practical rule:
- file is safer than folder
- process is usually safer than file type
- specific path is safer than broad pattern
How to verify the exception worked
Do not stop after adding the exclusion. Verify the actual result.
At minimum:
- re-run the blocked app or workflow
- check Protection history in Windows Security
- confirm the same file or process is no longer being blocked repeatedly
If you need a local PowerShell check, review current Defender preferences:
```powershell
Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess
```
If the app is still blocked, one of these is usually true:
- the wrong exclusion type was added
- the path was too broad or too narrow
- the block came from another feature, not Defender Antivirus scanning
- the device is managed by policy and the local change will not stick
If the device is managed and local settings keep reverting, switch to the central management guide or the organization-managed troubleshooting page.
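To check scope as well as presence, the following added example (not from the original page) classifies each configured exclusion by how broad it is. The function name and the sample values are constructed for illustration, and the file-versus-folder decision is a heuristic based on whether the path has an extension.

```powershell
function Get-DefenderExclusionReview {
    # Defaults to the live settings; run elevated, because a non-elevated
    # session may not be shown the exclusion lists.
    param($Preference = (Get-MpPreference))

    foreach ($p in $Preference.ExclusionPath) {
        $depth = @($p.TrimEnd('\') -split '\\').Count
        $scope = if ($p -match '[*?]') { 'Broad: wildcard pattern' }
                 elseif ([IO.Path]::HasExtension($p)) { 'Narrow: single file' }
                 elseif ($depth -le 2) { 'Very broad: top-level folder' }
                 else { 'Broad: whole folder' }
        [pscustomobject]@{ Type = 'Path'; Value = $p; Scope = $scope }
    }
    foreach ($ext in $Preference.ExclusionExtension) {
        # A file type exclusion applies to every file with that extension on the device.
        [pscustomobject]@{ Type = 'Extension'; Value = $ext; Scope = 'Broad: device-wide file type' }
    }
    foreach ($proc in $Preference.ExclusionProcess) {
        # A bare image name is not tied to one install location.
        $scope = if ($proc -notmatch '[*?]' -and [IO.Path]::IsPathRooted($proc)) {
                     'Narrow: full process path'
                 } else { 'Broad: not pinned to one process path' }
        [pscustomobject]@{ Type = 'Process'; Value = $proc; Scope = $scope }
    }
}

# Constructed sample so the classification can be seen without changing any settings.
$sample = [pscustomobject]@{
    ExclusionPath      = @('C:\Tools\build\agent.exe', 'C:\Users', 'D:\work\*\out')
    ExclusionExtension = @('.tmp')
    ExclusionProcess   = @('C:\Program Files\ExampleVendor\sync.exe', 'python.exe')
}
Get-DefenderExclusionReview -Preference $sample | Format-Table -AutoSize

# Live check: list only the entries that deserve a second look.
# Get-DefenderExclusionReview | Where-Object Scope -notlike 'Narrow*'
```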
When to use a false-positive report instead
An exception fixes the symptom on your device. A false-positive report tries to fix the verdict upstream.
That is the right move when:
- a known-good business app keeps getting detected after updates
- multiple endpoints are seeing the same wrong detection
- you are about to add a broad exclusion just to stop repeated noise
The cleanest pattern is often:
- add a narrow temporary exception if operations are blocked
- report the false positive to Microsoft
- remove the temporary exception if Microsoft corrects the detection
That keeps the local fix small while still addressing the real detection problem. The full workflow lives in how to report and reduce false positives in Microsoft Defender.
Common mistakes with Windows Defender exceptions
Most exception problems are not technical failures. They are scope failures.
Common mistakes include:
- adding a folder exclusion when one file exclusion would have worked
- adding a file type exclusion because it is faster, even though it is much broader
- using an exception before confirming the app is actually safe
- adding an Antivirus exclusion when the block really came from SmartScreen or another policy control
- forgetting to document why the exception exists and when it should be removed
If you manage many endpoints, broad local exceptions also create reporting confusion. One device works, another does not, and no one remembers which local workaround changed what. That is why repeated exception requests usually point to a management or detection-quality problem, not just a one-device issue.
When central management is the better answer
If your team keeps adding exceptions on multiple endpoints, you are no longer dealing with a one-off blocked app. You are managing policy.
Microsoft's Defender exclusions documentation also covers centralized paths for Intune, Group Policy, Configuration Manager, and other managed workflows. That is the better answer when:
- the same app needs the same exception on many devices
- you need an approved and documented exception standard
- local users should not be making exclusion decisions individually
- you need to review and remove stale exceptions later
Use Windows Defender central management for the policy layer. If you want the broader troubleshooting map around blocked apps, continue with common problems with Microsoft Defender.