Hey everybody! My name is Brandon McMillan and I am a Microsoft Endpoint Configuration Manager (ConfigMgr) PFE at Microsoft. ConfigMgr Current Branch has been the standard service-based model since December 2015 with the release of version 1511. You may have noticed that, with each new release, your antivirus exclusions also need to be kept up to date. I hope this will provide you with the important antivirus exclusions you could consider implementing within a Current Branch environment.
This post consolidates the exclusions from the support articles we have released, referenced below, along with other recommendations you could consider for your environment. Please refer to those articles for further guidance.
Update: Apr 22nd, 2020
IMPORTANT: Antivirus real-time protection can cause many problems on Configuration Manager site servers, site systems, and clients. We recommend always testing before implementing any of these changes in a production environment. We strongly encourage you to evaluate the risks associated with implementing these changes: every exclusion is a place the antivirus product will no longer look, so add only what your environment actually needs. We recommend that you temporarily apply these procedures to evaluate a system. If you choose to implement these changes in your environment, ensure you take any additional precautions necessary. Please refer to your antivirus vendor's documentation for further guidance and recommendations.
The recommendations in each section are separated into "Operational" and "Performance" levels. Operational recommendations are highly encouraged to be added to your exclusions list. Performance recommendations should only be considered if you are experiencing performance issues that may be caused by your antivirus product.
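As an added example (not code from the original post or from the ConfigMgr product), the script below shows one way to apply these two tiers with the Windows Defender PowerShell module: Operational exclusions are always applied, Performance exclusions only when you opt in, and only paths that actually exist on the system are excluded, since a path for a role that is not installed buys nothing and just widens the unscanned surface. The paths, processes and extensions in the `$tiers` table are placeholders (assumptions for this example) to be replaced with the entries from the relevant lists in this post; reading the install directory from `HKLM:\SOFTWARE\Microsoft\SMS\Identification` is likewise an assumption about where the site server records it.

```powershell
<#
.SYNOPSIS
  Apply Windows Defender exclusions for a ConfigMgr site system in the two tiers this post uses.
.NOTES
  Added example, not code from the original post. "Operational" entries are always applied;
  "Performance" entries only with -IncludePerformance, because those are recommended only when
  AV is measurably causing performance issues. Every path, process and extension in $tiers is a
  placeholder (an assumption for this example): replace them with the entries from the relevant
  list in this post. Run from an elevated PowerShell session on Windows 10 / Windows Server 2016
  or later, where the Defender module (Add-MpPreference) is available. Supports -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$IncludePerformance
)

# Assumption: resolve the site server install directory from the ConfigMgr registry key rather
# than hard-coding it; $null if this machine is not a site server.
$installDir = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Identification' `
                -ErrorAction SilentlyContinue).'Installation Directory'

# Placeholder tiers. Keys mirror the Add-MpPreference parameters they feed.
$tiers = [ordered]@{
    Operational = @{
        ExclusionPath      = @($installDir, "$env:SystemRoot\ccmcache")   # placeholders
        ExclusionProcess   = @()
        ExclusionExtension = @()
    }
    Performance = @{
        ExclusionPath      = @()
        ExclusionProcess   = @()
        ExclusionExtension = @()
    }
}

function Split-ExclusionPath {
    # Returns which candidate paths exist on this system and which do not. Only existing
    # paths are applied: excluding a path for a role or feature that is not present widens
    # the unscanned surface for no benefit.
    param([string[]]$Candidates)
    $present = @(); $absent = @()
    foreach ($p in ($Candidates | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })) {
        if (Test-Path -LiteralPath $p) { $present += $p } else { $absent += $p }
    }
    [pscustomobject]@{ Present = $present; Absent = $absent }
}

$selected = @('Operational')
if ($IncludePerformance) { $selected += 'Performance' }

foreach ($tierName in $selected) {
    $tier  = $tiers[$tierName]
    $paths = Split-ExclusionPath -Candidates $tier.ExclusionPath
    foreach ($a in $paths.Absent) { Write-Warning "[$tierName] path not present, skipped: $a" }

    if ($paths.Present.Count -gt 0 -and
        $PSCmdlet.ShouldProcess(($paths.Present -join '; '), "Add [$tierName] path exclusions")) {
        Add-MpPreference -ExclusionPath $paths.Present
    }
    if ($tier.ExclusionProcess.Count -gt 0 -and
        $PSCmdlet.ShouldProcess(($tier.ExclusionProcess -join '; '), "Add [$tierName] process exclusions")) {
        Add-MpPreference -ExclusionProcess $tier.ExclusionProcess
    }
    if ($tier.ExclusionExtension.Count -gt 0 -and
        $PSCmdlet.ShouldProcess(($tier.ExclusionExtension -join '; '), "Add [$tierName] extension exclusions")) {
        Add-MpPreference -ExclusionExtension $tier.ExclusionExtension
    }
}

# Verify what Defender actually holds now; this is also what to record in your change ticket.
$pref = Get-MpPreference
'Current path exclusions:';      $pref.ExclusionPath      | Sort-Object
'Current process exclusions:';   $pref.ExclusionProcess   | Sort-Object
'Current extension exclusions:'; $pref.ExclusionExtension | Sort-Object
```

Run it once with `-WhatIf` to see which placeholder paths would be applied and which are skipped as absent, then without it to apply the Operational tier, and with `-IncludePerformance` only on systems where you have confirmed an AV-related performance problem. If you use a different antivirus product, keep the same structure and swap the `Add-MpPreference` calls for the vendor's own mechanism.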
The following information will cover what could be recommended for your environment.
Details on the variables referenced:
Core Exclusions for Supported Versions of Windows
For further information regarding recommended exclusions for server roles such as a Domain Controller, DFS, DHCP, or DNS, please refer to the article below.
ConfigMgr Core Installation Exclusions (All Versions)
ConfigMgr Core Installation Exclusions (Current Branch Versions)
ConfigMgr Management Point Exclusions
The following recommendations are dependent on the state of the system when the Management Point role is assigned. Please review the current state of your environment to determine which of the following paths should be excluded.
ConfigMgr Content Library Exclusions
ConfigMgr Imaging Exclusions
ConfigMgr Process Exclusions
ConfigMgr Client Exclusions
SQL Server Exclusions
SQL Server Reporting Services (SSRS) Exclusions
SSRS for SQL 2016 and below
SSRS for SQL 2017+
IIS Compressed Files
IIS Worker Process
WSUS Offline Scanning Exclusions - Microsoft Baseline Security Analyzer (MBSA)
There are four distinct methods to choose from when using MBSA and WSUS offline scanning. Method 1 carries the least risk. If that method does not work for you, we recommend Method 2. Methods 3 and 4 may increase your security risk, so use them only if required and take the necessary precautions.
MBSA was largely used in situations where neither Microsoft Update nor a local WSUS/ConfigMgr server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and is no longer developed. MBSA 2.3 does not fully support Windows 10 and Windows Server 2016.
The following script may help you as an alternative to MBSA’s patch-compliance checking with later versions of Windows:
I received a great deal of feedback on this post and I wanted to highlight the contributions from the following individuals: Max Baldt, David Coulter, Aaron Ellison, Julie Andreacola, and Klaus Kreyenberg.
Special thanks to Kevin Kasalonis, Cameron Cox, Clifton Hughes, Rushi Faldu, and Santos Martinez.
Brandon McMillan, Premier Field Engineer