How to Stop Microsoft Defender From Blocking a File (Allowlist, Exclusions, and MDE Indicators)
How to Stop Microsoft Defender From Blocking or Running a File (Without Disabling Protection)
If you've ever said "Defender is opening my file," what's usually happening is one of these:
- Defender is scanning the file (normal behavior).
- Defender is quarantining or blocking a legitimate file (false positive).
- You want to stop a file from running (intentional block).
You cannot stop Defender from scanning entirely without weakening protection. What you can control is whether a specific file is allowed, excluded from detection, or blocked from executing.
Step 1: Decide your goal
| Goal | Best enterprise method | Use when |
|---|---|---|
| Stop Defender from quarantining a trusted file | Defender for Endpoint file indicator: Allow | You manage endpoints centrally and need a clean allowlist |
| Stop Defender from detecting a file in a specific location | Intune Defender AV exclusions | You need a scoped exception (path/process/extension) |
| Prevent a file from running on devices | Defender for Endpoint file indicator: Block | You want an org-wide execution block |
| One-off testing only | Local PowerShell exclusion | Lab or short-term validation |
Scenario A: Defender is quarantining a file you trust (false positive)
Option A1: Allow the file using Defender for Endpoint (preferred)
This is the cleanest way to stop detections centrally without creating broad exclusions.
Microsoft Defender portal
- Go to Settings
- Go to Endpoints
- Go to Indicators
- Choose Files
- Add the file SHA256 hash (preferred)
- Set Action = Allow
- Set the scope (All devices or specific device groups)
- Save
Enterprise notes
- Hash allowlisting is version-specific. If the vendor updates the file, the hash changes and you must update the indicator.
- If the file has already been flagged across endpoints, an Allow indicator can take time to take effect, depending on cached verdicts and policy sync.
Verify
- Test on a pilot device: download/copy the file again (fresh copy if possible).
- Confirm it no longer quarantines.
- Check the device timeline and alerts to confirm the indicator was applied.
Option A2: Use Intune-managed Defender AV exclusions (tight scope)
Use this when you do not have MDE indicators available, or you need a narrow exception by path/process.
Intune admin center
- Endpoint security → Antivirus
- Create policy
- Platform: Windows 10 and later
- Profile: Microsoft Defender Antivirus
- Configure Exclusions
- Path exclusion (best when you can target one exact path)
- Process exclusion (good for known app binaries)
- Extension exclusion (highest risk, avoid if possible)
- Assign to a pilot group, then broader rings
Good exclusion examples
- Path: C:\Program Files\Vendor\App\app.exe
- Process: C:\Program Files\Vendor\App\app.exe
Avoid
- Excluding C:\ or large application folders
- Extension exclusions like .exe or broad custom extensions used widely
Verify
- On a test machine, open Windows Security → Virus & threat protection → Protection history and confirm there are no new quarantines for that file.
- Confirm the policy applies:
  - In Intune, open the device → Device configuration → Per-setting status
  - Or review the MDM and Defender event logs if you're troubleshooting deeper
Option A3: Local PowerShell exclusion (lab / short-term only)

```powershell
# Add exclusions (run from an elevated PowerShell session)
Add-MpPreference -ExclusionPath "C:\Apps\Vendor\App.exe"     # do not scan this file
Add-MpPreference -ExclusionProcess "C:\Apps\Vendor\App.exe"  # do not scan files opened by this process
Add-MpPreference -ExclusionExtension ".vendorpkg"            # do not scan this extension (broad; lab only)

# Check what is configured
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension
```

Rollback

```powershell
# Remove the same three exclusions once testing is done
Remove-MpPreference -ExclusionPath "C:\Apps\Vendor\App.exe"
Remove-MpPreference -ExclusionProcess "C:\Apps\Vendor\App.exe"
Remove-MpPreference -ExclusionExtension ".vendorpkg"
```
Scenario B: You want to prevent a file from running (block execution)
Block the file using Defender for Endpoint (org-wide control)
This is how you stop a known-bad or unwanted binary from launching.
Microsoft Defender portal
- Settings → Endpoints → Indicators
- Files
- Add SHA256
- Set Action = Block (or "Alert and block" if you want extra visibility)
- Scope to device groups (pilot first), then expand
- Save
Verify
- Copy the file to a test machine in scope.
- Attempt to run it.
- Confirm it is blocked and an alert/event appears in Defender.
Troubleshooting checklist (when it still quarantines or still runs)
If a trusted file is still being quarantined
- Confirm the hash matches the exact file being detected (SHA256 recommended).
- Confirm the device is in scope for the indicator or exclusion policy.
- Confirm the device has checked in and policy sync occurred.
- If the file changes frequently, your allow indicator may be outdated.
If a blocked file still runs
- Confirm the device is onboarded to Defender for Endpoint, which is what enforces the indicator.
- Confirm the file hash is correct and matches the binary that was actually executed.
- Confirm you are not blocking only one variant of the tool while a different build is the one running.
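The verification steps for Scenario A and the two troubleshooting lists above come down to the same checks: does the hash on disk match the indicator, is the file covered by an exclusion, and what has Defender logged locally for it. The script below is an added example, not part of the original article; the file path and the expected hash are placeholders you replace with your own values, and it is run in an elevated PowerShell session on the affected device.

```powershell
# Added example: compare the on-disk SHA256 with the hash in your indicator, show any
# local AV exclusion covering the file, and pull recent Defender detections/events for it.
param(
    [string]$FilePath     = 'C:\Apps\Vendor\App.exe',        # placeholder: file being detected
    [string]$ExpectedHash = '<SHA256-FROM-YOUR-INDICATOR>'   # placeholder: hash entered in the portal
)

# 1. Hash the exact binary on disk. Hash indicators are version-specific, so a
#    mismatch here means the indicator targets a different build of the file.
$actual = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
if ($actual -ieq $ExpectedHash) {
    Write-Host "Hash matches indicator: $actual"
} else {
    Write-Warning "Hash mismatch. On disk: $actual  Indicator: $ExpectedHash"
}

# 2. Is the file already covered by a local or policy-delivered path exclusion?
$pref     = Get-MpPreference
$excluded = $pref.ExclusionPath | Where-Object { $_ -and $FilePath -like "$_*" }
$covering = if ($excluded) { $excluded -join ', ' } else { 'none' }
Write-Host "Path exclusion covering this file: $covering"

# 3. Recent local detections that reference this path (same data as Protection history).
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($FilePath) } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-Table -AutoSize

# 4. Defender Operational log: 1116 = threat detected, 1117 = action taken,
#    5007 = configuration changed (e.g. an exclusion arrived via policy sync).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 5007
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 5007 -or $_.Message -match [regex]::Escape($FilePath) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

A hash mismatch in step 1 with continuing 1116/1117 events in step 4 is the typical signature of an outdated Allow indicator after a vendor update.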
Recommended enterprise approach
- Pilot first (small device group).
- For trusted files: Allow via indicator rather than broad exclusions.
- Use Intune exclusions only when absolutely necessary and keep them narrow.
- For unwanted binaries: Block via indicator with logging enabled so you can prove enforcement.
- Document the rollback: remove indicator or exclusion, then validate on a test device.
