Exclusions set on a host cannot be cleared by the Huntress agent, so if you see a "Source: Host" exclusion making your agent non-compliant in Managed AV (Microsoft Defender) you'll need to manually remove them to become compliant again.
Open up Windows Security Center (click on the start button and type "Windows Security Center")
Click on Virus & threat protection
Click on Manage Settings
Scroll down and click on Add or remove exclusions
For each exclusion you wish to remove, move your mouse over the exclusion until a down arrow appears, click on that, then click the Remove button that appears
Using PowerShell:
# Reset exclusions to the default (none). Run from an elevated PowerShell prompt.
# Get-MpPreference returns a single object whose exclusion properties are string
# arrays, and Remove-MpPreference accepts string[], so each kind of exclusion is
# cleared with one call. The null checks avoid calling Remove-MpPreference when
# there is nothing to remove.
$prefs = Get-MpPreference

if ($prefs.ExclusionPath -ne $null) {
    Remove-MpPreference -ExclusionPath $prefs.ExclusionPath
}

if ($prefs.ExclusionExtension -ne $null) {
    Remove-MpPreference -ExclusionExtension $prefs.ExclusionExtension
}

if ($prefs.ExclusionProcess -ne $null) {
    Remove-MpPreference -ExclusionProcess $prefs.ExclusionProcess
}
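As an added example (not part of the Huntress article), the following PowerShell snapshots the current host exclusions to a JSON file before clearing them and can put them back afterwards, so an exclusion that was set deliberately can be restored rather than lost. The backup path and the function names are assumptions.

```powershell
# Added example, not from the Huntress article. Run as administrator.
# Backup location is an assumed value; adjust to taste.
$BackupPath = "$env:ProgramData\DefenderExclusionBackup.json"

function Export-DefenderExclusions {
    param([string]$Path = $BackupPath)
    $prefs = Get-MpPreference
    # Piping through Where-Object turns a $null property into an empty array
    # instead of @($null), which would otherwise serialize as [null].
    $snapshot = [ordered]@{
        Path      = @($prefs.ExclusionPath      | Where-Object { $_ })
        Extension = @($prefs.ExclusionExtension | Where-Object { $_ })
        Process   = @($prefs.ExclusionProcess   | Where-Object { $_ })
        TakenAt   = (Get-Date).ToString('o')
    }
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    return $snapshot
}

function Clear-DefenderExclusions {
    # Remove-MpPreference takes string[], so each kind is cleared in one call.
    # Exclusions delivered by Group Policy or Intune are not removed this way;
    # those live in the policy and must be changed there.
    $prefs = Get-MpPreference
    if ($prefs.ExclusionPath)      { Remove-MpPreference -ExclusionPath      $prefs.ExclusionPath }
    if ($prefs.ExclusionExtension) { Remove-MpPreference -ExclusionExtension $prefs.ExclusionExtension }
    if ($prefs.ExclusionProcess)   { Remove-MpPreference -ExclusionProcess   $prefs.ExclusionProcess }
}

function Restore-DefenderExclusions {
    param([string]$Path = $BackupPath)
    $snap = Get-Content -Path $Path -Raw | ConvertFrom-Json
    if ($snap.Path)      { Add-MpPreference -ExclusionPath      $snap.Path }
    if ($snap.Extension) { Add-MpPreference -ExclusionExtension $snap.Extension }
    if ($snap.Process)   { Add-MpPreference -ExclusionProcess   $snap.Process }
}

# Usage: back up first, report what was found, then clear.
$before = Export-DefenderExclusions
Write-Host ("Backed up {0} path, {1} extension, {2} process exclusion(s) to {3}" -f
    $before.Path.Count, $before.Extension.Count, $before.Process.Count, $BackupPath)
Clear-DefenderExclusions
# To undo: Restore-DefenderExclusions
```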
Comments
Question - "Exclusions set on a host cannot be cleared by the Huntress agent..." - is this a decided-upon limitation/policy of the Huntress agent, or a limitation by Microsoft regarding the management of Defender exclusions created by different users on the system?
Thanks for the great question, Thomas! It was a policy that Huntress decided upon so that we don't clear any exclusions the partner had set previously.
Huntress should add an option to override existing exclusions; it's hardly managed or enforced if you allow existing exceptions to remain and they can only be remediated by manually connecting to the device and removing them in the GUI.
Intune manages these exclusions, but when I go to edit the policy Intune gives an error. Anyone else have this problem?