Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Microsoft Defender for Business and Microsoft Defender for Endpoint
Environment: Microsoft Defender Security Portal
Summary: This article explains how to configure the required Windows process path and service name exclusion rules so Microsoft Defender for Endpoint can use selective isolation and keep the Huntress Agent connected to the Huntress Dashboard during Microsoft containment actions.
In This Article:
Overview
Before You Begin
Configure Huntress Isolation Exclusions
Huntress Exclusion Values
Important Behaviors and Limitations
Troubleshoot Huntress Agent Communication
Overview
Microsoft Defender for Endpoint can isolate devices as part of Microsoft Defender XDR's Automatic Attack Disruption, a containment capability that restricts communication from potentially compromised endpoints while an incident is being addressed.
For partners using Huntress alongside Microsoft Defender for Endpoint, this behavior is important to understand, as device isolation can disrupt communication between the Huntress Agent and the Huntress Dashboard if the appropriate isolation exclusions are not configured in advance.
Microsoft Defender for Endpoint supports two isolation modes: full and selective.
In full isolation, all traffic is blocked except essential Defender communications, and exclusions do not apply. In selective isolation, administrators can define exclusions that allow critical security or management tools to continue functioning while the device remains isolated.
Microsoft states that when an isolation exclusion rule is defined, Automatic Attack Disruption uses selective isolation by default and applies the configured exclusion rules. In practice, this means that properly configured Huntress exclusions can keep the Huntress Agent connected during Microsoft-driven isolation events, helping preserve visibility and response capability.
This article explains how to configure the required Huntress exclusions so Microsoft Defender for Endpoint isolation can coexist more cleanly with Huntress during containment actions.
Before You Begin
Before configuring exclusions, verify that you meet the following requirements:
You have Security Administrator or Manage Security Settings permissions (or higher) in Microsoft Defender
You have turned on isolation exclusions in the Defender settings
To turn on isolation exclusions:
Log in to the Microsoft Defender Security Portal
Go to Settings > Endpoints > Optional Features
Toggle Isolation Exclusion Rules to On
Important: When you turn on isolation exclusions, default Microsoft exclusions (such as Microsoft Teams, Outlook, and Skype) no longer apply automatically. The exclusions list starts empty, and you must manually define any rules you need.
Configure Huntress Isolation Exclusions
To ensure traffic flows correctly during selective isolation, create a separate isolation exclusion rule for each Huntress process path and service name.
Defender applies all matching rules. Because conditions within a single rule use AND logic, and undefined conditions are treated as unrestricted, using separate rules is the cleanest way to ensure Defender allows the intended Huntress traffic.
In the Microsoft Defender Security Portal, go to Settings > Endpoints > Isolation Exclusion Rules
On the Windows rules tab, select Add exclusion rule
Enter the required rule details for a Huntress component (refer to the values in the Huntress Exclusion Values section)
Set the direction to Outbound. (When the device initiates an outbound connection, return traffic is automatically accepted, so you do not need separate inbound rules)
Save your changes
Repeat these steps for each process path and service name
Huntress Exclusion Values
Create separate rules for the following Windows process paths and service names.
Process Path Exclusions
Create a separate rule for each of these process paths:
C:\Program Files\Huntress\HuntressAgent.exeC:\Program Files\Huntress\HuntressUpdater.exeC:\Program Files\Huntress\Rio\Rio.exeC:\Program Files\Huntress\hUpdate.exe(only required for legacy installations)
Service Name Exclusions
Create a separate rule for each of these Windows service short names:
HuntressAgentHuntressUpdaterHuntressRio
Important Behaviors and Limitations
Keep the following behaviors in mind when managing your integration:
Full isolation ignores exclusions: Exclusions only apply during selective isolation. In full isolation mode, Defender blocks all traffic except essential Defender communications
Exclusions apply only to new isolation requests: Changes to isolation exclusion rules do not affect devices that are already isolated. If you modify rules, you must release and re-isolate the device to apply the updated exclusions
Troubleshoot Huntress Agent Communication
If a device loses communication with the Huntress platform during isolation, verify the following:
You created the exclusion rules for both process paths and service names
You created each Huntress exclusion as a separate rule
Defender is using selective isolation rather than full isolation
The endpoint can establish outbound connections on port
443(verify that external firewalls, proxies, or DNS filters are not blocking this traffic)If you modified the exclusion rules while the device was already isolated, you released and re-isolated the device to apply the new rules
Relevant Articles: