How to Bulk Reset Exclusions in Windows Defender

In the aftermath of a malware attack, you often end up with unwanted exclusion entries in Microsoft Defender Antivirus. Exclusions may exist for a folder, file, file type, or process. These exclusions can be cleared by opening the Virus and Threat Protection page in Windows Security.


Select each entry and click on the “Remove” button. However, if there are many exclusion entries and you want to clear all of them automatically, you can use PowerShell.

Clear Exclusions and Allowed Threats in Defender

Use the following PowerShell code to quickly clear the exclusions and allowed threats (if any).

Open PowerShell (admin). Please copy the following commands and paste them into the PowerShell window.

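# Read the current exclusion lists from the Defender preferences
$Paths = (Get-MpPreference).ExclusionPath
$Extensions = (Get-MpPreference).ExclusionExtension
$Processes = (Get-MpPreference).ExclusionProcess
foreach ($Path in $Paths) { Remove-MpPreference -ExclusionPath $Path -Verbose }
foreach ($Extension in $Extensions) { Remove-MpPreference -ExclusionExtension $Extension -Verbose }
foreach ($Process in $Processes) { Remove-MpPreference -ExclusionProcess $Process -Verbose }
# Clear the allowed threats
$ThreatIds = (Get-MpPreference).ThreatIDDefaultAction_Ids
foreach ($ThreatId in $ThreatIds) { Remove-MpPreference -ThreatIDDefaultAction_Ids $ThreatId -Verbose }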


The above code snippet clears all the exclusions and also the allowed threats. Note that it doesn’t clear exclusions configured via group policy. Also, the above code snippet doesn’t remove the exclusion entries for Controlled folder access, as they’re stored separately.

If the above PowerShell code can’t remove the exclusions, it may be because the exclusions are configured via GPO or registry-based policies. In that case, see the article Fix: Cannot Delete Microsoft Defender Exclusions to clear them en masse.
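After a malware incident, the exclusion list is itself evidence of what the malware tried to hide, so it is worth recording before it is wiped. The script below is an added example, not part of the original article: it saves the current exclusions and allowed threat IDs to a JSON file, clears them, and then lists anything still present (for instance, entries set by policy). The function name Get-DefenderExclusionSnapshot and the output location in $OutFile are assumptions chosen for illustration. Save it as a .ps1 file and run it from an elevated PowerShell window.

```powershell
#Requires -RunAsAdministrator
# Added example: record Defender exclusions and allowed threats, clear them,
# then report what remains. Function name and $OutFile are illustrative.

function Get-DefenderExclusionSnapshot {
    $p = Get-MpPreference
    # The pipeline filter drops $null so empty lists become empty arrays.
    [pscustomobject]@{
        Taken      = (Get-Date).ToString('o')
        Computer   = $env:COMPUTERNAME
        Paths      = @($p.ExclusionPath            | Where-Object { $null -ne $_ })
        Extensions = @($p.ExclusionExtension       | Where-Object { $null -ne $_ })
        Processes  = @($p.ExclusionProcess         | Where-Object { $null -ne $_ })
        ThreatIds  = @($p.ThreatIDDefaultAction_Ids | Where-Object { $null -ne $_ })
    }
}

# 1. Save the pre-cleanup state for the incident record.
$OutFile = Join-Path $env:TEMP ("defender-exclusions-{0:yyyyMMdd-HHmmss}.json" -f (Get-Date))
$before  = Get-DefenderExclusionSnapshot
$before | ConvertTo-Json -Depth 3 | Set-Content -Path $OutFile -Encoding UTF8

# 2. Remove every recorded entry, one at a time, so a single failure
#    does not stop the rest.
foreach ($x in $before.Paths)      { Remove-MpPreference -ExclusionPath $x }
foreach ($x in $before.Extensions) { Remove-MpPreference -ExclusionExtension $x }
foreach ($x in $before.Processes)  { Remove-MpPreference -ExclusionProcess $x }
foreach ($x in $before.ThreatIds)  { Remove-MpPreference -ThreatIDDefaultAction_Ids $x }

# 3. Re-read the preferences and report anything that survived the cleanup.
$after = Get-DefenderExclusionSnapshot
$left  = @($after.Paths + $after.Extensions + $after.Processes + $after.ThreatIds)

if ($left.Count -gt 0) {
    Write-Warning "$($left.Count) entries are still present (possibly set by policy):"
    $left
} else {
    Write-Output "All exclusions and allowed threats cleared. Record saved to $OutFile"
}
```

Review the saved JSON for paths, extensions, or processes you did not add yourself; those entries point to where the malware expected to run unscanned.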

More Information

The Microsoft Defender antivirus exclusions are stored in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions

And the allowed threats are stored in the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Threats

See also: Accidentally Allowed a Threat in Windows Defender. What to do now?

These two keys can’t be modified directly when Microsoft Defender Antivirus is running. However, the above PowerShell code can clear them.


Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded in 2005.
