streamlined-connectivity-processes.md

author	limwainstein
ms.author	lwainstein
ms.date	02/24/2026
ms.topic	include
ms.service	defender-endpoint

Select the tab for information about exclusions for that operating system.

Windows

The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table.

OS	Exclusions
Windows 11 Windows 10, version 1803 or later (See Windows 10 release information) Windows 10, version 1703 or 1709 with KB4493441 installed Windows Server 2025 Azure Stack HCI OS, version 23H2 and later Windows Server 2022 Windows Server 2019 Windows Server, version 1803 Windows Server 2016 running the modern unified solution Windows Server 2012 R2 running the modern unified solution	EDR exclusions: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe C:\Program Files\Windows Defender Advanced Threat Protection\SenseNdr.exe C:\Program Files\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection C:\Program Files\Windows Defender Advanced Threat Protection\SenseTVM.exe C:\Program Files\Windows Defender Advanced Threat Protection\SenseTracer.exe C:\Program Files\Windows Defender Advanced Threat Protection\SenseDlpProcessor.exe Registry path: HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\* Antivirus exclusions: C:\Program Files\Windows Defender\MsMpEng.exe C:\Program Files\Windows Defender\NisSrv.exe C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe C:\Program Files\Windows Defender\MpCmdRun.exe C:\Program Files\Windows Defender\MpDefenderCoreService.exe C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MsMpEng.exe C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\NisSrv.exe C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\ConfigSecurityPolicy.exe C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpCopyAccelerator.exe C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpCmdRun.exe C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpDefenderCoreService.exe C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\mpextms.exe Endpoint Data Loss Prevention (Endpoint DLP) exclusions: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpDlpService.exe C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MpDlpCmd.exe C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\MipDlp.exe C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.*\DlpUserAgent.exe
Windows Server 2016 or Windows Server 2012 R2 running the modern unified solution	The following additional exclusions are required after updating the Sense EDR component using KB5005292: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseTVM.exe
Windows 8.1 Windows 7 Windows Server 2008 R2 SP1	C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe ( Monitoring Host Temporary Files 6\45 can be different numbered subfolders.) C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe

macOS

For macOS devices, the following table lists processes to exclude in your non-Microsoft antivirus/antimalware solution:

Process	Location
wdavdaemon_enterprise EDR engine	/Library/Application Support/Microsoft/Defender/
wdavdaemon_unprivileged Antivirus engine	/Library/Application Support/Microsoft/Defender/
telemetryd_v1 Telemetry daemon for EDR	/Library/Application Support/Microsoft/Defender/
Netext Network extension	/Library/SystemExtensions/*/com.microsoft.wdav.netext.systemextension/Contents/MacOS/
Epsext Endpoint security extension	/Library/SystemExtensions/*/com.microsoft.wdav.epsext.systemextension/Contents/MacOS/
msupdate Microsoft AutoUpdate update tool	/Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app/Contents/MacOS

Linux

For Linux servers, the following table lists processes to exclude in your non-Microsoft antivirus/antimalware solution:

Process	Location
wdavdaemon Core daemon (service). Uses FANotify for both antimalware and EDR purposes (TALPA on older RHEL).	/opt/microsoft/mdatp/sbin/
wdavdaemon enterprise EDR engine. Used for enrichment.	/opt/microsoft/mdatp/sbin/
wdavdaemon unprivileged Antivirus engine	/opt/microsoft/mdatp/sbin/
crashpad_handler Collects crash dumps	/opt/microsoft/mdatp/sbin/
mdatp Command line utility	/opt/microsoft/mdatp/sbin/Wdavdaemonclient
mde_netfilter Packet filter for Network protection, also used for response capabilities	/opt/microsoft/mde_netfilter/sbin

---