Patch My PC – Recommended antivirus exclusions
This article outlines Microsoft’s recommended antivirus exclusions for Configuration Manager, WSUS, and Intune. It documents folders pertinent to content distribution, particularly those within Patch My PC’s scope of third-party updates. We’ve included links to relevant Microsoft documentation for a deeper dive into the topic.
Topics covered in this article:
Configuration Manager / WSUS
Server-side
Microsoft recommends quite a few antivirus exclusions when it comes to Configuration Manager (server-side). The Patch My PC Publisher interacts with the following folders:- ContentLib_drive\SCCMContentLib – The location the content for the ConfigMgr apps will be published
- %Systemroot%\WSUS\WSUSContent – The location the content for the WSUS updates will be published
- %Systemroot%\WSUS\UpdateServicesPackages – The location 3rd party update content is staged before the cab is copied to the WSUSContent folder
- %ProgramFiles%\Update Services\LogFiles\WSUSTemp – The location of the staging area for signing cab files for 3rd party content
Client-Side
When it comes to clients, these folders should be excluded from antivirus scans:
- C:\Windows\CCMCache – The SCCM cache folder stores temporary software packages for application execution
- C:\Windows\Setup\Scripts – The location for custom scripts during Windows installation process
- C:\Windows\SoftwareDistribution\Datastore – The location for metadata for Windows Server Update Services clients
- C:\Windows\SoftwareDistribution\Download – The location for update content delivered via Windows Server Update Services
More info on the client-side exclusions Microsoft recommends for ConfigMgr can be found here.
Intune
For Win32 apps, Microsoft suggests excluding these folders from antivirus actions on the client side:
On x64 client machines:
- C:\Program Files (x86)\Microsoft IntuneManagement Extension\Content – The location content is staged in and detection scripts are executed from.
- C:\Windows\IMECache – The location installers are executed from.
On x86 client machines:
- C:\Program Files\Microsoft Intune Management\Content – The location content is staged in and detection scripts are executed from.
- C:\Windows\IMECache – The location installers are executed from.
More information on the exclusions Microsoft recommends for Intune can be found here.