Patch My PC – Recommended antivirus exclusions

This article outlines Microsoft’s recommended antivirus exclusions for Configuration Manager, WSUS, and Intune. It documents folders pertinent to content distribution, particularly those within Patch My PC’s scope of third-party updates. We’ve included links to relevant Microsoft documentation for a deeper dive into the topic.

Patch My PC Publisher

If you are using the on-premises Patch My PC Publisher for third-party patching, make sure the following antivirus exclusion is in place:

Note: The <InstallDirectory> folder is specified in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Patch My PC Publishing Service:Path

Configuration Manager / WSUS

Server-side

Microsoft recommends quite a few antivirus exclusions when it comes to Configuration Manager (server-side). The Patch My PC Publisher interacts with the following folders:

  • <ContentLib_drive>\SCCMContentLib\*
    • The location the content for the ConfigMgr apps will be published
  • <WSUS_ContentDir>\WSUSContent\*
    • The location the content for the WSUS updates will be published

Note: The <WSUS_ContentDir> folder is specified in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup:ContentDir

More info on the server-side exclusions Microsoft recommends for ConfigMgr can be found here and WSUS can be found here.

Client-Side

When it comes to clients, these folders should be excluded from antivirus scans:

  • C:\Windows\CCMCache\*
    • The SCCM cache folder stores temporary software packages for application execution
  • C:\Windows\Setup\Scripts\*
    • The location for custom scripts run during the Windows installation process

More info on the client-side exclusions Microsoft recommends for ConfigMgr can be found here.

Intune

For Win32 apps, Microsoft suggests excluding these folders from antivirus actions on the client side:

On x64 client machines:

  • C:\Program Files (x86)\Microsoft Intune Management Extension\Content\*
    • The location content is staged in and detection scripts are executed from.
  • C:\Windows\IMECache\*
    • The location installers are executed from.

On x86 client machines:

  • C:\Program Files\Microsoft Intune Management\Content\*
    • The location content is staged in and detection scripts are executed from.
  • C:\Windows\IMECache\*
    • The location installers are executed from.

For more information on the AV exclusions, see this Microsoft Docs page.
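
Files in an excluded folder are never scanned, so it is worth confirming that each documented client-side folder is writable only by privileged principals and seeing which exclusions are actually configured. The PowerShell below is an added example, not code from Patch My PC or Microsoft; it assumes Microsoft Defender Antivirus as the AV product, an elevated session on an x64 client, and a trusted-SID list that you should adjust to your environment.

```powershell
# Added example: audit the Microsoft-documented client-side exclusion folders.
# Assumptions: Microsoft Defender Antivirus, elevated session, x64 client.
$documented = @(
    'C:\Windows\CCMCache'
    'C:\Windows\Setup\Scripts'
    'C:\Program Files (x86)\Microsoft Intune Management Extension\Content'
    'C:\Windows\IMECache'
)

# Well-known SIDs expected to hold write access (assumed baseline):
# SYSTEM, Administrators, TrustedInstaller, CREATOR OWNER.
$trustedSids = @(
    'S-1-5-18'
    'S-1-5-32-544'
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    'S-1-3-0'
)

# WriteData | AppendData | GENERIC_ALL | GENERIC_WRITE
# (raw generic bits can appear in inherited ACEs).
$writeMask = 0x50000006
$sidType   = [System.Security.Principal.SecurityIdentifier]

# Exclusions currently configured in Defender, normalised to bare folder paths.
$configured = @((Get-MpPreference).ExclusionPath) | Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('*').TrimEnd('\') }

$report = foreach ($path in $documented) {
    $exists  = Test-Path -LiteralPath $path
    $writers = @()
    if ($exists) {
        # Resolve every ACE to a SID so the check is independent of OS language.
        $rules   = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType)
        $writers = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeMask) -and
            $trustedSids -notcontains $_.IdentityReference.Value
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    }
    [pscustomobject]@{
        Path             = $path
        Exists           = $exists
        ExcludedInAV     = $configured -contains $path
        UntrustedWriters = $writers -join ', '
    }
}
$report | Format-Table -AutoSize -Wrap
```

Any SID listed under UntrustedWriters identifies a principal outside the assumed baseline that can place files in a folder the antivirus will not scan; review that ACL before adding or keeping the exclusion.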

Honorable mentions

This section highlights folders identified by Patch My PC engineers that contain files related to Patch My PC-published applications and updates. If these folders are blocked by antivirus or security software, that may cause issues.

Since there is no Microsoft documentation that explicitly mentions that these directories need to be whitelisted, please proceed with caution if you need to whitelist them.

ConfigMgr / WSUS server-side

  • <WSUS_ContentDir>\UpdateServicesPackages\*
    • The location 3rd party update content is staged before the cab is copied to the WSUSContent folder
  • %ProgramFiles%\Update Services\LogFiles\WSUSTemp\*
    • The location of the staging area for signing cab files for 3rd party content


ConfigMgr / WSUS client-side

  • C:\Windows\CCM\SystemTemp*
    • This folder stores PowerShell detection scripts used in ConfigMgr Apps packaged by the Patch My PC Publisher.
    • The ConfigMgr agent runs these PowerShell scripts from this location.
    • Additionally, unrelated to Patch My PC, PowerShell scripts associated with Configuration Items or Baselines are also executed from this directory.
  • %windir%\SoftwareDistribution\Datastore\*
    • The location for metadata for Windows Server Update Services clients
  • %windir%\SoftwareDistribution\Download\*
    • The location for update content delivered via Windows Server Update Services

Published on December 14, 2023