Skip to content

Fix policy exclusions

Ensure that exclusions in your endpoint or server threat protection policies aren't a security risk.


We recommend that you make as few exclusions as you can and apply them to as few resources and devices as you can.

This page shows how to fix an endpoint policy, but the steps are the same for endpoint and server policies.

If Account Health Check warns that exclusions are causing a significant security risk, you can fix these automatically or manually.

Fix automatically

If you choose to fix your policy exclusions automatically, we remove any insecure exclusions from your exclusions in all your affected polices. You can check the changes in your audit log.

To remove exclusions automatically, do as follows:

  1. Click Fix automatically in the warning.

    Fix policy exclusions

  2. Confirm that you want to remove your insecure policy exclusions.

Fix manually

To fix your exclusions manually, do as follows:

  1. In the warning, click the arrow beside each exclusion to see why it's risky.

    You might see warnings for multiple exclusions in a policy, or for multiple policies.

    Policy exclusion details

  2. Click the policy name.

    Policy exclusions warning

  3. The Exclusions section of the policy opens. Select each exclusion that's causing a risk and click the cross on the right to delete it.

    Exclusions list

  4. Click Save at the top of the policy page.

  5. Go to Account Health Check. The policy exclusions check now shows that your exclusions are secure.

    Exclusions check with green checkmark