Fix policy exclusions

Ensure that exclusions in your endpoint or server threat protection policies aren't a security risk.

Note

We recommend that you make as few exclusions as you can and apply them to as few resources and devices as you can.

This page shows how to fix an endpoint policy, but the steps are the same for endpoint and server policies.

If Account Health Check warns that exclusions are causing a significant security risk, you can fix these automatically or manually.

Fix automatically

If you choose to fix your policy exclusions automatically, we remove any insecure exclusions from all your affected policies. You can check the changes in your audit log.

To remove exclusions automatically, do as follows:

  1. Click Fix automatically in the warning.

  2. Confirm that you want to remove your insecure policy exclusions.

  3. When Account Health Check refreshes, it no longer shows insecure exclusions.

    The green checkmark means we haven't found the exclusions we check for. We only check for very insecure exclusions. You should regularly check that your exclusions are secure and needed.

Fix manually

To fix your exclusions manually, do as follows:

  1. In the warning, click the arrow beside each exclusion to see why it's risky.

    You might see warnings for multiple exclusions in a policy, or for multiple policies.

  2. Click the policy name.

  3. The Exclusions section of the policy opens. Select each exclusion that's causing a risk and click the cross on the right to delete it.

  4. Click Save at the top of the policy page.

  5. Go to Dashboards > Account Health Check. The policy exclusions check no longer shows insecure exclusions.

    The green checkmark means we haven't found the exclusions we check for. We only check for very insecure exclusions. You should regularly check that your exclusions are secure and needed.
