From 04e2d46c5b0994aefda58e659b99e89164de1dad Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 13 Jan 2021 13:06:18 -0800 Subject: [PATCH] Update defender-endpoint-false-positives-negatives.md --- ...nder-endpoint-false-positives-negatives.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md index 61db33647d..f9216bbfe8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md 
@@ -85,6 +85,33 @@ To define exclusions across Microsoft Defender for Endpoint, you must perform at You must perform both kinds of tasks because Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR), [attack surface reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). +### Exclusions for Microsoft Defender Antivirus + +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions. + +> [!TIP] +> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). + +#### Use Microsoft Endpoint Manager to manage antivirus exclusions for existing policies + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. 
Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to the next procedure). +3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. +4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. +5. Choose **Review + save**, and then choose **Save**. + +#### Use Microsoft Endpoint Manager to create an antivirus policy with exclusions +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. +3. Select a platform (such as Windows 10 and later, macOS, or Windows 10 and Windows Server). +4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. +5. Specify a name and description for the profile, and then choose **Next**. +6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. +7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags]( Use role-based access control (RBAC) and scope tags for distributed IT in Intune | Microsoft Docs).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + + ## Review or define indicators
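Review bot: the links in steps 7 and 8 of the "create an antivirus policy with exclusions" procedure are broken: the link target in `(See [Scope tags]( Use role-based access control (RBAC) and scope tags for distributed IT in Intune | Microsoft Docs).)` and in `[Assign user and device profiles in Microsoft Intune](Assign device profiles in Microsoft Intune - Azure | Microsoft Docs)` is the pasted page title rather than a URL, so the rendered page will show a dead link (and the leading space in the first one will not even be parsed as a link). Please replace each target with the actual docs.microsoft.com URL for that page, in the same form as the other links in this file. Two smaller points: the TIP link uses `https://docs.microsoft.com/en-us/...` while every other link in the hunk omits the `en-us` locale segment, so drop it for consistency, and the second `####` heading is missing the blank line before its numbered list that the first procedure has, which some markdown renderers need to start the list.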