DeltaPulse now has a public MCP server. Add / integrate this tool with your Copilot Agent(s).

MCP Documentation

(Updated) Microsoft Defender Antivirus: Change to exclusion storage when using MDE security settings management

Message ID
MC1227621
View in Message Center
Service
Microsoft Defender XDR
Category
Plan for Change
Tags
Major Change Feature updateAdmin impact
Rollout
March 2026

Summary

Starting March 2026, Microsoft Defender Antivirus with MDE security settings will stop storing readable exclusions in the local registry. Organizations must use PowerShell cmdlets like Get-MpPreference to retrieve settings. Registry-based monitoring will no longer work; update scripts and notify teams accordingly.

Details

Updated February 13, 2026: We have updated the content. Thank you for your patience. 

[Introduction]

Microsoft Defender Antivirus on Windows is updating how antivirus configuration settings, such as exclusions, are stored when Microsoft Defender for Endpoint (MDE) security settings management is enabled. Starting with platform release 4.18.25110.6, devices using MDE security settings management will no longer store readable exclusion values in the local device registry. Organizations must retrieve configuration using supported Microsoft Defender PowerShell cmdlets, such as Get-MpPreference.

[When this will happen:]

General Availability (Worldwide): We will begin rolling out early March 2026 and expect to complete by late March 2026.

[How this affects your organization:]

Who is affected:

  • Organizations using Microsoft Defender for Endpoint security settings management.
  • Admins or tools relying on registry-based monitoring of antivirus settings.

What will happen:

  • Defender antivirus configuration, such as exclusions, values will no longer be readable from the local device registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender. As such registry‑based extractions will no longer be supported.
  • Supported Microsoft Defender PowerShell cmdlets (such as Get-MpPreference) will become the required method to retrieve antivirus configuration settings.
  • Devices not using MDE configuration management are not affected.
  • The feature is on by default for tenants using MDE configuration management.

[What you can do to prepare:]

  • Update monitoring workflows and scripts to use supported PowerShell cmdlets such as:
    • Get-MpPreference
    • Get-MpComputerStatus
  • Review internal documentation on retrieving antivirus settings.
  • Notify helpdesk or monitoring teams that registry-based queries will no longer return exclusion data.

Learn more: Troubleshoot Microsoft Defender Antivirus settings - Microsoft Defender for Endpoint | Microsoft Learn (will be updated to reflect this change)

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

Change History

Show
February 14, 2026 at 2:30 AM Updated
Title
Previous
Microsoft Defender Antivirus: Change to exclusion storage when using MDE configuration management
New
(Updated) Microsoft Defender Antivirus: Change to exclusion storage when using MDE security settings management
Summary
Previous
Starting March 2026, Microsoft Defender Antivirus with MDE configuration management will stop storing readable exclusion values in the local registry. Organizations must use supported PowerShell cmdlets like Get-MpPreference to retrieve antivirus settings. Registry-based monitoring will no longer work for affected devices.
New
Starting March 2026, Microsoft Defender Antivirus with MDE security settings will stop storing readable exclusions in the local registry. Organizations must use PowerShell cmdlets like Get-MpPreference to retrieve settings. Registry-based monitoring will no longer work; update scripts and notify teams accordingly.
Last Updated Date
Previous
2026-02-06T00:41:26.143Z
New
2026-02-13T23:00:20.803Z
Tags
Previous
Feature update,Admin impact
New
Updated message,Feature update,Admin impact
Body Content
Previous

[Introduction]

Microsoft Defender Antivirus on Windows is updating how antivirus configuration settings, such as exclusions, are stored when Microsoft Defender for Endpoint (MDE) configuration management is enabled. Starting with platform release 4.18.25110.6, devices using MDE configuration management will no longer store readable exclusion values in the local device registry. Organizations must retrieve configuration using supported Microsoft Defender PowerShell cmdlets, such as Get-MpPreference.

[When this will happen:]

General Availability (Worldwide): We will begin rolling out early March 2026 and expect to complete by late March 2026.

[How this affects your organization:]

Who is affected:

  • Organizations using Microsoft Defender for Endpoint configuration management.
  • Admins or tools relying on registry-based monitoring of antivirus settings.

What will happen:

  • Antivirus exclusion values will no longer be readable from the local device registry.
  • Registry‑based extraction of exclusions will no longer be supported.
  • Supported Microsoft Defender PowerShell cmdlets (such as Get-MpPreference) will become the required method to retrieve antivirus configuration settings.
  • Devices not using MDE configuration management are not affected.
  • The feature is on by default for tenants using MDE configuration management.

[What you can do to prepare:]

  • Update monitoring workflows and scripts to use supported PowerShell cmdlets such as:
    • Get-MpPreference
    • Get-MpComputerStatus
  • Review internal documentation on retrieving antivirus settings.
  • Notify helpdesk or monitoring teams that registry-based queries will no longer return exclusion data.

Learn more: Troubleshoot Microsoft Defender Antivirus settings - Microsoft Defender for Endpoint | Microsoft Learn (will be updated to reflect this change)

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

New

Updated February 13, 2026: We have updated the content. Thank you for your patience. 

[Introduction]

Microsoft Defender Antivirus on Windows is updating how antivirus configuration settings, such as exclusions, are stored when Microsoft Defender for Endpoint (MDE) security settings management is enabled. Starting with platform release 4.18.25110.6, devices using MDE security settings management will no longer store readable exclusion values in the local device registry. Organizations must retrieve configuration using supported Microsoft Defender PowerShell cmdlets, such as Get-MpPreference.

[When this will happen:]

General Availability (Worldwide): We will begin rolling out early March 2026 and expect to complete by late March 2026.

[How this affects your organization:]

Who is affected:

  • Organizations using Microsoft Defender for Endpoint security settings management.
  • Admins or tools relying on registry-based monitoring of antivirus settings.

What will happen:

  • Defender antivirus configuration, such as exclusions, values will no longer be readable from the local device registry: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender. As such registry‑based extractions will no longer be supported.
  • Supported Microsoft Defender PowerShell cmdlets (such as Get-MpPreference) will become the required method to retrieve antivirus configuration settings.
  • Devices not using MDE configuration management are not affected.
  • The feature is on by default for tenants using MDE configuration management.

[What you can do to prepare:]

  • Update monitoring workflows and scripts to use supported PowerShell cmdlets such as:
    • Get-MpPreference
    • Get-MpComputerStatus
  • Review internal documentation on retrieving antivirus settings.
  • Notify helpdesk or monitoring teams that registry-based queries will no longer return exclusion data.

Learn more: Troubleshoot Microsoft Defender Antivirus settings - Microsoft Defender for Endpoint | Microsoft Learn (will be updated to reflect this change)

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

Never Miss a Microsoft 365 Update

Join thousands of IT professionals who rely on DeltaPulse for real-time Microsoft 365 change intelligence, automated notifications, and community insights.