How to Prevent Windows Defender From Removing Files 

Windows Defender (Microsoft Defender Antivirus) protects millions of PCs, but occasionally it will quarantine or remove files you know are safe: development builds, custom scripts, utilities, or installer packages. When that happens repeatedly it disrupts your workflow. The correct approach is to teach Defender that the file (or folder, or process) is trusted, or to submit a false positive to Microsoft — not to circumvent protection.

Below we’ll show three safe, supported approaches: restore-and-allow for files already quarantined, add exclusions so Defender skips specified files/folders/processes/extensions, and configure Controlled folder access so legitimate apps can write without being blocked. We’ll also cover temporary, careful toggles (for short tests) and how administrators should manage exclusions centrally.

Prevent Windows Defender From Removing Files 

You must be signed in as an administrator to change Defender settings or add exclusions. If you are working in a corporate or school environment, you will need your IT admin’s approval and help — many tenants enforce exclusions or block changes remotely. Before excluding anything, verify the file is genuinely safe by scanning it with multiple tools or submitting it to Microsoft for analysis; excluding a malware file permanently exposes your PC.

Step 1: Restore a file that Defender already quarantined and allow it on the device

If Defender already removed or quarantined a file, restore it from Protection history and mark it allowed so future scans won’t remove it.

  1. Open Settings → Privacy & security → Windows Security and click Open Windows Security.
  2. Click Virus & threat protection, then under Current threats choose Protection history.
  3. Find the quarantined item, expand it, and confirm the file path and why Defender flagged it. Only proceed if you are certain the file is safe.
  4. Click Actions and choose Restore or Allow on device. Confirm the prompts.

Restoring returns the file to its original location and registers it as allowed for that device. If Defender later flags the same file again, proceed to add a permanent exclusion (next step).

Step 2: Add an exclusion (file, folder, process, or extension) — GUI and PowerShell

Exclusions tell Defender to skip scanning specific files, folders, processes, or file extensions. Prefer folder or process exclusions over single files if the app produces new files repeatedly.

To add an exclusion using the Windows Security UI:

  1. Open Windows Security → Virus & threat protection → Manage settings under Virus & threat protection settings.
  2. Scroll to Exclusions and click Add or remove exclusions.
  3. Click Add an exclusion and choose File, Folder, File type, or Process. Navigate to the target and confirm.

To add exclusions using PowerShell (faster and scriptable):

  1. Open Windows Terminal (Admin) or PowerShell (Admin).
  2. Run one of these example commands:
    • Exclude a single folder: Add-MpPreference -ExclusionPath "C:\Projects\MyTool\output"
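    • Exclude a process (Defender skips files that this process opens; the executable itself is still scanned): Add-MpPreference -ExclusionProcess "C:\Projects\MyTool\build\mytool.exe"
    • Exclude by file extension: Add-MpPreference -ExclusionExtension ".tmpproj"
  3. Confirm with: Get-MpPreference | Select-Object -ExpandProperty ExclusionPath (use ExclusionProcess or ExclusionExtension to check the other two lists)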

Important: use path or process exclusions only for trusted code. Excluding broad locations (like entire user folders) increases attack surface.
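
One way to enforce that warning in a script, as an added example that is not part of the original article: a wrapper around Add-MpPreference that refuses broad locations and reads the setting back. The function name Add-SafeDefenderExclusion and the $tooBroad list are assumptions made for this sketch.

```powershell
# Added example; Add-SafeDefenderExclusion and $tooBroad are hypothetical names.
function Add-SafeDefenderExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    # Resolve to an existing folder so typos and relative paths are caught early.
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    if (-not $item.PSIsContainer) { throw "Not a folder: $Path" }
    $full = $item.FullName.TrimEnd('\')

    # Locations treated as too broad to exclude (a list chosen for this example).
    $tooBroad = @(
        $env:SystemDrive, $env:SystemRoot, $env:ProgramData,
        $env:ProgramFiles, ${env:ProgramFiles(x86)},
        $env:USERPROFILE, (Split-Path $env:USERPROFILE -Parent),
        (Join-Path $env:USERPROFILE 'Downloads'),
        (Join-Path $env:USERPROFILE 'Desktop'),
        (Join-Path $env:USERPROFILE 'Documents')
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

    if ($tooBroad -contains $full) {      # -contains compares case-insensitively
        throw "Refusing to exclude broad location: $full"
    }
    if (@((Get-MpPreference).ExclusionPath) -contains $full) {
        Write-Verbose "Already excluded: $full"
        return
    }
    if ($PSCmdlet.ShouldProcess($full, 'Add Defender path exclusion')) {
        Add-MpPreference -ExclusionPath $full -ErrorAction Stop
        # Read the setting back instead of assuming the change took effect.
        if (@((Get-MpPreference).ExclusionPath) -notcontains $full) {
            throw "Exclusion not present after adding: $full"
        }
    }
}

# Preview against the folder used in the commands above; drop -WhatIf to apply.
Add-SafeDefenderExclusion -Path 'C:\Projects\MyTool\output' -WhatIf
```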

Step 3: Allow an app through Controlled folder access (for write operations)

If Defender’s Ransomware protection (Controlled folder access) blocks an app from saving files, whitelist the app rather than excluding the whole folder.

  1. Open Windows Security → Virus & threat protection.
  2. Under Ransomware protection, click Manage ransomware protection.
  3. Check that Controlled folder access is On; the allowed-apps list only matters if you use the feature.
  4. Click Allow an app through Controlled folder access → Add an allowed app. Browse to and select the application EXE that should be allowed to write.

This lets the specific application save files in protected folders while Defender still protects the folder from unknown threats.

Step 4: Temporarily disable real-time protection for short tests (use sparingly)

If you need a short window to test an installer or debugging workflow, you can temporarily turn off real-time protection, but re-enable it immediately after the test.

  1. Open Windows Security → Virus & threat protection → Manage settings.
  2. Toggle Real-time protection off. Perform your test quickly, then toggle it back on.

Do not leave real-time protection off for general use. If you must keep it off for a lengthy period, use exclusions instead.

Step 5: If Defender deletes a file permanently — restore from backup or use PowerShell to list threats

If the file was removed rather than quarantined, restore it from backup or cloud storage. To inspect Defender’s detections with PowerShell, run:

Get-MpThreatDetection
Get-MpPreference

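To restore a quarantined item that is listed by name, use Defender's command-line tool from an elevated PowerShell window (only if you audited it and are sure it's safe):

& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -Name "<ThreatName>"

Running the same tool with -Restore -ListAll shows the items currently in quarantine.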
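
Get-MpThreatDetection reports numeric threat IDs rather than names. The following added example (not from the original article) joins it with Get-MpThreat so each detection shows the threat name a restore by name needs, along with the affected files; the function name Get-DefenderDetectionReport and its -PathLike parameter are assumptions of this sketch.

```powershell
# Added example; Get-DefenderDetectionReport and -PathLike are hypothetical names.
function Get-DefenderDetectionReport {
    param([string]$PathLike = '*')   # optional wildcard filter on affected resources

    # Index the threats known on this device by ThreatID for the name lookup.
    $byId = @{}
    foreach ($t in Get-MpThreat) { $byId[$t.ThreatID] = $t }

    Get-MpThreatDetection |
        Where-Object { @($_.Resources | Where-Object { $_ -like $PathLike }).Count -gt 0 } |
        Sort-Object InitialDetectionTime -Descending |
        ForEach-Object {
            $threat = $byId[$_.ThreatID]
            [pscustomobject]@{
                Detected      = $_.InitialDetectionTime
                ThreatName    = if ($threat) { $threat.ThreatName } else { "ThreatID $($_.ThreatID)" }
                ActionSuccess = $_.ActionSuccess
                Process       = $_.ProcessName
                Resources     = $_.Resources -join '; '
            }
        }
}

# Example: detections that touched the project tree used earlier on this page.
Get-DefenderDetectionReport -PathLike '*C:\Projects\MyTool\*' | Format-List
```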

Step 6: Submit a false positive to Microsoft

If Defender repeatedly flags a safe file, submit it to Microsoft for analysis so the engine can be updated and future users won’t be affected.

  1. Upload the file to Microsoft’s Security Intelligence submission portal (search “Microsoft submit a file for analysis”).
  2. Provide context about the file and why you believe it’s safe.
  3. Wait for Microsoft to respond — if it’s a false positive they will update definitions or provide guidance.

This is the long-term, community-safe solution for repeated false positives.

Step 7: For managed environments — use Group Policy, Intune, or Endpoint Manager

Do not add local exclusions on corporate machines without IT approval. Admins should use central management to apply exclusions so security posture is consistent.

  • In Group Policy (Windows Server/AD), configure Defender exclusions under:
    Computer Configuration → Administrative Templates → Microsoft Defender Antivirus → Exclusions
  • In Microsoft Intune / Endpoint Manager, create device configuration or Endpoint Protection profiles to add exclusions, Controlled folder access whitelists, and policies.

Central management ensures auditability and reduces risk from ad-hoc local exclusions.

Step 8: Audit and document any exclusions

Every exclusion increases risk. Keep a short log or documentation of the exclusions you added, including who approved them and why. Periodically review exclusions and remove any that are no longer required.
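
A starting point for that log, as an added example that is not part of the original article: it inventories all three exclusion lists, marks entries whose target no longer exists on disk as review candidates, and writes a CSV with empty approval columns to fill in. The function name Get-DefenderExclusionInventory, the column names and the output file name are assumptions.

```powershell
# Added example; function name, column names and CSV file name are hypothetical.
function Get-DefenderExclusionInventory {
    $pref  = Get-MpPreference
    $lists = [ordered]@{
        Path      = $pref.ExclusionPath
        Process   = $pref.ExclusionProcess
        Extension = $pref.ExclusionExtension
    }
    foreach ($type in $lists.Keys) {
        foreach ($value in (@($lists[$type]) | Where-Object { $_ })) {
            $expanded    = [Environment]::ExpandEnvironmentVariables($value)
            $hasWildcard = $value -match '[*?]'
            # Existence is only meaningful for concrete, fully qualified paths.
            $checkable = ($type -ne 'Extension') -and (-not $hasWildcard) -and
                         [System.IO.Path]::IsPathRooted($expanded)
            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                Reviewed     = Get-Date -Format 'yyyy-MM-dd'
                Type         = $type
                Value        = $value
                Wildcard     = $hasWildcard
                ExistsOnDisk = if ($checkable) { Test-Path -LiteralPath $expanded } else { $null }
                ApprovedBy   = ''   # filled in by the reviewer
                Reason       = ''   # filled in by the reviewer
            }
        }
    }
}

$inventory = @(Get-DefenderExclusionInventory)
$inventory | Export-Csv -Path .\defender-exclusions.csv -NoTypeInformation

# Entries whose target is gone are the first candidates for removal
# (Remove-MpPreference -ExclusionPath / -ExclusionProcess), after review.
$inventory | Where-Object { $_.ExistsOnDisk -eq $false } | Format-Table Type, Value
```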

Warnings and best practices

  1. Never exclude files or folders unless you are absolutely sure they are safe.
  2. Prefer process or application allowlisting (Controlled folder access allow) over broad folder exclusions.
  3. Use PowerShell or Group Policy for repeatable, auditable changes.
  4. Re-enable real-time protection immediately after any temporary test window.
  5. Submit repeated false positives to Microsoft so the underlying detection can be fixed for everyone.

Wrapping up

When Defender removes files you need, the right fix is to restore and explicitly allow those items or add precise exclusions, not to disable protections permanently. Use folder or process exclusions and Controlled folder access to give trusted apps the permissions they need, and submit false positives to Microsoft so the detection improves for everyone. If you are on a managed device, coordinate with your IT admin so changes are made safely and centrally.

Posted by Arpita

With a background in Computer Science, she is passionate about sharing practical programming tips and tech know-how. From writing clean code to solving everyday tech problems, she breaks down complex topics into approachable guides that help others learn and grow.
