Q. When using Windows Defender with Windows Server 2016 do I need to manually add exceptions as roles are added?
A. No. Windows Defender in Windows Server 2016 features automatic exclusions as documented at https://technet.microsoft.com/en-us/library/dn913616.aspx. As the article explains the various roles that require exclusions automatically enable the exclusions on the firewall as roles are enabled. To disable this behavior of automatic exclusions use:
Set-MpPreference –DisableAutoExclusions $true