[platform] making the Defender configuration script expand paths only once

(cherry picked from commit c7679a8c40eb4f9640d009c141b382c2ca2b3b64)

IJ-CR-149419

GitOrigin-RevId: 2ad4dd17438bad9032d6dd7b2925fb3d4d561785

bin/win/defender-exclusions.ps1

@@ -15,17 +15,15 @@ if ($args.Count -eq 0) {
 try {
   Import-Module Defender
 
-  # returns `$true` when a path is already covered by the exclusion list
-  function Test-Excluded ([string] $path, [string[]] $exclusions) {
+  # expands paths in the exclusion list
+  function Expand-Excluded ([string[]] $exclusions) {
+    $result = @()
     foreach ($exclusion in $exclusions) {
       try {
         $expanded = [System.Environment]::ExpandEnvironmentVariables($exclusion)
         $resolvedPaths = Resolve-Path -Path $expanded -ErrorAction Stop
         foreach ($resolved in $resolvedPaths) {
-          $resolvedStr = $resolved.ProviderPath.ToString()
-          if ([cultureinfo]::InvariantCulture.CompareInfo.IsPrefix($path, $resolvedStr, @("IgnoreCase"))) {
-            return $true
-          }
+          $result += $resolved.ProviderPath.ToString()
         }
       } catch [System.Management.Automation.ItemNotFoundException] {
       } catch [System.Management.Automation.DriveNotFoundException] {
@@ -33,13 +31,24 @@ try {
       } catch [System.UnauthorizedAccessException] {
       }
     }
+    return $result
+  }
 
+  # returns `$true` when a path is already covered by the exclusion list
+  function Test-Excluded ([string] $path, [string[]] $exclusions) {
+    foreach ($exclusion in $exclusions) {
+      if ([cultureinfo]::InvariantCulture.CompareInfo.IsPrefix($path, $exclusion, @("IgnoreCase"))) {
+        return $true
+      }
+    }
     return $false
   }
 
   $exclusions = (Get-MpPreference).ExclusionPath
   if (-not $exclusions) {
     $exclusions = @()
+  } else {
+    $exclusions = Expand-Excluded $exclusions
   }
 
   foreach ($path in $args) {