Updated 3/23/2023 to focus on the shared security intelligence feature for VDI.
Virtual Desktop Infrastructure (VDI) brings an interesting dynamic when tuning the platform. The delicate balance...
We believe we've identified what was causing our VMs to see a disk usage crush inside Windows on deployment. One of our security admins was seeing inside the Defender/Sentinel console a task being kicked off on all the deployed VMs, but we couldn't find it on them. It was really driving us nuts. We decided to crack open the gold image and look there for something else, and we happened upon it. It's disabled now, but last night this task "Windows Defender Scheduled Scan" was enabled:
Again, on the deployed VMs OFF THIS SNAPSHOT, the task isn't there. We're still not sure what whacks it after deployment, but it certainly kicks off after deployment. This was the action he was seeing in the console that we were trying to track down, and eventually did back to that task:
If anyone else has run into this, I'd love to hear any input/feedback on your experience. This has been a real doozy. We also were NOT running scans inside the gold image before last night; we ran a Quick Scan before sealing it, and it sounds like we'll make that part of our image process.
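A pre-seal check for the gold image, covering the two things the post above describes: the state of the "Windows Defender Scheduled Scan" task and a Quick Scan before sealing. This is an added example, not part of the original post. The task path is the default Windows location (an assumption, since the post does not show it), and the script parameters `-DisableTask` and `-RunQuickScan` are hypothetical names chosen for this example.

```powershell
#requires -RunAsAdministrator
# Added example: run inside the gold image before sealing/snapshotting it.
param(
    [switch]$DisableTask,    # hypothetical switch: disable the scheduled scan task in the image
    [switch]$RunQuickScan    # hypothetical switch: run a Quick Scan now so the image ships with a recent scan
)

# Assumption: default task location on Windows; the post only gives the task name.
$taskPath = '\Microsoft\Windows\Windows Defender\'
$taskName = 'Windows Defender Scheduled Scan'

$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue

if ($null -eq $task) {
    # The post notes the task was missing on deployed VMs; record that case explicitly.
    Write-Output "Task '$taskName' not found under $taskPath"
}
else {
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskName     = $task.TaskName
        State        = $task.State          # Ready / Disabled / Running
        TriggerCount = @($task.Triggers).Count
        LastRunTime  = $info.LastRunTime
        NextRunTime  = $info.NextRunTime
    }

    if ($DisableTask -and $task.State -ne 'Disabled') {
        $task | Disable-ScheduledTask | Out-Null
        Write-Output "Disabled '$taskName' in this image"
    }
}

if ($RunQuickScan) {
    # Blocks until the scan completes.
    Start-MpScan -ScanType QuickScan
}

# Report scan recency so the sealing checklist can record it.
$status = Get-MpComputerStatus
[pscustomobject]@{
    QuickScanEndTime              = $status.QuickScanEndTime
    QuickScanAgeDays              = $status.QuickScanAge
    AntivirusSignatureLastUpdated = $status.AntivirusSignatureLastUpdated
}
```

Running the same script without switches on a freshly deployed VM gives a side-by-side record of whether the task exists there and when a Quick Scan last finished.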