Microsoft Defender for Endpoint | Microsoft Community Hub

Forum Widgets

Latest Discussions

High CPU Usage by Microsoft Defender Antivirus on Windows Server 2019 Azure VMs
Hello, I’m running into a recurring issue on Windows Server 2019 Datacenter VMs running in Azure where MsMpEng.exe (Antimalware Service Executable) consistently spikes CPU usage every day. Here’s what I’ve observed so far: Microsoft Defender pulls threat intelligence from the cloud continuously in real-time, in addition to multiple scheduled updates per day. Despite this continuous checking, I’ve noticed a consistent CPU spike only between 4:40 PM and 4:55 PM daily. During this time, Defender consumes 100% CPU. I’ve checked Task Scheduler and Defender scan settings — there are no scans or tasks scheduled during this period. Limiting CPU usage using Set-MpPreference -ScanAvgCPULoadFactor 30 has had no effect on these background maintenance routines. Automatic provisioning via Defender for Cloud is enabled on these Azure VMs, so the MDE agent installs and updates automatically. Logs from Microsoft-Windows-Windows Defender/Operational during the high CPU window: 10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence... 10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence... 10/2/2025 4:49:41 PM 1150 Endpoint Protection client is up and running in a healthy state... These logs confirm that Defender’s cloud intelligence updates and endpoint checks run exactly during the CPU spike window. Even though Defender continuously checks for cloud protection updates throughout the day, the CPU spike occurs only during this particular window. The pattern is consistent across multiple Azure VMs, suggesting this is part of Defender’s automated behavior. Questions for the community: Is this behavior expected for Azure VMs, or could it indicate a bug in Defender on Windows Server 2019? Is there a supported way to throttle, defer, or better manage CPU usage during these maintenance and cloud intelligence routines? Are there recommended best practices for always-on production environments in Azure to avoid performance degradation caused by Defender? Any guidance or advice would be really appreciated. Thanks, Nikunj
Solved
nsojitra
Copper Contributor
Oct 15, 2025
264Views
1like
4Comments
ASR rules enabled after onboarding Windows server
Hello, I tested onboarding Windows Server 2019 to Defender using local script and noticed that after onboarding some ASR rules are already enabled in Block mode by default: Block Office applications from creating executable content 3b576869-a4ec-4529-8536-b80a7769e899 Block execution of potentially obfuscated scripts 5beb7efe-fd9a-4556-801d-275e5ffc04cc Block Office applications from injecting code into other processes 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 Block Win32 API calls from Office macros 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b Block credential stealing from the Windows local security authority subsystem (lsass.exe) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block executable content from email client and webmail be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 Block JavaScript or VBScript from launching downloaded executable content d3e037e1-3eb8-44c8-a917-57927947596d Block all Office applications from creating child processes d4f940ab-401b-4efc-aadc-ad5f3c50688a I haven't applied any group policies yet to it. The server is domain joined. Could it happen that it pulls the configuration from another place? Thanks
Solved
djolenole
Brass Contributor
Oct 08, 2025
102Views
0likes
2Comments
Can't update Defender app on macOS
Hello, We started getting this situation where Defender for macOS can't be updated: Microsoft Defender 101.25072 Current Version: 101.25062 Installed: 2025-08-05 Update error: The update could not be installed at this time. Please try again later. Microsoft AutoUpdate is up to date. Operating System Version: 15.6.1 Device managed by Mosyle MDM. All of our active users have been updated to 15.6.1 (and this problem was observed on OS versions from 15.1 to 15.6.1) What could be causing this? And what can we do about it?
Solved
djolenole
Brass Contributor
Sep 10, 2025
2.9KViews
5likes
7Comments
KQL query
I wanted to best KQL query to check registry modifications, run key value , startup items in defender
Solved
Yogeesh143
Copper Contributor
Sep 09, 2025
127Views
0likes
3Comments
Endpoint settings missing in Microsoft Defender for Endpoint
Hi, I am currently using the Microsoft 365 Developer program and is trying to setup an Intune and Microsoft defender for endpoint tenant however when i am trying to integrate Defender with Intune, the endpoint setting is not showing in the settings despite that i have the Security administrator role. Is this expected when using the developer program or am i missing something? Would appreciate your kind advise.
Solved
777LDV777
Copper Contributor
Sep 08, 2025
124Views
0likes
1Comment
MS Defender - Installation Error version 101.25072 on macOS
Dear experts, The latest version of MS Defender can't be installed. I'm getting an error message since release date (5th Aug). I have tested to restart the computer, tested with different networks, same issue 🙁
Solved
Yassin Koleilat
Brass Contributor
Aug 29, 2025
6KViews
6likes
22Comments
What does "deprecated" mean in the Defender Antivirus for Linux settings?
When you create a Microsoft Defender Antivirus policy for Linux in the Endpoint Security Policies blade of the Defender admin center, there are two settings in the Antivirus Engine section that have "(deprecated)" after them: "Enable real-time protection (deprecated)" and "Enable passive mode (deprecated)": What exactly does "deprecated" mean in this context? I can't imagine that the features themselves are deprecated; are we supposed to be configuring them elsewhere?
Solved
RyanSteele-CoV
Iron Contributor
Aug 20, 2025
159Views
0likes
2Comments
Get-MpPerformanceReport empty processpath
Hi, anyone knows why we sometimes get empty processpath when using Get-MpPerformanceReport to get top processes? Some say it could be Defender for Endpoint, but I would like to be sure what it is. Any ideas on how to get more info? Thank you in advance and don't hesitate if you have any questions
Solved
lalanc01
Iron Contributor
Aug 13, 2025
125Views
0likes
1Comment
Defender detection caused by monitoring script
Dear Community We use PRGT, which monitors various things for our customers. One of our customers uses Microsoft Defender, which issued an alert for “SmokeLoader.” After some research, we found that this is caused by two of our scripts, which establish a connection to our servers and query various things. This raised the question of how we can best whitelist this, since the detection comes from “WinRM” and not directly from the script itself. However, the script itself establishes a connection to the servers and requests some information. Are there any sensible measures that can be taken here, because only whitelisting the script (folder or hash) makes limited sense here, since the detection in this case was for the WinRM process. So the behavior analysis would kick in again. Thank you for your time! Best regards, SleeperHead
Solved
SleeperHead
Copper Contributor
Aug 07, 2025
107Views
0likes
1Comment
When is a device considered deleted or inactive in the DeviceInfo table?
Hi, I’m trying to better understand how device lifecycle is handled within Microsoft Defender for Endpoint, specifically in the context of Advanced Hunting via the DeviceInfo table. When can we consider a device as deleted or removed from the DeviceInfo table? How long do offboarded or inactive devices remain in the DeviceInfo table before they are automatically purged? Are there specific values (e.g., onboardingStatus, lastSeen, isActive, etc.) or time-based thresholds that should be used to determine if a device is no longer active? Any guidance or documentation references would be greatly appreciated!
Solved
vinaygowlla
Copper Contributor
Aug 07, 2025
126Views
0likes
1Comment

Resources

Tags

defender14 Topics
MDATP13 Topics
Defender for Endpoint13 Topics
ATP10 Topics
defender atp10 Topics
security7 Topics
Defender Advanced Threat Protection6 Topics
microsoft defender for endpoint6 Topics
Microsoft Defender ATP5 Topics
MDE5 Topics