Recent Discussions
High CPU Usage by Microsoft Defender Antivirus on Windows Server 2019 Azure VMs
Hello, I’m running into a recurring issue on Windows Server 2019 Datacenter VMs running in Azure where MsMpEng.exe (Antimalware Service Executable) consistently spikes CPU usage every day. Here’s what I’ve observed so far: Microsoft Defender pulls threat intelligence from the cloud continuously in real-time, in addition to multiple scheduled updates per day. Despite this continuous checking, I’ve noticed a consistent CPU spike only between 4:40 PM and 4:55 PM daily. During this time, Defender consumes 100% CPU. I’ve checked Task Scheduler and Defender scan settings — there are no scans or tasks scheduled during this period. Limiting CPU usage using Set-MpPreference -ScanAvgCPULoadFactor 30 has had no effect on these background maintenance routines. Automatic provisioning via Defender for Cloud is enabled on these Azure VMs, so the MDE agent installs and updates automatically. Logs from Microsoft-Windows-Windows Defender/Operational during the high CPU window: 10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence... 10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence... 10/2/2025 4:49:41 PM 1150 Endpoint Protection client is up and running in a healthy state... These logs confirm that Defender’s cloud intelligence updates and endpoint checks run exactly during the CPU spike window. Even though Defender continuously checks for cloud protection updates throughout the day, the CPU spike occurs only during this particular window. The pattern is consistent across multiple Azure VMs, suggesting this is part of Defender’s automated behavior. Questions for the community: Is this behavior expected for Azure VMs, or could it indicate a bug in Defender on Windows Server 2019? Is there a supported way to throttle, defer, or better manage CPU usage during these maintenance and cloud intelligence routines? Are there recommended best practices for always-on production environments in Azure to avoid performance degradation caused by Defender? Any guidance or advice would be really appreciated. Thanks, Nikunj
Ransomeware query
If any ransomware detection i need following query for advance hunting in defender Look for rapid file modification or creation or deletion 2. Rapid file encryption one 3. look for a ransom note 4. look for encryption algorithms 5. look for double extension 6. Also query for birth time of the fileRegistry modifications
If a file was downloaded, executed, and created a registry entry for persistence, is it enough to just delete the file from its original location? Or does the registry entry also need to be removed? What happens if it is not removed? If a malicious file created an entry under HKLM Run, HKCU Run, or RunOnce, and the file is later deleted but the registry entry is left behind, will the system still try to execute it at startup?
MDE-Onboarding issue
Hello Community, while i am trying to onboard a windows 10 machine into MDE where there is already another AV running which is Kaspersky, i am facing that issue that Microsoft AV is not able to revert its status from disabled into running state (passive mode). even if i am trying to start the service manually, it will revert itself back to the disable status. Did anyone experience that issue before between Defender AV and Kaspersky?
Bad quality of Defender / Intunesdocubannoying
Whenever i need learning.microsoft.com, i found their describing A) very often menulinks, which does not exist (guess its rearranged) B) very often mistakes happen: in this article https://learn.microsoft.com/en-us/defender-endpoint/android-configure-mam several parameters are described with an integer value and the same parameter a Seconds time at the same place as boolean. And so many mistakes morebi found. Well: some companies wanna earn money maybe doing training with their customers, which is necessary onlY, as the docu is unreadable or written so boring that you fall a sleep and understand nothing. Please do more qualityCannot delete a tag added through an Asset rule
Hello, We had created in the past an asset rule to assign a tag to a few machines. Now we are trying to remove the tag but we can't find the right way. We have delete the Asset rule. (it was turned off more than 2 months ago) When I go to the machine details and click on 'Manage tags', I can see a section called 'Manual tags' (there I can add remove tags from the console) and a section called 'Rule-based tags' with the description 'Rule-based tags are automatically added to devices based on rules that you create. You can add, edit or delete a rule in Manage rules.' Going through powershell and the API, it doesn't work either. Even getting the details from a machine only shows the manual tags. How do we remove then such a tag ? Thanks in advance for your help. Marc
how to disable Defender on Windows Server with tamper protection enabled
As a third-party security vendor, when our users enabled tampering protection on Windows Server 2022, we were unable to disable Defender through group policy as before, which resulted in conflicts between third-party anti malware and Defender. Of course, Defender for Endpoint is not onboarded in the system because users do not want to pay for two sets of antivirus software. So in this situation, can only users manually turn off tampering protection? But this is clearly unfriendly for large-scale systems. In addition, installing third-party antivirus software on Windows Server systems that have onboarded Defender for Endpoint seems to have no way to put Defender into passive mode if tampering protection is enabled. We urgently hope that someone can provide some suggestions on this issue!
Azure site recovery cache storage identified with mallware
Hello, I have enable Azure Site recovery on multiple servers. I am using a premium storage account for the cache data required for the replication. Defender is keep being trigger telling that he is detection different Malwares by temporary files that are generated on the cache storage account generated by the replication. The servers, that get replicated, do not detect any mallware on them. What is the reason and what is the solution? Is this a normal behaviour? Thank you
Defender on Windows server only detects - not prevents
Hello, we noticed that on the Windows server Defender only detects things but doesn't block anything. Shouldn't it at least block something? Should we apply ASR rules to the server(all rules or some of them)? It is WindowsServer2019, onboarded using local script(no MDM and Group policies). Defender is primary(and only one) antivirus installed on the server. Example here:
Differentiate actual DfC/DfE license usage on Windows systems
Trying to understand on how the Windows endpoint(server/laptops) licenses are being used in my environment and for that, trying to figure out how to check the number of on-prem/azure cloud systems deployed with Microsoft Defender for Endpoint or Defender for server P2 license? Like where and how can i see which are the assets that are getting configured DfS license and which systems have been configured with MS DfE?Alert Rule Fails on Dynamic Field Parsing in DeviceTvmInfoGathering
Hi, Need Help: Alert Rule Fails but Hunting Query Works (Dynamic Fields Issue) Alert Rule Query Fails When Using parse_json on AdditionalFields — Any Workarounds? Need to get alert when avmode is disabled. KQL: DeviceTvmInfoGathering | where isnotempty(AdditionalFields) | where Timestamp > ago(1h) | extend AF = parse_json(AdditionalFields) | where AF has "AvMode" | extend AvMode = tostring(AF.AvMode) | where AvMode == "2" | extend ReportId = tolong(abs(hash(DeviceId))) | project Timestamp, ReportId, DeviceId, DeviceName, OSPlatform, AvModeHow to fetch dynamic tags in Defender for Endpoint (Machines API or KQL)?
Hi, I'm trying to retrieve all unique tags (both manual and dynamic) in Microsoft Defender for Endpoint and then identify the currently active devices associated with each tag. I have tried below Machines API (/api/machines): This only returns manual tags (machine.tags) and does not include dynamic tags. Advanced Hunting – DeviceInfo table: This seems to contain both manual and dynamic tags, but: There are duplicate entries for the same device. It's not clear how to filter for active devices only or how to get a clean mapping of tag → devices. I need guidance on how to Retrieve all unique tags (manual + dynamic)? Map these tags to the list of currently active devices (without duplicates)? Is there any API or KQL query that can provide this cleanly? Any advice, best practices, or sample queries would be greatly appreciated!
Issue with Missing Endpoint menu in Settings
I know this is a frequent topic, but nothing seems to be working for me. I am a security admin and licensed for Microsoft 365 Business Standard and I have a Defender for Endpoint P2 license assigned to my user ID. The license has been assigned for over 24 hours, I've clicked on menu choices waiting for provisioning, but the Endpoint menu and settings link do not appear. Any other ideas? Thanks for your assistance.Defender API - Get software by ID with a " ' " inside the defender_id
In the list of software I retrieved with the API ("/api/Software") some of the software have an Id with a "'" (apostrophe) in the name i.e. : microsoft-_-portail_d'entreprise when calling, for exemple, Get Software by Id ("/api/Software/{Id}"), so in this case it would be /api/Software/microsoft-_-portail_d'entreprise or if I replace the ' by %27, so /api/Software/microsoft-_-portail_d%27entreprise I always get a status code 400 (malformed). How can make it to work ? Thx
MDE not detecting regsecrets.py from impacket-toolkit
In a recent red-team engagement we got exposed to the regsecrets.py toolkit which made it possible to extract SAM hive without any detection from the MDE. I have tried to use advanced hunting to see if there are any event that would make up for a good custom detection rule but no success yet, please share if you have any queries that works for you. Some information regarding this script: This script is a modification of secretsdump.py that uses a different technique to extract registry secrets (the logic regarding DCSync operations has been removed). It does not write files on the disk and does not perform reg save like operations. This allow recovering the SAM database and the LSA secrets while being less prone to detection by security product. All required keys are accessed using registry queries. To access keys within the SAM and SECURITY hives, the dwOption of https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/8cb48f55-19e1-4ea2-8d76-dd0f6934f0d9 allows passing the REG_OPTION_BACKUP_RESTORE value to disable any ACL checks performed, thus, allowing to access these registry keys normally restricted to the SYSTEM user. Thanks in advance for sharing some experience of detecting this.Using Group policy to auto install Security Intelligence Update for Microsoft Defender Antivirus
Hi Guys, I am trying to get a GPO to automatically install the update without user intervention. I have done the following settings but the update won't install. We currently use Fortinet FortiClient but I still want to keep Defender up to date. Any ideas on where i am going wrong? J.Core Isolation False Positives
Why is there currently no way to white list or even submit Memory Integrity Core Isolation false positives to Microsoft? I have a services that is constantly detected (even though now it has been digitally signed by the vendor). When it is detected it stops the product from working correctly. There is no way to white list this service and the only way to currently work around it is to turn off Core Isolation. But our security teams are wanting to turn Core Isolation back on for users. How do we get this service looked at? I have tried submitting the file to Microsoft who say it isn't malicious but it's still getting detected. I don't have access to the MDE console so can't submit anything directly from there either.[MS Defender for Endpoint] Wanted guidance on Alerts API
Question: Which API is recommended for reliably sharing domain information, especially for integration with external tools? https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info How can I generate or simulate alerts so that the https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info API returns actual domain-related data? What are the best practices for selecting the appropriate API for this use case, considering I cannot use both in my integration? Things I have explored so far, Currently using https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id API. Provides domain-related data in the evidence section. Example response includes entities with entityType as Url containing domain names and URLs both. Alert Response { "id": "da0c5a38e4-3ef4-4c75-a0ad-9af83e866cf1_1", "detectionSource": "WindowsDefenderAtp", "category": "CredentialAccess", "evidence": [ { "entityType": "Url", "url": "pub-8eab0c35f1eb4dacafaaa2b16d81a149.r2.dev" DOMAIN TYPE // ... Other fields }, { "entityType": "Url", "url": "https://example.com" URL TYPE // ... Other fields } ] // ... Other fields } Noticed another API: https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info. Purpose-built for retrieving domains related to alerts. Returns empty data object with no domains or hosts, even when generating alerts by accessing blocked domains. Custom IOC type domain has been added to endpoint indicators list and then accessed the same domain from windows machine. Ref: https://learn.microsoft.com/en-us/defender-endpoint/indicator-ip-domain#create-an-indicator-for-ips-urls-or-domains-from-the-settings-page
Recent Blogs
- As of today, October 14, 2025, Microsoft is officially ending support for Windows 10. This means that Windows 10 devices will no longer receive security or feature updates, nor technical support from...Oct 14, 2025
- We’re excited to announce a key milestone in Defender’s multi-tenant management journey—Microsoft Defender for Endpoint security policies can now be distributed across multiple tenants from the Defen...Aug 07, 2025
