Forum Discussion
Very High Increase in CPU activity after Update Microsoft Defender for Identity sensor
All our servers that are running this sensor (DCs, Certificate servers, AD Connect servers) showed a massive increase in average CPU utilization from virtually straight after the sensor was automatically updated to version 2.254.19112.470 (late night UK time).
Two of our DCs are sitting on 100% CPU today and we can't find anything to resolve it.
Has anyone else seen this since running this version and if so what actions did you take ?
How would we go back to rolling back to the previous version when it appears it will just be automatically updated soon after ?
This is our monitoring of CPU utilization from one of the majorly affected DCs but every server with the sensor had the exact same graph showing a major increase in CPU at the same date and time i.e. just after the sensor was updated.
Hi,
Ack on that.
We spotted the issue. in some sensors a thread might hog between 0 to 100% of a single core.
We are working on a fix.
Note that the sensor has a job limiter which should make sure to leave at least 15% of CPU free at all times,
It will limit CPU usage down to 10% of total machine if needed (with the price of dropping traffic) , so if you are really hitting 100% CPU please check if there is something else that is also consuming the CPU which was not expected.
7 Replies
- EliOfek
Microsoft
A fix was deployed from the cloud. The effected sensors should restart with a new configuration that will eliminate the runaway thread issue and you should see the CPU going back to normal
Same issue here on multiple servers (Server 2016 and 2019). It started the moment the sensors updated.
Our MS support call was answered pretty quickly. I have had to provide some diagnostic logs for them but they did mention other customers had reported something similar.
From my experience when you get an immediate change in behaviour to all servers an app was updated on it usually points to some change in the build ... planned or unplanned.
I am seeing this on 3 domain controllers all server 2019. Glad I am not alone.
We are seeing this issue too, across multiple customers and multiple Server OS's all with the same agent version of 2.254.19112.470
The automatic update to version 2.254.19112.470 took place around 11.45pm UK time on January 12th 2026.
Sorry - that install date was in the title but I had to delete it - then I couldn't edit the post to add it back in.
- EliOfek
Hi,
Ack on that.
We spotted the issue. in some sensors a thread might hog between 0 to 100% of a single core.
We are working on a fix.
Note that the sensor has a job limiter which should make sure to leave at least 15% of CPU free at all times,
It will limit CPU usage down to 10% of total machine if needed (with the price of dropping traffic) , so if you are really hitting 100% CPU please check if there is something else that is also consuming the CPU which was not expected.
