Forum Discussion
Updating to Windows 10 Multi user 21H2 - MSSENSE.EXE constantly using 25% cpu on new session hosts
We have updated golden image VM to Windows 10 Multi User version 21H2 with latest KB updates and latest FsLogix version.
When creating new machines the mssense.exe process (some new EDR sensor process with defender?) is using 25% cpu. We have Defender exclusions for VDI and FsLogix in the environment and also best practice VDI defender GPO applied.
Disabling Windows Defender does not help as well. Still mssense.exe is using 25% cpu.
What is this process and what can we do to disable or remedy this cpu usage on it? Or figure out WHAT it is spending time doing?
Best Regards
AT
- RinoPROITS (Copper Contributor)
ATWVD I am seeing similar issues on our hosts. Currently have a ticket open with MS but so far no luck. Were you able to fix the issue?
- ATWVD (Copper Contributor)
RinoPROITS
We have an ongoing Azure Support case on this. Latest reply: "I'm still reviewing the situation with the Defender. I'm not completely sure but I'm suspecting that the Defender Database may have something to do since the Procmon is populated with checking's on this path:
However they all show up as a SUCCESS so it seems that is not an error:
It is something that I have to consult since I've found some similar issues on third party sites googling this path although nothing from Microsoft end from the time being:
https://forum.restic.net/t/windows-defender-causes-10x-slowdown/925
I've found some sites saying that you could delete these entries but I'm not confident on doing that since compromising how defender works. I will take a look into it and confirming once I have some deeper insights on this."
- ATWVD (Copper Contributor)
RinoPROITS have you had any progress with MS support or an epiphany on this case?
- RinoPROITS (Copper Contributor)
ATWVD Yes, I actually have. The issue ended up being related to the customer enabling an Azure Policy that installed Defender for servers on the master image (The ASC Policy got activated from the root management group). This caused corruption on Defender for Endpoint on the session host: because we auto register the session hosts using a GPO, the senseGuid was no longer unique.
A simple test to see if you run into the same issue is to perform offboarding for Defender using the offboarding script on one of the session hosts, reboot and then onboard the session host again.
If the CPU usage does not go back to 25% usage constantly, it is fixed. I recommend monitoring it for 24 hrs.
The final step would be to perform offboarding on the master image and make sure a policy is not installing Defender onto the master image again.
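
A check for the duplicate-senseGuid condition described in the answer above, as an added example that is not part of the original thread or any Microsoft script. It assumes the sensor keeps its identity in the `senseGuid` value under `HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection` and its onboarding flag in `Status\OnboardingState`, and that PowerShell remoting is enabled on the session hosts; the function names and sample host names are hypothetical.

```powershell
# Assumption: registry location where the Defender for Endpoint sensor stores senseGuid.
$SenseKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'

function Get-SenseIdentity {
    # Reads senseGuid and OnboardingState from each host over PowerShell remoting.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $SenseKey -ScriptBlock {
        param($Key)
        $id     = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        $status = Get-ItemProperty -Path (Join-Path $Key 'Status') -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Host            = $env:COMPUTERNAME
            SenseGuid       = $id.senseGuid
            OnboardingState = $status.OnboardingState
        }
    }
}

function Find-DuplicateSenseGuid {
    # Groups collected identities and returns every senseGuid used by more than one host.
    param([Parameter(Mandatory)][object[]]$Identity)
    $Identity |
        Where-Object { $_.SenseGuid } |
        Group-Object -Property SenseGuid |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SenseGuid = $_.Name
                HostCount = $_.Count
                Hosts     = ($_.Group.Host | Sort-Object) -join ', '
            }
        }
}

# Constructed sample data (not real hosts or GUIDs) so the grouping logic runs offline:
# two hosts cloned from an image that was already onboarded, one re-onboarded host.
$sample = @(
    [pscustomobject]@{ Host = 'avd-sh-0'; SenseGuid = '11111111-aaaa-4aaa-8aaa-000000000001'; OnboardingState = 1 }
    [pscustomobject]@{ Host = 'avd-sh-1'; SenseGuid = '11111111-aaaa-4aaa-8aaa-000000000001'; OnboardingState = 1 }
    [pscustomobject]@{ Host = 'avd-sh-2'; SenseGuid = '22222222-bbbb-4bbb-8bbb-000000000002'; OnboardingState = 1 }
)
Find-DuplicateSenseGuid -Identity $sample | Format-Table -AutoSize

# Against live session hosts:
# Find-DuplicateSenseGuid -Identity (Get-SenseIdentity -ComputerName 'host1','host2')
```

Running `Get-SenseIdentity` against the master image itself is also useful: a populated `SenseGuid` there means every host built from it starts with that same identity.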