Forum Discussion

ATWVD's avatar
ATWVD
Copper Contributor
Mar 22, 2022

Updating to Windows 10 Multi user 21H2 - MSSENSE.EXE constantly using 25% cpu on new session hosts

We have updated golden image VM to Windows 10 Multi User version 21H2 with latest KB updates and latest FsLogix version.

 

When creating new machines the mssense.exe process (some new EDR sensor process with defender?) is using 25% cpu. We have Defender exclusions for VDI and FsLogix in the environment and also best practice VDI defender GPO applied.

 

Disabling windows defender does not help aswell. Still mssense.exe is using 25% cpu.

 

What is this process and what can we do to disable or remedy this cpu usage on it? Or figure out WHAT is is spending time doing?

 

Best Regards 

AT

  • ATWVD Yes, I actually have. The issue ended up being related to the customer enabling an Azure Policy that installed Defender for servers on the master image (The ASC Policy got activated from the root management group). This caused for corruption on Defender for endpoint on the session host because we auto register the session hosts using a GPO the senseGuid was no longer unique.

    A simple test to see if you run into the same issue is to perform off boarding for Defender using the offboarding script on one of the session host, reboot and then onboard the session host again.

    If the CPU usage does not go back to 25% usage constantly, it is fixed. I recommend monitoring it for 24hrs.

    The final step would be to perform offboarding on the master image and make sure a policy is not installing defender onto the master image again.
  • RinoPROITS's avatar
    RinoPROITS
    Copper Contributor

    ATWVD I am seeing similar issues on our hosts. Currently have a ticket open with MS but so far no luck. Were you able to fix the issue?

    • ATWVD's avatar
      ATWVD
      Copper Contributor

      RinoPROITS 

      We have an ongoing Azure Support case on this. Latest reply:

      "I´m still reviewing the situation with the Defender. I´m not completely sure but I´m suspecting that the Defender Database may have something to do since the Procmon is populated with checking’s on this path:

       

       

       

      However they all show up as a SUCCESS so it seems that is not an error:

       

       

       

      It is something that I have to consult since I´ve found some similar issues on third party sites googling this path although nothing from Microsoft end from the time being:

       

      https://forum.restic.net/t/windows-defender-causes-10x-slowdown/925

       

      I´ve found some sites saying that you could delete this entries but I´m not confident on doing that since compromising how defender works. I will take a look into it and confirming once I have some deeper insights on this."

    • ATWVD's avatar
      ATWVD
      Copper Contributor

      RinoPROITS have you had any progress with MS support or a epiphany on this case?

      • RinoPROITS's avatar
        RinoPROITS
        Copper Contributor
        ATWVD Yes, I actually have. The issue ended up being related to the customer enabling an Azure Policy that installed Defender for servers on the master image (The ASC Policy got activated from the root management group). This caused for corruption on Defender for endpoint on the session host because we auto register the session hosts using a GPO the senseGuid was no longer unique.

        A simple test to see if you run into the same issue is to perform off boarding for Defender using the offboarding script on one of the session host, reboot and then onboard the session host again.

        If the CPU usage does not go back to 25% usage constantly, it is fixed. I recommend monitoring it for 24hrs.

        The final step would be to perform offboarding on the master image and make sure a policy is not installing defender onto the master image again.

Resources