nsojitra
Copper Contributor
Oct 14, 2025

High CPU Usage by Microsoft Defender Antivirus on Windows Server 2019 Azure VMs

Hello,

I’m running into a recurring issue on Windows Server 2019 Datacenter VMs running in Azure where MsMpEng.exe (Antimalware Service Executable) consistently spikes CPU usage every day.

Here’s what I’ve observed so far:

Microsoft Defender pulls threat intelligence from the cloud continuously in real-time, in addition to multiple scheduled updates per day. Despite this continuous checking, I’ve noticed a consistent CPU spike only between 4:40 PM and 4:55 PM daily. During this time, Defender consumes 100% CPU.

I’ve checked Task Scheduler and Defender scan settings — there are no scans or tasks scheduled during this period.

Limiting CPU usage using Set-MpPreference -ScanAvgCPULoadFactor 30 has had no effect on these background maintenance routines.

Automatic provisioning via Defender for Cloud is enabled on these Azure VMs, so the MDE agent installs and updates automatically.

Logs from Microsoft-Windows-Windows Defender/Operational during the high CPU window:

10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence...
10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence...
10/2/2025 4:49:41 PM 1150 Endpoint Protection client is up and running in a healthy state...

These logs confirm that Defender’s cloud intelligence updates and endpoint checks run exactly during the CPU spike window. Even though Defender continuously checks for cloud protection updates throughout the day, the CPU spike occurs only during this particular window.

The pattern is consistent across multiple Azure VMs, suggesting this is part of Defender’s automated behavior.

Questions for the community:

Is this behavior expected for Azure VMs, or could it indicate a bug in Defender on Windows Server 2019?

Is there a supported way to throttle, defer, or better manage CPU usage during these maintenance and cloud intelligence routines?

Are there recommended best practices for always-on production environments in Azure to avoid performance degradation caused by Defender?

Any guidance or advice would be really appreciated.

Thanks,
Nikunj

2 Replies

  • Ankit365
    Iron Contributor

    You are describing behavior that has been observed by many Azure customers using Defender on Windows Server 2019 VMs, and as of October 2025, it is considered expected but somewhat inefficient behavior tied to Defender’s cloud protection synchronization routine. This routine is part of Defender’s “health and intelligence validation” process that runs once daily, regardless of real-time protection being active, and it often results in short but high CPU usage periods.

    Here’s what is actually happening. When Defender for Endpoint is provisioned automatically through Defender for Cloud, each VM is linked to a regional cloud backend that performs periodic integrity checks. During that check, Defender revalidates its protection configuration, policy sync, and telemetry connection to the Microsoft Security Intelligence cloud. The logs you shared (event 2010, cloud protection update, followed by event 1150, healthy state confirmation) confirm that this process is running. The spike between 4:40 PM and 4:55 PM is likely your tenant’s assigned cloud sync window. It is not a scheduled scan but a resource-intensive metadata verification task that Defender cannot currently offload or throttle using the ScanAvgCPULoadFactor setting, because that setting applies only to manual and scheduled scans, not to cloud or background maintenance tasks.

    The good news is that the behavior is not a bug, though Microsoft has acknowledged it as an area for optimization. The same pattern is documented internally and discussed in Azure forums, especially for Windows Server 2019 and 2022 VMs managed through Defender for Cloud. The spike typically lasts 10–15 minutes and should not persist beyond that window.

    To reduce the impact, there are a few supported mitigations. You can:
    • Exclude critical workload directories from real-time protection if they are heavily accessed during that window (using Set-MpPreference -ExclusionPath).
    • Adjust your VM sizes so that Defender’s spike does not fully consume all cores — larger or burstable SKU types handle this more smoothly.
    • Use a custom update schedule for security intelligence updates through Set-MpPreference -SignatureUpdateInterval to shift the window away from peak business hours.
    • For mission-critical workloads, you can temporarily offload Defender’s analysis by using Microsoft Defender for Servers Plan 2 with endpoint protection set to passive mode and rely on EDR and Defender for Cloud scanning.

    In short, this CPU spike is part of Defender’s built-in daily cloud verification routine rather than a malfunction. It cannot be fully disabled or throttled, but adjusting your exclusion lists, scheduling update windows, or using passive mode in Defender for Servers can help smooth out performance in production environments.

    Please hit like if you like the solution.
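The checks and mitigations from this reply, as an added PowerShell example that is not part of the thread. It assumes local administrator rights on the VM and uses the Defender module cmdlets; the 4:35 PM to 5:00 PM window is taken from the post, and the exclusion path is a placeholder for the workload's hot directory.

```powershell
# Added example: correlate Defender events with the daily CPU spike and apply the
# supported mitigations named in the reply. Window and exclusion path are placeholders.
$start = (Get-Date).Date.AddHours(16).AddMinutes(35)   # 4:35 PM, just before the observed spike
$end   = (Get-Date).Date.AddHours(17)                  # 5:00 PM

# 1. Confirm no scheduled scan lands in the window. ScanAvgCPULoadFactor only
#    governs these scans, which is why it had no effect on the spike.
$pref = Get-MpPreference
[pscustomobject]@{
    ScanScheduleDay           = $pref.ScanScheduleDay
    ScanScheduleTime          = $pref.ScanScheduleTime
    ScanScheduleQuickScanTime = $pref.ScanScheduleQuickScanTime
    SignatureScheduleTime     = $pref.SignatureScheduleTime
    SignatureUpdateInterval   = $pref.SignatureUpdateInterval
    ScanAvgCPULoadFactor      = $pref.ScanAvgCPULoadFactor
} | Format-List

# 2. Pull the Defender operational events (IDs 2010 and 1150 from the post) from the window.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2010, 1150
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize

# 3. Sample MsMpEng CPU for one minute (run this inside the window) to quantify the spike.
(Get-Counter '\Process(MsMpEng)\% Processor Time' -SampleInterval 5 -MaxSamples 12).CounterSamples |
    Select-Object Timestamp, CookedValue

# 4. Mitigations from the reply. Exclusions reduce real-time coverage, so keep them
#    narrow, document the reason, and review them periodically.
Set-MpPreference -ScanAvgCPULoadFactor 30          # applies to scheduled/manual scans only
Set-MpPreference -SignatureUpdateInterval 8        # hours between definition update checks
Set-MpPreference -SignatureScheduleTime 02:00:00   # daily definition update moved off-peak
Add-MpPreference -ExclusionPath 'D:\AppData\HotPath'   # PLACEHOLDER: workload directory busy during the window

# 5. Check the engine's running mode; 'Passive Mode' is the Defender for Servers / EDR scenario
#    mentioned in the reply, 'Normal' means real-time protection is fully active.
(Get-MpComputerStatus).AMRunningMode
```

Run steps 1 to 3 first and keep the output; changing exclusions or update schedules without that baseline makes it impossible to tell whether the spike moved or merely got masked.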

  • TSaL
    Copper Contributor

    Have you conducted a performance analysis on the affected server during or around that time? https://learn.microsoft.com/en-us/defender-endpoint/tune-performance-defender-antivirus
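One way to do the performance analysis TSaL points to, as an added example rather than code from the reply or the linked page. It assumes the Defender performance analyzer cmdlets are available on the server (they ship with the Defender PowerShell module on current platform updates), an elevated session, and a placeholder output path.

```powershell
# Added example: record a Defender performance trace across the daily spike window and
# report what the engine was actually scanning. Path and window times are placeholders.
$trace = 'C:\Temp\defender-spike.etl'   # PLACEHOLDER: where the ETL recording is written
New-Item -ItemType Directory -Path (Split-Path $trace) -Force | Out-Null

# Start just before the observed window (4:38 PM) and record for 20 minutes (1200 s),
# so the trace covers the whole 4:40 PM to 4:55 PM spike plus a margin on each side.
$windowStart = (Get-Date).Date.AddHours(16).AddMinutes(38)
$wait = ($windowStart - (Get-Date)).TotalSeconds
if ($wait -gt 0) { Start-Sleep -Seconds ([int]$wait) }
New-MpPerformanceRecording -RecordTo $trace -Seconds 1200

# Which processes, files and extensions consumed the most scan time, and the slowest
# individual scans. Little file-scan time inside a high-CPU window points at background
# engine work (the cloud sync discussed above) rather than real-time file scanning.
Get-MpPerformanceReport -Path $trace -TopProcesses 10 -TopFiles 10 -TopExtensions 10 -TopScans 20

# Narrow the scan list to the spike window itself to separate it from pre/post activity.
Get-MpPerformanceReport -Path $trace -TopScans 20 `
    -MinStartTime $windowStart -MaxEndTime $windowStart.AddMinutes(20)
```

If the report does show heavy file scanning from a specific process or directory, that is the evidence to justify a narrowly scoped exclusion; if it does not, exclusions will not help and the remaining levers are the update schedule and VM sizing.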
