Forum Discussion
High CPU Usage by Microsoft Defender Antivirus on Windows Server 2019 Azure VMs
Hello,
I’m running into a recurring issue on Windows Server 2019 Datacenter VMs running in Azure where MsMpEng.exe (Antimalware Service Executable) consistently spikes CPU usage every day.
Here’s what I’ve observed so far:
- Microsoft Defender pulls threat intelligence from the cloud continuously in real-time, in addition to multiple scheduled updates per day. Despite this continuous checking, I’ve noticed a consistent CPU spike only between 4:40 PM and 4:55 PM daily. During this time, Defender consumes 100% CPU.
- I’ve checked Task Scheduler and Defender scan settings — there are no scans or tasks scheduled during this period.
- Limiting CPU usage using Set-MpPreference -ScanAvgCPULoadFactor 30 has had no effect on these background maintenance routines.
- Automatic provisioning via Defender for Cloud is enabled on these Azure VMs, so the MDE agent installs and updates automatically.
Logs from Microsoft-Windows-Windows Defender/Operational during the high CPU window:
10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence...
10/2/2025 4:41:57 PM 2010 Microsoft Defender Antivirus used cloud protection to get additional security intelligence...
10/2/2025 4:49:41 PM 1150 Endpoint Protection client is up and running in a healthy state...
These logs confirm that Defender’s cloud intelligence updates and endpoint checks run exactly during the CPU spike window. Even though Defender continuously checks for cloud protection updates throughout the day, the CPU spike occurs only during this particular window.
The pattern is consistent across multiple Azure VMs, suggesting this is part of Defender’s automated behavior.
Questions for the community:
- Is this behavior expected for Azure VMs, or could it indicate a bug in Defender on Windows Server 2019?
- Is there a supported way to throttle, defer, or better manage CPU usage during these maintenance and cloud intelligence routines?
- Are there recommended best practices for always-on production environments in Azure to avoid performance degradation caused by Defender?
Any guidance or advice would be really appreciated.
Thanks,
Nikunj
1 Reply
- TSaL (Copper Contributor)
Have you conducted a performance analysis on the affected server during or around that time? https://learn.microsoft.com/en-us/defender-endpoint/tune-performance-defender-antivirus
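
One way to run the performance analysis suggested in the reply, timed to the 4:40 PM to 4:55 PM window described in the post. This is an added example, not part of the thread: the output folder and the five-minute margins around the window are assumptions, and it assumes an elevated PowerShell session on the affected server with a Defender platform version that includes the performance analyzer cmdlets.

```powershell
# Added example, not from the thread. Run elevated on the affected server.
# Assumptions: $OutDir is a hypothetical folder; the window is the post's
# 4:40-4:55 PM spike with a five-minute margin on each side.
$OutDir      = 'C:\Temp\DefenderPerf'
$WindowStart = (Get-Date).Date.AddHours(16).AddMinutes(35)   # 4:35 PM today
$WindowEnd   = (Get-Date).Date.AddHours(17)                  # 5:00 PM today
$Etl         = Join-Path $OutDir ('spike-{0:yyyyMMdd}.etl' -f $WindowStart)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Sleep until just before the window opens (no-op if it has already opened).
$wait = ($WindowStart - (Get-Date)).TotalSeconds
if ($wait -gt 0) { Start-Sleep -Seconds ([int]$wait) }

# Record Defender scan activity for the remainder of the window.
$seconds = [int]($WindowEnd - (Get-Date)).TotalSeconds
if ($seconds -le 0) { throw 'The window has already passed today; start the script earlier.' }
New-MpPerformanceRecording -RecordTo $Etl -Seconds $seconds

# Summarise which processes, files, extensions and individual scans
# accounted for the most scan time while the CPU was pegged.
Get-MpPerformanceReport -Path $Etl `
    -TopProcesses 10 -TopFiles 10 -TopExtensions 10 -TopScans 10

# Line the recording up with the Defender operational log for the same
# window (the post saw event IDs 2010 and 1150 there).
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    StartTime = $WindowStart
    EndTime   = $WindowEnd
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If the report shows one process or path dominating scan time in that window, that is the candidate to investigate; if it shows little scan activity, the CPU is going somewhere other than file scanning and the recording rules that out.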