Forum Discussion
High CPU Usage by Microsoft Defender Antivirus on Windows Server 2019 Azure VMs
You are describing behavior that has been observed by many Azure customers using Defender on Windows Server 2019 VMs, and as of October 2025, it is considered expected but somewhat inefficient behavior tied to Defender’s cloud protection synchronization routine. This routine is part of Defender’s “health and intelligence validation” process that runs once daily, regardless of real-time protection being active, and it often results in short but high CPU usage periods.
Here’s what is actually happening. When Defender for Endpoint is provisioned automatically through Defender for Cloud, each VM is linked to a regional cloud backend that performs periodic integrity checks. During that check, Defender revalidates its protection configuration, policy sync, and telemetry connection to the Microsoft Security Intelligence cloud. The logs you shared, event 2010 (cloud protection update) followed by event 1150 (healthy state confirmation), confirm that this process is running. The spike between 4:40 PM and 4:55 PM is likely your tenant’s assigned cloud sync window. It is not a scheduled scan but a resource-intensive metadata verification task that Defender cannot currently offload or throttle using the ScanAvgCPULoadFactor setting, because that setting applies only to manual and scheduled scans, not to cloud or background maintenance tasks.
The good news is that the behavior is not a bug, though Microsoft has acknowledged it as an area for optimization. The same pattern is documented internally and discussed in Azure forums, especially for Windows Server 2019 and 2022 VMs managed through Defender for Cloud. The spike typically lasts 10–15 minutes and should not persist beyond that window.
To reduce the impact, there are a few supported mitigations. You can:
• Exclude critical workload directories from real-time protection if they are heavily accessed during that window (using Set-MpPreference -ExclusionPath).
• Adjust your VM sizes so that Defender’s spike does not fully consume all cores — larger or burstable SKU types handle this more smoothly.
• Use a custom update schedule for security intelligence updates through Set-MpPreference -SignatureUpdateInterval to shift the window away from peak business hours.
• For mission-critical workloads, you can temporarily offload Defender’s analysis by using Microsoft Defender for Servers Plan 2 with endpoint protection set to passive mode and rely on EDR and Defender for Cloud scanning.
In short, this CPU spike is part of Defender’s built-in daily cloud verification routine rather than a malfunction. It cannot be fully disabled or throttled, but adjusting your exclusion lists, scheduling update windows, or using passive mode in Defender for Servers can help smooth out performance in production environments.
Please hit like if you like the solution.
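The following PowerShell is an added example, not code from the reply above or from Microsoft. It does two things the reply describes in prose: it pulls the Defender operational events for the window in which CPU spiked and samples the MsMpEng process so the two can be correlated, and it applies and verifies the mitigations the reply lists (path exclusions, shifting the security-intelligence update interval, and checking or forcing passive mode). The time window, the excluded paths, the CPU threshold and the update interval are assumptions for illustration; the ForceDefenderPassiveMode registry value is Microsoft's documented switch for putting Defender Antivirus into passive mode on a server onboarded to Defender for Endpoint, and is only appropriate when another EDR/AV product is the active protection. Run it in an elevated session on the affected VM.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the forum reply). Correlate a Defender CPU spike with the
# Defender operational log, then apply and verify the reply's supported mitigations.
# Times, paths, threshold and interval below are assumed values; adjust to your VM.

function Get-DefenderEventsInWindow {
    # Returns Defender operational events (e.g. 2010 and 1150 as in the reply) in a window.
    param([datetime]$Start, [datetime]$End)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        StartTime = $Start
        EndTime   = $End
    } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

function Watch-MsMpEngCpu {
    # Samples the engine's CPU every $IntervalSeconds and records readings over $Threshold.
    # '% Processor Time' for a process sums all cores, so values above 100 are possible.
    param([int]$Threshold = 50, [int]$IntervalSeconds = 15, [int]$Samples = 60)
    $hits = @()
    for ($i = 0; $i -lt $Samples; $i++) {
        $s = (Get-Counter '\Process(MsMpEng)\% Processor Time' -ErrorAction SilentlyContinue).CounterSamples
        if ($s -and $s.CookedValue -gt $Threshold) {
            $hits += [pscustomobject]@{ Time = Get-Date; CpuPercent = [math]::Round($s.CookedValue) }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
    $hits
}

function Set-DefenderMitigations {
    # Applies the reply's mitigations. Uses Add-MpPreference for exclusions because
    # Set-MpPreference -ExclusionPath REPLACES the whole list rather than appending.
    # Every exclusion is a blind spot for real-time protection: keep the list minimal.
    param(
        [string[]]$ExclusionPaths = @('D:\AppData\Queue', 'D:\AppData\Cache'),  # assumed paths
        [int]$SignatureUpdateIntervalHours = 8                                    # assumed value
    )
    $before = Get-MpPreference | Select-Object ExclusionPath, SignatureUpdateInterval, ScanAvgCPULoadFactor
    Add-MpPreference -ExclusionPath $ExclusionPaths
    # Hours between security-intelligence update checks; 0 disables interval-based checks.
    Set-MpPreference -SignatureUpdateInterval $SignatureUpdateIntervalHours
    # ScanAvgCPULoadFactor only caps manual/scheduled scans, as the reply notes; shown for comparison.
    Set-MpPreference -ScanAvgCPULoadFactor 30
    $after = Get-MpPreference | Select-Object ExclusionPath, SignatureUpdateInterval, ScanAvgCPULoadFactor
    [pscustomobject]@{ Before = $before; After = $after }
}

function Get-DefenderRunningMode {
    # 'Normal' means Defender AV is the active engine; 'Passive Mode' means another product is.
    Get-MpComputerStatus | Select-Object AMRunningMode, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
}

function Enable-DefenderPassiveMode {
    # Documented Microsoft registry switch for servers onboarded to Defender for Endpoint.
    # Only do this when another AV/EDR is the active protection; otherwise the VM loses AV coverage.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'ForceDefenderPassiveMode' -PropertyType DWord -Value 1 -Force | Out-Null
    Get-ItemProperty -Path $key -Name 'ForceDefenderPassiveMode'
}

# --- Usage (assumed 4:30–5:00 PM window matching the spike described in the thread) ---
Get-DefenderEventsInWindow -Start (Get-Date '16:30') -End (Get-Date '17:00') | Format-Table -AutoSize
Watch-MsMpEngCpu -Threshold 50 -IntervalSeconds 15 -Samples 60 | Format-Table -AutoSize
Set-DefenderMitigations | Format-List
Get-DefenderRunningMode | Format-List
# Enable-DefenderPassiveMode   # uncomment only after another AV/EDR is confirmed active
```

Correlating the event timestamps with the MsMpEng samples is what lets you tell a cloud-sync or intelligence-update burst from a scheduled scan: the former lines up with update/health events and ignores ScanAvgCPULoadFactor, the latter honours it. Re-run Get-MpPreference after applying changes and record the before/after output with your change ticket, since exclusions in particular should be reviewed rather than accumulate silently.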