SOLVED

Updating to Windows 10 Multi user 21H2 - MSSENSE.EXE constantly using 25% cpu on new session hosts

Copper Contributor

We have updated golden image VM to Windows 10 Multi User version 21H2 with latest KB updates and latest FsLogix version.

 

When creating new machines the mssense.exe process (some new EDR sensor process with defender?) is using 25% cpu. We have Defender exclusions for VDI and FsLogix in the environment and also best practice VDI defender GPO applied.

 

Disabling windows defender does not help aswell. Still mssense.exe is using 25% cpu.

 

What is this process and what can we do to disable or remedy this cpu usage on it? Or figure out WHAT is is spending time doing?

 

Best Regards 

AT

6 Replies

@ATWVD I am seeing similar issues on our hosts. Currently have a ticket open with MS but so far no luck. Were you able to fix the issue?

@RinoPROITS 

We have an ongoing Azure Support case on this. Latest reply:

"I´m still reviewing the situation with the Defender. I´m not completely sure but I´m suspecting that the Defender Database may have something to do since the Procmon is populated with checking’s on this path:

 

ATWVD_0-1650374709680.png

 

 

However they all show up as a SUCCESS so it seems that is not an error:

 

ATWVD_1-1650374709682.png

 

 

It is something that I have to consult since I´ve found some similar issues on third party sites googling this path although nothing from Microsoft end from the time being:

 

https://forum.restic.net/t/windows-defender-causes-10x-slowdown/925

 

I´ve found some sites saying that you could delete this entries but I´m not confident on doing that since compromising how defender works. I will take a look into it and confirming once I have some deeper insights on this."

@RinoPROITS have you had any progress with MS support or a epiphany on this case?

best response confirmed by ATWVD (Copper Contributor)
Solution
@ATWVD Yes, I actually have. The issue ended up being related to the customer enabling an Azure Policy that installed Defender for servers on the master image (The ASC Policy got activated from the root management group). This caused for corruption on Defender for endpoint on the session host because we auto register the session hosts using a GPO the senseGuid was no longer unique.

A simple test to see if you run into the same issue is to perform off boarding for Defender using the offboarding script on one of the session host, reboot and then onboard the session host again.

If the CPU usage does not go back to 25% usage constantly, it is fixed. I recommend monitoring it for 24hrs.

The final step would be to perform offboarding on the master image and make sure a policy is not installing defender onto the master image again.
Hi,

Thank you! Got time to test this today, and it is exactly the same issue here.

@ATWVD Perfect, glad to hear the issue is resolved for you as well.

1 best response

Accepted Solutions
best response confirmed by ATWVD (Copper Contributor)
Solution
@ATWVD Yes, I actually have. The issue ended up being related to the customer enabling an Azure Policy that installed Defender for servers on the master image (The ASC Policy got activated from the root management group). This caused for corruption on Defender for endpoint on the session host because we auto register the session hosts using a GPO the senseGuid was no longer unique.

A simple test to see if you run into the same issue is to perform off boarding for Defender using the offboarding script on one of the session host, reboot and then onboard the session host again.

If the CPU usage does not go back to 25% usage constantly, it is fixed. I recommend monitoring it for 24hrs.

The final step would be to perform offboarding on the master image and make sure a policy is not installing defender onto the master image again.

View solution in original post