Creating policy for Defender for Servers


Hello,

Some time ago we enabled Defender for Servers for virtual machines in our tenant. Some users reported to me that DfS is using a lot of CPU on their machines and that it blocks some files and processes from being executed. I have questions:

- can we create a policy to set maximum CPU usage for Defender for Servers for specified subscription?

- can we disable quarantine and any other detection for selected machines to ALERT only but not take any action?

I checked, and we can set CPU usage with a PS command, but these machines are removed and added every week, so we would like to automate this process.

3 Replies
Sounds like you onboarded the servers but haven't configured them yet, which can be done using GPO, SCCM or local script/PS. MDE Attach (aka "security settings management") might be an option for you, where onboarded servers can be configured via Intune (https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration).

From there you can set max CPU usage, add exclusions and do much, much more to fine-tune MDAV/MDE.

Additionally, verify if a Full Scan is scheduled, as it can be quite demanding on resources. Microsoft advises against scheduling Full Scans because they can be initiated automatically or manually when malware is detected. More information is available here: Schedule regular quick and full scans with Microsoft Defender Antivirus - Microsoft Defender for End...
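As an added example (not posted by any participant in this thread), the local script/PS route from the first reply can be combined with the Full Scan check from the second reply in one script that a weekly rebuilt VM runs at provisioning. The 30% limit and the output property names are assumptions; `Get-MpPreference` and `Set-MpPreference` are the built-in Defender cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example: apply a scan CPU limit on a freshly provisioned server and
# report whether a scheduled Full Scan is configured.
param(
    # Assumed value for illustration. Valid range for the setting is 5-100.
    [ValidateRange(5, 100)]
    [int]$MaxScanCpuPercent = 30
)

$ErrorActionPreference = 'Stop'

# ScanAvgCPULoadFactor limits CPU used by scans; it does not cap
# real-time protection activity.
$before = Get-MpPreference
if ($before.ScanAvgCPULoadFactor -ne $MaxScanCpuPercent) {
    Set-MpPreference -ScanAvgCPULoadFactor $MaxScanCpuPercent
}

# Re-read the effective configuration instead of trusting the write.
$after = Get-MpPreference
if ($after.ScanAvgCPULoadFactor -ne $MaxScanCpuPercent) {
    Write-Warning ("Scan CPU limit is {0}, expected {1}. A GPO or Intune policy may be enforcing another value." -f `
        $after.ScanAvgCPULoadFactor, $MaxScanCpuPercent)
}

# ScanParameters: 1 = quick scan, 2 = full scan.
# ScanScheduleDay: 0 = every day, 1-7 = Sunday..Saturday, 8 = never.
$fullScanScheduled = ($after.ScanParameters -eq 2) -and ($after.ScanScheduleDay -ne 8)
if ($fullScanScheduled) {
    Write-Warning "A scheduled Full Scan is configured; this is a common cause of high CPU usage."
}

# Emit one object per machine so the result can be collected centrally.
[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    ScanCpuLimitBefore   = $before.ScanAvgCPULoadFactor
    ScanCpuLimitAfter    = $after.ScanAvgCPULoadFactor
    ScheduledScanType    = $after.ScanParameters
    ScanScheduleDay      = $after.ScanScheduleDay
    FullScanScheduled    = $fullScanScheduled
}
```

Settings delivered by GPO or Intune take precedence over values written locally, so the re-read after `Set-MpPreference` is what confirms the limit actually applied.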

If you are all linked to the Defender cloud portal, then there could be an issue with the cloud portal. If internet is available, the portal will continue to scan all machines that are connected in your cloud portal, so that will increase their background CPU usage. Try these steps: advise all cloud users to install Malwarebytes and use that to scan all machines, even your machine, because your machine could be infected and that will cause issues for your users connected to the cloud. I'm assuming your machine is the server service for others to connect to in the cloud, so there's a good chance your machine is infected, and if so, any machine on your Defender cloud may also experience issues through the cloud, but it will show as CPU drain and lagging machines. Hope this helps.