Windows Defender Full Scan renders devices unusable for 6-7 hours (while scan is running)


We are using Microsoft Defender for Endpoint and configured daily quick scans and weekly full scans. The quick scans don't create any problems but the full scans are a big problem. Devices are not usable while the scan is running, e.g. one click in MS Teams takes about one minute to complete. We are using the defaults recommended by Microsoft in our configuration profiles.


What are the recommended settings for fine tuning full scans (e.g. ScanAvgCPULoadFactor) or are there specifi settings which are to be disabled in order to improve performance (e.g. DisableArchiveScanning).


Thank you!

7 Replies
Hi @Kiril Valev ,
Why dont you let them full scan in midnight?
Best regards
Thank you! The laptops of our users are turned off at midnight and the catch-up scans start the next morning.
Hi @Kiril Valev ,
is it possible to use wake on lan?`
Best regards
Hm, I think this is not an option to remotely start a device when the user is e.g at home.
Hello – there are a few touch points here which I hope help answer your question

1. Full scans are somewhat repetitive for a modern security solution (assuming RTP is always on – and CP/TP are enabled – full scans will not provide additional value from a prevention/protection perspective).
2. Task scheduler does not schedule scans, but it does in fact support “waking up” a device when tasks reach their deadline.
3. Performance impact during a scan can be controlled through CPU usage and caps. Increasing the amount of CPU usage will allow the scan to finish faster but will slow your computer down temporarily (less resources allocated to you as a user). Adversely, lowering the CPU cap (allotting less CPU resources to the scans) will allow you to maintain user performance but will increase the duration of the scanning.

Microsoft is always working to make the scans quicker, while maintaining high security standards.
You probably do not need to schedule a recurring full scan. That should be reserved for when you have reason to investigate a specific device. With MDE and EDR, you are unlikely to get much value from it. If you do need to do it, I usually set ScanAvgCPULoadFactor to nearer 25% (not an exact science), but it's going to take hours for little return if real time threat protection is active anyway.