Limit Windows Defender CPU Usage

%3CLINGO-SUB%20id%3D%22lingo-sub-1511280%22%20slang%3D%22en-US%22%3ELimit%20Windows%20Defender%20CPU%20Usage%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1511280%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20the%20problem%20that%20our%20Clients%20use%20too%20much%20CPU%20during%20a%20FullScan.%20Actually%2C%20the%20usage%20is%20limited%20to%2020%25%2C%20but%20the%20setting%20seems%20to%20have%20no%20effect.%20Whether%20I%20set%20it%20via%20Configuration%20Manager%20or%20GPO%2C%20the%20result%20is%20the%20same.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anyone%20have%20a%20similar%20problem%20or%20even%20better...%20a%20solution%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22HighCPU.PNG%22%20style%3D%22width%3A%20993px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F204317iE051D9CBC829C280%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22HighCPU.PNG%22%20alt%3D%22HighCPU.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1516144%22%20slang%3D%22en-US%22%3ERe%3A%20Limit%20Windows%20Defender%20CPU%20Usage%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1516144%22%20slang%3D%22en-US%22%3E%3CP%3EHello%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F438858%22%20target%3D%22_blank%22%3E%40philippwree%3C%2FA%3E%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETry%20changing%20the%20setting%20via%20registry.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EGo%20to%20%3CEM%3EHKEY_LOCAL_MACHINE%5CSOFTWARE%5CPolicies%5CMicrosoft%5CWindows%20Defender%5CScan%3C%2FEM%3E.%20%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECreate%20a%20new%20registry%20DWORD%2C%20name%20it%26nbsp%3B%3CSTRONG%3EAvgCPULoadFactor%3C%2FSTRONG%3E%20and%20set%20it%20to%2020%20on%20Decimal%20base.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EReboot%20the%20system.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESee%20if%20that%20helps%20you!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1521267%22%20slang%3D%22de-DE%22%3ESubject%3A%20Limit%20Windows%20Defender%20CPU%20Usage%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1521267%22%20slang%3D%22de-DE%22%3E%3CP%3EHave%20the%20same%20problem%20as%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F438858%22%20target%3D%22_blank%22%3E%40philippwree%3C%2FA%3E!%3C%2FP%3E%3CP%3EIn%20the%20Configuration%20Manager%2C%20we%20defined%20a%20CPU%20load%20of%2030%25%20for%20our%20windows%20servers%20in%20the%20default%20defender%20policy.%26nbsp%3B%3CSPAN%3EThe%20setting%20has%20also%20been%20correctly%20transmitted%20to%20the%20agents.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EChecked%20local%20via%20powershell%20%22Get-MpPreference%22%20and%20in%20the%20registry%20%22HKEY_LOCAL_MACHINE%20-%20SOFTWARE%20-%20Microsoft%20-%20Windows%20Defender%20-%20Scan%20%22%20AvgCPULoadFactor%22.%20The%20values%20are%20correctly%20limited%20to%2030%25.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDespite%20the%20throttling%2C%20the%20process%20%22MsMpEng.exe%22%20uses%20up%20to%20100%25%20CPU%20for%20scheduled%20and%20manual%20defender%20scans%20(full%20and%20quick).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPossibly%20a%20bug%20in%20a%20microsoft%20defender%20update%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1622486%22%20slang%3D%22en-US%22%3ERe%3A%20Limit%20Windows%20Defender%20CPU%20Usage%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1622486%22%20slang%3D%22en-US%22%3E%3CP%3EDid%20you%20find%20any%20solution%20for%20the%20Windows%20Defender%20problem%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F438858%22%20target%3D%22_blank%22%3E%40philippwree%3C%2FA%3E%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20currently%20distributing%20the%20load%20on%20our%20host%20by%20running%20the%20scans%20of%20the%20VMs%20at%20different%20times.%20However%2C%20we%20still%20have%20the%20problem%20with%20the%20load%20on%20the%20CPU.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1778523%22%20slang%3D%22en-US%22%3ERe%3A%20Limit%20Windows%20Defender%20CPU%20Usage%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1778523%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F438858%22%20target%3D%22_blank%22%3E%40philippwree%3C%2FA%3E%26nbsp%3BWe%20have%20the%20same%20issue%2C%20CPU%20limit%20is%20completely%20ignored.%20Is%20there%20a%20solution%20anywhere%3F%20iv%20been%20searching%20but%20cant%20find%20anything%20usefull%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1779264%22%20slang%3D%22en-US%22%3ERe%3A%20Limit%20Windows%20Defender%20CPU%20Usage%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1779264%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F831637%22%20target%3D%22_blank%22%3E%40Daniel_Larsson%3C%2FA%3E%26nbsp%3BIn%20your%20antimalware%20policy%20under%20%E2%80%9CScheduled%20Scans%E2%80%9D%2C%20switch%20the%20option%20%E2%80%9CStart%20a%20scheduled%20scan%20only%20when%20the%20computer%20is%20idle%E2%80%9D%20to%20no.%20That%20solved%20the%20problem%20for%20us.%3CBR%20%2F%3EIt%20seems%20that%20the%20check%20by%20Microsoft%20is%20flawed.%20If%20Endpoint%20thinks%20the%20system%20is%20idle%2C%20he%20ignores%20the%20CPU%20limit.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%221329E006-9EF4-4761-B969-6E6C6AB87146.jpeg%22%20style%3D%22width%3A%20582px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F226645iD97331A354117AFB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%221329E006-9EF4-4761-B969-6E6C6AB87146.jpeg%22%20alt%3D%221329E006-9EF4-4761-B969-6E6C6AB87146.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2064201%22%20slang%3D%22en-US%22%3ERe%3A%20Limit%20Windows%20Defender%20CPU%20Usage%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2064201%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F728277%22%20target%3D%22_blank%22%3E%40mongrel15%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EChanging%20the%20following%20setting%20to%20NO%20doesn't%20make%20any%20difference%20for%20us%20-%26nbsp%3B%20%22%3CSPAN%3EStart%20a%20scheduled%20scan%20only%20when%20the%20computer%20is%20idle%E2%80%9D%20%2F%20%22%E2%80%9CScanOnlyIfIdle%E2%80%9D%26nbsp%3B%20doesn't%20make%20any%20difference%20for%20us.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20tried%20setting%20%22AvgCPULoadFactor%22n%20in%20the%20registry%20to%201%25%20and%20it%20would%20still%20hit%20up%20to%2068%25.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

I have the problem that our Clients use too much CPU during a FullScan. Actually, the usage is limited to 20%, but the setting seems to have no effect. Whether I set it via Configuration Manager or GPO, the result is the same.

 

Does anyone have a similar problem or even better... a solution?

 

HighCPU.PNG

6 Replies

Hello @philippwree,

 

Try changing the setting via registry.

 

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan.  

 

Create a new registry DWORD, name it AvgCPULoadFactor and set it to 20 on Decimal base.

 

Reboot the system.

 

See if that helps you!

Have the same problem as @philippwree!

In the Configuration Manager, we defined a CPU load of 30% for our windows servers in the default defender policy. The setting has also been correctly transmitted to the agents.

Checked local via powershell "Get-MpPreference" and in the registry "HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows Defender \ Scan \ AvgCPULoadFactor". The values ​​are correctly limited to 30%.

 

Despite the throttling, the process "MsMpEng.exe" uses up to 100% CPU for scheduled and manual defender scans (full and quick).

 

Possibly a bug in a microsoft defender update?

Did you find any solution for the Windows Defender problem @philippwree?

 

We are currently distributing the load on our host by running the scans of the VMs at different times. However, we still have the problem with the load on the CPU.

@philippwree We have the same issue, CPU limit is completely ignored. Is there a solution anywhere? iv been searching but cant find anything usefull

@Daniel_Larsson In your antimalware policy under “Scheduled Scans”, switch the option “Start a scheduled scan only when the computer is idle” to no. That solved the problem for us.
It seems that the check by Microsoft is flawed. If Endpoint thinks the system is idle, he ignores the CPU limit.

 

1329E006-9EF4-4761-B969-6E6C6AB87146.jpeg

@mongrel15 

Changing the following setting to NO doesn't make any difference for us -  "Start a scheduled scan only when the computer is idle” / "“ScanOnlyIfIdle”  doesn't make any difference for us.

 

I tried setting "AvgCPULoadFactor"n in the registry to 1% and it would still hit up to 68%.