Search the Community

Hi everyone, I hope that someone may be able to shed some light on this topic. We've been getting reports from users who have a specific model that see spikes in CPU activity on 100% when the quick scan from Windows Defender starts. The notebook gets practically unusable in the next 10-20 minutes because of a huge lag in responsiveness. I've noticed that even though Defender will report the scan as finished, the sluggishness continues for several more minutes and finally ends after some time. The odd thing is that this is widely reported only on a specific model from Lenovo (ThinkPad P1 Gen2) We are using SCCM 1806 and Windows 10 1809 The CPU usage for the antimalware scan is limited to 30% by SCCM and the usage stays around this number, but the scan causes other processes to spike We've noticed the scan to cause other processes to spike: Skype for Business, Windows interrupts (this struck me as quite odd), Chrome, IntelliJ and others We've tried excluding the whole drive from the scans - still happens We've tried excluding some processes used daily by some users (browser, development IDE, etc...) - still happens Updated everything from the Lenovo System Update tool 2-3 weeks ago with one user - still happens Windows event log shows nothing of value I was not able to find anything in EndpointProtectionAgent.log that would indicate an issue What is really confusing to me: Out of all devices, only some users with P1 Gen2 models are reporting this issue Some users experience this on a daily basis, while others have seen it only a handful of times in the past several months The spike of CPU load for System interrupts in some cases leads me towards a possible driver issue, but I cannot pinpoint what exactly I was not able to find any relevant information in the event viewer. The log files at C:\ProgramData\Microsoft\Windows Defender\Support do not seem much of use as well. I was not able to find information on the path of the scanned items or a way to produce a log with increased verbosity that is in readable format. Is there any way we can troubleshoot this further with more details and pinpoint the exact cause of this problem?

Hi I have a question about the Fallback Source for definition updates. I have set “Updates distributed from configuration manager” first and next “Updates distributed from Microsoft Malware Protection center” (MPC). Definition updates from SCCM are installed every day as expected when a computer are on an internal network, but when I set a computer on a external network it does not fallback to MPC after the AuGracePeriod is over. In the registry I notice that the following is set: InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC. What I did not expect was the InternalDefinitionUpdateServer to be present at all when I set “Updates distributed from configuration manager”. I was sure that the InternalDefinitionUpdateServer only was set if choosing WSUS for update? The expected behavior was that MPC was contacted after AuGracePeriod. But that does not happen and I suspect that the InternalDefinitionUpdateServer is the issue? Anyone know the best practice of setting up the fallback and why InternalDefinitionUpdateServer is set by both the choices “Updates distributed from configuration manager” and by “Updates distributed from WSUS”.