vda Posted June 2, 2020 Report post Posted June 2, 2020 Hi everyone, I hope that someone may be able to shed some light on this topic. We've been getting reports from users who have a specific model that see spikes in CPU activity on 100% when the quick scan from Windows Defender starts. The notebook gets practically unusable in the next 10-20 minutes because of a huge lag in responsiveness. I've noticed that even though Defender will report the scan as finished, the sluggishness continues for several more minutes and finally ends after some time. The odd thing is that this is widely reported only on a specific model from Lenovo (ThinkPad P1 Gen2) We are using SCCM 1806 and Windows 10 1809 The CPU usage for the antimalware scan is limited to 30% by SCCM and the usage stays around this number, but the scan causes other processes to spike We've noticed the scan to cause other processes to spike: Skype for Business, Windows interrupts (this struck me as quite odd), Chrome, IntelliJ and others We've tried excluding the whole drive from the scans - still happens We've tried excluding some processes used daily by some users (browser, development IDE, etc...) - still happens Updated everything from the Lenovo System Update tool 2-3 weeks ago with one user - still happens Windows event log shows nothing of value I was not able to find anything in EndpointProtectionAgent.log that would indicate an issue What is really confusing to me: Out of all devices, only some users with P1 Gen2 models are reporting this issue Some users experience this on a daily basis, while others have seen it only a handful of times in the past several months The spike of CPU load for System interrupts in some cases leads me towards a possible driver issue, but I cannot pinpoint what exactly I was not able to find any relevant information in the event viewer. The log files at C:\ProgramData\Microsoft\Windows Defender\Support do not seem much of use as well. I was not able to find information on the path of the scanned items or a way to produce a log with increased verbosity that is in readable format. Is there any way we can troubleshoot this further with more details and pinpoint the exact cause of this problem? Quote Share this post Link to post Share on other sites More sharing options...
anyweb Posted June 2, 2020 Report post Posted June 2, 2020 i feel your pain, if you'd like to pm me some numbers of users affected i can ask Lenovo Engineering to take a look cheers niall Quote Share this post Link to post Share on other sites More sharing options...
Ranjithckm7 Posted June 10, 2020 Report post Posted June 10, 2020 Is there any progress on this issue? I have similar scenario in my environment Quote Share this post Link to post Share on other sites More sharing options...
anyweb Posted June 10, 2020 Report post Posted June 10, 2020 are these Lenovo's patched up with the latest BIOS and firmware updates ? Quote Share this post Link to post Share on other sites More sharing options...
Ranjithckm7 Posted June 11, 2020 Report post Posted June 11, 2020 Yes. Using Thin installer. Quote Share this post Link to post Share on other sites More sharing options...
anyweb Posted June 11, 2020 Report post Posted June 11, 2020 are you also using the same version of Windows 10 as the original poster ? have you tried a newer release (like 1909 or 2004) Quote Share this post Link to post Share on other sites More sharing options...
Ranjithckm7 Posted June 11, 2020 Report post Posted June 11, 2020 We're in 1909. We're not prepared to go 2004. Quote Share this post Link to post Share on other sites More sharing options...
anyweb Posted June 11, 2020 Report post Posted June 11, 2020 and you are seeing it only on ThinkPad P1 Gen2 ? have you looked into any of the bios settings to see if enabling/disabling anything secure related (for testing) changes the behaviour ? Quote Share this post Link to post Share on other sites More sharing options...
Ranjithckm7 Posted June 11, 2020 Report post Posted June 11, 2020 I think the model is P52. I haven't tried really. Quote Share this post Link to post Share on other sites More sharing options...
vda Posted June 11, 2020 Report post Posted June 11, 2020 No update so far. We've opened a support request with Microsoft as well, but still no answer from them. Odd things seem to happen with this model in our environment. We have two people that reported crashes on Skype for Business during conference calls with audio/video/screen sharing as well, which is something that rarely happens in general, but this particular model seems to exhibit this once every several days. I tried doing a crash dump analysis, but this seems a bit over my expertise. What was interesting is that apart from regular Windows/Office DDLs, the stack trace included both DLLs from Intel and NVIDIA. I seem to recall that this model has a setting for hybrid graphics in the BIOS, so I will check how these devices are configured in the BIOS and see if switching to a different mode will yield some changes. Another thing that I am planning on exploring is ProcDump. . Quote Share this post Link to post Share on other sites More sharing options...
anyweb Posted June 11, 2020 Report post Posted June 11, 2020 this is what I got from Joe @ Lenovo https://forums.lenovo.com/t5/Enterprise-Client-Management/Windows-defender-scans-cause-100-CPU-usage-on-P1-Gen2-model/m-p/5018214 For my next test, I patched the 1909 factory preload with the May 2020 cumulative update. After doing this, I could not reproduce the problem. i guess it's your post also ? have you tried this ? Quote Share this post Link to post Share on other sites More sharing options...
vda Posted June 12, 2020 Report post Posted June 12, 2020 Yep, that's my post. Unfortunately, the issue is still present. Quote Share this post Link to post Share on other sites More sharing options...
anyweb Posted June 12, 2020 Report post Posted June 12, 2020 but are you testing on windows 10 1909 with the may update ? Quote Share this post Link to post Share on other sites More sharing options...
vda Posted June 12, 2020 Report post Posted June 12, 2020 Apologies, my answer was a bit unclear on the matter. I updated my devices with the may update, but on Windows 10 1809. I have not tried with 1909 yet. Quote Share this post Link to post Share on other sites More sharing options...
vda Posted June 22, 2020 Report post Posted June 22, 2020 So the oddest of things happened: the issue does not manifest itself anymore. Users have reported that they haven't seen the issue in the past week or two, whereas some of them saw it on a daily basis. Apart from a change in the antimalware platform version to 4.18.2005.5-0 (previous was 4.18.2005.4-0) and the deployment of May updates, I cannot think of anything else that has been changed. I lean towards the antimalware platform version being the actual fix to the problem, since we also tried the May updates before and saw the issue still persisted. Quote Share this post Link to post Share on other sites More sharing options...
anyweb Posted June 22, 2020 Report post Posted June 22, 2020 thanks for the update ! Quote Share this post Link to post Share on other sites More sharing options...
Alslinet Posted August 20, 2020 Report post Posted August 20, 2020 A tip i got from Microsoft Support was to disable scan only if idle. Turns out they changed something back in June/July and now a lot of people have problems with CPU usage. Quote Share this post Link to post Share on other sites More sharing options...