Merge branch 'main' into docs-editor/schedule-antivirus-scans-1745951460

Author: emmwalshh

.github/workflows/StaleBranch.yml

@@ -2,6 +2,7 @@ name: (Scheduled) Stale branch removal
 
 permissions:
   contents: write
+  pull-requests: read
 
 # This workflow is designed to be run in the days up to, and including, a "deletion day", specified by 'DeleteOnDayOfMonth' in env: in https://github.com/MicrosoftDocs/microsoft-365-docs/blob/workflows-prod/.github/workflows/Shared-StaleBranch.yml.
 # On the days leading up to "deletion day", the workflow will report the branches to be deleted. This lets users see which branches will be deleted. On "deletion day", those branches are deleted.

defender-endpoint/troubleshoot-mdav-scan-issues.md

@@ -13,7 +13,7 @@ ms.collection:
 ms.topic: troubleshooting
 ms.subservice: ngp
 search.appverid: met150
-ms.date: 03/11/2025
+ms.date: 04/29/2025
 ---
 
 # Troubleshoot Microsoft Defender Antivirus scan issues
@@ -34,6 +34,20 @@ Understanding why a scan is launched can help identify what settings are applied
 | Catch up scan | Launched when a scheduled scan was missed twice |
 | Manually launched | A scan is launched manually by using any of the following methods: <br/>- Command Prompt: `MpCmdRun -scan -scantype` <br/>- [Taking a response action on a device](/defender-endpoint/respond-machine-alerts#run-microsoft-defender-antivirus-scan-on-devices) in the Microsoft Defender portal <br/>- Using the Windows Security app or Microsoft Defender app on the device |
 
+## CPU performance and scan throttling in Microsoft Defender Antivirus
+
+Microsoft Defender Antivirus includes several configurable settings to manage CPU usage during scans. These settings help balance system performance and security by controlling how aggressively Defender uses system resources. If you use Group Policy, these settings are found under `Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Scan`. To check current value of these settings on a machine use the `Get-MpPreference` PowerShell command.
+
+The key settings to be aware of are listed in the following table:
+
+| Setting | Details |
+|--|--|
+| `ScanOnlyIfIdle` | **Description**: When enabled, Microsoft Defender Antivirus only performs scans when the system is idle.<br/><br/>**Purpose**: This minimizes performance impact during active use by deferring scans until the system is not in use.<br/><br/>**Typical Use Case**: Ideal for environments where user experience is a priority and scans can be delayed without compromising security.<br/><br/>**Policy Name**:<br/>**Group Policy**: Not available. <br/>- **Intune**: `./Device/Vendor/MSFT/Defender/Configuration/ScanOnlyIfIdleEnabled` <br/><br/>**Default**: True (Enabled) |
+| `DisableCpuThrottleOnIdleScans` | **Description**: When set to `true`, this disables CPU throttling during idle-time scans.<br/><br/>**Purpose**: Allows Defender to use more CPU resources when the system is idle, potentially completing scans faster.<br/><br/>**Interaction with Other Settings**: Works with `ScanOnlyIfIdle`. If both are enabled, scans run only when idle and aren't throttled.<br/><br/>**Policy Name**:<br/>- **Group Policy**: Not available.<br/>- **Intune**: `./Device/Vendor/MSFT/Defender/Configuration/DisableCpuThrottleOnIdleScans`<br/><br/>**Default**: True (Enabled) |
+| `AvgCPULoadFactor` | **Description**: Specifies the average CPU load (as a percentage) that Microsoft Defender Antivirus shouldn't exceed during scans. This setting doesn't apply to real time protection scans.<br/><br/>**Purpose**: Helps maintain overall system responsiveness by limiting Defender's CPU usage.<br/><br/>**Example**: A value of `50` means Microsoft Defender Antivirus attempts to keep its CPU usage below 50% during scans.<br/><br/>**Interaction with Other Settings**: This setting is influenced by `DisableCpuThrottleOnIdleScans` and `ThrottleForScheduledScanOnly`, which can override or limit when throttling is applied.<br/><br/>**Policy Name**: <br/>- **Group Policy**: `Specify the maximum percentage of CPU utilization during a scan`<br/>- **Intune**: `./Device/Vendor/MSFT/Policy/Config/Defender/AvgCPULoadFactor` |
+| `ThrottleForScheduledScanOnly` | **Description**: When enabled, CPU throttling is applied only to scheduled scans, not to manual scans.<br/><br/>**Purpose**: Ensures that scheduled scans are less intrusive, while allowing manual scans to run at full speed if needed.<br/><br/>**Interaction with Other Settings**: When used with `AvgCPULoadFactor`, throttling limits only apply to scheduled scans. Manual scans ignore the CPU load factor and might use more resources.<br/><br/>**Policy Name**:<br/>- **Group Policy**: `Cpu throttling type` <br/>- **Intune**: `./Device/Vendor/MSFT/Policy/Config/Defender/ThrottleForScheduledScanOnly`<br/><br/>**Default**: True (Enabled) |
+| `EnableLowCpuPriority` | **Description**: This policy setting allows you to enable or disable low CPU priority for scheduled scans.<br/><br/>**Purpose**: Helps reduce the impact of scans on system performance by allowing other processes to take precedence over Microsoft Defender Antivirus's scanning tasks.<br/><br/>**Interaction with Other Settings**: Complements `AvgCPULoadFactor` and `ThrottleForScheduledScanOnly` by further deprioritizing Microsoft Defender Antivirus's CPU usage. It's especially useful in environments where maintaining responsiveness during scans is critical.<br/><br/>**Policy Name**: <br/>- **Group Policy**: `Configure low CPU priority for scheduled scans`<br/>- **Intune**: `./Device/Vendor/MSFT/Policy/Config/Defender/EnableLowCPUPriority`<br/><br/>**Default**: False (Disabled) |
+
 ## Policies that impact scanning
 
 Understanding the policies applied to the scan enables you to understand the behavior of the scan and what can be tuned to remediate scan challenges.
@@ -73,7 +87,7 @@ In an Intune policy and in [Defender for Endpoint Security Settings Management](
 
    Settings: `Scan Parameter`; `Schedule Scan Day`; and `Schedule Scan Time`
 
-If you are using Group Policy to manage your devices, see [Configure Microsoft Defender Antivirus with Group Policy](/defender-endpoint/use-group-policy-microsoft-defender-antivirus#group-policy-settings-and-resources)
+If you're using Group Policy to manage your devices, see [Configure Microsoft Defender Antivirus with Group Policy](/defender-endpoint/use-group-policy-microsoft-defender-antivirus#group-policy-settings-and-resources)
 
 For information about troubleshooting antivirus settings, see [Troubleshoot Microsoft Defender Antivirus settings](/defender-endpoint/troubleshoot-settings)
 

defender-vulnerability-management/TOC.yml

@@ -42,6 +42,8 @@
             href: tvm-hardware-and-firmware.md
       - name: Authenticated scan for Windows
         href: windows-authenticated-scan.md
+      - name: Understand retention logic 
+        href: retention-logic-mdvm.md
     - name: Detect and assess threats
       items:
       - name: Dashboard insights