Updated 3/23/2023 to focus on the shared security intelligence feature for VDI.
Virtual Desktop Infrastructure (VDI) brings an interesting dynamic when tuning the platform. The delicate balance...
I just came across this thread and was hoping to get some feedback on an issue we're having with Onboarding our Horizon Instant Clone desktops into Defender.
In a nutshell:
We are NOT using a shared intelligence server, we are allowing the desktops to pull down updates directly from WU.
We are utilizing a post-sync task on the Horizon pool that runs a script that:
- Clears any onboarding data in place (gold image is clear but we do this anyway)
- Runs the Onboard NonPersistent PowerShell
The thing we're running into is that we see a very high utilization number on the disk inside our VMs. Unfortunately, we're unable to trigger this on demand; it seems a bit random. Last night I republished a pool of 700 desktops. It got through the first 480ish no problem, running the task and all, when all of a sudden the remaining ones were not finishing their tasks and they errored out. When I looked into it, the VMs were showing the disk at 100% like this:
Is there a "bottleneck" where X devices onboarding at once can hit a wall? Or are we suffering the consequences of not having the shared intelligence server? We did speak with a Microsoft rep on this, and he led us to believe a shared intelligence box in our environment wasn't necessary, and that allowing WU to handle the updates would be sufficient.