Updated 3/23/2023 to focus on the shared security intelligence feature for VDI.
Virtual Desktop Infrastructure (VDI) brings an interesting dynamic when tuning the platform. The delicate balance...
First of all, thanks for the reply. Very much appreciate your feedback.
We have multiple VDI pools that we're attempting to get on Defender. At the most basic level, we have Defender installed and active on our gold image. For the sake of this discussion, we'll say the image is fully patched Windows 10 20H2 as of October 1st, including any Defender patches/updates we have. We then published all of our pools with said image, and in the other pools we don't SEEM to be seeing this issue. Now, there are several differences/possible differences:
1. The different pools technically have different images. Yes, we try to keep them identical except when software requirements differ, but by and large they are similar. Similar, though, does not mean EXACT.
2. The different pools are on different back-end hardware. This problem pool lives on hardware with 8180 processors; the pools we don't feel it in live on 8280 processors. All are on vSAN storage from VMware.
3. The pools where we don't see the issue are not performing any onboarding whatsoever; Defender just runs as-is from the gold image.
4. ALL of the pools are sharing one VDI GPO for settings/exclusions, whether onboarded or not. I could certainly see this GPO needing to be fine-tuned. It is basically a copy of the GPO our server group uses for Defender with our VDI exclusions piled on, but it wouldn't shock me if we need this cleaned up.
Point #3 is where I keep going back to the onboarding as a possible culprit, but perhaps it's time we circled back to looking at the shared intelligence server.
I'm still on a virtual desktop that got created/onboarded last night and rode through the high disk usage (it's the screenshot I provided), and this is how it looks now. Keep in mind I've just been connected to this; I haven't really done any work with it, just been squatting on it. Disk, as you can see, is down, as expected. Memory seems high to me, but maybe it's expected:
For contacting Microsoft support, can you recommend any certain team/verbiage to use to get a solid group to look into this with us? The reason I ask is that it feels like we're always kind of getting contacts from Microsoft who aren't familiar with what we're trying to do (Defender on non-persistent VDI), almost like they're seeing it for the first or second time. Like I said, it was a Microsoft contact who actually told us to just go straight to WU for Defender intelligence updates, even though we made them aware of the shared intelligence deployment write-up.
In regard to your line about making sure the latest Defender software is on the gold image: in a VDI world, where you have a gold image that you have to update and snapshot and then push out, is it reasonable to do this monthly/bi-monthly? That's really the shortest maintenance window we can get in our environment. If that isn't quick enough, can it be problematic?
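Added example (not from the thread or its poster): a PowerShell snapshot of the Defender state on a single VDI desktop, so the three suspects raised in the reply above (MDE onboarding, the shared security intelligence source versus Windows Update, and the server-derived exclusion GPO) can be compared between a pool that shows the disk/memory spike and one that does not, and so signature/engine drift from the gold image can be measured between image refreshes. It uses the standard Defender cmdlets (Get-MpComputerStatus, Get-MpPreference) and the MDE onboarding status registry value. The policy registry path for the VDI shared intelligence location and the SharedSignaturesPath preference are assumptions about the platform version in use; if a property is absent on an older platform it simply reports empty.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell session
# on the virtual desktop itself. Assumed names are marked below.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# 1. Versions: platform (AMProductVersion), engine, and security intelligence.
#    Record these on the gold image and again on a long-lived desktop to see how far a
#    pool drifts between monthly/bi-monthly image refreshes.
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    IsVirtualMachine   = $status.IsVirtualMachine
    PlatformVersion    = $status.AMProductVersion
    EngineVersion      = $status.AMEngineVersion
    SignatureVersion   = $status.AntivirusSignatureVersion
    SignatureAgeHours  = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
    RealTimeProtection = $status.RealTimeProtectionEnabled
} | Format-List

# 2. Where do updates come from? SignatureFallbackOrder is the ordered list of sources
#    Defender tries (e.g. "MicrosoftUpdateServer|MMPC"). SharedSignaturesPath is the VDI
#    shared intelligence share set with Set-MpPreference; the SharedSignatureRoot policy
#    value is what the "Define security intelligence location for VDI clients" GPO writes.
#    Both the registry path and the preference name are assumptions for the platform in use.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates'
$sharedRootFromGpo = (Get-ItemProperty -Path $policyKey -Name SharedSignatureRoot -ErrorAction SilentlyContinue).SharedSignatureRoot
[pscustomobject]@{
    FallbackOrder        = $pref.SignatureFallbackOrder
    FileShareSources     = $pref.SignatureDefinitionUpdateFileSharesSources
    SharedSignaturesPath = $pref.SharedSignaturesPath
    SharedSignatureRoot  = $sharedRootFromGpo
} | Format-List

# 3. Onboarding: OnboardingState = 1 means the desktop is onboarded to Defender for
#    Endpoint; the Sense service is the EDR sensor. Pools that do no onboarding should
#    show no value / a stopped or missing service.
$senseKey   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboarding = (Get-ItemProperty -Path $senseKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
$sense      = Get-Service -Name Sense -ErrorAction SilentlyContinue
[pscustomobject]@{
    OnboardingState = if ($null -eq $onboarding) { 'not present' } else { $onboarding }
    SenseService    = if ($sense) { $sense.Status } else { 'not installed' }
} | Format-List

# 4. The effective exclusion set pushed by the shared GPO. Entries inherited from a
#    server-role GPO that have no meaning on a desktop are candidates for pruning;
#    every exclusion is a blind spot for the scanner.
'Path exclusions:';      $pref.ExclusionPath      | Sort-Object
'Process exclusions:';   $pref.ExclusionProcess   | Sort-Object
'Extension exclusions:'; $pref.ExclusionExtension | Sort-Object

# 5. Current footprint of the AV engine and the EDR sensor (the memory the reply above
#    describes as looking high). WorkingSet is reported in MB.
Get-Process -Name MsMpEng, MsSense -ErrorAction SilentlyContinue |
    Select-Object Name, Id, @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) } }, CPU |
    Format-Table -AutoSize
```

Run it on one desktop from the problem pool and one from a pool that does not show the spike, and diff the two outputs: if the fallback order or shared path differ, the update source is the variable; if only OnboardingState/Sense differ, the onboarding suspicion from point #3 is the one to pursue first.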