Microsoft Defender ATP now in preview on Windows 10 Enterprise multi-session


We are happy to announce on Microsoft Defender Advanced Threat Protection (MDATP) support on Windows Virtual Desktop enabling both single and multi-session scenarios. 


The support for Multi-user session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM while the single session scenarios are fully supported.


The support applies to the following operating systems: 

  • Windows 10 Enterprise multi-session, version 1809 or later
  • Windows 10 Enterprise, version 1809 or later
  • Windows 7 Enterprise
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2


Onboarding WVD devices to MDATP is done via the existing device onboarding process, follow the relevant onboarding instructions per the platform you are using:



17 Replies

Hi, I need to onboard 12 VM's and I am using the local script, but with the local script, I can onboard only 10 VMs. How should I onboard the remaining 2 VMs? @PieterWigleven 

There is no counter in the script, 1-10 computers is just a recommendation, preventing you from being sneaker admin.

I'm running the script from a network share through the "Run PowerShell script" from Azure VM portal (removed the lines about confirmation) whenever we roll-out new WVD.
So far we have more than 40 machines onboarded with same script.

@Olaf Thyssen Awesome. Thanks very much for the reply. I don't know why this information is not in the documentation. Have you tried URL blocking with this? My plan is to onboard all the 12 VMs and apply the URL blocking for them.

@gadmin285  I've done this with custom indicators, and it works fine. However, you might want to look into the Cyren webfilter if you want to block more than just a few unwanted sites..

@Sentry23 I think to use Cyren we should have a license. check the screenshot once. Also what's the use of Cyren?need license of web filtering.PNG

@gadmin285 It looks as if you need to acquire it still. If you have it, it provides an easy way to just block whole categories of websites (such as adult content, violence, etc), instead of having to add each site by hand in a custom rule.

@PieterWigleven Any idea how the licensing will work for Windows 10 Multisession in WVD?  I'm reading in the MDATP docs that if I have an E5 license, I can use MDATP on up to 5 concurrent devices; does this include a WVD session hosts running Windows 10 Multisession?  Or do I need to add the session host VM to Azure Security Center to achieve licensing requirements?



I agree, the ambiguity around product releases and public preview and trials is just getting out of hand at Microsoft!


Try and get answers from MS Distributors and they are in the same boat. Product Team you guys are doing a great job in getting new products out - but why not feed info to your users (beta users) on how to go about deploying new products.


We are looking at E5 users or standalone Defender Advanced Threat Protection. But have no clarity on how licensing in WVD will be compliant/work!

@limaecho @Jeff_Bryant I've checked it's part of your existing E5 per User licensing. A user needs have a valid E5 license when accessing a session on Win10 Enterprise multi-session. A license is only used when an user has an active session. With per User licensing you always have access to concurrent 5 devices (or sessions). 



Hi Pieter so if I install ATP on my Session Host Image and deploy session host using that. Then I have one user that has a Microsoft 365 Premium license and another user that has Microsoft 365 E5 license - are you saying that the user session with Microsoft 365 Premium licence will not be protected?

@limaecho It's the same as with physical devices. If a device is enrolled in MDATP the user that access it needs a valid E5 license. This is in order to be compliant from a licensing perspective. 

Thanks - apologies as MDATP is a new product and I am yet to get my trial activation email - so not really skilled in understanding how it works on physical devices.

What if we put the session host in Azure Security Center - I believe VM protection in Azure Security covers MDATP? Would that cover all user sessions connecting to the host?

Its all a bit confusing!!
@limaecho No worries, we are happy to help. Once the device (or VM) is enrolled all users that connect benefit from MDATP. This can be through MDATP or ASC.

The Microsoft Defender for Endpoints (FKA Microsoft Defender ATP) licensing is getting quite complex now. Just to confirm, what would be valid options for WVD:


- Per user (for up to five concurrent devices):

  • Windows 10 Enterprise E5
  • Windows 10 Education A5
  • Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
  • Microsoft 365 E5 Security
  • Microsoft 365 A5 (M365 A5)
  • Microsoft Defender for Endpoints standalone retail (via CSP)

Per server (Session Host? --> also valid for WVD multi-session, up to 25 users??)

  • Azure Security Center Standard plan (per node)
  • Microsoft Defender for Servers, one per covered Server (via CSP + extra license requirement for a minimum of 50 licenses for products like Windows 10 E5 / Microsoft 365 E5 / Microsoft 365 E5 Security etc.)

 Can someone comment on this? Thanks!

@ Since a couple of days WVD seems not completely supported anymore? See attached screenshot.


Did I mis an anouncement around this?

With relation to AVD/Windows 10 Multi-session, is there any planned support for third party browsers for web filtering?