Forum Discussion

David Schrag
Iron Contributor
May 06, 2021

WVD not onboarding to Defender - execution policy to blame?

I want my multi-user session hosts to get onboarded to Defender for Endpoint using the single entry for each device option. I'm following the instructions at https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints-vdi?view=o365-worldwide#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1 I have configured a local group policy object on the golden image to run the onboarding script at startup. But the VM is NOT getting onboarded at startup. However, if I run the script manually from C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup, it works -- but only after I answer Y to the prompt to change the execution policy.


I have also tried configuring a GPO in my Azure AD DS domain, as described in https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboard-windows-10-multi-session-device?view=o365-worldwide, and I think I'm running into the same problem that way because the onboarding script is not digitally signed.


What exactly should I be doing on the golden image regarding execution policy to allow the Defender onboarding script to run on startup on brand new machines created from the image?
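
The following is an added example, not code from the post, from Microsoft's onboarding package or from the linked docs. It shows what a practitioner would check and set on the golden image so an unsigned onboarding script can run from a machine startup script, and it avoids Unrestricted. Paths and file names (C:\Onboarding, Onboard-NonPersistentMachine.ps1, Onboard-MDE.cmd, the timestamp server URL) are assumptions; substitute the ones from your own package. Note that a GPO startup script runs as SYSTEM with no interactive desktop, so a script that stops at a Y/N prompt simply hangs or fails there, which matches the symptom described above.

```powershell
# Added example (not the post's or Microsoft's code): prepare a golden image so an
# unsigned Defender for Endpoint onboarding script runs from a machine startup script.
# Assumed (hypothetical) layout: package extracted to C:\Onboarding, script name
# Onboard-NonPersistentMachine.ps1. Run in an elevated Windows PowerShell 5.1 session.
#Requires -RunAsAdministrator
param(
    [string]$ScriptPath = 'C:\Onboarding\Onboard-NonPersistentMachine.ps1',
    [string]$StartupDir = "$env:SystemRoot\System32\GroupPolicy\Machine\Scripts\Startup"
)

# 1. Show every scope. A value in MachinePolicy or UserPolicy comes from Group Policy
#    ("Turn on Script Execution") and overrides anything Set-ExecutionPolicy writes, so if
#    one of those is not Undefined the fix belongs in the GPO, not on the image.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Files extracted from a zip that was downloaded in a browser usually carry the
#    Zone.Identifier stream (mark of the web). RemoteSigned treats such a file as remote
#    and refuses to run it unsigned, even though it sits on the local disk.
if (Get-Item -Path $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Write-Host "Removing mark-of-the-web from $ScriptPath"
    Unblock-File -Path $ScriptPath
}

# 3. Machine-wide policy for the image. RemoteSigned is enough for a local, unblocked
#    script; -Force suppresses the confirmation prompt. Do not use Unrestricted.
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy RemoteSigned -Force

# 4. Stricter alternative: sign the script with an internal code-signing certificate so it
#    also runs under AllSigned. Assumes a cert with the Code Signing EKU is installed in
#    Cert:\LocalMachine\My; the timestamp server URL is an assumption.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My -CodeSigningCert | Select-Object -First 1
if ($cert) {
    $sig = Set-AuthenticodeSignature -FilePath $ScriptPath -Certificate $cert `
        -TimestampServer 'http://timestamp.digicert.com'
    Write-Host "Signature status: $($sig.Status)"
}

# 5. Startup wrapper. The per-process -ExecutionPolicy Bypass does not change the machine
#    policy, and -NonInteractive makes any prompt fail loudly instead of hanging as SYSTEM.
#    Point the local GPO (or domain GPO) startup script entry at this .cmd file.
$wrapper = Join-Path $StartupDir 'Onboard-MDE.cmd'
@"
@echo off
"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "$ScriptPath"
"@ | Set-Content -Path $wrapper -Encoding ASCII

# 6. Verify what the SYSTEM startup script will see before sealing the image.
(Get-AuthenticodeSignature -FilePath $ScriptPath).Status   # NotSigned is fine under RemoteSigned
Get-ExecutionPolicy                                        # effective policy for this host
Get-Content -Path $wrapper
```

Execution policy is a safety catch against accidental script execution, not a security boundary, so the per-invocation Bypass in the wrapper is acceptable where the script itself is a trusted, access-controlled file; if you want the policy to mean something, sign the script (step 4) and set AllSigned through the GPO rather than relying on step 3.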

4 Replies

  • guidovbrakel
    Brass Contributor

    Have you checked this article, to make sure your setup is correct: https://sokolovtech.com/wvd/20-microsoft-defender-for-endpoint-mdatp-and-windows-virtual-desktop-wvd-protection-part-1


    I would suggest going through this article and checking if you have configured everything as described in this article.

    • David Schrag
      Iron Contributor

      ellengur No, but to be honest I gave up trying. We don't deploy that many session hosts, so I just built manual onboarding into our deployment procedures.
