WVD not onboarding to Defender - execution policy to blame?


I want my multi-user session hosts to get onboarded to Defender for Endpoint using the single entry for each device option. I'm following the instructions at Onboard non-persistent virtual desktop infrastructure (VDI) devices | Microsoft Docs. I have configured a local group policy object on the golden image to run the onboarding script at startup. But the VM is NOT getting onboarded at startup. However, if I run the script manually from C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup, it works -- but only after I answer Y to the prompt to change the execution policy.


I have also tried configuring a GPO in my Azure AD DS domain, as described in Onboard Windows 10 multi-session devices in Windows Virtual Desktop | Microsoft Docs, and I think I'm running into the same problem that way because the onboarding script is not digitally signed.


What exactly should I be doing on the golden image regarding execution policy to allow the Defender onboarding script to run on startup on brand new machines created from the image?
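For readers hitting the same startup-script problem, here is an added diagnostic wrapper (not part of this thread or of Microsoft's onboarding package). It assumes the GPO startup entry launches it as `powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File <wrapper>`, so the policy override is scoped to that one process rather than lowered machine-wide, and it assumes the VDI package's Onboard-NonPersistentMachine.ps1 sits in the startup-scripts folder named in the question; the log path is a constructed example. Signing the onboarding script with an internal code-signing certificate remains the cleaner fix.

```powershell
# Added example, not the onboarding package's own code. Assumed: launched by the GPO
# startup entry with -ExecutionPolicy Bypass -NonInteractive, so nothing here prompts.
$ScriptDir = 'C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup'
$Onboarder = Join-Path $ScriptDir 'Onboard-NonPersistentMachine.ps1'
$Log       = 'C:\ProgramData\MdeOnboard\startup.log'   # constructed path for this example
New-Item -ItemType Directory -Path (Split-Path $Log) -Force | Out-Null

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $Log
}

# 1. Record the effective policy per scope. A value under MachinePolicy or UserPolicy
#    comes from Group Policy and overrides anything set locally with Set-ExecutionPolicy,
#    which is usually why a manual run and a startup run behave differently.
Get-ExecutionPolicy -List | ForEach-Object {
    Write-Log "policy $($_.Scope)=$($_.ExecutionPolicy)"
}

# 2. An unsigned script is rejected under AllSigned, and under RemoteSigned when the file
#    still carries a Mark-of-the-Web from being downloaded. Log both conditions.
if (-not (Test-Path -Path $Onboarder)) {
    Write-Log "onboarding script not found at $Onboarder"
    return
}
$sig = Get-AuthenticodeSignature -FilePath $Onboarder
Write-Log "signature status: $($sig.Status)"      # NotSigned for the stock package
$zone = Get-Item -Path $Onboarder -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) { Write-Log 'Zone.Identifier stream present: file is treated as downloaded' }

# 3. Skip the work if this host already reports as onboarded (status key Microsoft
#    documents for onboarding troubleshooting; value 1 means onboarded).
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
if ($state -eq 1) {
    Write-Log 'already onboarded; nothing to do'
    return
}

# 4. Run the onboarder from its own folder, in this already-bypassed process, and
#    record the outcome so a silent failure at boot is visible afterwards.
try {
    Push-Location $ScriptDir
    & $Onboarder
    Write-Log "onboarder finished, LASTEXITCODE=$LASTEXITCODE"
} catch {
    Write-Log "onboarder failed: $($_.Exception.Message)"
} finally {
    Pop-Location
}
```

Compare the logged per-scope policies with the values seen in a manual session; a MachinePolicy entry points at a domain or local GPO that has to be adjusted (or the script signed) rather than at anything on the golden image.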

4 Replies

@David Schrag did you ever get this resolved? Fighting the same issue here.

@ellengur No, but to be honest I gave up trying. We don't deploy that many session hosts, so I just built manual onboarding into our deployment procedures.

Thanks for the quick update.

Have you checked this article, to make sure your setup is correct: https://sokolovtech.com/wvd/20-microsoft-defender-for-endpoint-mdatp-and-windows-virtual-desktop-wvd...


I would suggest going through this article and checking if you have configured everything as described in this article.