Windows Virtual Desktop support is now generally available

Published Jan 28 2021 10:02 AM 15.2K Views

Microsoft is committed to continually extending Microsoft Defender for Endpoint capabilities across all the endpoints you need to secure, and today we’re excited to announce that Defender for Endpoint for Windows Virtual Desktop is now generally available! In this post we’ll briefly go over what this means, and what the experience looks like in the Microsoft Defender Security Center.

Defender for Endpoint now supports Windows Virtual Desktop for Windows 10 Enterprise multi-session (listed here as “Microsoft Windows 10 Enterprise for Virtual Desktops”)




Single session scenarios on Windows 10 Enterprise are fully supported and onboarding your Windows Virtual Desktop machines into Defender for Endpoint has not changed.


There are several new items in the Microsoft Defender Security Center that you’ll see have been added to support Windows Virtual Desktop, we’ll detail them in the following sections.


Device Inventory Page

On the device inventory page, select “filters” to see a new “Windows 10 WVD” filter under OS Platform that you can use to view only Windows Virtual Desktop machines. Identify Windows Virtual Desktop machines by looking for “Windows 10 WVD” in the OS platform column of the table.




Device Page

On the device page in the left fly out, you’ll also see that Windows Virtual Desktop is reflected under the device details section. Under “OS” you’ll see “Windows 10 WVD x64” indicating that it’s a Windows Virtual Desktop machine.




The device page will also show the number of logged on users in the past 30 days on the overview tab.




Selecting the “See all users” link will allow you to see the complete list of users. You’ll have a number of columns at your disposal including “Logon Type,” which for Windows Virtual Desktop will be “logon type 10” or “RemoteInteractive.”




The changes thus far are there to help you identify Windows Virtual Desktop machines in the Microsoft Defender Security Center. The data that is collected, and the investigation experience that you are used to with all other supported endpoint types, remains mostly unchanged. You can expect the majority of the functionality and capabilities such as the device page, response actions, threat and vulnerability management, Microsoft Secure Score for Devices, software inventory, etc. to all still work in the same way they do for Windows 10 and other supported devices. However, there are some things to take note of in a few key areas of the security center which we’ll walk through below.


Machine Timeline

The machine timeline will be populated with cyber telemetry from all active user sessions on the Windows Virtual Desktop machine. This allows analysts to see all events happening on the machine and also gives the option to investigate timeline events that are specific to a particular user session. As an example, I’ve flagged a couple of events in the machine timeline from five different users who are logged on concurrently to a Windows Virtual Desktop machine:




If you want to see all activity related to a specific user, simply search for the username to display all associated cyber telemetry:




All of the machine timeline capabilities such as search, filters, flagging, columns, time span, etc. still work the same way as they do with other devices.


Advanced Hunting

All of the cyber telemetry data reported by Windows Virtual Desktop machines will be available in advanced hunting. For example, you may want to see process events or image loads related to a specific user session and this can be accomplished by using columns that are already present in the advanced hunting schema:




Perhaps you want to check browser network events by user on a Windows Virtual Desktop host for the last 24 hours:




For the last example, you may want to check for currently logged on users via the DeviceInfo table, as you can see here at 1/13/2021 1:25:19 there are five users concurrently logged on to this specific Windows Virtual Desktop host:




These are just a few examples that target all or specific user sessions for data insights via advanced hunting. Continue to reference the schema and use your imagination and creativity for unique data insights!


Incidents and Alerts

This experience in the portal remains unchanged, here is an example alert that is triggered for a user on a Windows Virtual Desktop machine:




Note on licensing: When using Windows 10 Enterprise multi-session, depending on your requirements, you can choose to either have all users licensed through Microsoft Defender for Endpoint (per user), Windows Enterprise E5, Microsoft 365 Security, or Microsoft 365 E5, or have the VM licensed through Azure Defender.

We’re excited to share this milestone with everyone, and we hope this better enables organizations who are embracing user productivity virtualization to protect these unique Windows Virtual Desktop assets. Let us know what you think by leaving a comment below!


If you’re not yet taking advantage of Microsoft’s industry leading security optics and detection capabilities for endpoints, sign up for a free trial of Microsoft Defender for Endpoint today.

Jesse Esquivel, Program Manager
Microsoft Defender for Endpoint



Defender for Endpoint now supports Windows Virtual Desktop with up to 50 concurrent user connections for Windows 10 Enterprise multi-session


Does this mean the software limits the density of the vm. With 60 users there are 10 unprotected. The 50 concurrent connections may be a sizing issue in some high usage scenarios.


Hi Robert, Defender for Endpoint does not limit the number of users that can log on to a WVD machine. 

New Contributor

Hi, so what happen when there are more than 50 concurrent connection ? 


Hi Munir - nothing happens if there are more than 50 concurrent connections, Defender for endpoint does not limit the number of connections or stop working.  We removed this statement from the post.


Can you compare and contrast using Defender for WVD vs. Microsoft Antimalware (Microsoft Antimalware for Azure | Microsoft Docs)? I got a recommendation from the Azure portal today to install endpoint protection for one of my WVD VMs, and the links took me to a place to install Microsoft Antimalware.


Hi David,


This article is about using Microsoft Defender for EndpointMicrosoft Defender for Endpoint - Windows security | Microsoft Docs on Windows 10 multi session running on Windows Virtual Desktop. Among many other things, it includes and extends Defender Antivirus, offering a broad range of security capabilities beyond antimalware. You can obtain Microsoft Defender for Endpoint in various ways, in fact Azure Defender has an integrated license for Microsoft Defender for Endpoint (Windows only).


If you're interested in learning more about how Microsoft Defender Antivirus and Microsoft Defender for Endpoint work together, here's a great article: Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint - Wind...


Microsoft Antimalware for Azure provides an antivirus solution for servers running on Azure, and can either install (2008 R2, 2012 R2) AV or activate (2016 and above) the built-in AV (Defender Antivirus). This extension can activate Defender Antivirus and configure it in a "headless" way, that is in a default state with automatic updates.

To illustrate the extension model and purpose, there are 3rd party extensions available that offer similar functionality such as Install Symantec Endpoint Protection on a Windows VM in Azure - Azure Virtual Machines | Microsoft D...

Occasional Contributor

Do you always confirm that point ?

Note on licensing: When using Windows 10 Enterprise multi-session, depending on your requirements, you can choose to either have all users licensed through Microsoft Defender for Endpoint (per user), Windows Enterprise E5, Microsoft 365 Security, or Microsoft 365 E5, or have the WVD VM licensed through Azure Defender.


Thank you

Version history
Last update:
‎Feb 22 2021 10:02 AM
Updated by: