Microsoft is committed to continually extending Microsoft Defender for Endpoint capabilities across all the endpoints you need to secure, and today we’re excited to announce that Defender for Endpoint for Windows Virtual Desktop is now generally available! In this post we’ll briefly go over what this means, and what the experience looks like in the Microsoft Defender Security Center.
Defender for Endpoint now supports Windows Virtual Desktop for Windows 10 Enterprise multi-session (listed here as “Microsoft Windows 10 Enterprise for Virtual Desktops”)
Single session scenarios on Windows 10 Enterprise are fully supported and onboarding your Windows Virtual Desktop machines into Defender for Endpoint has not changed.
There are several new items in the Microsoft Defender Security Center that you’ll see have been added to support Windows Virtual Desktop, we’ll detail them in the following sections.
Device Inventory Page
On the device inventory page, select “filters” to see a new “Windows 10 WVD” filter under OS Platform that you can use to view only Windows Virtual Desktop machines. Identify Windows Virtual Desktop machines by looking for “Windows 10 WVD” in the OS platform column of the table.
On the device page in the left fly out, you’ll also see that Windows Virtual Desktop is reflected under the device details section. Under “OS” you’ll see “Windows 10 WVD x64” indicating that it’s a Windows Virtual Desktop machine.
The device page will also show the number of logged on users in the past 30 days on the overview tab.
Selecting the “See all users” link will allow you to see the complete list of users. You’ll have a number of columns at your disposal including “Logon Type,” which for Windows Virtual Desktop will be “logon type 10” or “RemoteInteractive.”
The changes thus far are there to help you identify Windows Virtual Desktop machines in the Microsoft Defender Security Center. The data that is collected, and the investigation experience that you are used to with all other supported endpoint types, remains mostly unchanged. You can expect the majority of the functionality and capabilities such as the device page, response actions, threat and vulnerability management, Microsoft Secure Score for Devices, software inventory, etc. to all still work in the same way they do for Windows 10 and other supported devices. However, there are some things to take note of in a few key areas of the security center which we’ll walk through below.
The machine timeline will be populated with cyber telemetry from all active user sessions on the Windows Virtual Desktop machine. This allows analysts to see all events happening on the machine and also gives the option to investigate timeline events that are specific to a particular user session. As an example, I’ve flagged a couple of events in the machine timeline from five different users who are logged on concurrently to a Windows Virtual Desktop machine:
If you want to see all activity related to a specific user, simply search for the username to display all associated cyber telemetry:
All of the machine timeline capabilities such as search, filters, flagging, columns, time span, etc. still work the same way as they do with other devices.
All of the cyber telemetry data reported by Windows Virtual Desktop machines will be available in advanced hunting. For example, you may want to see process events or image loads related to a specific user session and this can be accomplished by using columns that are already present in the advanced hunting schema:
Perhaps you want to check browser network events by user on a Windows Virtual Desktop host for the last 24 hours:
For the last example, you may want to check for currently logged on users via the DeviceInfo table, as you can see here at 1/13/2021 1:25:19 there are five users concurrently logged on to this specific Windows Virtual Desktop host:
These are just a few examples that target all or specific user sessions for data insights via advanced hunting. Continue to reference the schema and use your imagination and creativity for unique data insights!
Incidents and Alerts
This experience in the portal remains unchanged, here is an example alert that is triggered for a user on a Windows Virtual Desktop machine:
Note on licensing: When using Windows 10 Enterprise multi-session, depending on your requirements, you can choose to either have all users licensed through Microsoft Defender for Endpoint (per user), Windows Enterprise E5, Microsoft 365 Security, or Microsoft 365 E5, or have the VM licensed through Azure Defender.
We’re excited to share this milestone with everyone, and we hope this better enables organizations who are embracing user productivity virtualization to protect these unique Windows Virtual Desktop assets. Let us know what you think by leaving a comment below!
If you’re not yet taking advantage of Microsoft’s industry leading security optics and detection capabilities for endpoints, sign up for a free trial of Microsoft Defender for Endpoint today.
Jesse Esquivel, Program Manager Microsoft Defender for Endpoint