VDI
MDE for Non‑Persistent VDI — Implementation Guide & Best Practices.
1. Overview: Microsoft Defender for Endpoint (MDE) for Non-Persistent VDI

Non-persistent VDI instances are reset or reprovisioned frequently. To get immediate protection and a clean device inventory, MDE provides a dedicated onboarding path that computes a persistent device ID and onboards early in the boot process.

Key considerations:
Use the VDI onboarding package and choose the single-entry method (recommended) so that hosts recreated with the same name do not produce duplicate device records.
Stage the onboarding script in the golden image, but make sure it executes only on child VMs (first boot), after the final hostname is assigned and the last reboot of the provisioning flow has completed.
Never fully onboard the golden/template/replica image, and never boot it into production; if that happens, offboard and clean the registry artifacts before resealing.
Consider enabling the portal feature "Hide potential duplicate device records" to reduce inventory noise during transition periods.

2. Stage the Scripts in the Golden Image (do NOT onboard the image)

Goal: early, reliable onboarding of pooled VDI instances without tattooing the master image.
Download the Windows onboarding package (Deployment method: VDI onboarding scripts for non-persistent endpoints).
Extract and copy the files to:
    C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup
Configure a Local or Domain GPO to run the PowerShell script at startup (as SYSTEM, highest privileges). For the single-entry method, add Onboard-NonPersistentMachine.ps1 on the PowerShell Scripts tab.
Make sure the script runs only after the final hostname is set and after the last reboot in your provisioning flow; a run before the final rename creates a separate device object for each name.

Example (Domain GPO scheduled task at startup as SYSTEM):
    Program/Script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Arguments: -ExecutionPolicy Bypass -File \\srv\share\onboard\Onboard-NonPersistentMachine.ps1
3. Never Onboard the Golden/Template/Replica VM

If the golden image was accidentally onboarded (the Sense service started), offboard and clean it before resealing. Run the official offboarding script for your tenant first, when available, then remove the per-device artifacts:
    sc query sense
    del "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber\*.*" /f /s /q
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f

4. (Optional) Tag Devices Automatically from the Image

Tags simplify scoping of device groups and policies. Add a DeviceTagging registry value during image build:
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v Group /t REG_SZ /d "VDI-NonPersistent" /f
The tag appears after the device info refresh; a reboot accelerates reporting.

5. Performance & AV Configuration for VDI (Important)

5.1 Shared Security Intelligence & Cache Maintenance

Purpose: reduce CPU and disk spikes at sign-in by offloading the unpackaging of definitions to a shared source and by pre-running cache maintenance on the master image.

Step-by-step GPO configuration:
Create a secure UNC share for definition packages (e.g. \\srv\share\WDAV-Update) and grant read access to the VDI computer accounts.
GPO → Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Security Intelligence Updates → enable "Define security intelligence location for VDI clients" and set it to \\srv\share\WDAV-Update.
In the same node, set the update cadence (daily time) and enable randomization to avoid I/O storms.

PowerShell examples:
    Set-MpPreference -SignatureUpdateInterval 4
    Set-MpPreference -SignatureFallbackOrder "InternalDefinitionUpdateServer|MicrosoftUpdateServer"

Run Windows Defender Cache Maintenance on the golden image before sealing:
    schtasks /Run /TN "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance"

5.2 FSLogix Exclusions

Why exclusions matter: FSLogix mounts user profiles as VHD/VHDX files.
Scanning these at attach/detach causes logon delays, black screens, and slow app launches.

Paths and extensions to exclude:
    %TEMP%\*.VHD
    %TEMP%\*.VHDX
    %Windir%\TEMP\*.VHD
    %Windir%\TEMP\*.VHDX
    \\<storage>\<share>\*.VHD
    \\<storage>\<share>\*.VHDX
    \\<storage>\<share>\*.VHD.lock
    \\<storage>\<share>\*.VHD.meta
    \\<storage>\<share>\*.VHD.metadata
    \\<storage>\<share>\*.VHDX.lock
    \\<storage>\<share>\*.VHDX.meta
    \\<storage>\<share>\*.VHDX.metadata

GPO: Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Exclusions (File/Folder and Extension).

PowerShell examples:
    Add-MpPreference -ExclusionExtension VHD,VHDX
    Add-MpPreference -ExclusionPath "C:\ProgramData\FSLogix","\\storage\fslogix-share\*.VHD*"

5.3 General Scan Posture

Real-time and cloud-delivered protection (GPO): enable Real-time protection, Cloud-delivered protection, Join MAPS, and "Block at first sight".
Scheduled scans (GPO): daily Quick Scan (e.g. 02:00) with a randomization window; weekly Full Scan (e.g. Sunday 03:00). Consider "Start the scheduled scan only when computer is on but not in use" to reduce user impact.

CPU throttling:
    Set-MpPreference -ScanAvgCPULoadFactor 30    # valid range 5..100; 0 disables throttling

Additional scheduling/throttling options (Intune/Policy CSP, as applicable):
    ScanOnlyIfIdleEnabled = True
    DisableCpuThrottleOnIdleScans = True
    ThrottleForScheduledScanOnly = True
    EnableLowCPUPriority = True

Validation commands:
    Get-MpPreference | fl ScanAvgCPULoadFactor,ScanScheduleQuickScanTime,SignatureUpdateInterval
    Get-MpComputerStatus | fl AMServiceEnabled,AntivirusSignatureVersion,RealTimeProtectionEnabled

6. Validate Onboarding

After the first boot of a pooled VM, verify that the device appears in the Defender portal (Assets → Devices).
For the single-entry method, reboot/redeploy a few instances with the same hostname and confirm that one device object is reused.
Optionally enable "Hide potential duplicate device records" (Settings → Endpoints → Advanced features).
Note that this only filters the Devices list view; it does not actually remove the records from the MDE portal.
Run a detection test if needed (per Microsoft guidance) to verify sensor connectivity.

7. Quick Checklist — Build Step

Download the VDI onboarding package from the Defender portal.
Copy the scripts to the Startup folder in the golden image; configure a GPO/task to run the PS1 at boot as SYSTEM.
Do NOT onboard or boot the golden image into production; if it happens, offboard and clean senseGuid and the Cyber cache.
(Optional) Set the DeviceTagging registry value for scoping (e.g. VDI-NonPersistent).
Configure the Shared Security Intelligence path; schedule updates; run Cache Maintenance on the master image.
Apply the FSLogix AV exclusions (paths and extensions).
Set the scan posture (RTP + cloud, schedules, CPU throttling).
Validate onboarding behaviour and inventory cleanliness.

8. Summary & Best Practices

Checklist for the golden image:
Script staged, not executed on the master; executes only on child VMs at the final boot stage.
Shared Security Intelligence path configured; cache maintenance pre-run.
FSLogix exclusions present before the first user logon.
RTP and cloud protection enabled; scans scheduled with randomization; CPU load factor tuned.

Common pitfalls and fixes:
Golden image onboarded → offboard, clean registry/cache, reseal.
Script runs before the final hostname → duplicate device records. Delay the script until the last reboot/final rename.
No exclusions for FSLogix → long logons/black screens. Add the VHD/VHDX exclusions and share paths.
Simultaneous scans across hosts → enable randomization; schedule during off-hours.
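The following PowerShell is an added example, not a script from the Microsoft VDI onboarding package or from this guide's sources. It ties sections 2, 3 and 4 together: run it with -AuditOnly on the golden image just before sealing to prove that no senseGuid, OnboardingState or Cyber-folder artifacts exist and that the DeviceTagging value is present; run it without the switch as the startup task wrapper so that onboarding is refused on anything whose hostname still looks like a template. The template naming pattern and the script path are assumptions; the OnboardingState = 1 registry value is the one Microsoft's onboarding troubleshooting documents as "onboarded". The hostname check is only a guard and does not replace sequencing the task after the last reboot of your provisioning flow.

```powershell
# Added example: pre-seal audit of a golden image and a guarded wrapper for the startup onboarding task.
# Not part of the Microsoft onboarding package. $TemplatePattern and $OnboardScript are assumptions.
param(
    [string]$TemplatePattern = '^(GOLD|TMPL|MASTER)',   # assumption: your master-image naming convention
    [string]$OnboardScript   = 'C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\Onboard-NonPersistentMachine.ps1',
    [switch]$AuditOnly                                  # run on the golden image before sealing; never onboards
)

$atp    = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'
$status = Join-Path $atp 'Status'
$cyber  = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber'
$tagKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

function Get-SenseState {
    # Collect the artifacts that must NOT exist on a sealed master image (sections 3 and 4 of the guide)
    $svc = Get-Service -Name Sense -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        SenseStatus     = $(if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' })
        OnboardingState = (Get-ItemProperty -Path $status -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
        SenseGuid       = (Get-ItemProperty -Path $atp -Name senseGuid -ErrorAction SilentlyContinue).senseGuid
        CyberFiles      = $(if (Test-Path $cyber) { @(Get-ChildItem $cyber -Recurse -File -ErrorAction SilentlyContinue).Count } else { 0 })
        DeviceTag       = (Get-ItemProperty -Path $tagKey -Name Group -ErrorAction SilentlyContinue).Group
    }
}

$state = Get-SenseState
$state | Format-List

if ($AuditOnly) {
    # Any of these means the image was (partly) onboarded and must be offboarded and cleaned before sealing
    $dirty = [bool]$state.SenseGuid -or ($state.OnboardingState -eq 1) -or ($state.CyberFiles -gt 0)
    if ($dirty) {
        Write-Warning 'Master image carries onboarding artifacts. Run the tenant offboarding script, then delete senseGuid and the Cyber folder before resealing.'
        exit 2
    }
    if (-not $state.DeviceTag) {
        Write-Warning 'No DeviceTagging\Group value set (optional, but recommended for device-group scoping).'
    }
    'Image is clean: no senseGuid, no OnboardingState, Cyber folder empty.'
    exit 0
}

# Startup mode: refuse to onboard anything that still looks like a template, skip if this boot already onboarded
if ($env:COMPUTERNAME -match $TemplatePattern) {
    Write-Warning "Hostname $($env:COMPUTERNAME) matches the template pattern '$TemplatePattern'; not onboarding."
    exit 3
}
if ($state.OnboardingState -eq 1) {
    'Sensor already onboarded on this instance; nothing to do.'
    exit 0
}
if (-not (Test-Path $OnboardScript)) { throw "Onboarding script not found at $OnboardScript" }

# Hand over to the single-entry script from the VDI onboarding package
& $OnboardScript
```

Exit codes 2 and 3 are deliberate so that an image-build pipeline (Packer, Azure Image Builder, a Horizon/Citrix seal step) can fail the build instead of shipping an onboarded master. Because the wrapper runs as SYSTEM at startup, keep it and the onboarding script in a location only administrators can write to; a user-writable script path would turn the startup task into a SYSTEM persistence point.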
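The next block is also an added example rather than code from this guide's references: it applies the Defender Antivirus settings from sections 5.1 to 5.3 in one place and, more usefully, reports drift against them when run without -Apply, which is how you catch a session host that lost its FSLogix exclusions or its CPU throttle after a GPO change. The share paths and the CPU load factor are assumptions; -SharedSignaturesPath is the Set-MpPreference parameter that corresponds to the "Define security intelligence location for VDI clients" policy.

```powershell
# Added example: apply the VDI AV baseline from sections 5.1-5.3 and verify it, reporting any drift.
# Not from the page's sources. $FslogixShare, $DefUpdateShare and $CpuLoadFactor are assumptions.
param(
    [string]$FslogixShare   = '\\storage\fslogix-share',   # assumption: FSLogix profile share
    [string]$DefUpdateShare = '\\srv\share\WDAV-Update',   # assumption: shared security intelligence UNC
    [int]$CpuLoadFactor     = 30,                          # 5..100; 0 disables throttling
    [switch]$Apply                                         # without -Apply the script only reports drift
)

$exts  = @('VHD', 'VHDX')
$paths = @(
    "$env:windir\TEMP\*.VHD", "$env:windir\TEMP\*.VHDX",
    'C:\ProgramData\FSLogix',
    "$FslogixShare\*.VHD",       "$FslogixShare\*.VHDX",
    "$FslogixShare\*.VHD.lock",  "$FslogixShare\*.VHD.meta",  "$FslogixShare\*.VHD.metadata",
    "$FslogixShare\*.VHDX.lock", "$FslogixShare\*.VHDX.meta", "$FslogixShare\*.VHDX.metadata"
)

function Get-AvDrift {
    # Compare the effective Defender preferences with the VDI baseline; returns one string per deviation
    $p = Get-MpPreference
    $d = @()
    foreach ($e in $exts)  { if ($p.ExclusionExtension -notcontains $e) { $d += "missing extension exclusion: $e" } }
    foreach ($x in $paths) { if ($p.ExclusionPath -notcontains $x)      { $d += "missing path exclusion: $x" } }
    if ($p.ScanAvgCPULoadFactor -ne $CpuLoadFactor) { $d += "ScanAvgCPULoadFactor is $($p.ScanAvgCPULoadFactor), want $CpuLoadFactor" }
    if (-not $p.ScanOnlyIfIdleEnabled)              { $d += 'ScanOnlyIfIdleEnabled is off' }
    if ($p.DisableRealtimeMonitoring)               { $d += 'real-time protection is disabled' }
    if ($p.MAPSReporting -eq 0)                     { $d += 'cloud-delivered protection (MAPS) is off' }
    if ($p.SharedSignaturesPath -ne $DefUpdateShare) { $d += "SharedSignaturesPath is '$($p.SharedSignaturesPath)', want $DefUpdateShare" }
    $d
}

if ($Apply) {
    # Add-MpPreference merges exclusions; Set-MpPreference overwrites the scalar settings
    Add-MpPreference -ExclusionExtension $exts
    Add-MpPreference -ExclusionPath $paths
    Set-MpPreference -ScanAvgCPULoadFactor $CpuLoadFactor `
                     -ScanOnlyIfIdleEnabled $true `
                     -DisableRealtimeMonitoring $false `
                     -MAPSReporting Advanced `
                     -SignatureUpdateInterval 4 `
                     -SharedSignaturesPath $DefUpdateShare `
                     -SignatureFallbackOrder 'InternalDefinitionUpdateServer|MicrosoftUpdateServer'
}

$drift = Get-AvDrift
if ($drift) {
    $drift | ForEach-Object { Write-Warning $_ }
    exit 1
}
'Defender AV posture matches the VDI baseline.'
Get-MpComputerStatus | Format-List AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureVersion
```

Run it once with -Apply while building the image, then schedule the drift check (no switch) on the session hosts or call it from your monitoring agent; a non-zero exit means the host no longer matches the baseline. Where the same settings are also delivered by GPO or Intune, policy wins over local preference, so a persistent drift report usually points at a policy conflict rather than at the image.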
References
Onboard non-persistent VDI devices: https://learn.microsoft.com/en-us/defender-endpoint/configure-endpoints-vdi
Onboard Windows devices in Azure Virtual Desktop: https://learn.microsoft.com/en-us/defender-endpoint/onboard-windows-multi-session-device
Configure Microsoft Defender Antivirus on RDS/VDI: https://learn.microsoft.com/en-us/defender-endpoint/deployment-vdi-microsoft-defender-antivirus
FSLogix prerequisites (AV exclusions): https://learn.microsoft.com/en-us/fslogix/overview-prerequisites
Configure AV exclusions (file/extension/folder): https://learn.microsoft.com/en-us/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus
Create and manage device tags: https://learn.microsoft.com/en-us/defender-endpoint/machine-tags
Advanced features (hide duplicate records): https://learn.microsoft.com/en-us/defender-endpoint/advanced-features
Schedule antivirus scans using Group Policy: https://learn.microsoft.com/en-us/defender-endpoint/schedule-antivirus-scans-group-policy
Troubleshoot MDAV scan issues (CPU throttling, idle scans): https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-mdav-scan-issues

New Teams not loading with FSLogix 2210 HF4, Horizon non-persistent VDI
Hi all,

We've been testing the latest Teams 2.1 Bootstrapper on our non-persistent Horizon VDI machines but are having issues once we bring FSLogix into the mix. We are able to deploy new Teams onto our base image and, when using a local profile, it launches and runs as expected from the shortcut in the Start Menu. Similarly, on our physical PCs Classic Teams > New Teams upgrades without issue (we're not running FSLogix on physical machines... yet).

When logging in with FSLogix enabled (frxtray shows version 2.9.8228.50276) the Teams shortcut is present; however, clicking it produces a white progress bar and no further action. We have updated our Redirections.xml to one we found here: https://www.jeffriechers.com/wiki/teams-2-1-with-fslogix-setup-guide/comment-page-1/

If we look at the properties of the Windows Store App for Teams it returns 16KB, which seems wrong? Looking in the Event Viewer AppxPackaging log we see this error, and can't find much online relating to it:

    App manifest validation warning: Declared namespace http://schemas.microsoft.com/appx/manifest/uap/windows10/7 is inapplicable, it will be ignored during manifest processing.

I note from another thread that there's a GPO for ODFC called IncludeTeams that needs to be turned on to roam the new Teams cache etc. https://learn.microsoft.com/en-us/microsoftteams/new-teams-vdi-requirements-deploy

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\FSLogix\ODFC\IncludeTeams

However, we don't use ODFC as FSLogix is in single-profile mode, as recommended here: https://learn.microsoft.com/en-us/fslogix/tutorial-configure-odfc-containers ("Using the ODFC container in a dual container configuration isn't necessary or recommended.")

So my questions are:
Does anyone have new Teams 2.1 working with FSLogix HF4 and a single-container profile?
Is ODFC required for Teams 2.1 to operate? If so, is there any definitive MS documentation to say this? It seems rather vague and support are not giving us any further information.
Has anyone got a stable non-persistent VDI desktop working with Teams 2.1 and FSLogix in general?

Any input much appreciated as it feels like we've hit a wall here at present. The MS documentation suggests Hotfix 4 is meant to be the supported configuration for Teams 2.x, but we're struggling to find evidence of a working setup.

As an aside, the reason we're running FSLogix in the first place is so that the OneDrive client can be deployed onto our non-persistent VDI machines, as Microsoft don't support Roaming Profiles for this (which is what we used for roaming user data previously).

(Azure) Virtual Desktop Optimization Tool now available
Optimizing images has always been an important part of preparing images for a traditional Remote Desktop Services (RDS) infrastructure or virtual desktop infrastructure (VDI). Optimizing session hosts in particular can increase user density and ultimately lower costs. With the Virtual Desktop Optimization Tool, you can optimize your Windows 10, version 2004 multi-session and single-session deployments in Windows Virtual Desktop.

Note: The information in this post is community-driven; nothing has yet been officially launched by the Windows Virtual Desktop product team. Credit goes to Robert M. Smith and Tim Muessig from Microsoft, previously known as the VDIGuys, for creating this tool and making it available to the community for free.

Windows 10 multi-session image name change

As noted in recent announcements, Office 365 ProPlus is now Microsoft 365 Apps for Enterprise. With this name change, we have updated the Windows Virtual Desktop image names in the Azure Marketplace. As a result, when you look for an image in the Azure Marketplace image gallery, you should start by selecting Windows 10 Enterprise multi-session, version 2004 + Microsoft 365 Apps – Gen1 as your baseline image.

How the Virtual Desktop Optimization Tool works

The (Windows) Virtual Desktop Optimization Tool disables services in the operating system that you most likely won't need on a Windows Virtual Desktop session host. To make sure that your line-of-business (LOB) applications keep running as they should, a few preliminary steps should be performed first.

Note: Some items are disabled by default when you run the script out of the box, such as the AppX package for the Windows Calculator. We strongly suggest reviewing the tool's JSON files, which hold the default settings. This also gives you the opportunity to mark entries as Enabled before running the tool so they remain untouched. More on this later in the article.

The full list of enhancements for native Windows services will be available soon. Bookmark "Run and tune your Remote Desktop Services environment" for the latest updates.

Expected performance gains

Windows Virtual Desktop value-added services provider and Microsoft partner LoginVSI performed early tests with the Virtual Desktop Optimization Tool and gained over 100 users in their internal benchmarking lab environment with a Windows 10, version 2004 single session. We therefore assume that a similar gain is possible with Windows 10 Enterprise multi-session. VSImax is the maximum number of users that can log on to the virtual desktop host pool on the underlying infrastructure; that number is the "sweet spot", because going above it degrades performance for all users. (Thanks to LoginVSI for sharing these results with us.)

Note: We recommend that you use simulation tools to test your deployment with both stress tests and real-life usage simulations, to ensure that your system is responsive and resilient enough to meet user needs. Remember to vary the load size to avoid surprises.

Desktops in the Cloud on Performance Optimizations for Windows Virtual Desktop with Robert and Tim (aka VDI Guys)

We recently had the creators of the Virtual Desktop Optimization Tool as guests on our Desktops in the Cloud video podcast. Robert and Tim explained everything you should know, as well as best practices and lessons learned. A must-watch alongside this article.

How to use the Virtual Desktop Optimization Tool

The Virtual Desktop Optimization Tool makes it possible to disable services that are uncommon in virtual desktop environments such as Windows Virtual Desktop.

Note: We recommend that you run the script after the Sysprep (System Preparation) process, most likely as a startup script when you deploy a large set of virtual machines. Removing AppX packages before Sysprep can cause conflicts that make Sysprep fail.
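Because the tool acts on whatever the JSON configuration files say, the review the post recommends is worth scripting rather than eyeballing. The following PowerShell is an added example, not part of the Virtual Desktop Optimization Tool: it lists every entry in AppxPackages.json and Services.json that the tool would disable, and flips the ones you name in -Keep to Enabled (backing up the file first). The field names match the JSON shown in the post; the sample files it writes to a temp folder are constructed so the script runs offline, and -ConfigDir should point at the tool's real ConfigurationFiles folder in practice. The file name and key for scheduled tasks are not stated in the post, so that file is not handled here; add it to the map once you have checked its shape.

```powershell
# Added example: review the VDOT JSON configuration files and keep selected items enabled.
# Not part of the Virtual Desktop Optimization Tool. Default -ConfigDir and the sample JSON are constructed.
param(
    [string]$ConfigDir = (Join-Path $env:TEMP 'VDOT-ConfigurationFiles'),  # real tool: C:\Optimize\2004\ConfigurationFiles
    [string[]]$Keep    = @('Microsoft.WindowsCalculator', 'UsoSvc')       # entries that must stay Enabled
)

# Constructed sample files (same shape as the post's examples) so this runs without the tool present
if (-not (Test-Path $ConfigDir)) {
    New-Item -ItemType Directory -Path $ConfigDir | Out-Null
    @'
[
  { "AppxPackage": "Microsoft.WindowsCalculator", "VDIState": "Disabled", "URL": "", "Description": "Microsoft Calculator app" },
  { "AppxPackage": "Microsoft.XboxApp",           "VDIState": "Disabled", "URL": "", "Description": "Xbox app" }
]
'@ | Set-Content -Path (Join-Path $ConfigDir 'AppxPackages.json') -Encoding UTF8
    @'
[
  { "Name": "UsoSvc",    "VDIState": "Disabled", "Description": "Update Orchestrator service, manages Windows Updates." },
  { "Name": "DiagTrack", "VDIState": "Disabled", "Description": "Connected User Experiences and Telemetry." }
]
'@ | Set-Content -Path (Join-Path $ConfigDir 'Services.json') -Encoding UTF8
}

# File name -> property that identifies an entry in that file (from the JSON shown in the post)
$keyByFile = @{
    'AppxPackages.json' = 'AppxPackage'
    'Services.json'     = 'Name'
}

foreach ($file in $keyByFile.Keys) {
    $path = Join-Path $ConfigDir $file
    if (-not (Test-Path $path)) { continue }
    $key     = $keyByFile[$file]
    $entries = @(Get-Content -Path $path -Raw | ConvertFrom-Json)
    $changed = 0

    foreach ($e in $entries) {
        if ($e.VDIState -eq 'Disabled' -and $Keep -contains $e.$key) {
            $e.VDIState = 'Enabled'
            $changed++
        }
    }

    # Report what the tool will still disable so nothing LOB-critical is removed silently
    $entries | Where-Object VDIState -eq 'Disabled' |
        ForEach-Object { '{0,-20} DISABLE  {1}' -f $file, $_.$key }

    if ($changed -gt 0) {
        Copy-Item -Path $path -Destination "$path.bak" -Force
        ConvertTo-Json -InputObject $entries -Depth 3 | Set-Content -Path $path -Encoding UTF8
        '{0}: {1} entries set to Enabled (backup at {0}.bak)' -f $file, $changed
    }
}
```

ConvertTo-Json is called with -InputObject so that a file with a single remaining entry is still written as a JSON array, which is what the tool expects. Treat the .bak files as part of your image-build artifacts: they record exactly what the tool was allowed to remove from a given image version.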
Download all scripts from the Virtual-Desktop-Optimization-Tool GitHub repository: select Clone or download, followed by Download ZIP. Unzip the folder to a specified folder on your Windows Virtual Desktop session host(s), e.g. C:\Optimize or C:\Temp.

Note: You could also run the scripts as part of your image management procedure, e.g. Azure Image Builder (AIB) or Azure DevOps.

Important information before running the tool

Some items are disabled by default when you run the script out of the box, such as the AppX package for the Windows Calculator. We strongly suggest reviewing the tool's JSON files, which hold the default settings. This also gives you the opportunity to mark entries as Enabled before running the tool so they remain untouched. You can find the JSON files in the folder named after the Windows build number, under ConfigurationFiles, e.g. C:\Optimize\2004\ConfigurationFiles. Set VDIState to Enabled for every entry you want to keep as it is. Below is an example from the AppX packages file; there are JSON files for services and scheduled tasks as well. Another option is to remove the whole entry from the JSON file.

AppxPackages.json - example entry for the Windows Calculator app:

    {
      "AppxPackage": "Microsoft.WindowsCalculator",
      "VDIState": "Enabled",
      "URL": "https://www.microsoft.com/en-us/p/windows-calculator/9wzdncrfhvn5",
      "Description": "Microsoft Calculator app"
    },

Services.json - example entry for the Windows Update service:

    {
      "Name": "UsoSvc",
      "VDIState": "Enabled",
      "Description": "Update Orchestrator service, manages Windows Updates. If stopped, your devices will not be able to download and install the latest updates."
    },

Launch Windows PowerShell with Run as Administrator. In PowerShell, change directory to the folder to which you downloaded the scripts, e.g. C:\Optimize or your own folder.
Run the following command:

    Set-ExecutionPolicy -ExecutionPolicy Bypass

Run the Virtual Desktop Optimization Tool using the following command:

    .\Win10_VirtualDesktop_Optimize.ps1 -WindowsVersion 2004 -Verbose

Note: When you use a different version of Windows 10, you must change the WindowsVersion parameter. Version 1803 and later are supported for Windows 10 Enterprise. Windows 10 multi-session support is only available with Windows 10, version 2004 and later.

Select Yes when prompted to reboot the session host(s). Start your Windows Virtual Desktop session. As you can see in the Task Manager comparison below, the number of threads and handles decreases noticeably after running the Virtual Desktop Optimization Tool.

Do you have problems with orphaned Start Menu shortcuts after running the tool? Have the user open Task Manager and end the following two processes:

    ShellExperienceHost.exe
    StartMenuExperienceHost.exe

Have them check the Start Menu again and the shortcuts should be gone.

Happy optimizing! 🙂 Let us know your feedback on the tool in the comment section below.

Prefer to watch and learn? There's also a video on Azure Academy by Dean Cefola, available later this week.

"The parameter is incorrect" error in new Teams client (VDI)
Hello,

We have a serious issue with the new Teams client in our VDI (Horizon) environment. After running fine for a while (anywhere from multiple hours up to days) Teams crashes/vanishes with the following error. We suspect it might happen during an automatic update. The same error is displayed when trying to launch ms-teams.exe from that path manually. This never happened with classic Teams. We have no idea what causes this or how to fix it; any help is appreciated.

Cannot share system audio while on screen sharing on VDI
Hello,

Working on VDI, I want to share my system audio while I'm screen sharing in a meeting, and there is no option for this. On my local computer I can see the option to share system audio as well. I read that for this to work, your computer audio hardware name must also be the one selected in Teams. When we are talking about VDIs, this is not a possible option: you will see something like "Speakers (VMware Virtual Audio (DevTap))". Does anyone have the same issue and/or a resolution? Thank you

New Teams Desktop Not Consistently Opening for Meeting Links (VDI)
I have a user for whom clicking to join scheduled meetings in Outlook doesn't consistently open Teams desktop. The times it fails to open (basically nothing happens), they have to click "Continue in Browser", which is a worse experience. We can't seem to find a pattern, other than that if they click to join from the little pop-up window after a meeting has started, Teams desktop opens every time. I understand that Teams for VDI is its own animal and maybe we just need to wait and see if whatever is going on is fixed in a newer version, but I thought I'd check whether this is a common issue.

InstallAppXPackages not working (Microsoft Store, MSEdge Apps, AppX)
Running FSLogix version: 2210 hotfix 3 (2.9.8784.63912)

The problem: Microsoft Edge "Apps" and apps installed through the Microsoft Store (such as "TypeClipboard") do not persist after logoff on dedicated machines (the assigned user always logs into the same machine).

Workaround: the user must reinstall Microsoft Edge "Apps" and apps from the Microsoft Store every time they sign in with a new Windows session.

Attempted solution #1: InstallAppXPackages=1
Outcome: seems to be 100% ineffective; problem remains unresolved. I do confirm the `AppData\Roaming\FSLogix\AppxPackages.xml` file is being correctly written within the Profile Container.

Attempted solution #2: exclude `AppData\Local\Packages` with Copy=0
Attempted solution #3: exclude `AppData\Local\Packages` with Copy=3
Outcome of attempted solutions 2 and 3: ineffective; problem remains unresolved. Solutions 2 and 3 reversed. Solution 1 still in effect at time of writing.

Machines OS: Windows 10 22H2

ADMX configuration is as follows:

    Logging\Log Keeping Period = 3
    Profile Containers\Container and Directory Naming\Flip Flop Profile Directory Name = 1
    Profile Containers\Container and Directory Naming\Volume Type = VHDX
    Profile Containers\Enabled = 1
    Profile Containers\Install Appx Packages = 1
    Profile Containers\Is Dynamic = 1
    Profile Containers\Locked Retry Count = 3
    Profile Containers\Locked Retry Interval = 15
    Profile Containers\Reattach Count = 3
    Profile Containers\Reattach Interval = 15
    Profile Containers\Size In MBs = 76800                       # 75 GB
    Profile Containers\VHD Locations = \\contoso.lan\FSLData     # DFS share used
    Profile Containers\Roam Identity = 1                         # Workaround for Microsoft 365 re-auth issue, environment lacks true SSO configuration
    Profile Containers\Keep Local Directory (after logoff) = 1   # Applicable to assigned dedicated machines only
    Profile Containers\Redirection XML Source Folder = \\contoso.lan\FSLCfgDedi   # Applicable to assigned dedicated machines only
    Profile Containers\Reboot On User Logoff = Reboot only on any FSLogix Profile logoff (3)   # Applied only to test machine for time savings during troubleshooting

Redirection XML being used here:

    <?xml version="1.0" encoding="UTF-8"?>
    <FrxProfileFolderRedirection ExcludeCommonFolders="33">
      <Excludes>
        <Exclude Copy="0">AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\Logs</Exclude>
        <Exclude Copy="0">AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\PerfLogs</Exclude>
        <Exclude Copy="0">AppData\Local\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\WV2Profile_tfw\WebStorage</Exclude>
        <Exclude Copy="0">AppData\Local\Publishers\8wekyb3d8bbwe\TeamsSharedConfig\meeting-addin</Exclude>
      </Excludes>
      <Includes>
        <Include>AppData\Roaming\Microsoft</Include>
        <Include>AppData\Local\Microsoft\Office</Include>
        <Include>AppData\Local\Microsoft\Credentials</Include>
      </Includes>
    </FrxProfileFolderRedirection>

Things that DO work:
Profile Container in general (creates in the SMB repo if it doesn't exist, mounts, stores user data, dismounts on logoff)
Persistence of Microsoft 365 authentication and user customizations (OneDrive, new MSTeams, Office apps, Outlook)
Persistence of general application customizations
Persistence of pinned Taskbar and Start Menu items
Redirection XML setting ExcludeCommonFolders=33
Redirection XML excludes and includes

Writing this post feels like preaching to the choir / beating a dead horse after having done a lot of Googling on this.

VM optimized version doesn't display Analytics across Teams
Multiple users are reporting (and we have validated) that when using VM Optimized New Teams, they're unable to see Analytics when clicking the "..." in the center column. These features all appear to work fine in the desktop versions and in the web app. Analytics ARE available by clicking "... > Manage Channel > Analytics", and even via the "Across channels" button, but clicking "Analytics across teams" also results in a blank page.

Currently running:

MS Teams does not retain device settings in VDI
Hi All,

We implemented MS Teams a while ago to be available in our VDI environment. Several users noticed that their device settings are not retained. We implemented MS Teams per Microsoft best practice: Teams for Virtualized Desktop Infrastructure - Microsoft Teams | Microsoft Docs. Has anyone else faced this issue?