Onboard non-persistent virtual desktop infrastructure (VDI) devices

Applies to:

  • Virtual desktop infrastructure (VDI) devices

Warning

Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-user scenarios is currently in Preview and limited to 25 concurrent sessions per host/VM. However, single-session scenarios on Windows Virtual Desktop are fully supported.

Want to experience Defender for Endpoint? Sign up for a free trial.

Onboard non-persistent virtual desktop infrastructure (VDI) devices

Defender for Endpoint supports non-persistent VDI session onboarding.

Note

To onboard non-persistent VDI sessions, VDI devices must be Windows 10 or Windows Server 2019.

While other Windows versions might work, only Windows 10 and Windows Server 2019 are supported.

There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:

  • Instant, early onboarding of short-lived sessions, which must be onboarded to Defender for Endpoint prior to the actual provisioning.
  • The device name is typically reused for new sessions.

VDI devices can appear in Defender for Endpoint portal as either:

  • Single entry for each device.
    Note that in this case, the same device name must be configured when the session is created, for example using an unattended answer file.
  • Multiple entries for each device - one for each session.

The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries.

Warning

In low-resource environments, the VDI boot procedure might slow Defender for Endpoint sensor onboarding.

  1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you downloaded from the service onboarding wizard. You can also get the package from Microsoft Defender Security Center:

    1. In the navigation pane, select Settings > Onboarding.

    2. Select Windows 10 as the operating system.

    3. In the Deployment method field, select VDI onboarding scripts for non-persistent endpoints.

    4. Click Download package and save the .zip file.

  2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the golden/master image under the path C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup.

    1. If you are not implementing a single entry for each device, copy WindowsDefenderATPOnboardingScript.cmd.

    2. If you are implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.

    Note

    If you don't see the C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup folder, it might be hidden. You'll need to choose the Show hidden files and folders option from File Explorer.

  3. Open a Local Group Policy Editor window and navigate to Computer Configuration > Windows Settings > Scripts > Startup.

    Note

    Domain Group Policy may also be used for onboarding non-persistent VDI devices.

  4. Depending on the method you'd like to implement, follow the appropriate steps:
    For single entry for each device:

    Select the PowerShell Scripts tab, then click Add (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script Onboard-NonPersistentMachine.ps1.

    For multiple entries for each device:

    Select the Scripts tab, then click Add (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding batch script WindowsDefenderATPOnboardingScript.cmd.

  5. Test your solution:

    1. Create a pool with one device.

    2. Log on to the device.

    3. Log off from the device.

    4. Log on to the device with another user.

    5. For single entry for each device: Check that only one entry appears in Microsoft Defender Security Center.
      For multiple entries for each device: Check that multiple entries appear in Microsoft Defender Security Center.

  6. Click Devices list on the Navigation pane.

  7. Use the search function by entering the device name and selecting Device as the search type.
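Steps 2 and 4 above are the part of the procedure most often done by hand and most often done wrong (wrong folder, wrong file for the chosen mode, or a hidden folder that was never created). The following PowerShell script is an added example, not part of the Microsoft article or the onboarding package: it stages the right files for the chosen mode into the startup-scripts folder and verifies the result. `$PackageDir` and `$ImageRoot` are placeholders for the extracted package folder and the root of the golden image.

```powershell
# Added example (not from the Microsoft article): stage the VDI onboarding
# package into the golden image's startup-scripts folder and verify it.
# Assumptions: the .zip was already extracted to $PackageDir, and the golden
# image is either the running system (C:\) or mounted at $ImageRoot.
param(
    [Parameter(Mandatory)] [string] $PackageDir,   # placeholder, e.g. C:\Temp\WindowsDefenderATPOnboardingPackage
    [string] $ImageRoot = 'C:\',                    # placeholder; root of the golden image
    [ValidateSet('SingleEntry', 'MultipleEntries')]
    [string] $Mode = 'MultipleEntries'
)

$ErrorActionPreference = 'Stop'

# Startup-scripts path named in the article, relative to the image root.
$StartupDir = Join-Path $ImageRoot 'WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup'

# Files required for each mode, as the article describes:
#   multiple entries -> only the .cmd script
#   single entry     -> the .cmd script plus the .ps1 script
$Required = @('WindowsDefenderATPOnboardingScript.cmd')
if ($Mode -eq 'SingleEntry') { $Required += 'Onboard-NonPersistentMachine.ps1' }

# The folder is hidden by default and may not exist yet on a fresh image.
if (-not (Test-Path -LiteralPath $StartupDir)) {
    New-Item -ItemType Directory -Path $StartupDir -Force | Out-Null
}

foreach ($name in $Required) {
    $src = Join-Path $PackageDir $name
    if (-not (Test-Path -LiteralPath $src)) {
        throw "Onboarding package is missing '$name' (expected at '$src')."
    }
    Copy-Item -LiteralPath $src -Destination $StartupDir -Force
    Write-Host "Copied $name -> $StartupDir"
}

# Verify: every required file is present in the image, and record its hash so
# the staged script can be compared against the downloaded package later.
$missing = $Required | Where-Object { -not (Test-Path -LiteralPath (Join-Path $StartupDir $_)) }
if ($missing) { throw "Staging failed; missing: $($missing -join ', ')" }

Get-ChildItem -LiteralPath $StartupDir -Force -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash
```

Run it once per golden image build, then complete step 4 in the Local Group Policy Editor as described above; the hash listing is a useful artifact to keep with the image build record so that a later drift in the startup scripts is easy to spot.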

Updating non-persistent virtual desktop infrastructure (VDI) images

As a best practice, we recommend using offline servicing tools to patch golden/master images.
For example, you can use the below commands to install an update while the image remains offline:

DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing" 
DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit
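The same offline servicing written with the DISM PowerShell module, as an added example rather than something taken from the article. It uses the article's sample paths and adds the one thing the three raw commands lack: if mounting or adding the package fails part-way, the mount is discarded instead of committed, so a half-patched image never reaches production.

```powershell
# Added example (not from the Microsoft article): offline servicing of a
# golden image with the DISM PowerShell module. Paths are the article's
# sample values; replace them with your own.
$ErrorActionPreference = 'Stop'
Import-Module Dism

$ImageFile = 'D:\Win10-1909.vhdx'
$MountDir  = 'C:\Temp\OfflineServicing'
$Patch     = 'C:\temp\patch\windows10.0-kb4541338-x64.msu'

if (-not (Test-Path -LiteralPath $Patch)) { throw "Update package not found: $Patch" }
if (-not (Test-Path -LiteralPath $MountDir)) {
    New-Item -ItemType Directory -Path $MountDir | Out-Null
}

# Equivalent of DISM /Mount-image ... /index:1
Mount-WindowsImage -ImagePath $ImageFile -Index 1 -Path $MountDir | Out-Null

try {
    # Equivalent of DISM /Image:... /Add-Package
    Add-WindowsPackage -Path $MountDir -PackagePath $Patch | Out-Null

    # Show the most recently installed packages in the offline image so the
    # operator can confirm the update landed before it is committed.
    Get-WindowsPackage -Path $MountDir |
        Sort-Object InstallTime -Descending |
        Select-Object -First 3 PackageName, PackageState, InstallTime |
        Format-Table -AutoSize

    # Equivalent of DISM /Unmount-Image ... /commit
    Dismount-WindowsImage -Path $MountDir -Save
    Write-Host "Committed $Patch into $ImageFile"
}
catch {
    # Never leave a partially serviced image: throw the changes away.
    Write-Warning "Servicing failed: $($_.Exception.Message). Discarding changes."
    Dismount-WindowsImage -Path $MountDir -Discard
    throw
}
```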

For more information on DISM commands and offline servicing, please refer to the articles below:

If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:

  1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Defender for Endpoint sensor. For more information, see Offboard devices using a local script.

  2. Ensure the sensor is stopped by running the command below in a CMD window:

    sc query sense
    
  3. Service the image as needed.

  4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to clean up the Cyber folder contents that the sensor may have accumulated since boot:

    PsExec.exe -s cmd.exe
    cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
    del *.* /f /s /q
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f
    exit
    
  5. Re-seal the golden/master image as you normally would.
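Steps 2 and 4 of the online-servicing procedure, combined into one script as an added example (not part of the Microsoft article). It refuses to clean anything while the Sense service is still running, which is the failure mode step 2 exists to catch, and it checks its own work before reporting the image ready to re-seal. Run it as SYSTEM, for example via `PsExec.exe -s powershell.exe`, just as the article runs the equivalent commands through `PsExec.exe -s cmd.exe`.

```powershell
# Added example (not from the Microsoft article): pre-reseal cleanup for a
# golden image that was serviced online. Run as SYSTEM (PsExec.exe -s).
$ErrorActionPreference = 'Stop'

# Locations named in the article's step 4.
$CyberDir = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber'
$RegKey   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'

# Step 2: the sensor must already be offboarded and stopped.
# (Same check as "sc query sense", but enforced rather than eyeballed.)
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if ($sense -and $sense.Status -ne 'Stopped') {
    throw "Sense service is '$($sense.Status)'. Offboard and stop the sensor before cleaning."
}

# Step 4a: remove the sensor data accumulated since boot (files only, matching
# "del *.* /f /s /q"; empty subfolders are left in place).
$removed = 0
if (Test-Path -LiteralPath $CyberDir) {
    $files = Get-ChildItem -LiteralPath $CyberDir -Recurse -Force -File
    $files | Remove-Item -Force
    $removed = @($files).Count
}
Write-Host "Removed $removed file(s) from $CyberDir"

# Step 4b: delete senseGuid so an identifier generated on the master image is
# not cloned into every session provisioned from it.
if (Get-ItemProperty -Path $RegKey -Name senseGuid -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path $RegKey -Name senseGuid
    Write-Host 'Removed senseGuid.'
}

# Final check before step 5 (re-seal): no files left, no senseGuid value.
$left = 0
if (Test-Path -LiteralPath $CyberDir) {
    $left = @(Get-ChildItem -LiteralPath $CyberDir -Recurse -Force -File).Count
}
$guid = Get-ItemProperty -Path $RegKey -Name senseGuid -ErrorAction SilentlyContinue
if ($left -ne 0 -or $guid) {
    throw "Cleanup incomplete ($left file(s) remaining, senseGuid present: $([bool]$guid)). Do not re-seal."
}
Write-Host 'Image is clean; proceed to re-seal.'
```

If the script throws at the first check, go back to step 1 (offboarding) rather than forcing the service to stop: a sensor that is still running will simply recreate the data you are trying to remove.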