Onboarding non-persistent virtual desktop infrastructure devices


Onboard non-persistent virtual desktop infrastructure (VDI) devices

Defender for Endpoint supports non-persistent VDI session onboarding.

There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:

  • Instant early onboarding of a short-lived session, which must be onboarded to Defender for Endpoint prior to the actual provisioning.
  • The device name is typically reused for new sessions.

VDI devices can appear in Defender for Endpoint portal as either:

  • Single entry for each device.

    Note

    In this case, the same device name must be configured when the session is created, for example using an unattended answer file.

  • Multiple entries for each device - one for each session.

The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries.

Warning

In environments with low resource configurations, the VDI boot procedure might slow Defender for Endpoint sensor onboarding.

For Windows 10 or Windows Server 2019

  1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) that you downloaded from the service onboarding wizard. You can also get the package from the Microsoft 365 Defender portal:

    1. In the navigation pane, select Settings > Endpoints > Device management > Onboarding.

    2. Select Windows 10 as the operating system.

    3. In the Deployment method field, select VDI onboarding scripts for non-persistent endpoints.

    4. Click Download package and save the .zip file.

  2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the golden/master image under the path C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup.

    1. If you aren't implementing a single entry for each device, copy WindowsDefenderATPOnboardingScript.cmd.

    2. If you're implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.

    Note

    If you don't see the C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup folder, it might be hidden. You'll need to choose the Show hidden files and folders option from File Explorer.

  3. Open a Local Group Policy Editor window and navigate to Computer Configuration > Windows Settings > Scripts > Startup.

    Note

    Domain Group Policy may also be used for onboarding non-persistent VDI devices.

  4. Depending on the method you'd like to implement, follow the appropriate steps:

    • For single entry for each device:

      Select the PowerShell Scripts tab, then click Add (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding PowerShell script Onboard-NonPersistentMachine.ps1. There's no need to specify the other file, as it will be triggered automatically.

    • For multiple entries for each device:

      Select the Scripts tab, then click Add (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding batch script WindowsDefenderATPOnboardingScript.cmd.

  5. Test your solution:

    1. Create a pool with one device.

    2. Log on to device.

    3. Log off from device.

    4. Log on to device with another user.

    5. Depending on the method you implemented, check the result:

      • For single entry for each device:

        Check that only one entry for the device appears in the Microsoft 365 Defender portal.

      • For multiple entries for each device:

        Check that multiple entries (one per session) appear in the Microsoft 365 Defender portal.

  6. Click Devices list on the Navigation pane.

  7. Use the search function by entering the device name and select Device as search type.

For downlevel SKUs

Note

The following registry value is relevant only when the aim is to achieve a 'Single entry for each device'.

  1. Set the registry value to:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging]
    "VDI"="NonPersistent"

    or using the command line:

    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v VDI /t REG_SZ /d "NonPersistent" /f

  2. Follow the server onboarding process.

Updating non-persistent virtual desktop infrastructure (VDI) images

As a best practice, we recommend using offline servicing tools to patch golden/master images.
For example, you can use the below commands to install an update while the image remains offline:

DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing" 
DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit

For more information on DISM commands and offline servicing, refer to the articles below:

If offline servicing isn't a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:

  1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Defender for Endpoint sensor. For more information, see Offboard devices using a local script.

  2. Ensure the sensor is stopped by running the command below in a CMD window:

    sc query sense
    
  3. Service the image as needed.

  4. Run the following commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to clean up the Cyber folder contents that the sensor may have accumulated since boot, and to remove the machine-specific senseGuid so that clones don't share one sensor identity:

    PsExec.exe -s cmd.exe
    cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
    del *.* /f /s /q
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f
    exit

  5. Reseal the golden/master image as you normally would.
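As an added example (not part of the Microsoft article), the following PowerShell script can be run elevated on the master image just before resealing. It verifies the state the online-servicing steps above and the downlevel registry setting are meant to leave behind: sensor stopped, Cyber folder empty, senseGuid removed, onboarding scripts or DeviceTagging value in place. The -SingleEntry and -Downlevel switches are this script's own assumptions, not settings from the article.

```powershell
# Added example, not the article's own code: pre-reseal consistency check for a
# non-persistent VDI golden image. Run elevated; paths and values are the ones
# named in the article. -SingleEntry / -Downlevel are this script's own switches.
[CmdletBinding()]
param(
    [switch]$SingleEntry,   # single entry per device expected (ps1 script or DeviceTagging value)
    [switch]$Downlevel      # downlevel SKU: registry tag is used instead of the startup ps1
)

$startup  = 'C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup'
$cyber    = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber'
$senseKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'
$tagKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

$failures = New-Object System.Collections.Generic.List[string]
function Check([bool]$ok, [string]$msg) {
    if ($ok) { "PASS  $msg" } else { "FAIL  $msg"; $script:failures.Add($msg) }
}

# 1. The sensor must be stopped (the article's "sc query sense" check).
$sense = Get-Service -Name sense -ErrorAction SilentlyContinue
Check ($null -ne $sense -and $sense.Status -eq 'Stopped') 'sense service exists and is Stopped'

# 2. The Cyber folder must be empty: it holds state the sensor accumulated while online.
$leftover = @(Get-ChildItem -Path $cyber -Recurse -Force -File -ErrorAction SilentlyContinue)
Check ($leftover.Count -eq 0) "Cyber folder empty ($($leftover.Count) file(s) left)"

# 3. senseGuid must not be baked in, or every clone would report the same sensor identity.
$guid = (Get-ItemProperty -Path $senseKey -Name senseGuid -ErrorAction SilentlyContinue).senseGuid
Check ([string]::IsNullOrEmpty($guid)) 'senseGuid value removed'

# 4. Windows 10 / Server 2019 method: onboarding scripts present in the GPO startup folder.
if (-not $Downlevel) {
    Check (Test-Path (Join-Path $startup 'WindowsDefenderATPOnboardingScript.cmd')) 'WindowsDefenderATPOnboardingScript.cmd in Startup'
    if ($SingleEntry) {
        Check (Test-Path (Join-Path $startup 'Onboard-NonPersistentMachine.ps1')) 'Onboard-NonPersistentMachine.ps1 in Startup'
    }
}

# 5. Downlevel single-entry mode relies on DeviceTagging VDI=NonPersistent instead.
if ($Downlevel -and $SingleEntry) {
    $tag = (Get-ItemProperty -Path $tagKey -Name VDI -ErrorAction SilentlyContinue).VDI
    Check ($tag -eq 'NonPersistent') "DeviceTagging\VDI is 'NonPersistent' (found '$tag')"
}

if ($failures.Count -gt 0) {
    Write-Error "Image is not ready to reseal: $($failures.Count) check(s) failed"
    exit 1
}
'Golden image checks passed; safe to reseal.'
```

A FAIL line on senseGuid or the Cyber folder means step 4 above was skipped or ran before the sensor was fully stopped; rerun it before resealing.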