Configuring Windows Defender AV for VDI

Windows Defender AV for non-persistent instant clone desktops is a lightweight and free AV solution for VDI that is growing in popularity as an alternative to typical third party options as people move to O365 and want to align themselves with Microsoft across their software stack.

Below is a quick guide on how to configure the built-in Windows Defender Antivirus engine (not Defender for Endpoint / ATP, which is a separate, separately licensed EDR product) for non-persistent VDI, using a file share as the definition source.

I recently had to set up a proof of concept of this for a client who had been using McAfee ENS, and we saw a notable improvement in performance and overall desktop experience.

The guide does not cover how to configure VMs to use MMPC, WSUS, cloud-based definitions, or ATP/MAPS.

Environment: VMware Instant Clones, Windows 10 1909.

What you’ll need

  • 1x SMB file share, plus an endpoint (the "management VM") that runs the scheduled tasks needed for Defender definition updates and has internet access.
  • 2x scheduled tasks: one to download and unpack the definitions, and a second to clean up old definitions. Both scripts are provided below.
  • VDI-specific Defender settings configured in local group policy on the master image, with the remaining settings configured in domain group policy.

Before getting started..

  • Check you have the latest ADMX templates for your OS.
  • Use a clean build, ideally with an image that has not had any AV agent previously installed.

Step 1: Setup a share and scheduled tasks to download, unpack and clean-up definitions…

Identify a virtual machine/server/desktop or some endpoint that will be responsible for running the scheduled tasks for fetching definitions and storing them in an SMB file share. The endpoint will require internet access and I refer to this machine as the management VM.

Create an SMB file share to store definitions.

Setup a file share that will store the unpacked definitions. The below example resides in C:\wdav-update on the management VM. I recommend using the same folder names as this will tie together with the download script that will be used later on.

Share permission: Authenticated Users: Read

Folder (NTFS) permission: Authenticated Users: Read & Execute; SYSTEM: Modify (read/write, so the scheduled task running as SYSTEM on the management VM can create and remove definition folders)

The output of Get-SmbShareAccess -Name wdav-update should mirror the above.

*IMPORTANT* If you grant FULL CONTROL (or any write access) to Authenticated Users on the folder or share, you may find the definitions being purged by the child VMs after they self-update, leaving nothing on the share at the next boot. From my limited testing this behaviour appeared to be by design and cannot be controlled by any GPO setting, so avoid it by setting the NTFS permissions as above: the clones only ever need to read.

Create scheduled tasks to download definitions

Microsoft provide the following PowerShell script, which handles downloading and unpacking of definitions. There is an alternative script available elsewhere, but I found the script below does the job and is easier to understand. Adjust the value of $vdmpathbase accordingly, but do not change the {00000000-0000-0000-0000-<timestamp>} folder naming convention: the child VMs parse the folder names as GUIDs, and if they cannot, they will fail to self-update.

# Build a GUID-style folder name from the current timestamp; Defender expects this {0000...-<12 digits>} pattern
$vdmpathbase = "$env:systemdrive\wdav-update\{00000000-0000-0000-0000-"
$vdmpathtime = Get-Date -format "yMMddHHmmss"
$vdmpath = $vdmpathbase + $vdmpathtime + '}'
$vdmpackage = $vdmpath + '\mpam-fe.exe'
New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null
# Download the x64 definition package from Microsoft into the new folder
Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage
# Unpack in place: /x extracts the .vdm files and engine without installing them on this machine
# (cd /d switches drive as well as directory, so this works whatever $env:systemdrive is)
cmd /c "cd /d `"$vdmpath`" & mpam-fe.exe /x"

Add a clean-up task…

I configured the task below to clean up definition folders older than 3 days; run it daily as a scheduled task. Keep the retention longer than the download interval so at least one folder always remains on the share; the script also never removes the newest folder, so a run of failed downloads cannot empty the share.

# Remove definition folders older than 3 days, but always keep the newest one
Get-ChildItem "$env:SystemDrive\wdav-update" -Directory |
  Sort-Object CreationTime -Descending | Select-Object -Skip 1 |
  Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-3) } | Remove-Item -Recurse -Force

Tips for configuring the scheduled tasks:

– Configure the definition download to run every 2 or 4 hours. Microsoft publishes new security intelligence updates several times a day, so a shorter interval than that gains little.

– If the scheduled tasks are failing, ensure the account used to run the task (local SYSTEM or a service account) has internet access; you may need to allow unauthenticated traffic from your management machine if using the SYSTEM account. If you use a Zscaler/proxy device and authenticate clients using a .pac file, then you may need to launch IE as the SYSTEM account (on your management VM) and configure the .pac file accordingly, because the per-user proxy settings that Invoke-WebRequest picks up live in the SYSTEM account's own user hive. To do this, download PsExec and run the command below to launch IE in the context of SYSTEM, then configure the .pac file in IE settings and close IE afterwards.

psexec.exe -i -s "c:\program files\internet explorer\iexplore.exe"
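As an added example (not code from the original post or from Microsoft), the following PowerShell puts the whole of Step 1 together on the management VM in one run: it creates the folder with exactly the NTFS permissions described above, publishes it as a read-only share, and registers both scheduled tasks to run as SYSTEM. It assumes the share name and path wdav-update from the post, and that the download and clean-up scripts above have been saved as C:\Scripts\Get-Definitions.ps1 and C:\Scripts\Clean-Definitions.ps1 (hypothetical paths; change them to suit). Run it from an elevated PowerShell session.

```powershell
# Added example, not part of the original post: one-shot setup of the definition share
# and both scheduled tasks on the management VM. Run elevated.
# Assumptions: share/folder name 'wdav-update' as in the post; the two scripts from the post
# saved under C:\Scripts (hypothetical location); tasks run as LOCAL SYSTEM.

$Base      = Join-Path $env:SystemDrive 'wdav-update'
$ShareName = 'wdav-update'
$ScriptDir = Join-Path $env:SystemDrive 'Scripts'   # hypothetical location of the two scripts

New-Item -ItemType Directory -Force -Path $Base | Out-Null

# NTFS: drop inheritance and replace every ACE with the ones the post calls for.
# Authenticated Users must NOT get write or full control, or the clones purge the share.
$acl = Get-Acl -Path $Base
$acl.SetAccessRuleProtection($true, $false)          # protect DACL, discard inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\Authenticated Users', 'ReadAndExecute', $inherit, 'None', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'Modify', $inherit, 'None', 'Allow')))   # the tasks write as SYSTEM
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow')))   # local admins can still manage it
Set-Acl -Path $Base -AclObject $acl

# Share: read-only for Authenticated Users. Writes happen locally on this VM, never over the share.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Base -ReadAccess 'Authenticated Users' | Out-Null
}

# Scheduled tasks as SYSTEM: download every 4 hours, clean-up once a day at 03:00.
$runAsSystem = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$psExe = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

$dlAction  = New-ScheduledTaskAction -Execute $psExe `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptDir\Get-Definitions.ps1`""
$dlTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date -RepetitionInterval (New-TimeSpan -Hours 4)
Register-ScheduledTask -TaskName 'Defender-Definitions-Download' -Action $dlAction `
    -Trigger $dlTrigger -Principal $runAsSystem -Force | Out-Null

$clAction  = New-ScheduledTaskAction -Execute $psExe `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptDir\Clean-Definitions.ps1`""
$clTrigger = New-ScheduledTaskTrigger -Daily -At 03:00
Register-ScheduledTask -TaskName 'Defender-Definitions-Cleanup' -Action $clAction `
    -Trigger $clTrigger -Principal $runAsSystem -Force | Out-Null

# Verify: share side and NTFS side should both mirror the permissions described in the post.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -Path $Base).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Kick off the first download now rather than waiting for the next trigger.
Start-ScheduledTask -TaskName 'Defender-Definitions-Download'
```

The point of rebuilding the DACL from scratch is that a folder created under C:\ inherits an ACE granting Users write/create rights on subfolders, which is exactly the access the post warns against; disabling inheritance and adding only the three explicit ACEs leaves the clones with read-only access whatever the parent folder's permissions are.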

Step 2: Configure Defender local group policy settings on your master image

Defender for non-persistent VDI relies on a few local group policy settings being baked into your image so they are in effect at boot time, before domain policy has applied. Configure the following settings via gpedit.msc on your master image.

Location: Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus\Security Intelligence Updates

IMPORTANT: You must configure both Define security intelligence location for VDI clients and Define file shares for downloading security intelligence updates. If you do not configure both, the service will not work.

Values to use:

Define the order of sources for downloading security intelligence: FileShares

Define file shares for downloading security intelligence updates: \\yourfileserver\wdav-update

Define security intelligence location for VDI clients: \\yourfileserver\wdav-update

This concludes the minimal settings that are required on the master image.
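As an added example (not from the original post), the following PowerShell sets the same local policy values without gpedit, which is handy for an MDT task sequence or any unattended image build. It writes the registry values under the Windows Defender policy key that the Group Policy editor populates for the settings named above, then reads back what the engine reports and checks that the share is reachable from the image. It assumes the share path \\yourfileserver\wdav-update from the post.

```powershell
# Added example, not part of the original post: bake the Step 2 local policy values into the
# master image from a script. Assumes Windows 10 1909 with the current Defender ADMX (as the
# post requires) and the share path from the post. Run elevated on the master image.

$SharePath = '\\yourfileserver\wdav-update'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates'

if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

# "Define the order of sources for downloading security intelligence" -> FileShares only
Set-ItemProperty -Path $PolicyKey -Name 'FallbackOrder' -Type String -Value 'FileShares'
# "Define file shares for downloading security intelligence updates"
Set-ItemProperty -Path $PolicyKey -Name 'DefinitionUpdateFileSharesSources' -Type String -Value $SharePath
# "Define security intelligence location for VDI clients"
Set-ItemProperty -Path $PolicyKey -Name 'SharedSignatureRoot' -Type String -Value $SharePath

# Read back what the Defender engine now reports (a reboot of the image is the reliable confirmation)
Get-MpPreference |
    Select-Object SignatureFallbackOrder, SignatureDefinitionUpdateFileSharesSources, SharedSignaturesPath |
    Format-List

# Sanity check from the image: the share must be readable and hold at least one {0000...} folder,
# otherwise the first boot of a clone has nothing to update from.
$newest = Get-ChildItem -Path $SharePath -Directory -Filter '{00000000-0000-0000-0000-*}' -ErrorAction Stop |
    Sort-Object Name -Descending | Select-Object -First 1
if (-not $newest) { throw "No definition folders found under $SharePath" }
"Newest definition folder on the share: $($newest.Name) (created $($newest.CreationTime))"
```

One caveat: values written straight into the Policies hive behave like a local GPO that domain policy does not clean up. A domain GPO that leaves these settings "Not configured" will not remove them, which is what Step 3 relies on, but it also means a later domain GPO that sets them to something else wins silently.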

Tips for local policy configuration

  • You may want to use LGPO.exe to export a template of the Defender settings for your environment for quick setup in future, or add to an MDT task-sequence for your image builds.
  • If your master image has picked up policies you don’t need or for some reason you’ve had your hand forced to use a crappy image – you can wipe all the local and domain policy by running the below command (elevated). This will wipe all local policy WARNING – do this at your own peril (it will remove OSOT optimizations and all domain+local policy). Remember to re-join to domain and update policy afterwards.
    • RD /S /Q "%WinDir%\System32\GroupPolicyUsers" && RD /S /Q "%WinDir%\System32\GroupPolicy"

Install a baseline set of Defender AV definitions

  • If your enterprise has never used Defender before and/or has used a different AV product to date, it is highly likely you will have domain policy in place that disables Defender, and/or your base image will have no pre-existing Defender engine or definitions installed. In that case you may have to install a baseline definition pack so the Defender engine is active in the build. This may not apply to all environments, but I experienced VMs failing to update on their first boot because no existing definitions were installed. If this happens, download the latest definition package from Microsoft (the same mpam-fe.exe the download script fetches) and run it on the master image without the /x switch; this installs a definition pack and gives you an engine version and "last updated" point to work from.

Step 3: Configure Defender domain group policy settings…

There’s a plethora of settings for Defender and I won’t cover every setting here. The high level suggestions are covered in the Microsoft blogs – so refer to these, but also be aware that services like MAPS and ATP rely on many of the options available – and we’re not configuring these services in this blog post – only the ‘barebones’ AV product. Some examples of VDI-friendly settings you may want to use are below.

Important: do not configure in domain group policy any of the settings that Step 2 configures on the master image via local policy. Leave them "Not configured" in the domain GPO so the local values survive.

\Windows Defender Antivirus

  • Turn off Windows Defender Antivirus: Disabled
  • Randomize Scheduled tasks times: Enabled

\Scan

  • Allow users to pause scan: Disabled
  • Check for the latest virus and spyware security intelligence before running a scheduled scan: Enabled

\Security Intelligence Updates

  • Specify the interval to check for security intelligence updates: 2 hours

Step 4: Verify that it all works!

So lets recap on what we’ve done;

  • We have set up a file share that is populated every 2 to 4 hours with the latest definition files, unpacked and ready to be read by our VMs. The share and NTFS permissions make \wdav-update readable by the VMs, while only the SYSTEM account (or the service account running the scheduled tasks) on the management VM can write to it.
  • The master image has the local group policy settings required at boot, so the VMs should read from the share and self-update at every boot, and this should be reflected in the Virus & threat protection page in Windows on the VMs (example below).
  • Domain group policy manages things like scan times, quarantine behaviour, UI and notifications, and critically you have checked that the Turn off Windows Defender Antivirus policy is set to Disabled.

Spin up your VMs and check the log file below, searching for UpdateEngine: here you can see the subfolders of the definition share being traversed. The log line Skipped verification… Due to PPL is expected and does not indicate an error. Any errors will be shown in the entry that begins UpdateEngine start:

%ProgramData%\Microsoft\Windows Defender\Support\MPLog-<date>-<time>.log

Virus & threat protection settings should show Last Update: today’s date
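As an added example (not from the original post), the following PowerShell runs on a freshly booted clone and performs the checks this step describes in one go: what the engine reports about its signatures and configured share path, what the share currently offers and whether the newest folder was actually unpacked, and the UpdateEngine entries from the most recent MPLog file. It assumes the share path from the post and the MPLog file naming under %ProgramData%\Microsoft\Windows Defender\Support; run it elevated so the log is readable.

```powershell
# Added example, not part of the original post: verify on a clone that definitions came from the
# share. Assumes the share path from the post. Run elevated.

$Share      = '\\yourfileserver\wdav-update'
$SupportDir = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Support'

# 1. What the engine itself reports: version, timestamp, age in days, and the VDI share path it was given
$status = Get-MpComputerStatus
[pscustomobject]@{
    SignatureVersion = $status.AntivirusSignatureVersion
    LastUpdated      = $status.AntivirusSignatureLastUpdated
    AgeDays          = $status.AntivirusSignatureAge
    SharedPath       = (Get-MpPreference).SharedSignaturesPath
} | Format-List

# 2. What the share offers right now, and whether the newest folder really was unpacked
#    (mpam-fe.exe /x leaves the .vdm definition files and mpengine.dll beside the package)
$newest = Get-ChildItem -Path $Share -Directory -ErrorAction SilentlyContinue |
    Sort-Object Name -Descending | Select-Object -First 1
if ($newest) {
    $unpacked = (Test-Path (Join-Path $newest.FullName 'mpengine.dll')) -and
                (Test-Path (Join-Path $newest.FullName 'mpavbase.vdm'))
    "Newest share folder: $($newest.Name) created $($newest.CreationTime); unpacked: $unpacked"
} else {
    Write-Warning "No definition folders visible at $Share from this VM: check share and NTFS permissions"
}

# 3. The last UpdateEngine entries from the newest MPLog. "Skipped verification ... Due to PPL"
#    is expected; an error shows up on the line beginning "UpdateEngine start:".
Get-ChildItem -Path $SupportDir -Filter 'MPLog-*.log' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
    Select-String -Pattern 'UpdateEngine' |
    Select-Object -Last 10 | ForEach-Object { $_.Line }

# 4. Optionally force an update from the file share source only and re-read the timestamp.
#    If the share is unreadable this fails rather than silently falling back to another source.
Update-MpSignature -UpdateSource FileShares
(Get-MpComputerStatus).AntivirusSignatureLastUpdated
```

If step 1 shows an old timestamp while step 2 shows a fresh, unpacked folder, the problem is on the clone side (permissions or the local policy from Step 2); if step 2 finds no folders or an unpacked value of False, the problem is on the management VM (the download task, its proxy access, or the clean-up task removing too much).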

4 thoughts on "Configuring Windows Defender AV for VDI"

  1. We’ve been looking to follow this write up for our Horizon instant clone environment (great job BTW), but have run into some hiccups. I installed base definitions into the image, but, whenever we run check for update on the AntiVirus defs, it just spins and spins, eventually landing back at where we were before. Oddly we DO see network connectivity to our shared intelligence server, as well as data traversing to and from, but the damn thing never updates. Is there a key line to focus on/look for in the logs that says communication with the intelligence server is all green? Thanks a lot.

    1. Hi Edward, ideally your VM’s should show as ‘up to date’ at boot time – I found (as you have) when you try to manually fetch definitions it egg timers or fails – I’ve no idea why this is, but shortly before I left my last contract, we saw the same thing. I would revisit the mplog file and see if you’re getting the permissions error (mentioned in the article) and try experimenting with using pstools to elevate a cmd prompt and manually update the VM – see what the mplog file reflects when you do this (as this is essentially what should be happening during boot). Another thing I would try is to add ‘Everyone’ read/write NTFS permission to the share + the definition folder- then try the manual update from your VM. You may discover that all of the historical definitions are purged except the latest one (defender does this automatically) – but at least you’ll know it’s something permissions related. With read/execute perms (which I believe is recommended) – this purge action is avoided, so have a look into that…

      At the time I wrote this article, the ‘working’ state I had was not based on the VM’s ability to manually update their defender defs – the VM’s would simply boot and be up to date at boot time. I know exactly what you’re experiencing and it’s a massive pain in the hole – you might want to try and get hold of Jesse @ the Technet blog for Defender and see if he can help? Frankly, it’s a shame MS haven’t offered better documentation around building this as there’s lots of people keen to POC it. Good luck!

  2. Hey mate,

    Thanks for the post, very informative. We are planning to deploy this in our Horizon instant clones environment. Just a quick question: Don’t we need to configure the Microsoft Defender Security Center and setup End Point Security in the portal? I saw this blog and hence the question. https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/onboarding-and-servicing-non-persistent-vdi-machines-with/ba-p/1360721

    Thanks in advance.

    1. Hi mate,
      Thanks, hope it helps you during the implementation. It’s been a couple of years since I wrote this and I would preface my comments by saying that this guide was written based on a proof of concept – so there’s stuff omitted (like your requirement to enrol the VM’s) as well as (I expect) some changes to how this is done. My colleague from the company I did this for pinged me the other day and said they configured this for production eventually without using any local policy on the machine (all the settings driven by domain group policy). I did experiment with enrolling VM’s in Security Centre and got it working but at the time the E5 licensing had not been purchased so I wasn’t able to manage the VM’s once they were enrolled into security centre – so we effectively ran the PoC with zero visibility of the definition status on all the VM’s (which didn’t matter at the time, we were assessing the performance/boot times of the VM’s with Defender vs McAfee).

      Sorry I can’t be much more help but I would say yes, you do need to enrol them into security centre but be mindful of the powershell offboarding/onboarding script needing to be run and the senseID stuff – I think there’s also a local service for SenseID that needs running too. Let me know how you get on? It’s probably worth me updating this guide! Good luck
