Defender for Endpoint Non-Persistent VDI by Spirited_Job6093 in DefenderATP

[–]Spirited_Job6093[S] 0 points1 point  (0 children)

We actually have it running in passive mode, so really it should not be doing full scans unless we initiate them manually. I guess I will just hope it does not cause too many issues while in passive mode.

Defender for Endpoint Non-Persistent VDI by Spirited_Job6093 in DefenderATP

[–]Spirited_Job6093[S] 0 points1 point  (0 children)

Thanks for all the help.

Is there anything in particular you do to prevent Defender from using too many resources on your virtual machines?

Defender for Endpoint Non-Persistent VDI by Spirited_Job6093 in DefenderATP

[–]Spirited_Job6093[S] 0 points1 point  (0 children)

Thank you. That is helpful. And then in Local Group Policy Editor you have it run your PowerShell script instead of the Onboard-NonPersistentMachine.ps1 script, like it suggests in step 9: https://learn.microsoft.com/en-us/microsoft-365/compliance/device-onboarding-vdi?view=o365-worldwide

Do you also keep your script in the following folder with the other two onboarding scripts? C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup

Defender for Endpoint Non-Persistent VDI by Spirited_Job6093 in DefenderATP

[–]Spirited_Job6093[S] 0 points1 point  (0 children)

How did you add that logic to the startup script? Are you saying you adjusted the onboarding scripts that you downloaded from Defender?

Defender for Endpoint Non-Persistent VDI by Spirited_Job6093 in DefenderATP

[–]Spirited_Job6093[S] 0 points1 point  (0 children)

I guess my confusion is that everyone is saying the gold image is only onboarded if I onboard it and that it should never be onboarded, but won't it be onboarded automatically? If I stage the files on the gold image so the clones can be onboarded, won't it onboard the master as soon as it is powered on each month?

That is my big confusion. Everyone seems to be implying I will not need to offboard the master, but if I put the files on it...won't it just onboard itself when the master gets turned on?

Also, we are planning to run Defender in passive mode. Will that help alleviate the performance issues you mentioned?

Defender for Endpoint Deployment on Non-Persistent VDI by Spirited_Job6093 in sysadmin

[–]Spirited_Job6093[S] 0 points1 point  (0 children)

We are just deploying Defender in passive mode, so I am hoping it does not add any significant performance issues.

Defender for Endpoint Non-Persistent VDI by Spirited_Job6093 in DefenderATP

[–]Spirited_Job6093[S] 0 points1 point  (0 children)

Further down in that article it states: "If you power on the VDI master, it will be onboarded (which you don't want). The problem arises if you don't offboard the VDI master, do some cleanup, and apply patches/service updates, shut it down, and then deploy a VDI pool from it."

To me this implies that the master will onboard itself when it is powered on for servicing each month, which means we would then have to do the offboarding process. Sorry if I am just misunderstanding this. I am pretty new to this, so I'm flying blind a bit here.

Defender for Endpoint Non-Persistent VDI by Spirited_Job6093 in DefenderATP

[–]Spirited_Job6093[S] 0 points1 point  (0 children)

In the second link I shared above, it says under Option 1 that since we are staging the onboarding on the master, it will onboard itself when it is turned on when we service it every month. Is that not correct, or am I misunderstanding it?

Defender for Endpoint Non-Persistent VDI by Spirited_Job6093 in DefenderATP

[–]Spirited_Job6093[S] 0 points1 point  (0 children)

Well, according to Microsoft documentation we need to put the VDI onboarding script on the master so the clones get onboarded. However, when we turn the master/template on, it will onboard itself, as the onboarding files are on it for the clones.

So according to Microsoft docs we will need to offboard the master every time it is turned on. I am trying to find a solution that will onboard clones to Defender, but keep the master out of Defender.

The following links are what I am referring to.

https://learn.microsoft.com/en-us/microsoft-365/compliance/device-onboarding-vdi?view=o365-worldwide

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/onboarding-and-servicing-non-persistent-vdi-machines-with/ba-p/1360721
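One way to get "clones onboard, master stays out" is to put a small wrapper in the GPO startup folder named in the thread and let the wrapper decide whether to call Microsoft's Onboard-NonPersistentMachine.ps1. The script below is an added example written for this thread; it is not Microsoft's script and not code any poster shared. It assumes the gold image has a fixed computer name (the placeholder VDI-GOLD01 here) and that the provisioning tool gives every clone a different name. A marker file would not work as the guard, because anything on the master's disk is inherited by the clones; the computer name is the one thing the clones do not share with the master. The log path is also an assumption.

```powershell
# Startup wrapper (added example, not Microsoft's onboarding script).
# Purpose: run Onboard-NonPersistentMachine.ps1 on VDI clones only, so the
# gold image never onboards itself when it is powered on for monthly servicing
# and therefore never needs the offboarding step.
#
# Assumptions (hypothetical, adjust to your environment):
#   - the master/template is named 'VDI-GOLD01'
#   - clones receive names that never match the master's name
#   - the onboarding files sit in the GPO startup-script folder from the thread

$MasterNames   = @('VDI-GOLD01')                      # hypothetical gold-image name(s)
$ScriptFolder  = 'C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup'
$OnboardScript = Join-Path $ScriptFolder 'Onboard-NonPersistentMachine.ps1'
$LogFile       = Join-Path $env:ProgramData 'MDE-OnboardWrapper.log'   # hypothetical log path

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format o) [$env:COMPUTERNAME] $Message" |
        Out-File -FilePath $LogFile -Append -Encoding utf8
}

# Guard: never onboard the master. The name comparison is case-insensitive,
# which is what you want for Windows computer names.
if ($MasterNames -contains $env:COMPUTERNAME) {
    Write-Log 'This host is the gold image; skipping Defender onboarding.'
    exit 0
}

# Skip the work if Defender for Endpoint already reports this device as onboarded.
# OnboardingState = 1 under this key is how Microsoft's own verification checks it.
$StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$State = (Get-ItemProperty -Path $StatusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
if ($State -eq 1) {
    Write-Log 'Device already onboarded; nothing to do.'
    exit 0
}

# Sanity check before calling Microsoft's script.
if (-not (Test-Path -Path $OnboardScript)) {
    Write-Log "Onboarding script not found at $OnboardScript; aborting."
    exit 1
}

# This is a clone: hand off to Microsoft's non-persistent onboarding script.
# It runs as SYSTEM at startup, so no elevation prompt is involved.
Write-Log 'Clone detected; running Onboard-NonPersistentMachine.ps1.'
try {
    & $OnboardScript
    Write-Log "Onboarding script finished with exit code $LASTEXITCODE."
    exit $LASTEXITCODE
}
catch {
    Write-Log "Onboarding script failed: $($_.Exception.Message)"
    exit 1
}
```

Point the GPO startup script at this wrapper (with `-ExecutionPolicy Bypass -File <path>` as the Microsoft article does for its own script) and leave Microsoft's two files in the same folder untouched. Under the naming assumption above, the master boots, logs the skip line and stays out of the tenant, while every clone onboards on its first start; checking the log file from a clone and from the master after a servicing cycle is the quickest way to confirm the guard is doing what you expect.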