VMware Horizon Community
epa80
Hot Shot

Defender On Instant Clones

Was looking for some feedback from anyone out there using Microsoft Defender on Instant Clones. I'm going off this KB here from Microsoft, just trying to put the pieces together.

Onboard non-persistent virtual desktop infrastructure (VDI) devices | Microsoft Docs

This part specifically has me a little confused. Waiting for some feedback from Microsoft on what they mean by "single entry" or "multiple entries":

Depending on the method you'd like to implement, follow the appropriate steps:

  • For single entry for each device:

    Select the PowerShell Scripts tab, then click Add (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script Onboard-NonPersistentMachine.ps1. There's no need to specify the other file, as it will be triggered automatically.

  • For multiple entries for each device:

    Select the Scripts tab, then click Add (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script WindowsDefenderATPOnboardingScript.cmd.

We have our gold image squared away and ready to go (Defender enabled, up to date, etc), just kind of hung up at this script part. If anyone has gone through this already and has some tips, it would be much appreciated to hear about them.

38 Replies

epa80
Hot Shot

We've configured our test pools to use the newly created intelligence server. Hopefully around 4PM we'll see a difference. Fingers crossed.

epa80
Hot Shot

Didn't seem to matter. Around 3:30PM we saw the high disk behavior, even though no apparent tasks seem to be running and we've randomized as much as we can seem to.

epa80
Hot Shot

I was on 2 VMs today when the issue started, around 3:40PM. It calmed down around 4:30PM give or take. When I looked in Task Scheduler on both VMs, we saw the tasks for Defender all ran, and finished, in this window:

VM#1: [screenshot of Task Scheduler showing the Defender tasks]

VM#2: [screenshot of Task Scheduler showing the Defender tasks]

Our assumption is the clone is going out with the tasks in that ballpark. We have a GPO for Randomization of tasks, but perhaps this isn't in reference to THOSE tasks. We're wondering if we should maybe disable these tasks outright on the gold image.

Jubish-Jose
Hot Shot

Just did some random search and it looks like a few users have reported high disk/memory usage because of the scheduled scan. Some of them explain how to turn it off - https://www.easeus.com/partition-manager-software/antimalware-service-executable-high-disk-usage.htm...


-- If you find this reply helpful, please consider accepting it as a solution.
epa80
Hot Shot

We're almost 100% at this point that it has to do with the tasks in the Windows OS for Defender all, for some reason, having a "next run time" too close to each other across our pool(s). What is perplexing us is that other pools, using the same snap and Defender GPO, seem to have VERY spread-out timings for these tasks. They run the spectrum of time throughout the day, almost like the times get set on, say, refresh. Whereas our problem pools ALWAYS seem to want to run from 3-4PMish. We aren't sure if something happens on the clone parent creation perhaps? Or perhaps because we did a pool republish in place vs. one big mass republish (meaning in the former, the logoffs cause the full repub to go slower, thereby randomizing the times perhaps?).

At this point we're basically disabling those tasks via a script until we figure out why the pools go out with the times so close together. We have several settings to randomize tasks in the GPO, but Microsoft is extremely confusing.
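
An added example (not posted by anyone in this thread) of how to check a clone for the clustering described above: it lists the Defender scheduled tasks with their next run times, warns when they all fall inside a narrow window, and can optionally disable every Defender task except the update task, which is the workaround this thread ends up with. The task path and cmdlets are standard Windows ones; the 60-minute window and the `-DisableAllButUpdate` switch name are my assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on a
# clone (to diagnose) or on the gold image (to apply the workaround).
param(
    [int]$WindowMinutes = 60,        # assumption: "too close together" = within one hour
    [switch]$DisableAllButUpdate     # assumption: opt-in switch to apply the workaround
)

$taskPath = '\Microsoft\Windows\Windows Defender\'
$tasks = Get-ScheduledTask -TaskPath $taskPath -ErrorAction Stop

# Collect state and timing for each Defender task.
$report = foreach ($t in $tasks) {
    $info = $t | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskName    = $t.TaskName
        State       = $t.State
        LastRunTime = $info.LastRunTime
        NextRunTime = $info.NextRunTime
    }
}
$report | Sort-Object NextRunTime | Format-Table -AutoSize

# Clustering check: do the enabled tasks all have next run times inside the window?
$scheduled = @($report | Where-Object { $_.State -ne 'Disabled' -and $_.NextRunTime })
if ($scheduled.Count -gt 1) {
    $sorted = $scheduled | Sort-Object NextRunTime
    $spread = New-TimeSpan -Start $sorted[0].NextRunTime -End $sorted[-1].NextRunTime
    if ($spread.TotalMinutes -le $WindowMinutes) {
        $msg = '{0} Defender tasks have next run times within {1:N0} minutes of each other ({2:t} to {3:t}); expect a disk/CPU spike across the pool at that time.' -f `
            $scheduled.Count, $spread.TotalMinutes, $sorted[0].NextRunTime, $sorted[-1].NextRunTime
        Write-Warning $msg
    } else {
        Write-Host ('Next run times are spread over {0:N0} minutes.' -f $spread.TotalMinutes)
    }
}

# Workaround from the thread: disable all Defender tasks except the update task.
if ($DisableAllButUpdate) {
    foreach ($t in $tasks) {
        if ($t.TaskName -notmatch 'Update') {
            Disable-ScheduledTask -TaskName $t.TaskName -TaskPath $taskPath | Out-Null
            Write-Host "Disabled $($t.TaskName)"
        }
    }
}
```

Running it without the switch on two clones from the same pool is enough to confirm whether their tasks were cloned with the same next run times; running it on several pools shows whether the randomization GPO is actually spreading them.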

Jubish-Jose
Hot Shot

@epa80 Hey mate, curious whether you guys were able to resolve this?


-- If you find this reply helpful, please consider accepting it as a solution.
epa80
Hot Shot

Hi @Jubish-Jose,

We have. At the very worst we have a workaround in place that seems to have fixed our issues. We ended up disabling all scheduled tasks related to Defender on the gold image, except for the "Windows Defender Update" task. We also are utilizing a Security Intelligence server per Microsoft's design document. However, we think all of our issues were related to those scheduled tasks. They just hammered us and the issue didn't go away until we disabled them outright in the gold. Microsoft had the opinion that in a non-persistent world, which ours is, those tasks should be benign.

rhawkins01
Contributor

We came up with a different solution in our non-persistent environment. We use a post-synchronization script to configure some settings on each Instant Clone after it's provisioned. We added a step to that script to create a scheduled task that then immediately executes the Defender ATP onboarding PowerShell and configures our exclusions. This has worked very consistently since we implemented it.

epa80
Hot Shot

In our environment we're doing a post-sync task in Horizon as well, a .bat file that runs the script below. We have exclusions provided via a GPO linked to our non-persistent OU.

[screenshot of the post-sync script]

And this is how our tasks look:

[screenshot of the Defender scheduled tasks]

jmacdaddy
Enthusiast

Is Defender Tamper Protection enabled and Real Time protection enabled on your templates? We are looking at using Defender, but we can't seem to get past step one, which would be to have Defender enabled on the template and running a full scan before shutting it down and onboarding the instant clones. On the templates we see Real Time protection off and Tamper Protection off with the warning "This setting is managed by your administrator". The template is AD joined, but currently in an OU with all GPO inheritance blocked. Supposedly the OSOT was run on this template with the option to disable Defender, but I don't see any local Group Policies enabled that would be turning it off. In fact I have gone into the local Group Policy and disabled the settings for Disable Defender and Disable Real Time Protection but no change. The template is not hybrid joined or registered in Azure from what I can see (nothing under work/school accounts). Any insight you can give me would be greatly appreciated.

Jubish-Jose
Hot Shot

OSOT usually disables settings in GPO as well as registry. Please check HKLM\Software\Microsoft\Windows Defender and HKLM\Software\Microsoft\Windows Defender\Real-Time Protection settings. 

For Tamper Protection, I think it has to be enabled from Defender Portal and End Point Manager Portal.

https://hmaslowski.com/home/f/enable-tamper-protection-in-defender-for-endpoint-windows-mac 


-- If you find this reply helpful, please consider accepting it as a solution.
epa80
Hot Shot

This is one of our deployed VMs off our gold, here's how we look:

[two screenshots of the Windows Security / Defender status on a deployed VM]

epa80
Hot Shot

The OSOT can really jack up Defender if you used it to disable Defender previously on your gold image (as we did, since we used Trend Micro). These are the steps we had to perform to get it back to working. Apologies if crude, it's what we wrote kind of on the fly and never went back to.

 

Initial Defender setup on a base

1. Uninstall Trend Micro Deep Security Notifier.

2. Local GPO on the base: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus. Go through all settings in the subfolders and make sure they are all set as Not Configured. Running the OSOT set some of these values, but we want everything under Microsoft Defender Antivirus to be Not Configured.

3. Reboot - don't skip this reboot. You have to do this reboot or the registry changes below won't do enough.

4. Change the startup types for these four services. You can't change the startup type for these services in the GUI, so go to the registry (HKLM\System\CurrentControlSet\Services\) and change them there:

   • Windows Security Service (SecurityHealthService): change to 3
   • Windows Defender Advanced Threat Protection Service (Sense): change to 2 (this is used for onboarding; if Sense is stopped, the VM is not onboarded)
   • Microsoft Defender Antivirus Service (WinDefend): change to 2
   • Security Center (wscsvc): change to 2

5. Reboot after changing the Services registry values.
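
An added example (not written by anyone in this thread) that audits the two things the last two replies point at: the registry locations where OSOT and GPO switch Defender off, and the Start values of the four services listed above. By default it only reports; with `-Fix` it removes the disable values and sets the Start values from the post. The Start numbers and service names are the post's; the `DisableAntiSpyware` / `DisableRealtimeMonitoring` value names are the standard Defender policy values, and the `-Fix` switch is my assumption.

```powershell
# Added example, not from the thread. Run elevated on the gold image, then reboot
# as the post says. Writes under Services\WinDefend can be blocked while Tamper
# Protection is on; the post is working on a base where it is off.
param([switch]$Fix)   # assumption: report only unless -Fix is given

# 1. Values that disable Defender. Policies\... is where GPO writes; the
#    Software\Microsoft\Windows Defender keys are the ones the reply above names.
$disableChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                               Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection';          Name = 'DisableRealtimeMonitoring' }
)
foreach ($c in $disableChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.($c.Name) -eq 1) {
        Write-Warning "$($c.Path)\$($c.Name) = 1 (Defender is disabled here)"
        if ($Fix) { Remove-ItemProperty -Path $c.Path -Name $c.Name }
    }
}

# 2. Service startup types from the post (2 = Automatic, 3 = Manual).
$services = @{
    SecurityHealthService = 3   # Windows Security Service
    Sense                 = 2   # Defender for Endpoint sensor; must be running or the VM is not onboarded
    WinDefend             = 2   # Microsoft Defender Antivirus Service
    wscsvc                = 2   # Security Center
}
foreach ($name in $services.Keys) {
    $key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $current = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    $wanted  = $services[$name]
    if ($current -ne $wanted) {
        Write-Host ('{0}: Start={1}, want {2}' -f $name, $current, $wanted)
        if ($Fix) { Set-ItemProperty -Path $key -Name Start -Value $wanted -Type DWord }
    } else {
        Write-Host ('{0}: Start={1} (ok)' -f $name, $current)
    }
}
if ($Fix) { Write-Host 'Reboot now so the new startup types take effect.' }
```

The report-only run is also a quick answer to the "This setting is managed by your administrator" question a few replies up: if any of the four disable values prints a warning, that is what is greying the toggle out.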

jmacdaddy
Enthusiast

Thank you for that information. Are your gold image (template) VMs onboarded? Microsoft says you shouldn't onboard the instant clone Internal Templates and it says if you do onboard the golden image template then "...then you must offboard and clear some data before putting the image back into production." What has worked best for you?

epa80
Hot Shot

We don't onboard the gold image, no. You'll see above in our post-sync task, we actually run steps to clear any possible onboarding data on VMs as they spin up/are deleted. This was detailed here: Onboard non-persistent virtual desktop infrastructure (VDI) devices - Microsoft Purview (compliance)...

Note

If you have onboarded the master image of your VDI environment (SENSE service is running), then you must offboard and clear some data before putting the image back into production.

  1. Ensure the sensor is stopped by running the command below in a CMD window:

sc query sense

  2. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip)

PsExec.exe -s cmd.exe
cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
del *.* /f /s /q
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f
exit

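An added example (not from either of the posters) of what a post-sync script combining the two approaches in this thread could look like: it first clears any onboarding identity inherited from the gold image, as the Microsoft note quoted above describes, and only does so if Sense is stopped, which is the note's precondition; it then registers and starts a SYSTEM scheduled task that runs Onboard-NonPersistentMachine.ps1, as rhawkins01 describes. The script location `C:\Onboarding\...` and the task name are my assumptions; the folder and registry value are the ones in the note.

```powershell
# Added example, not from the thread. Intended to run as SYSTEM from the Horizon
# post-synchronization step (e.g. via the .bat file the post above mentions).
$onboardScript = 'C:\Onboarding\Onboard-NonPersistentMachine.ps1'   # assumed staging path
$cyberDir      = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber'
$atpKey        = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'
$taskName      = 'MDE-NonPersistent-Onboard'                           # assumed task name

# (a) Clear inherited onboarding data, but only when the sensor is stopped. If Sense
#     is already running the gold image was onboarded, and the note says to offboard
#     it first rather than wipe identity underneath a live sensor.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if ($sense -and $sense.Status -ne 'Stopped') {
    Write-Warning "Sense is $($sense.Status); skipping cleanup. Offboard the gold image first."
} else {
    if (Test-Path $cyberDir) {
        Get-ChildItem -Path $cyberDir -Recurse -Force |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
    if (Get-ItemProperty -Path $atpKey -Name senseGuid -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $atpKey -Name senseGuid -Force
        Write-Host 'Removed inherited senseGuid'
    }
}

# (b) Run the onboarding script as SYSTEM through a one-shot scheduled task, so it
#     does not depend on the post-sync context and shows up in Task Scheduler history.
if (-not (Test-Path $onboardScript)) { throw "Onboarding script not found: $onboardScript" }
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$onboardScript`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal | Out-Null
Start-ScheduledTask -TaskName $taskName

# (c) Verify: a clone with Sense stopped is not onboarded (per the post above).
Start-Sleep -Seconds 30
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if ($sense -and $sense.Status -eq 'Running') {
    Write-Host 'Sense is running; onboarding was started.'
} else {
    Write-Warning 'Sense is not running; check the task history and the onboarding script output.'
}
```

Keeping the cleanup guarded on the Sense state means the same script is safe to run on a clone from a gold image that was never onboarded (the normal case) and refuses to half-clean one that was.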
TomKalabis
Enthusiast

Hi,

I have the same problem as you, about 7 instant clone desktop pools with Windows 11.

Defender is consuming a HUGE amount of CPU!

Please, did you find a solution? Simply disable the Windows Defender scheduled task in the gold image?

I'm using non-persistent desktops.

Tomas.

epa80
Hot Shot

I'm involved in another thread that this discussion kind of spiraled into. Take a look at that, specifically my last post there.

Re: Horizon View 7.12 Postsync Script with Gpupdat... - VMware Technology Network VMTN

conneerrr
Contributor

I am looking at implementing your method, did you experience the same issues?

epa80
Hot Shot

Sorry, not sure what you mean by the same issues. This thread has been a pretty long, winding road; I believe everything we encountered is captured in the replies. Let me know if you're asking about something specific, glad to try and help.
