My workaround for definition updates were to exclude the processes and directories. I created a blank Appstack and edit the snapvol.cfg. I attach that appstack to our rdsh servers.

In the snapvol.cfg file, make sure it include these:

exclude_path=\ProgramData\Microsoft\Windows Defender

exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender

exclude_path=\Program Files\Windows Defender

exclude_path=\Program Files\Microsoft Security Client

exclude_path=\Program Files\Microsoft Anitmalware

exclude_path=%SystemRoot%\system32\MpSigStub.exe

exclude_process_name=Msseces.exe

exclude_process_name=MsMpEng.exe

exclude_process_name=MpCmdRun.exe

exclude_process_name=AM_Delta.exe

(I believe that is all of them)

For windows updates, I follow the process of stopping and disabling the appvol services, restart, install updates, re-enable appvol services and reboot.