We've configured our test pools to use the newly created intelligence server. Hopefully around 4PM we'll see a difference. Fingers crossed.
Didn't seem to matter. Around 3:30PM we saw the high disk behavior, even though no apparent tasks seem to be running and we've randomized as much as we seem to be able to.
I was on 2 VMs today when the issue started, around 3:40PM. It calmed down around 4:30PM give or take. When I looked in Task Scheduler on both VMs, we saw the tasks for Defender all ran, and finished, in this window:
VM#1:
VM#2:
Our assumption is the clone is going out with the tasks in that ballpark. We have a GPO for Randomization of tasks, but perhaps this isn't in reference to THOSE tasks. We're wondering if we should maybe disable these tasks outright on the gold image.
Just did some random searching and it looks like a few users have reported high disk/memory usage because of the scheduled scan. Some of them explain how to turn it off - https://www.easeus.com/partition-manager-software/antimalware-service-executable-high-disk-usage.htm...
-- If you find this reply helpful, please consider accepting it as a solution.
We're almost 100% at this point that it has to do with the tasks in the Windows OS for Defender all, for some reason, having a "next run time" too close to each other across our pool(s). What is perplexing us is that other pools, using the same snap and Defender GPO, seem to have VERY spread-out timings for these tasks. They run the spectrum of time throughout the day, almost like the times get set on, say, refresh. Whereas our problem pools ALWAYS seem to want to run from 3-4PMish. We aren't sure if something happens on the clone parent creation perhaps? Or perhaps because we did a pool republish in place vs. one big mass republish (meaning in the former, the logoffs cause the full repub to go slower, thereby randomizing the times perhaps?).
At this point we're basically disabling those tasks via a script until we figure out why the pools go out with the times so close together. We have several settings to randomize tasks in the GPO, but Microsoft is extremely confusing.
@epa80 Hey mate, curious whether you guys were able to resolve this?
-- If you find this reply helpful, please consider accepting it as a solution.
Hi @Jubish-Jose,
We have. At the very worst we have a workaround in place that seems to have fixed our issues. We ended up disabling all scheduled tasks related to Defender on the gold image, except for the "Windows Defender Update" task. We also are utilizing a Security Intelligence server per Microsoft's design document. However, we think all of our issues were related to those scheduled tasks. They just hammered us and the issue didn't go away until we disabled them outright in the gold. Microsoft had the opinion that in a non-persistent world, which ours is, those tasks should be benign.
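The two posts above describe the diagnosis (Defender tasks in a pool all carrying a "next run time" in the same 3-4PM window) and the workaround (disabling every Defender scheduled task in the gold image except "Windows Defender Update"). The following PowerShell script is an added example, not code from the thread or from VMware or Microsoft: run read-only on a few clones it reports each Defender task's state, last and next run time and warns when the next runs on a VM are bunched together; with the `-Csv` switch it appends the rows to a shared file so the timings can be compared across the pool; with `-Disable` it applies the workaround on the gold image. The task folder and task names are the standard ones on Windows 10/11; `-Disable`, `-Keep`, `-WindowMinutes` and `-Csv` are this script's own parameters.

```powershell
# Added example (not from the thread). Audit the Defender scheduled tasks on this VM;
# with -Disable, disable all of them except the ones named in -Keep.
[CmdletBinding()]
param(
    [switch]$Disable,                                  # apply the gold-image workaround
    [string[]]$Keep = @('Windows Defender Update'),    # tasks left enabled when -Disable is used
    [int]$WindowMinutes = 30,                          # warn when next runs fall inside this span
    [string]$Csv                                       # optional shared CSV for pool-wide comparison
)

$taskPath = '\Microsoft\Windows\Windows Defender\'
$tasks = Get-ScheduledTask -TaskPath $taskPath -ErrorAction Stop

# One row per task: State, LastRunTime and NextRunTime are what Task Scheduler shows.
$report = foreach ($t in $tasks) {
    $info = Get-ScheduledTaskInfo -TaskName $t.TaskName -TaskPath $t.TaskPath
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Task        = $t.TaskName
        State       = [string]$t.State
        LastRunTime = $info.LastRunTime
        NextRunTime = $info.NextRunTime
    }
}
$report | Sort-Object NextRunTime | Format-Table -AutoSize
if ($Csv) { $report | Export-Csv -Path $Csv -NoTypeInformation -Append }

# Warn when the upcoming runs on this VM are clustered; the CSV shows the same
# clustering between VMs of a pool.
$upcoming = @($report |
    Where-Object { $_.NextRunTime -and $_.NextRunTime -gt (Get-Date) } |
    Sort-Object NextRunTime)
if ($upcoming.Count -gt 1) {
    $span = $upcoming[-1].NextRunTime - $upcoming[0].NextRunTime
    if ($span.TotalMinutes -le $WindowMinutes) {
        Write-Warning ("{0} Defender tasks are due within {1:N0} minutes of each other (starting {2})" -f `
            $upcoming.Count, $span.TotalMinutes, $upcoming[0].NextRunTime)
    }
}

# Workaround from the thread: run this on the gold image before publishing.
if ($Disable) {
    foreach ($t in $tasks) {
        if ($Keep -contains $t.TaskName) { continue }
        if ([string]$t.State -ne 'Disabled') {
            Disable-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath | Out-Null
            Write-Host "Disabled $($t.TaskPath)$($t.TaskName)"
        }
    }
}
```

Run it without switches on a handful of clones from both a "good" and a "problem" pool and compare the NextRunTime columns; if the problem pool's clones all show the same window while the good pool's are spread out, the clustering is in the clone parent rather than in the GPO randomization settings.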
We came up with a different solution in our non-persistent environment. We use a post-synchronization script to configure some settings on each Instant Clone after it's provisioned. We added a step to that document to create a scheduled task that then immediately executes the Defender ATP onboarding PowerShell and configures our exclusions. This has worked very consistently since we implemented this.
In our environment we're doing a post-sync task in Horizon as well, a .bat file that runs the script below. We have exclusions provided via a GPO linked to our non-persistent OU.
And these are how our tasks look:
Is Defender Tamper Protection enabled and Real Time protection enabled on your templates? We are looking at using Defender, but we can't seem to get past step one, which would be to have Defender enabled on the template and running a full scan before shutting it down and onboarding the instant clones. On the templates we see Real Time protection off and Tamper Protection off with the warning "This setting is managed by your administrator". The template is AD joined, but currently in an OU with all GPO inheritance blocked. Supposedly the OSOT was run on this template with the option to disable Defender, but I don't see any local Group Policies enabled that would be turning it off. In fact I have gone into the local Group Policy and disabled the settings for Disable Defender and Disable Real Time Protection but no change. The template is not hybrid joined or registered in Azure from what I can see (nothing under work or school accounts). Any insight you can give me would be greatly appreciated.
OSOT usually disables settings in GPO as well as registry. Please check HKLM\Software\Microsoft\Windows Defender and HKLM\Software\Microsoft\Windows Defender\Real-Time Protection settings.
For Tamper Protection, I think it has to be enabled from the Defender Portal and the Endpoint Manager Portal.
https://hmaslowski.com/home/f/enable-tamper-protection-in-defender-for-endpoint-windows-mac
-- If you find this reply helpful, please consider accepting it as a solution.
This is one of our deployed VMs off our gold, here's how we look:
The OSOT can really jack up Defender if you used it to disable Defender previously on your gold image (as we did, since we used Trend Micro). These are the steps we had to perform to get it back to working. Apologies if crude, it's what we wrote kind of on the fly and never went back to.
Initial Defender setup on a base
Uninstall Trend Micro Deep Security Notifier
Local GPO on the base:
Computer Configuration>Administrative Templates>Windows Components>Microsoft Defender Antivirus
Go through all settings in the subfolders and make sure they are all set as Not Configured.
Running the OSOT set some of these values, but we want everything under Microsoft Defender Antivirus to be Not Configured.
Reboot - don't skip this reboot. You have to do this reboot or the registry changes below won't do enough.
Change the startup types for these four services. You can't change the startup type for these services in the GUI, so go to the registry and change them there.
HKLM\System\CurrentControlSet\Services\
- Windows Security Service (SecurityHealthService): change to 3
- Windows Defender Advanced Threat Protection Service (Sense): change to 2 (this is used for onboarding; if Sense is stopped, the VM is not onboarded)
- Microsoft Defender Antivirus Service (WinDefend): change to 2
- Security Center (wscsvc): change to 2
Reboot after changing the Services registry values.
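The service step above and the earlier reply pointing at HKLM\Software\Microsoft\Windows Defender and its Real-Time Protection subkey are easy to script. The following PowerShell is an added example, not code from the thread, VMware or Microsoft: it writes the start types the post lists by setting the `Start` value under each service key (the standard value name for a service's startup type), reports what changed, and then dumps the Defender registry keys so any values OSOT left behind are visible before the second reboot. The service names and values are the post's; the `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender` key is the standard location local Defender GPO settings are written to and is included so a remaining "Disable" policy can be spotted. Run elevated on the base, after the local-GPO reset and the first reboot the post calls for, and reboot afterwards.

```powershell
# Added example (not from the thread). Apply the service start types from the post and
# show the Defender registry keys that OSOT may have modified.
$desired = [ordered]@{
    'SecurityHealthService' = 3   # Windows Security Service: Manual
    'Sense'                 = 2   # Defender ATP service: Automatic (stopped Sense = not onboarded)
    'WinDefend'             = 2   # Microsoft Defender Antivirus Service: Automatic
    'wscsvc'                = 2   # Security Center: Automatic
}

$changed = 0
foreach ($name in $desired.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) { Write-Warning "${name}: service key not found"; continue }
    $current = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    if ($current -eq $desired[$name]) {
        Write-Host ("{0,-22} Start already {1}" -f $name, $current)
        continue
    }
    try {
        Set-ItemProperty -Path $key -Name Start -Value $desired[$name] -Type DWord -ErrorAction Stop
        Write-Host ("{0,-22} Start {1} -> {2}" -f $name, $current, $desired[$name])
        $changed++
    } catch {
        # The WinDefend and Sense keys are protected; a failure here usually means the
        # local GPO reset and the reboot from the post have not taken effect yet.
        Write-Warning ("{0}: could not set Start ({1})" -f $name, $_.Exception.Message)
    }
}

# Dump the keys the earlier reply says to check, plus the local-policy key.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
)
foreach ($k in $keys) {
    Write-Host "`n== $k"
    if (Test-Path $k) {
        Get-ItemProperty -Path $k | Select-Object * -ExcludeProperty PS* | Format-List
    } else {
        Write-Host '(key not present)'
    }
}

if ($changed -gt 0) { Write-Host "`n$changed service(s) changed; reboot before checking Defender status." }
```

A template that still shows "This setting is managed by your administrator" after this usually has a leftover value under the Policies key in the dump; that value belongs to the local GPO setting from the first step, which has to be put back to Not Configured before the registry changes take effect.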
Thank you for that information. Are your gold image (template) VMs onboarded? Microsoft says you shouldn't onboard the instant clone Internal Templates and it says if you do onboard the golden image template then "...then you must offboard and clear some data before putting the image back into production." What has worked best for you?
We don't onboard the gold image, no. You'll see above in our post-sync task, we actually run steps to clear any possible onboarding data on VMs as they spin up/are deleted. This was detailed here: Onboard non-persistent virtual desktop infrastructure (VDI) devices - Microsoft Purview (compliance)...
Note
If you have onboarded the master image of your VDI environment (SENSE service is running), then you must offboard and clear some data before putting the image back into production.
- Ensure the sensor is stopped by running the command below in a CMD window:
sc query sense
- Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip)
PsExec.exe -s cmd.exe
cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
del *.* /f /s /q
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f
exit
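The post-sync approach described earlier in the thread (create a scheduled task on each clone that immediately runs the Defender ATP onboarding script) and the Microsoft note quoted above (check that Sense is stopped, clear the Cyber folder, delete senseGuid) combine into one script. The following PowerShell is an added example, not code from the thread, VMware or Microsoft: it is meant to run as a Horizon post-synchronization script, which runs as SYSTEM (the reason the Microsoft note uses PsExec -s), performs the cleanup only when the sensor is not running, then registers and starts a SYSTEM scheduled task that runs the onboarding package. The onboarding script path, the task name and the exclusion path are assumptions and placeholders; the Cyber folder and senseGuid value are the ones from the quoted note.

```powershell
# Added example (not from the thread). Post-sync step for a non-persistent clone:
# clear stale onboarding data (per the quoted Microsoft note) and onboard via a task.
$onboardScript = 'C:\Scripts\WindowsDefenderATPOnboardingScript.cmd'   # assumed location of the MDE onboarding package
$taskName      = 'MDE-Onboard-Clone'                                   # assumed task name
$exclusionPath = 'C:\PLACEHOLDER\NonPersistentAppData'                 # placeholder; real exclusions come from your GPO

$cyber  = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber'
$regKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'

# Step 1 of the note: the sensor must be stopped before clearing data.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
if ($sense -and $sense.Status -eq 'Running') {
    Write-Warning 'Sense is already running on this clone (image was onboarded?); skipping cleanup'
} else {
    # Step 2 of the note: del *.* /f /s /q in the Cyber folder, then remove senseGuid.
    if (Test-Path $cyber) {
        Get-ChildItem -Path $cyber -Recurse -Force |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
        Write-Host "Cleared $cyber"
    }
    if (Get-ItemProperty -Path $regKey -Name senseGuid -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $regKey -Name senseGuid -Force
        Write-Host 'Removed senseGuid'
    }
}

# Optional exclusions set locally (the thread's poster uses a GPO for these instead).
if (Test-Path $exclusionPath) {
    Add-MpPreference -ExclusionPath $exclusionPath -ErrorAction SilentlyContinue
}

# Register a SYSTEM task and start it right away so onboarding happens at provisioning
# time rather than on a timer shared by every clone in the pool.
if (-not (Test-Path $onboardScript)) {
    throw "Onboarding script not found: $onboardScript"
}
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument ('/c "{0}"' -f $onboardScript)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                 -ExecutionTimeLimit (New-TimeSpan -Minutes 30)
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal `
    -Settings $settings -Force | Out-Null
Start-ScheduledTask -TaskName $taskName
Write-Host "Started task $taskName"

# Verification a practitioner would want: Sense should be running once onboarding completes.
Start-Sleep -Seconds 60
(Get-Service -Name Sense).Status
```

The task has no trigger on purpose: it exists only to run the onboarding package once under SYSTEM as the clone comes up, so nothing about it recurs and nothing clusters across the pool the way the built-in Defender maintenance tasks in the original problem did.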
Hi,
I have the same problem as you, about 7 instant clone desktop pools with Windows 11.
Defender is consuming a HUGE amount of CPU!
Did you find a solution? Simply disable the Windows Defender scheduled tasks in the gold image?
I'm using non-persistent desktops.
Tomas.
I'm involved in another thread that this discussion kind of spiraled into. Take a look at that, specifically my last post there.
Re: Horizon View 7.12 Postsync Script with Gpupdat... - VMware Technology Network VMTN