Merge pull request #2272 from YongRhee-MSFT/docs-editor/deployment-vdi-microsoft-defen-1735251536

Update deployment-vdi-microsoft-defender-antivirus.md

Author: denisebmsft

defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md

@@ -2,7 +2,7 @@
 title: Configure Microsoft Defender Antivirus on a remote desktop or virtual desktop infrastructure environment
 description: Get an overview of how to configure Microsoft Defender Antivirus in a remote desktop or non-persistent virtual desktop environment.
 ms.localizationpriority: medium
-ms.date: 10/28/2024
+ms.date: 12/30/2024
 ms.topic: conceptual
 author: denisebmsft
 ms.author: deniseb
@@ -31,19 +31,16 @@ search.appverid: met150
 
 - Windows
 
-This article is designed for customers who are using Microsoft Defender Antivirus capabilities only. If you have Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus alongside other device protection capabilities), also go through [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](configure-endpoints-vdi.md).
+This article is designed for customers who are using Microsoft Defender Antivirus capabilities only. If you have Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus alongside other device protection capabilities), see [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](configure-endpoints-vdi.md).
 
-You can use Microsoft Defender Antivirus in a remote desktop (RDS) or non-persistent virtual desktop infrastructure (VDI) environment. Following the guidance in this article, you can configure updates to download directly to your RDS or VDI environments when a user signs in.
+You can use Microsoft Defender Antivirus in a remote desktop (RDS) or non-persistent virtual desktop infrastructure (VDI) environment. Using the guidance in this article, you can configure updates to download directly to your RDS or VDI environments whenever a user signs in.
 
 This guide describes how to configure Microsoft Defender Antivirus on your VMs for optimal protection and performance, including how to:
 
 - [Set up a dedicated VDI file share for security intelligence updates](#set-up-a-dedicated-vdi-file-share-for-security-intelligence)
-- [Randomize scheduled scans](#randomize-scheduled-scans)
-- [Use quick scans](#use-quick-scans)
-- [Prevent notifications](#prevent-notifications)
-- [Disable scans from occurring after every update](#disable-scans-after-an-update)
-- [Scan out-of-date machines or machines that were offline for a while](#scan-vms-that-have-been-offline)
-- [Apply exclusions](#exclusions)
+- [Download and unpackage the latest updates](#download-and-unpackage-the-latest-updates)
+- [Configure Microsoft Defender Antivirus settings](#microsoft-defender-antivirus-configuration-settings)
+- [Run the Windows Defender Cache Maintenance scheduled task](#run-the-windows-defender-cache-maintenance-scheduled-task)
 
 > [!IMPORTANT]
 > Although a VDI can be hosted on Windows Server 2012 or Windows Server 2016, virtual machines (VMs) should be running Windows 10, version 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
@@ -60,27 +57,26 @@ In Windows 10, version 1903, Microsoft introduced the shared security intelligen
 
 3. Select **Administrative templates**. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
 
-4. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. 
+4. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
 
-   A field automatically appears.
-
-5. Enter `\\<Windows File Server shared location\>\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)).
+5. In the field, type `\\<File Server shared location\>\wdav-update`. (For help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates).)
 
 6. Select **OK**, and then deploy the Group Policy Object to the VMs you want to test.
 
 ### PowerShell
 
 1. On each RDS or VDI device, use the following cmdlet to enable the feature: 
 
-   `Set-MpPreference -SharedSignaturesPath \\<Windows File Server shared location>\wdav-update`
+   `Set-MpPreference -SharedSignaturesPath \\<File Server shared location>\wdav-update`
 
 2. Push the update as you normally would push PowerShell-based configuration policies onto your VMs. (See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section in this article. Look for the *shared location* entry.) 
 
 ## Download and unpackage the latest updates
 
-Now you can get started on downloading and installing new updates. We've created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you're familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts).
+Now you can get started on downloading and installing new updates. This section contains a sample PowerShell script that you can use. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task. Or, if you're familiar with using PowerShell scripts in Azure, Intune, or Configuration Manager, you could use those scripts instead.
 
 ```PowerShell
+
 $vdmpathbase = "$env:systemdrive\wdav-update\{00000000-0000-0000-0000-"
 $vdmpathtime = Get-Date -format "yMMddHHmmss"
 $vdmpath = $vdmpathbase + $vdmpathtime + '}'
@@ -91,6 +87,7 @@ New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null
 Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage
 
 Start-Process -FilePath $vdmpackage -WorkingDirectory $vdmpath -ArgumentList "/x"
+
 ```
 
 You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs receive the new update. We suggest starting with once a day, but you should experiment with increasing or decreasing the frequency to understand the impact.
@@ -116,7 +113,7 @@ You can also set up your single server or machine to fetch the updates on behalf
    > [!NOTE]
    > An NTFS permission is added for **Authenticated Users:Read:**.
 
-   For this example, the file share is `\\WindowsFileServer.fqdn\mdatp$\wdav-update`.
+   For this example, the file share is `\\FileServer.fqdn\mdatp$\wdav-update`.
 
 ### Set a scheduled task to run the PowerShell script
 
@@ -158,102 +155,171 @@ If you would prefer to do everything manually, here's what to do to replicate th
    > [!NOTE]
    > The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package.
 
-## Randomize scheduled scans
+## Microsoft Defender Antivirus configuration settings
 
-Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md).
+It's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.  It's optimized for VDI environments.
 
-The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization causes Microsoft Defender Antivirus to start a scan on each machine within a four-hour window from the time set for the scheduled scan.
+> [!TIP]
+> The latest Windows group policy administrative templates are available in [Create and manage Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
 
-See [Schedule scans](schedule-antivirus-scans.md) for other configuration options available for scheduled scans.
+### Root
 
-## Use quick scans
+- Configure detection for potentially unwanted applications: `Enabled - Block`
 
-You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they're designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy.
+- Configure local administrator merge behavior for lists: `Disabled`
 
-1. In your Group Policy Editor, go to **Administrative templates** \> **Windows components** \> **Microsoft Defender Antivirus** \> **Scan**.
+- Control whether or not exclusions are visible to Local Admins: `Enabled`
 
-2. Select **Specify the scan type to use for a scheduled scan** and then edit the policy setting.
+- Turn off routine remediation: `Disabled`
 
-3. Set the policy to **Enabled**, and then under **Options**, select  **Quick scan**.
+- Randomize scheduled scans: `Enabled`
 
-4. Select **OK**.
+### Client Interface
 
-5. Deploy your Group Policy object as you usually do.
+- Enable headless UI mode: `Enabled`
 
-## Prevent notifications
+   > [!NOTE]
+   > This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization.
 
-Sometimes, Microsoft Defender Antivirus notifications are sent to or persist across multiple sessions. To help avoid user confusion, you can lock down the Microsoft Defender Antivirus user interface. The following procedure describes how to suppress notifications using Group Policy.
+- Suppress all notifications: `Enabled`
 
-1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Client Interface**.
+> [!NOTE]
+> Sometimes, Microsoft Defender Antivirus notifications are sent to or persist across multiple sessions. To help avoid user confusion, you can lock down the Microsoft Defender Antivirus user interface.
+> Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up when scans are done or remediation actions are taken. However, your security operations team sees the results of a scan if an attack is detected and stopped. Alerts, such as an initial access alert, are generated, and appear in the [Microsoft Defender portal](https://security.microsoft.com).
 
-2. Select **Suppress all notifications** and then edit the policy settings.
+### MAPS
 
-3. Set the policy to **Enabled**, and then select **OK**.
+- Join Microsoft MAPS (Turn on cloud-delivered protection): `Enabled - Advanced MAPS`
 
-4. Deploy your Group Policy object as you usually do.
+- Send file samples when further analysis is required: `Send all samples (more secure)` or `Send safe sample (less secure)`
 
-Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up when scans are done or remediation actions are taken. However, your security operations team sees the results of a scan if an attack is detected and stopped. Alerts, such as an initial access alert, are generated, and appear in the [Microsoft Defender portal](https://security.microsoft.com).
+### MPEngine
 
-## Disable scans after an update
+- Configure extended cloud check: `20`
 
-Disabling a scan after an update prevents a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image).
+- Select cloud protection level: `Enabled - High`
 
-> [!IMPORTANT]
-> Running scans after an update helps ensure your VMs are protected with the latest security intelligence updates. Disabling this option reduces the protection level of your VMs and should only be used when first creating or deploying the base image.
+- Enable file hash computation feature: `Enabled`
 
-1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Security Intelligence Updates**.
+> [!NOTE]
+> "Enable file hash computation feature" is only needed if using Indicators – File hash.  It can cause higher amount of CPU utilization, since it has to parse thru each binary on disk to get the file hash.
 
-2. Select **Turn on scan after security intelligence update** and then edit the policy setting.
+### Real-time protection
 
-3. Set the policy to **Disabled**.
+- Configure monitoring for incoming and outgoing file and program activity: `Enabled – bi-directional (full on-access)`
 
-4. Select **OK**.
+- Monitor file and program activity on your computer: `Enabled`
 
-5. Deploy your Group Policy object as you usually do.
+- Scan all downloaded files and attachments: `Enabled`
 
-This policy prevents a scan from running immediately after an update.
+- Turn on behavior monitoring: `Enabled`
 
-## Disable the `ScanOnlyIfIdle` option
+- Turn on process scanning whenever real-time protection is enabled: `Enabled`
 
-Use the following cmdlet, to stop a quick or scheduled scan whenever the device goes idle if it is in passive mode.
+- Turn on raw volume write notifications: `Enabled`
 
-```PowerShell
-Set-MpPreference -ScanOnlyIfIdleEnabled $false
-```
+### Scans
+
+- Check for the latest virus and spyware security intelligence before running a scheduled scan: `Enabled`
+
+- Scan archive files: `Enabled`
+
+- Scan network files: `Not configured`
+
+- Scan packed executables: `Enabled`
+
+- Scan removable drives: `Enabled`
+
+- Turn on catch-up full scan (Disable catch-up full scan): `Not configured`
+
+- Turn on catch-up quick scan (Disable catchup quick scan): `Not configured`
+
+   > [!NOTE]
+   > If you want to harden, you could change "Turn on catch-up quick scan" to enabled, which will help when VMs have been offline, and have missed two or more consecutive scheduled scans.  But since it is running a scheduled scan, it will use additional CPU.
+
+- Turn on e-mail scanning: `Enabled`
+
+- Turn on heuristics: `Enabled`
+
+- Turn on reparse point scanning: `Enabled`
+
+#### General scheduled scan settings
+
+- Configure low CPU priority for scheduled scans (Use low CPU priority for scheduled scans): `Not configured`
+
+- Specify the maximum percentage of CPU utilization during a scan (CPU usage limit per scan): `50`
 
-You can also disable the `ScanOnlyIfIdle` option in Microsoft Defender Antivirus by configuration via local or domain group policy. This setting prevents significant CPU contention in high density environments.
+- Start the scheduled scan only when computer is on but not in use (ScanOnlyIfIdle): `Not configured`
 
-For more information, see [Start the scheduled scan only when computer is on but not in use](https://admx.help/?Category=SystemCenterEndpointProtection&Policy=Microsoft.Policies.Antimalware::scan_scanonlyifidle).
+- Use the following cmdlet, to stop a quick or scheduled scan whenever the device goes idle if it is in passive mode.
 
-## Scan VMs that have been offline
+   ```powershell
 
-1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Scan**.
+   Set-MpPreference -ScanOnlyIfIdleEnabled $false
 
-2. Select **Turn on catch-up quick scan** and then edit the policy setting.
+   ```
+
+> [!TIP]
+> The setting, "Start the scheduled scan only when computer is on but not in use" prevents significant CPU contention in high-density environments.
+
+#### Daily quick scan
+
+- Specify the interval to run quick scans per day: `Not configured`
+
+- Specify the time for a daily quick scan (Run daily quick scan at): `12 PM`
+
+#### Run a weekly scheduled scan (quick or full)
+
+- Specify the scan type to use for a scheduled scan (Scan type): `Not configured`
+
+- Specify the time of day to run a scheduled scan (Day of week to run scheduled scan): `Not configured`
+
+- Specify the day of the week to run a scheduled scan (Time of day to run a scheduled scan): `Not configured`
+
+### Security Intelligence Updates
+
+- Turn on scan after security intelligence update (Disable scans after an update): `Disabled`
 
-3. Set the policy to **Enabled**.
+   > [!NOTE]
+   > Disabling a scan after a security intelligence update prevents a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image).
+
+   > [!IMPORTANT]
+   > Running scans after an update helps ensure your VMs are protected with the latest security intelligence updates. Disabling this option reduces the protection level of your VMs and should only be used when first creating or deploying the base image.
+
+- Specify the interval to check for security intelligence updates (Enter how often to check for security intelligence updates): `Enabled - 8`
+
+- Leave other settings in their default state
+
+### Threats
+
+- Specify threat alert levels at which default action shouldn't be taken when detected: `Enabled`
 
-4. Select **OK**.
+- Set `Severe (5)`, `High (4)`, `Medium (2)`, and `Low (1)` all to `Quarantine (2)`, as shown in the following table:
 
-5. Deploy your Group Policy Object as you usually do.
+   |Value name|Value |
+   | -------- | -------- |
+   |`1` (Low) |`2` |
+   |`2` (Medium) |`2`|
+   |`4` (High) |`2`|
+   |`5` (Severe) |`2`|
 
-This policy forces a scan if the VM missed two or more consecutive scheduled scans.
+### Attack surface reduction rules
 
-## Enable headless UI mode
+Configure all available rules to `Audit`.
 
-1. In your Group Policy Editor, go to **Windows components** \> **Microsoft Defender Antivirus** \> **Client Interface**.
+### Enable network protection
 
-2. Select **Enable headless UI mode** and edit the policy.
+Prevent users and apps from accessing dangerous websites (Enable network protection): `Enabled - Audit mode`.
 
-3. Set the policy to **Enabled**.
+### SmartScreen for Microsoft Edge
 
-4. Select **OK**.
+- Require SmartScreen for Microsoft Edge: `Yes`
 
-5. Deploy your Group Policy Object as you usually do.
+- Block malicious site access: `Yes`
 
-This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization.
+- Block unverified file download: `Yes`
 
-## Run the "Windows Defender Cache Maintenance" scheduled task
+## Run the Windows Defender Cache Maintenance scheduled task
 
 Optimize the "Windows Defender Cache Maintenance" scheduled task for non-persistent and/or persistent VDI environments. Run this task on the main image before sealing.
 
@@ -263,10 +329,21 @@ Optimize the "Windows Defender Cache Maintenance" scheduled task for non-persist
 
 3. Select **Run**, and let the scheduled task finish.
 
-## Exclusions
+   > [!WARNING]
+   > If you do not do this, it can cause higher cpu utilization while the cache maintenance task is running on each of the VMs.
+
+### Enable tamper protection
+
+Enable tamper protection to prevent Microsoft Defender Antivirus from being disabled in the [Microsoft Defender portal](https://security.microsoft.com).
+
+### Exclusions
 
 If you think you need to add exclusions, see [Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).
 
+## Next step
+
+If you're also deploying [endpoint detection and response](overview-endpoint-detection-response.md) (EDR) to your Windows-based VDI VMs, see [Onboard non-persistent virtual desktop infrastructure (VDI) devices in Microsoft Defender XDR](/defender-endpoint/configure-endpoints-vdi).
+
 ## See also
 
 - [Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent VDI machines](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633)