From 1224d5ed0d108a93f71a7444f5e081cf282addf4 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 30 Mar 2017 13:34:34 -0700 Subject: [PATCH] update vdi in prep for feedback --- ...e-exclusions-windows-defender-antivirus.md | 14 +++---- ...e-exclusions-windows-defender-antivirus.md | 21 ---------- ...ployment-vdi-windows-defender-antivirus.md | 38 ++++++++++++------- ...hell-cmdlets-windows-defender-antivirus.md | 4 ++ .../use-wmi-windows-defender-antivirus.md | 2 + 5 files changed, 38 insertions(+), 41 deletions(-) diff --git a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md index ebc0cbd396..3010dbe37d 100644 --- a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -12,7 +12,7 @@ localizationpriority: medium author: iaanw --- -# Configure and validate exclusions based on file name, extension, and folder location +# Configure and validate exclusions based on file extension and folder location **Applies to:** 
@@ -41,12 +41,10 @@ Exclusion | Examples | Exclusion list ---|---|--- Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions -Any file with a specific file name | The file "sample.test", anywhere on the machine | File and folder exclusions A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions A specific process | The executable file c:\test\process.exe | File and folder exclusions list This means the exclusion lists have the following characteristics: -- If you exclude a file, the exclusion will apply to all versions of that file, regardless of where the file is located. - Folder exclusions will apply to all files and folders under that folder. - File extensions will apply to any file name with the defined extension, regardless of where the file is located. 
@@ -63,20 +61,22 @@ You can add, remove, and review the lists for exclusions in [Group Policy](#gp), You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) and [validating](#validate) your lists. -By default, local changes made to the lists (by users with administrator privileges) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, Intune, PowerShell, or WMI. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to disable this setting. +By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. + +You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. -## Configure the list of exclusions based on file or folder name or file extension +## Configure the list of exclusions based on folder name or file extension -**Use Group Policy to configure file name, folder, or file extension exclusions:** +**Use Group Policy to configure folder or file extension exclusions:** >[!NOTE] ->The exclusion will apply to any file with the defined file name - regardless of its location. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded. +>If you include a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded. 1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. diff --git a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 4e972c4578..86d980313c 100644 --- a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -201,28 +201,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use - - ## Related topics diff --git a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md index 11bd032d6e..54535d3ef1 100644 --- a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md +++ b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md 
@@ -31,7 +31,20 @@ author: iaanw In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus (Windows Defender AV) in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. -Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. For more details on the best configuration options to ensure a good balance between performance and protection, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section. +Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. + +We recommend setting the following when deploying Windows Defender AV in a VDI environment: + +Location | Setting | Suggested configuration +---|---|--- +Client interface | Enable headless UI mode | Enabled +Client interface | Suppress all notifications | Enabled +Scan | Specify the scan type to use for a scheduled scan | Enabled - Quick +Root | Randomize scheduled task times | Enabled +Signature updates | Turn on scan after signature update | Enabled +Scan | Turn on catch up quick scan | Enabled + +For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for Group Policy and System Center Configuration Manager, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section. See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support. 
@@ -54,8 +67,6 @@ There are three main steps in this guide to help roll out Windows Defender AV pr >[!NOTE] >When you manage Windows with System Center Configuration Manager, Windows Defender AV protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information. -The following table lists the configuration settings that we recommend when deploying Windows Defender AV in a VDI environment: - ## Create and deploy the base image @@ -75,7 +86,9 @@ After creating the image, you should ensure it is fully updated. See [Configure ### Seal the base image When the base image is fully updated, you should run a quick scan on the image. This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted. + >[!NOTE] >Quick scan versus full scan 
@@ -102,7 +115,7 @@ The following references provide ways you can create and deploy the base image a ## Manage your VMs and base image How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and infrastructure. -Because Windows Defender AV downloads protection updates every day, [or based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time. +Because Windows Defender AV downloads protection updates every day, or based on your protection update settings, network bandwidth can be a problem if multiple VMs attempt to download updates at the same time. Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb). 
@@ -112,9 +125,9 @@ Following the guidelines in this means the VMs will only need to download “del If you are using a persistent VDI, you should update the base image monthly, and set up protection updates to be delivered daily via a file share, as follows: 1. Create a dedicated file share location on your network that can be accessed by your VMs and your VM host (or other, persistent machine, such as a dedicated admin console that you use to manage your VMs). 2. Set up a scheduled task on your VM host to automatically download updates from the MMPC website or Microsoft Update and save them to the file share (the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) can help with this). -3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md). +3. Configure the VMs to pull protection updates from the file share. 4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others. -5. On or just after each Patch Tuesday (the second Tuesday of each month), update your base image with [the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md). Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/). +5. 
On or just after each Patch Tuesday (the second Tuesday of each month), update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update. Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/). 5. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs. A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them. @@ -125,8 +138,8 @@ A benefit to aligning your image update to the monthly Microsoft Update is that If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest updates to the image. An example: -1. Every night or other time when you can safely take your VMs offline, update your base image with t[the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md). -2. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs. +1. Every night or other time when you can safely take your VMs offline, update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update. +2. Run a quick scan on your base image before deploying it to your VMs. 
@@ -148,7 +161,7 @@ These settings can be configured as part of creating your base image, or as a da Windows Defender AV supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjuction with [Disable scans from occuring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline). -Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md). +Scheduled scans run in addition to real-time protection and scanning. The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. @@ -170,7 +183,7 @@ The start time of the scan itself is still based on the scheduled scan policy See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch). -See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans. + ### Use quick scans 
@@ -267,9 +280,6 @@ This setting will prevent a scan from occurring after receiving an update. You c This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan. -DisableCatchupQuickScan, is the setting that I use (set to OFF) to ensure that a quick scan is performed on a VM which has been offline and has missed a schedule scan. - - **Use Group Policy to enable a catch-up scan:** 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -283,6 +293,8 @@ DisableCatchupQuickScan, is the setting that I use (set to OFF) to ensure that a 1. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans. + + **Use Configuration Manager to disable scans after an update:** 1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md index 4fde6f96c2..d3d65aa3ad 100644 --- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md 
@@ -27,6 +27,10 @@ PowerShell cmdlets are most useful in Windows Server environments that don't rel > [!NOTE] > PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367). +Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that dployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. + +You can [configure which settings can be overriden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). + PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_. diff --git a/windows/keep-secure/use-wmi-windows-defender-antivirus.md b/windows/keep-secure/use-wmi-windows-defender-antivirus.md index 83c19a8f4f..cc74e07307 100644 --- a/windows/keep-secure/use-wmi-windows-defender-antivirus.md +++ b/windows/keep-secure/use-wmi-windows-defender-antivirus.md 
@@ -26,7 +26,9 @@ Windows Defender AV has a number of specific WMI classes that can be used to per The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender AV, and includes example scripts. +Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that dployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI. +You can [configure which settings can be overriden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). ## Related topics
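Review bot: in configure-extension-file-exclusions (hunk `@@ -63,20 +61,22`), the new heading "Configure the list of exclusions based on folder name or file extension" no longer covers file paths, but the rewritten NOTE directly beneath it says "If you include a fully qualified path to a file, then only that file will be excluded", and the table earlier in the file keeps the row "A specific file in a specific folder | The file c:\sample\sample.test only". Either keep file paths in the heading (for example "based on file path, folder name, or file extension") or the heading stops describing what the section actually configures.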
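Review bot: in deployment-vdi (hunk `@@ -31,7 +31,20`), the recommended-settings table has the row "Signature updates | Turn on scan after signature update | Enabled", which contradicts the rest of the guide: the later section is titled "Disable scans from occuring after every update" and is cited as a way to reduce boot storms, and the `@@ -267` hunk context states "This setting will prevent a scan from occurring after receiving an update." With this row set to Enabled every VM starts a scan on every definition delivery, which is exactly the storm the page is trying to avoid; the suggested configuration should be Disabled.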
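Review bot: in deployment-vdi (hunk `@@ -112,9 +125,9`), the persistent-VDI procedure now has two steps numbered "5." (the Patch Tuesday step and "[Run a quick scan](run-scan-windows-defender-antivirus.md)"), and that quick-scan step keeps its link while the parallel step in the non-persistent list in the following hunk is changed to plain "2. Run a quick scan on your base image". Renumber the second step to 6 and treat both lists the same way. Steps 3 and 5 also lose their links to manage-protection-updates-windows-defender-antivirus.md without any replacement pointer; if that page isn't published yet, leave a tracking comment so the cross-references can be restored rather than silently dropped.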
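Review bot: in deployment-vdi (hunk `@@ -148,7 +161,7`), the context line being edited around carries two pre-existing typos, "conjuction" and "occuring" (in the link text "Disable scans from occuring after every update"); since the paragraph is already being touched to remove the real-time protection link, fix them in the same change.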
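Review bot: in deployment-vdi (hunk `@@ -283,6 +293,8`), the two blank lines added here sit directly above the heading "**Use Configuration Manager to disable scans after an update:**", but this heading is inside the catch-up scan section (it follows the Group Policy steps for "Turn on catch-up quick scan"). It reads as a copy-paste from the previous section; rename it to "Use Configuration Manager to enable a catch-up scan:" while editing this spot. Removing the first-person "DisableCatchupQuickScan, is the setting that I use" note in the preceding hunk is the right call.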
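Review bot: in use-powershell-cmdlets (hunk `@@ -27,6 +27,10`), the added paragraph has two typos: "dployments" should be "deployments" and "overriden" should be "overridden". "the endpoint where the changes are deployed or made" is also redundant; "the endpoint where they are run" says the same thing.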
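Review bot: in use-wmi (hunk `@@ -26,7 +26,9`), the same typos as the PowerShell file ("dployments", "overriden") appear, and here the two added lines "Changes made with WMI will affect local settings ..." and "You can [configure which settings can be overriden locally ...]" have no blank line between them, so Markdown will render them as one paragraph, unlike the PowerShell page where a blank "+" line separates them. Add the blank line so both pages render identically.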