mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-17 11:23:45 +00:00
Update deployment-vdi-windows-defender-antivirus.md
committed by
GitHub
parent
b746037bcf
commit
aded94bd5e
@ -51,7 +51,7 @@ This guide will show you how to configure your VMs for optimal protection and pe
|
|||||||
|
|
||||||
In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine - thus saving previous CPU, disk, and memory resources on individual machines.
|
In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine - thus saving previous CPU, disk, and memory resources on individual machines.
|
||||||
|
|
||||||
For more information about how this works, see the blog [BLOG TITLE](URL) or whitepaper [Windows Defender Antivirus on Virtual Desktop Infrastructure](URL). This whitepaper also looks at performance testing and provides guidance on how you can test antivirus performance on your own VDI.
|
For more information about how this works, see the whitepaper [Windows Defender Antivirus on Virtual Desktop Infrastructure](URL). This whitepaper also looks at performance testing and provides guidance on how you can test antivirus performance on your own VDI.
|
||||||
|
|
||||||
You can set this feature with Intune, Group Policy, or PowerShell.
|
You can set this feature with Intune, Group Policy, or PowerShell.
|
||||||
|
|
||||||
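Review bot: The rewritten "For more information" line still links the whitepaper to the literal placeholder `(URL)`, so removing the `[BLOG TITLE](URL)` placeholder fixes only half of the problem. Replace `(URL)` with the real whitepaper address before this is published, or drop the link markup until the address is available. In the same paragraph, the unchanged context line reads "saving previous CPU, disk, and memory resources", which looks like a typo for "precious" and could be fixed in this change.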
@ -205,113 +205,3 @@ On Windows Server 2016, Windows Defender Antivirus will automatically deliver th
|
|||||||
- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
|
- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
|
||||||
- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
|
- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
|
||||||
- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)
|
- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<!--> We recommend setting the following when deploying Windows Defender Antivirus in a VDI environment:
|
|
||||||
|
|
||||||
Location | Setting | Suggested configuration
|
|
||||||
---|---|---
|
|
||||||
Security Intelligence Updates | Define security intelligence location for VDI clients | Enabled - *Enter a file share that contains the latest definition packages*
|
|
||||||
Security Intelligence Updates | Turn on scan after signature update | Enabled
|
|
||||||
Client interface | Enable headless UI mode | Enabled
|
|
||||||
Client interface | Suppress all notifications | Enabled
|
|
||||||
Scan | Specify the scan type to use for a scheduled scan | Enabled - Quick
|
|
||||||
Scan | Turn on catch up quick scan | Enabled
|
|
||||||
Root | Randomize scheduled task times | Enabled
|
|
||||||
|
|
||||||
|
|
||||||
For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for System Center Configuration Manager and Group Policy, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section.
|
|
||||||
|
|
||||||
-->
|
|
||||||
|
|
||||||
<!-->
|
|
||||||
|
|
||||||
## Create and deploy the base image
|
|
||||||
|
|
||||||
The main steps in this section include:
|
|
||||||
|
|
||||||
1. Create your standard base image according to your requirements
|
|
||||||
2. Apply Windows Defender AV protection updates to your base image
|
|
||||||
3. Seal or “lock” the image to create a “known-good” image
|
|
||||||
4. Deploy your image to your VMs
|
|
||||||
|
|
||||||
### Create the base image
|
|
||||||
|
|
||||||
First, you should create your base image according to your business needs, applying or installing the relevant line of business (LOB) apps and settings as you normally would. Typically, this would involve creating a VHD or customized .iso, depending on how you will deploy the image to your VMs.
|
|
||||||
|
|
||||||
### Apply protection updates to the base image
|
|
||||||
|
|
||||||
After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender Antivirus protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches.
|
|
||||||
|
|
||||||
### Seal the base image
|
|
||||||
|
|
||||||
When the base image is fully updated, you should run a quick scan on the image.
|
|
||||||
|
|
||||||
After running a scan and buliding the cache, remove the machine GUID that uniquely identifies the device in telemetry for both Windows Defender Antivirus and the Microsoft Security Removal Tool. This key is located here:
|
|
||||||
|
|
||||||
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT'
|
|
||||||
|
|
||||||
Remove the string found in the 'GUID' value
|
|
||||||
|
|
||||||
This “sealing” or “locking” of the image helps Windows Defender Antivirus build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted.
|
|
||||||
|
|
||||||
You can run a quick scan [from the command line](command-line-arguments-windows-defender-antivirus.md) or via [System Center Configuration Manager](run-scan-windows-defender-antivirus.md).
|
|
||||||
|
|
||||||
>[!NOTE]
|
|
||||||
><b>Quick scan versus full scan</b>
|
|
||||||
>Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. Combined with our always on real-time protection capability - which reviews files when they are opened and closed, and whenever a user navigates to a folder – quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
|
|
||||||
>Therefore, when considering performance – especially for creating a new or updated image in preparation for deployment – it makes sense to use a quick scan only.
|
|
||||||
>A full scan, however, can be useful on a VM that has encountered a malware threat to identify if there are any inactive components lying around and help perform a thorough clean-up.
|
|
||||||
|
|
||||||
### Deploy the base image
|
|
||||||
|
|
||||||
You'll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs.
|
|
||||||
|
|
||||||
The following references provide ways you can create and deploy the base image across your VDI:
|
|
||||||
|
|
||||||
- [Single image management for Virtual Desktop Collections](https://blogs.technet.microsoft.com/enterprisemobility/2012/10/29/single-image-management-for-virtual-desktop-collections-in-windows-server-2012/)
|
|
||||||
- [Using Hyper-V to create a Base OS image that can be used for VMs and VHDs](https://blogs.technet.microsoft.com/haroldwong/2011/06/12/using-hyper-v-to-create-a-base-os-image-that-can-be-used-for-vms-and-boot-to-vhd/)
|
|
||||||
- [Plan for Hyper-V security in Windows Server 2016]( https://technet.microsoft.com/windows-server-docs/compute/hyper-v/plan/plan-for-hyper-v-security-in-windows-server-2016)
|
|
||||||
- [Create a virtual machine in Hyper-V (with a VHD)](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/get-started/create-a-virtual-machine-in-hyper-v)
|
|
||||||
- [Build Virtual Desktop templates]( https://technet.microsoft.com/library/dn645526(v=ws.11).aspx)
|
|
||||||
|
|
||||||
## Manage your VMs and base image
|
|
||||||
|
|
||||||
How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and infrastructure.
|
|
||||||
|
|
||||||
Because Windows Defender Antivirus downloads protection updates every day, or [based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time.
|
|
||||||
|
|
||||||
Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb).
|
|
||||||
|
|
||||||
### Manage updates for persistent VDIs
|
|
||||||
|
|
||||||
If you are using a persistent VDI, you should update the base image monthly, and set up protection updates to be delivered daily via a file share, as follows:
|
|
||||||
|
|
||||||
1. Create a dedicated file share location on your network that can be accessed by your VMs and your VM host (or other, persistent machine, such as a dedicated admin console that you use to manage your VMs).
|
|
||||||
|
|
||||||
2. Set up a scheduled task on your VM host to automatically download updates from the MMPC website or Microsoft Update and save them to the file share (the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) can help with this).
|
|
||||||
|
|
||||||
3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md).
|
|
||||||
|
|
||||||
4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others.
|
|
||||||
|
|
||||||
5. On or just after each Patch Tuesday (the second Tuesday of each month), [update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md) Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/).
|
|
||||||
|
|
||||||
6. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
|
|
||||||
|
|
||||||
A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them.
|
|
||||||
|
|
||||||
### Manage updates for non-persistent VDIs
|
|
||||||
|
|
||||||
If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest updates to the image.
|
|
||||||
|
|
||||||
An example:
|
|
||||||
|
|
||||||
1. Every night or other time when you can safely take your VMs offline, update your base image with the latest [protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md).
|
|
||||||
|
|
||||||
2. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
|
|
||||||
|
|
||||||
-->
|
|
||||||
|
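Review bot: The 110 deleted lines between `<!-->` and `-->` include the base-image sealing procedure, in particular the step that clears the `GUID` value under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT` (the machine GUID that identifies the device in telemetry), along with the recommended settings table and the update guidance for persistent and non-persistent VDIs. Please confirm each of these is covered in the part of the article that remains, and move anything that is still valid there rather than deleting it. The commit message "Update deployment-vdi-windows-defender-antivirus.md" gives no reason for the removal, so a one-line explanation (superseded by the shared security intelligence feature, or obsolete) would help later readers. Also note that `<!-->` is not a well-formed comment opener, so it is worth checking whether this block was actually hidden on the published page; if it was rendering, this change alters what readers see and should be called out as such.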