Azure Virtual Desktop: Onboarding AVD session hosts to Microsoft Defender for Endpoint

Azure Virtual Desktop (AVD) has become the go-to solution for enterprises delivering scalable, secure, and cost-effective virtual desktops in the cloud. However, running Windows session hosts in the cloud does not make them immune to threats — quite the opposite. With users connecting from diverse endpoints and networks, AVD environments present an attractive target for attackers.

Microsoft Defender for Endpoint (MDE) is the enterprise-grade EDR/XDR solution that provides comprehensive protection across your AVD fleet: threat detection, vulnerability management, attack surface reduction, and automated investigation & response. This guide walks you through onboarding your AVD Windows session hosts to MDE — covering both persistent and non-persistent (pooled/ephemeral) VMs — with production-grade best practices.

Why Microsoft Defender for Endpoint for AVD?

Traditional AV solutions were not designed with VDI in mind. MDE solves several VDI-specific challenges:

Challenge | MDE Solution
Boot storms from AV scans on shared sessions | Cloud-delivered, behavior-based detection reduces local scan overhead
Non-persistent VMs lose agent config on reimage | Golden image onboarding + Intune/MEM push ensures every new VM is covered
Lateral movement across session hosts | Network protection & EDR telemetry across the entire AVD fleet
Compliance & audit requirements | Unified Security Center dashboard with centralized alerts & vulnerability data
Mixed OS versions (Win10 / Win11 multi-session) | Single MDE portal covers all Windows versions with consistent policy


Prerequisites

Ensure the following are in place before you begin:

Licensing

  • Microsoft 365 E5, E5 Security, or Microsoft Defender for Endpoint Plan 2 (standalone)
  • Microsoft 365 A5 / G5 for Education / Government variants also supported


💡 Tip:
AVD session hosts consuming MDE are licensed per user (not per device) when the user holds a qualifying M365 license. Verify your EA/CSP agreement covers virtual machine endpoints.

Azure & AVD Requirements

  • AVD host pool deployed (pooled or personal)
  • Session hosts running Windows 10 21H2+ or Windows 11 multi-session
  • Entra ID joined or Hybrid Azure AD joined session hosts
  • Outbound HTTPS (443) access to MDE service endpoints from the VNet/subnet
  • Microsoft Intune (recommended) or Group Policy (GPO) for policy management

Permissions

  • Global Administrator or Security Administrator in Microsoft Entra ID
  • Contributor or Owner on the Azure subscription hosting AVD
  • Access to Microsoft Defender portal: security.microsoft.com

Onboarding Architecture Overview

There are three primary onboarding paths for AVD session hosts. Choose based on your management toolchain:

Method | Best For | Persistent VMs | Non-Persistent VMs
Microsoft Intune / MEM | Cloud-native, Azure AD joined AVD | ✅ | Golden image + MDM
Group Policy (GPO) | Hybrid AD environments, on-prem DC | ✅ | Startup script
Local Script (manual) | Testing, PoC, small deployments | ⚠️ Not recommended at scale | Not suitable (see note below)

⚠️ Important: For non-persistent (pooled) AVD hosts, onboarding must be baked into the golden image or deployed via MDM/GPO startup script. Agent-based onboarding via manual script is not suitable for ephemeral VMs.

Step-by-Step Onboarding Guide

Step 1: Verify MDE Tenant Configuration

Before onboarding any device, confirm your MDE tenant is correctly configured:

  • Navigate to https://security.microsoft.com
  • Go to Settings > Endpoints > Onboarding
  • Confirm the region matches your AVD deployment region (data residency)
  • Under ‘Device management’ confirm your preferred onboarding method
🔐 Note: MDE data residency cannot be changed after initial configuration. Ensure the region aligns with your compliance requirements before onboarding the first device.

Step 2: Configure AVD Session Hosts for VDI Mode

AVD hosts should be configured with VDI-specific MDE settings to optimize performance in shared, multi-session environments. Apply these registry keys via GPO or Intune:

# PowerShell – Apply VDI-optimized MDE registry settings
# Run elevated on the golden image or via startup script
$RegPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
New-Item -Path $RegPath -Force | Out-Null
# Keep Defender Antivirus in active mode (0 = not passive) so AV and EDR both protect the host
Set-ItemProperty -Path $RegPath -Name 'ForceDefenderPassiveMode' -Value 0 -Type DWord
# Disable automatic sample submission (optional, for data sovereignty).
# This is a Defender Antivirus policy value and lives under the Windows Defender\Spynet key,
# not under the Advanced Threat Protection key; 2 = never send samples.
$SpynetPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
New-Item -Path $SpynetPath -Force | Out-Null
Set-ItemProperty -Path $SpynetPath -Name 'SubmitSamplesConsent' -Value 2 -Type DWord
# Set device tag for AVD identification in MDE portal
$TagPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
New-Item -Path $TagPath -Force | Out-Null
Set-ItemProperty -Path $TagPath -Name 'Group' -Value 'AVD-SessionHosts' -Type String
Write-Output 'MDE VDI registry settings applied successfully.'


Step 3: Download the Onboarding Package

Download the onboarding package from the Defender portal:

  • Go to security.microsoft.com > Settings > Endpoints > Onboarding
  • Select operating system: Windows 10 and 11
  • Select deployment method: Mobile Device Management / Microsoft Intune OR Group Policy
  • Click ‘Download onboarding package’ — this downloads a .zip containing the onboarding script/policy
📋 Note: The onboarding package is tenant-specific. Do not share it across tenants. It contains your tenant’s MDE workspace ID and key.

Step 4a: Onboard via Microsoft Intune (Recommended for Cloud-Native AVD)

4a.1 — Create MDE Connector in Intune

  • In Intune admin center (intune.microsoft.com), go to Endpoint security > Microsoft Defender for Endpoint
  • Click ‘Open the Microsoft Defender Security Center’ and complete the connector setup
  • Back in Intune, enable ‘Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint’
  • Set compliance policy to mark devices without MDE as non-compliant (recommended)

4a.2 — Create Configuration Profile for MDE Onboarding

// Intune Configuration Profile – MDE Onboarding for AVD
// Navigate: Intune > Devices > Configuration profiles > Create profile
Platform: Windows 10 and later
Profile type: Templates > Microsoft Defender for Endpoint (desktop devices running Windows 10 or later)
Settings:
Microsoft Defender for Endpoint client configuration package type: Onboard
Sample sharing for all files: Block
Expedite telemetry reporting frequency: Enable
Assignment: Assign to AVD Device Group (or dynamic group targeting AVD session hosts)

4a.3 — Create Dynamic Device Group for AVD Hosts
Create an Entra ID dynamic group to automatically capture AVD session hosts:

// Dynamic Group Rule – targets Azure AD joined AVD session hosts
// Adjust the displayName prefix to match your host pool naming convention
(device.displayName -startsWith "AVD-") and
(device.deviceOSType -eq "Windows") and
(device.managementType -eq "MDM")

Step 4b: Onboard via Group Policy (Hybrid AD Environments)

For AVD host pools joined to on-premises AD (Hybrid Azure AD Join), use GPO-based onboarding:

  • Extract the downloaded onboarding package ZIP to a network share accessible by session hosts
  • Open Group Policy Management Console (GPMC) on your domain controller
  • Create a new GPO and link it to the OU containing your AVD session host computer objects
  • Navigate to: Computer Configuration > Preferences > Windows Settings > Files
  • Copy WindowsDefenderATP.onboarding from the package to C:\Windows\System32 on each host

GPO Startup Script (for Non-Persistent Pools)

# Startup Script: MDE-Onboard-AVD.ps1
# GPO Path: Computer Config > Windows Settings > Scripts > Startup
# Runs as SYSTEM at boot; the share must grant read access to the session host computer accounts

$OnboardingScript = '\\fileserver\MDE\WindowsDefenderATPLocalOnboardingScript.cmd'
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$Source  = 'MDE-AVD-Onboard'

# Register the event source once, otherwise Write-EventLog fails on a fresh host
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# Check if already onboarded (OnboardingState = 1 once the Sense service has registered)
$OnboardStatus = Get-ItemProperty -Path $RegPath -Name 'OnboardingState' -ErrorAction SilentlyContinue

if ($OnboardStatus.OnboardingState -ne 1) {
    Write-EventLog -LogName Application -Source $Source -EventId 1001 -EntryType Information `
        -Message 'MDE not onboarded. Running onboarding script...'
    # Run the .cmd through cmd.exe so its exit code lands in $LASTEXITCODE.
    # Note: the "Local Script" package's .cmd prompts for confirmation; for unattended
    # startup use the non-interactive script from the Group Policy/MDM package.
    & cmd.exe /c $OnboardingScript
    if ($LASTEXITCODE -ne 0) {
        Write-EventLog -LogName Application -Source $Source -EventId 1002 -EntryType Error `
            -Message "Onboarding script exited with code $LASTEXITCODE"
    }
} else {
    Write-EventLog -LogName Application -Source $Source -EventId 1000 -EntryType Information `
        -Message 'MDE already onboarded. Skipping.'
}

Step 5: Golden Image Integration (Non-Persistent Pools)

For pooled (non-persistent) AVD host pools, MDE must be embedded in the golden image so every new session host spawned from the Shared Image Gallery (SIG) is immediately protected:

# Golden Image Preparation – Run on your AVD image build VM
# (Azure VM Image Builder, Packer, or manual golden image process)

# 1. Run Windows Update to get latest Defender platform
Install-PackageProvider -Name NuGet -Force | Out-Null
Install-Module PSWindowsUpdate -Force
Get-WUInstall -MicrosoftUpdate -AcceptAll -AutoReboot

# 2. Update Microsoft Defender Antivirus signatures
Update-MpSignature

# 3. Apply MDE VDI registry settings (from Step 2)
. .\Set-MDEVDISettings.ps1

# 4. Copy onboarding package to image
New-Item -Path 'C:\Windows\Setup\Scripts' -ItemType Directory -Force | Out-Null
Copy-Item .\WindowsDefenderATPLocalOnboardingScript.cmd C:\Windows\Setup\Scripts\

# 5. Create RunOnce for first-boot onboarding
# HKLM RunOnce entries execute once (and are then deleted) at the first logon after
# sysprep, so each clone onboards with its own post-generalization identity
$RunOncePath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Set-ItemProperty -Path $RunOncePath -Name 'MDEOnboard' `
    -Value 'C:\Windows\Setup\Scripts\WindowsDefenderATPLocalOnboardingScript.cmd'

# 6. Sysprep the image (do NOT run MDE onboarding before sysprep)
# MDE onboarding happens on FIRST BOOT after sysprep — not during image capture
Write-Output 'Golden image prepared. Ready for sysprep.'

🚫 Critical: Never run the MDE onboarding script BEFORE sysprep. If onboarded before sysprep, all cloned VMs share the same device identity in MDE, causing data conflicts and licensing issues. Onboarding must occur on first boot post-sysprep.

Step 6: Configure MDE Policies for AVD

Post-onboarding, apply AVD-specific MDE policies in the Defender portal:

Attack Surface Reduction (ASR) Rules

Apply via Intune Endpoint Security > Attack surface reduction:

ASR Rule | Recommended Mode for AVD
Block credential stealing from Windows LSASS | Block
Block process creations from PSExec and WMI | Audit (then Block after testing)
Block Office macros from creating child processes | Block
Block untrusted/unsigned processes from USB | Block
Block executable content from email/webmail client | Block
Use advanced protection against ransomware | Block

💡 Tip: Start ASR rules in Audit mode for 2-4 weeks on AVD hosts. Review the MDE portal for false positives before switching to Block. LOB applications running in AVD sessions often trigger ASR rules unexpectedly.
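The audit-first approach described in the tip can be rehearsed on a single lab session host before the Intune policy is changed. The following script is an added example, not code from the original post: it stages the six rules from the table in Audit mode with Add-MpPreference, then summarises what each rule would have blocked by reading the ASR audit (1122) and block (1121) events that Defender Antivirus writes to the Microsoft-Windows-Windows Defender/Operational log. The rule GUIDs are Microsoft's published identifiers; the way the script picks the rule GUID and process path out of the event properties is a heuristic, and production rollout should still go through the Intune Attack surface reduction policy as the section says.

```powershell
# Added example: stage ASR rules in Audit mode on a test host and summarise audit hits.
# Run elevated. Rule GUIDs are Microsoft's published ASR rule identifiers.

$AsrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from Windows LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PSExec and WMI'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block Office macros from creating child processes'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted/unsigned processes from USB'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email/webmail client'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

function Set-AsrAuditMode {
    # AuditMode logs what the rule would block without enforcing it.
    # Add-MpPreference merges with rules that are already configured locally.
    foreach ($Id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $Id `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}

function Get-AsrAuditSummary {
    param([int]$Days = 14)
    # Event 1122 = rule fired in audit mode, 1121 = rule enforced a block.
    $Events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    $Events | ForEach-Object {
        # Heuristic (assumption): the first GUID-shaped property is the rule ID and the
        # first value ending in .exe is the process that triggered the rule.
        $Values  = $_.Properties | ForEach-Object { $_.Value }
        $RuleId  = $Values | Where-Object { "$_" -match '^[0-9A-Fa-f-]{36}$' } | Select-Object -First 1
        $Process = $Values | Where-Object { "$_" -like '*.exe' } | Select-Object -First 1
        [pscustomobject]@{
            Mode     = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
            RuleName = if ($RuleId -and $AsrRules.ContainsKey("$RuleId")) { $AsrRules["$RuleId"] } else { "unknown ($RuleId)" }
            Process  = $Process
        }
    } | Group-Object RuleName, Process | Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'Rule';    e = { $_.Group[0].RuleName } },
                      @{ n = 'Process'; e = { $_.Group[0].Process } }
}

Set-AsrAuditMode
# Confirm the rules are now present on the host
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
# After the audit window, see which LOB processes each rule would have stopped
Get-AsrAuditSummary -Days 14 | Format-Table -AutoSize
```

Rules whose audit summary shows only expected LOB processes are candidates for an exclusion plus Block; a rule with no hits after the audit window can go straight to Block.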

Step 7: Verify Onboarding

Use the following methods to confirm session hosts are successfully reporting to MDE:

Method 1: MDE Portal

  • Go to security.microsoft.com > Assets > Devices
  • Filter by Device group: AVD-SessionHosts (if tag was applied in Step 2)
  • Confirm devices show ‘Active’ sensor status and recent ‘Last seen’ timestamp

Method 2: Local PowerShell Check

# Run on a session host to check MDE onboarding status

$SenseStatus = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$OnboardState = (Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue).OnboardingState

Write-Output "Sense Service Status : $($SenseStatus.Status)"
Write-Output "MDE Onboarding State : $(if ($OnboardState -eq 1) {'ONBOARDED'} else {'NOT ONBOARDED'})"

# Expected output:
# Sense Service Status : Running
# MDE Onboarding State : ONBOARDED

Method 3: Detection Test

# Run this on a test session host to trigger a test alert in MDE
# Source: Microsoft official detection test
# Run from an elevated Command Prompt (cmd.exe); the powershell.exe command is a single line

mkdir C:\test-MDATP-test
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-MDATP-test\invoice.exe');Start-Process 'C:\test-MDATP-test\invoice.exe'

# A test alert titled 'MDATP Test Alert' should appear in the MDE portal within 20 minutes

Troubleshooting Common Issues

Symptom | Likely Cause | Resolution
Device not appearing in MDE portal after 24h | Connectivity issue to MDE endpoints | Check NSG/firewall rules — allow TCP 443 to *.endpoint.security.microsoft.com
‘Sense’ service not starting | Missing onboarding config or corrupted install | Re-run onboarding script; check Event Viewer > Applications > WinDefend
All pooled VMs show same device in MDE | Onboarding ran before sysprep | Rebuild golden image; ensure onboarding runs on first boot post-sysprep
ASR rules blocking LOB application | Application behavior triggers ASR heuristics | Add process/path exclusion in MDE > Settings > Endpoints > Exclusions
High CPU on session hosts after onboarding | Full scan running during session | Schedule scans during maintenance window via Intune AV policy
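Each row of the table maps to something that can be read locally on the host, so it helps to collect all of it in one pass before opening a ticket. The script below is an added example, not code from the original post. It gathers the Sense service state and onboarding registry values (OnboardingState, OrgId, SenseId), the last day of errors from the Microsoft-Windows-SENSE/Operational log, Defender's running mode and scan timing from Get-MpComputerStatus / Get-MpPreference, the CPU time of the MsMpEng scan engine, and a TCP 443 probe. $MdeTestHost is a placeholder you must replace with a concrete hostname from your tenant's MDE URL list, because the *.endpoint.security.microsoft.com entry in the table is a wildcard and cannot be probed directly.

```powershell
# Added example: one-shot local triage for the troubleshooting table above.
# Run elevated on the affected session host; everything except the 443 probe is read locally.

$MdeTestHost = 'REPLACE-WITH-MDE-ENDPOINT-HOSTNAME'   # placeholder, see lead-in

function Get-MdeTriage {
    $StatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $Reg   = Get-ItemProperty -Path $StatusKey -ErrorAction SilentlyContinue
    $Sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $Mp    = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $Pref  = Get-MpPreference -ErrorAction SilentlyContinue

    # Sensor-side critical/error/warning events from the last 24h
    # (symptoms: Sense not starting, device never appears in the portal)
    $SenseErrors = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SENSE/Operational'
        Level     = 1, 2, 3
        StartTime = (Get-Date).AddDays(-1)
    } -MaxEvents 10 -ErrorAction SilentlyContinue

    # Outbound HTTPS reachability (symptom: device not in portal after 24h)
    $Net = Test-NetConnection -ComputerName $MdeTestHost -Port 443 -WarningAction SilentlyContinue

    # Scan engine process (symptom: high CPU after onboarding)
    $Engine = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SenseService      = if ($Sense) { $Sense.Status } else { 'NotInstalled' }
        OnboardingState   = $Reg.OnboardingState      # 1 = onboarded
        OrgId             = $Reg.OrgId                # tenant the sensor reports to
        SenseId           = $Reg.SenseId              # must differ between cloned pooled hosts
        AvRunningMode     = $Mp.AMRunningMode         # expect 'Normal', not 'Passive Mode'
        SignatureAgeDays  = $Mp.AntivirusSignatureAge
        FullScanStarted   = $Mp.FullScanStartTime     # a scan inside business hours explains CPU spikes
        ScanSchedule      = "$($Pref.ScanScheduleDay) $($Pref.ScanScheduleTime)"
        ScanCpuLoadFactor = $Pref.ScanAvgCPULoadFactor
        MsMpEngCpuSeconds = if ($Engine) { [int]$Engine.TotalProcessorTime.TotalSeconds } else { $null }
        Tcp443ToMde       = $Net.TcpTestSucceeded
        RecentSenseErrors = ($SenseErrors | ForEach-Object {
                                "$($_.Id): $(($_.Message -split "`r?`n")[0])"
                            }) -join '; '
    }
}

Get-MdeTriage | Format-List
```

Compare SenseId across two or three hosts built from the same image: identical values confirm the "onboarded before sysprep" row of the table. For deeper connectivity and sensor diagnostics, Microsoft's MDE Client Analyzer covers the same ground with a full URL check.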

Ongoing Monitoring & Maintenance

Once onboarded, establish operational hygiene to keep your AVD fleet secure:

Weekly

  • Review MDE Vulnerability Management dashboard for critical CVEs on AVD session hosts
  • Check device health report — flag any hosts with ‘Inactive’ sensor status
  • Review ASR audit events for potential rule refinements
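The weekly "flag any hosts with Inactive sensor status" item can be scripted against the Defender for Endpoint machines API instead of being read off the portal. The script below is an added example, not code from the original post. It assumes you already hold a bearer token for api.securitycenter.microsoft.com in $AccessToken (an app registration with Machine.Read.All; obtaining the token is outside this example), and it filters on the AVD-SessionHosts tag written by the Step 2 registry setting. The property names it reads (healthStatus, machineTags, lastSeen, computerDnsName) are those of the Machine resource in the MDE API.

```powershell
# Added example: weekly sensor-health report for tagged AVD hosts via the MDE machines API.

$AccessToken = 'REPLACE-WITH-BEARER-TOKEN'   # placeholder, see lead-in
$AvdTag      = 'AVD-SessionHosts'            # device tag applied in Step 2

function Get-MdeMachines {
    param([string]$Token)
    $Headers = @{ Authorization = "Bearer $Token" }
    $Uri = 'https://api.securitycenter.microsoft.com/api/machines'
    $All = @()
    # Results are paged; follow @odata.nextLink until it is absent
    do {
        $Page = Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get
        $All += $Page.value
        $Uri  = $Page.'@odata.nextLink'
    } while ($Uri)
    return $All
}

function Get-AvdSensorHealthReport {
    param([object[]]$Machines, [string]$Tag, [int]$StaleDays = 7)
    $Cutoff = (Get-Date).AddDays(-$StaleDays)
    $Machines |
        Where-Object { $_.machineTags -contains $Tag } |
        ForEach-Object {
            $LastSeen = [datetime]$_.lastSeen
            [pscustomobject]@{
                Device       = $_.computerDnsName
                HealthStatus = $_.healthStatus          # Active, Inactive, ImpairedCommunication, ...
                LastSeen     = $LastSeen
                Flag         = if ($_.healthStatus -ne 'Active' -or $LastSeen -lt $Cutoff) { 'INVESTIGATE' } else { 'OK' }
            }
        } | Sort-Object Flag, LastSeen
}

$Report = Get-AvdSensorHealthReport -Machines (Get-MdeMachines -Token $AccessToken) -Tag $AvdTag
$Report | Format-Table -AutoSize
$Report | Where-Object Flag -eq 'INVESTIGATE' |
    Export-Csv -Path ".\AVD-MDE-Health-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

On pooled host pools, Inactive entries are often the previous instances of reimaged hosts rather than broken sensors; reconcile the INVESTIGATE list against the host pool's current session host names before raising tickets.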

Monthly

  • Update golden image with latest Windows and Defender platform updates
  • Review MDE incidents and alerts scoped to AVD device group
  • Audit MDE exclusions — remove any stale or overly broad exclusions
  • Validate compliance policy: ensure all AVD hosts meet MDE health baseline

Quarterly

  • Run Microsoft Secure Score review scoped to endpoint security
  • Test incident response runbook against a simulated AVD threat scenario
  • Review MDE licensing consumption against active AVD user count

Conclusion

Onboarding your Azure Virtual Desktop session hosts to Microsoft Defender for Endpoint is a foundational security control for any enterprise AVD deployment. With the right approach — golden image integration for non-persistent pools, Intune-based policy management, VDI-optimized settings, and proper ASR tuning — you can achieve comprehensive EDR coverage across your entire AVD fleet without impacting user experience.

The investment in MDE onboarding pays dividends immediately: unified visibility across endpoints, automated threat investigation, and the ability to correlate AVD-specific threats within the broader Microsoft Defender XDR ecosystem. Whether your AVD environment serves hundreds or tens of thousands of users, MDE scales with you.

🔗 Reference Links: Microsoft Docs – Onboard Windows devices using Microsoft Endpoint Configuration Manager: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/onboarding | VDI onboarding guide: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints-vdi

About This Guide

This technical blog post was produced by Aavisek Choudhury, an enterprise AVD Architect and Microsoft MVP for AVD and W365. It reflects real-world deployment experience with Azure Virtual Desktop and Microsoft Defender for Endpoint in large-scale enterprise environments. Always validate against the latest Microsoft documentation before deploying to production.