Onboard non-persistent virtual desktop infrastructure devices

Warning

Endpoint data loss prevention support for Windows Virtual Desktop supports single session scenarios. Multi-session scenarios on Windows Virtual Desktop are currently not supported.

Tip

If you're not an E5 customer, you can try all the premium features in Microsoft Purview for free. Use the 90-day Purview solutions trial to explore how robust Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Onboard VDI devices

Microsoft 365 supports non-persistent virtual desktop infrastructure (VDI) session onboarding.

Note

To onboard non-persistent VDI sessions, VDI devices must be on Windows 10 1809 or higher.

Onboarding VDI devices brings challenges of its own. The typical ones for this scenario are:

  • Instant early onboarding of short-lived sessions, which must be onboarded to Microsoft 365 prior to the actual provisioning.
  • The device name is typically reused for new sessions.

VDI devices can appear in the Microsoft Purview compliance portal as either:

  • Single entry for each device. Note that in this case, the same device name must be configured when the session is created, for example using an unattended answer file.
  • Multiple entries for each device - one for each session.

The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries.

Warning

In environments with low-resource configurations, the VDI boot procedure might slow down device onboarding.

  1. Get the VDI configuration package .zip file (DeviceCompliancePackage.zip) from Microsoft Purview compliance portal.

  2. In the navigation pane, select Settings > Device onboarding > Onboarding.

  3. In the Deployment method field, select VDI onboarding scripts for non-persistent endpoints.

  4. Click Download package and save the .zip file.

  5. Copy the files from the DeviceCompliancePackage folder extracted from the .zip file into the golden image under the path C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup.

  6. If you are not implementing a single entry for each device, copy DeviceComplianceOnboardingScript.cmd.

  7. If you are implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and DeviceComplianceOnboardingScript.cmd.

    Note

    If you don't see the C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup folder, it might be hidden. You'll need to choose the Show hidden files and folders option from File Explorer.

  8. Open a Local Group Policy Editor window and navigate to Computer Configuration > Windows Settings > Scripts > Startup.

    Note

    Domain Group Policy may also be used for onboarding non-persistent VDI devices.

  9. Depending on the method you'd like to implement, follow the appropriate steps:

    For single entry for each device:

    Select the PowerShell Scripts tab, then click Add (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding PowerShell script Onboard-NonPersistentMachine.ps1.

    For multiple entries for each device:

    Select the Scripts tab, then click Add (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding batch script DeviceComplianceOnboardingScript.cmd.

  10. Test your solution:

    1. Create a pool with one device.
    2. Log on to device.
    3. Log off from device.
    4. Log on to device with another user.
    5. For single entry for each device: Check only one entry in Microsoft Defender Security Center. For multiple entries for each device: Check multiple entries in Microsoft Defender Security Center.
  11. Click Devices list on the navigation pane.

  12. Use the search function by entering the device name and select Device as search type.

Updating non-persistent virtual desktop infrastructure (VDI) images

As a best practice, we recommend using offline servicing tools to patch golden images.

For example, you can use the following commands to install an update while the image remains offline:

DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit

For more information on DISM commands and offline servicing, please refer to the articles below:

If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:

  1. After booting the golden image for online servicing or patching, run an offboarding script to turn off the Microsoft 365 device monitoring sensor. For more information, see Offboard devices using a local script.

  2. Ensure the sensor is stopped by running the command below in a CMD window:

    sc query sense
    
  3. Service the image as needed.

  4. Run the following commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to clean up the Cyber folder contents that the sensor may have accumulated since boot:

    PsExec.exe -s cmd.exe
    cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
    del *.* /f /s /q
    REG DELETE "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f
    exit
    
  5. Re-seal the golden image as you normally would.
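Before re-sealing, it is worth confirming that steps 1, 2 and 4 actually took effect, so that a clone does not boot with a running sensor or a stale identity. The following PowerShell script is an added example, not Microsoft's own tooling; it reuses the service name, registry value and folder path from the steps above and assumes it is run in the same SYSTEM context (for example via PsExec.exe -s) so that the Cyber folder is fully readable.

```powershell
# Added example: verify the golden image is clean before re-sealing.
# Paths, service name and registry value are the ones named in the steps above.
$cyberDir = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber'
$regKey   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection'
$problems = @()

# Step 2: the sensor service must be stopped (same check as 'sc query sense').
$sense = Get-Service -Name 'sense' -ErrorAction SilentlyContinue
if ($null -eq $sense) {
    $problems += 'Service "sense" not found; is the sensor installed in this image?'
} elseif ($sense.Status -ne 'Stopped') {
    $problems += "Service 'sense' is $($sense.Status); run the offboarding script and wait for it to stop."
}

# Step 4a: nothing should remain under the Cyber folder after 'del *.* /f /s /q'.
if (Test-Path -LiteralPath $cyberDir) {
    $leftover = @(Get-ChildItem -LiteralPath $cyberDir -Recurse -Force -File -ErrorAction SilentlyContinue)
    if ($leftover.Count -gt 0) {
        $problems += "$($leftover.Count) file(s) still present under $cyberDir."
    }
}

# Step 4b: the senseGuid value deleted by 'REG DELETE ... /v senseGuid' must be gone.
$guid = Get-ItemProperty -Path $regKey -Name 'senseGuid' -ErrorAction SilentlyContinue
if ($null -ne $guid) {
    $problems += "Registry value senseGuid is still present: $($guid.senseGuid)"
}

if ($problems.Count -eq 0) {
    Write-Output 'Image is clean: sensor stopped, Cyber folder empty, senseGuid removed. Ready to re-seal.'
    exit 0
}
Write-Warning 'Image is NOT ready to re-seal:'
$problems | ForEach-Object { Write-Warning " - $_" }
exit 1
```

A non-zero exit code makes the script usable as a gate in an automated image build pipeline before the re-seal step runs.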