Demystifying AV in a VDI Environment
In this post, we’ll focus on how your AV provider can influence VDI performance. Like everyone, I have AV preferences based on my previous experience.
It’s up to you which AV you use; I can only provide you with some thoughts and insights.
You still need exclusions, even if you’re using a behavior-based AV/EDR/XDR solution.
I can provide you with enough support articles from official sources to underline this.
I tried to highlight my experience in the following table:
Experience | Product | Product |
---|---|---|
Best for XDR & Performance | Crowdstrike | Defender (fully onboarded with Defender for Endpoint Plan 2) |
Good for XDR but awful for performance | SentinelOne | Cortex XDR |

Now we’re getting to the point where we are pimping your AV solution in order to maintain performance.
For this, we need to differentiate between MultiSession OS (Terminal Server based on WS2025, WS2022, etc. or W11 MultiSession-OS on Azure/Azure Local) and SingleSession OS (Windows 10 -> get rid of that, or Windows 11).
Guide when using a 3rd Party AV Provider
Multisession OS
1. Get rid of Windows Defender
Nope, your 3rd party AV is not able to disable Defender.
Technical explanation: Windows Security Center (WSC) is simply not available on a Server OS.
A 3rd party AV therefore can’t register itself as a different provider, and hence can’t disable Defender.
Note:
This also applies to non-VDI environments. Your file server, Exchange Server, etc., behave the same.
This can be achieved with the following PowerShell cmdlet:
Uninstall-WindowsFeature Windows-Defender
Note: The behaviour on Windows Server 2016 is different. I won’t cover this, as you should get rid of that OS.
Note 2: You could also only disable Defender Real-time Protection via PowerShell. This is a manual task and can’t be managed via GPO. It usually also re-enables after boot.
To be honest, I never had this use case. It was always only either/or. Also, if I’m not using a product, why should I leave it installed?
2. Install the AV provider of your choice
Guide for Crowdstrike:
The installer command line differs when using non-persistent machines. For persistent machines, there’s no difference compared to the rest of your infrastructure.
Command line for Crowdstrike non-persistent VDI:
WindowsSensor.exe /install CID=xxxx VDI=1
3. Enable your required policies, block modes, and configure exclusions
I’ll get to references at the end of the blog.
SingleSession OS
1. You can’t fully uninstall Defender.
There are some ways, like using a custom deployment and excluding Defender in the first place.
Other shady workarounds are known but highly inadvisable.
2. Install the AV provider of your choice.
You can use the same method as above.
The installer command line differs when using non-persistent machines. For persistent machines, there’s no difference compared to your other clients.
Command line for Crowdstrike non-persistent VDI:
WindowsSensor.exe /install CID= VDI=1
3. Enable your required policies, block modes, and configure exclusions
Turn on your desired policies and your AV provider will register itself in the WSC as a security provider. The required policy for CS to register itself in WSC is the Prevention Policy.
4. Check Defender
Ensure Defender is running in passive mode or is completely disabled.
Big note
Defender switches automatically into passive mode if another AV provider registers itself AND Smart App Control is enabled.
If you want to use Smart App Control, you need to onboard your VDIs.
Smart App Control doesn’t require a license, but onboarding your devices does (Plan 1 or Plan 2).
If you don’t onboard your devices, PowerShell output states Defender is still running in passive mode, but I’m not really sure about that.
As of writing today, I’ll update this part as soon as I have a response from the MSFT Product Team.
Even bigger performance note
Defender is consuming considerable memory and CPU cycles on every VDI as the MsSense and other services “passively” scan every action on the Windows endpoint.
This means Defender is still scanning all files. This can lead in some cases to locked files, preventing some software from operating correctly.
Also, if you use Defender in passive mode, be sure to exclude MsSense.exe and the Defender program folder from your 3rd party AV provider.
In general, Microsoft Defender Antivirus can be set to passive mode only on endpoints that are onboarded to Defender for Endpoint.
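To make step 1 (multi-session OS) and step 4 (single-session OS) verifiable, here is a state-check script. It is an added example, not part of the original post or any vendor’s tooling. It assumes an elevated session and uses only documented cmdlets and registry values; the decoding of the WSC productState bit field is a widely used convention rather than an official API, so treat the Enabled column as a hint and confirm in the Windows Security app.

```powershell
# Added example (not from the original post): report Defender's state so you can verify
# step 1 for multi-session OS and step 4 for single-session OS. Run elevated.

$os = Get-CimInstance -ClassName Win32_OperatingSystem
# ProductType: 1 = workstation (this includes Windows 10/11 multi-session), 2 = DC, 3 = server
$isServer = $os.ProductType -ne 1

if ($isServer) {
    # Server OS has no Windows Security Center, so the feature has to be removed
    # (Uninstall-WindowsFeature Windows-Defender); the 3rd-party AV cannot "disable" it.
    $feature = Get-WindowsFeature -Name Windows-Defender
    [pscustomobject]@{
        OS              = $os.Caption
        DefenderFeature = $feature.InstallState   # Installed / Available / Removed
    } | Format-List
}
else {
    # Client OS: list the antivirus products registered in Windows Security Center.
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
        ForEach-Object {
            $hex = '{0:X6}' -f $_.productState
            [pscustomobject]@{
                Provider = $_.displayName
                Enabled  = ($hex.Substring(2, 2) -eq '10')   # middle byte 0x10 = enabled (convention, not documented)
                State    = "0x$hex"
            }
        } | Format-Table -AutoSize
}

# Defender's own view of its mode, if the platform is still present.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    [pscustomobject]@{
        AMRunningMode      = $mp.AMRunningMode   # Normal / Passive Mode / EDR Block Mode / SxS Passive Mode
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        AntivirusEnabled   = $mp.AntivirusEnabled
    } | Format-List
}
else {
    Write-Host 'Defender platform not present (feature removed or cmdlets unavailable).'
}

# Passive mode only sticks on onboarded devices (see the note above). ForceDefenderPassiveMode
# is the documented registry switch used on Server; Sense is the MDE sensor service (MsSense.exe).
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
$force  = (Get-ItemProperty -Path $polKey -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
$sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
"ForceDefenderPassiveMode = $(if ($null -eq $force) { 'not set' } else { $force }); Sense service = $(if ($sense) { $sense.Status } else { 'not present' })"
```

On a multi-session image you want DefenderFeature = Removed. On a single-session image you want your 3rd-party provider listed as enabled and AMRunningMode reporting Passive Mode (onboarded) or the Defender cmdlets reporting AntivirusEnabled = False (not onboarded, Defender disabled automatically).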
Guide when using Microsoft Defender for Endpoint
There’s no difference between MultiSession OS and SingleSession OS from a configuration perspective.
- Download the onboarding script from security.microsoft.com
- Onboard your VDIs. There are different ways to onboard your device:
  - Domain Group Policy
    - Onboard only your clones at boot. It’s best practice to keep master and clones in separate domain OUs.
  - Local Group Policy
    - Don’t do this. Explanation follows.
  - Use cool management tools like Citrix WEM
    - The onboarding script runs as an external task after boot. Exclusions are made immediately and the boot process is not slowed down. Definitely my preferred way.
Notes:
Avoid local group policies. Using this method would mean placing the script on your master. Of course, you can exclude the hostname of the master, but why even make this effort?
99% of the environments I’ve analyzed where this was done had an onboarded master image.
Offboarding your master before rolling it out requires manual interaction via PSEXEC.
The SenseGUID is unique and onboarding your master/golden image in either way is simply wrong.
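A pre-seal check that catches an onboarded master before it gets rolled out, as an added example (not from the original post, not a Microsoft tool). It assumes an elevated session on the master and uses the documented OnboardingState registry value plus the Sense service as the only indicators; it does not offboard anything, it just refuses to let you continue.

```powershell
# Added example (not from the original post): fail loudly if the master/golden image is
# onboarded to Defender for Endpoint, which would give every clone the same SenseGUID.

function Test-MdeOnboarded {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OnboardingState = $state                                              # 1 = onboarded, 0 or absent = not onboarded
        SenseService    = $(if ($sense) { $sense.Status }    else { 'not present' })
        SenseStartType  = $(if ($sense) { $sense.StartType } else { 'n/a' })
        IsOnboarded     = ($state -eq 1)
    }
}

$result = Test-MdeOnboarded
$result | Format-List

if ($result.IsOnboarded) {
    Write-Error ('Master image is onboarded to Defender for Endpoint. Offboard it with the ' +
                 'offboarding package before sealing, otherwise every clone shares one SenseGUID.')
    exit 1
}
Write-Host 'OK: master image is not onboarded; safe to seal.'
```

Run it as the last step of your sealing workflow (BISF or whatever framework you use) so a stray onboarding via local GPO is caught before the clones are created rather than after you see duplicate or flapping devices in the portal.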
EntraID-joined-only devices don’t have the option to be managed via GPO. This means you have two options:
- Use Citrix WEM
- Onboard your devices into Intune
  - Join them when adding the VDIs to the host pool
  - Manually via the Azure extension (needs to be run via PS):
    az vm extension set --publisher Microsoft.Azure.ActiveDirectory --name AADLoginForWindows --resource-group xxx --vm-name xxx --settings '{"mdmId": "0000000a-0000-0000-c000-000000000000"}'
For non-persistent devices, in each situation you need to be sure your VDIs have a unique entry in your AV security portal.
Not doing so (duplicate entries) will cause abnormal behaviour, and this behaviour is very hard to verify.
OS and AV Mode Reference Table
Windows version | Primary antivirus/antimalware solution | Microsoft Defender Antivirus state |
---|---|---|
Windows 10, Windows 11 | Microsoft Defender Antivirus | Active mode |
Windows 10, Windows 11 | A non-Microsoft antivirus/antimalware solution | Disabled mode (happens automatically). In Windows 11 (clean install), if Smart App Control is enabled, Microsoft Defender Antivirus goes into passive mode |
Windows Server 2022, Windows Server 2019 | Microsoft Defender Antivirus | Active mode |
Windows Server 2025, Windows Server 2022, Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | Disabled (set manually) |
Configure your exclusions
FSLogix
https://learn.microsoft.com/en-us/fslogix/overview-prerequisites
Citrix-specific exclusions
https://community.citrix.com/tech-zone/build/tech-papers/antivirus-best-practices/
3rd-party exclusions
Shoutout to John Billekens, who created an index with an exclusion list for most products.
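Exclusions for Crowdstrike, S1 and Cortex are configured in the vendor console, so the only place a local script helps is Defender (active, or passive next to your 3rd-party AV). The following is an added example, not from the original post or from Microsoft: it applies a set of Defender exclusions idempotently and verifies they actually took. The sample entries are a subset of what the FSLogix prerequisites page linked above listed at the time of writing; check them against the current page and add your Citrix and 3rd-party entries the same way. Assumes an elevated session.

```powershell
# Added example (not from the original post): apply Defender exclusions idempotently and verify.
# Defender expands %ProgramFiles%, %TEMP% and %windir% itself (in the system context),
# so the entries are kept as literal strings exactly as the FSLogix docs list them.
$pathExclusions = @(
    '%ProgramFiles%\FSLogix\Apps\frxdrv.sys',
    '%ProgramFiles%\FSLogix\Apps\frxdrvvt.sys',
    '%ProgramFiles%\FSLogix\Apps\frxccd.sys',
    '%TEMP%\*.VHD',
    '%TEMP%\*.VHDX',
    '%windir%\TEMP\*.VHD',
    '%windir%\TEMP\*.VHDX',
    '%ProgramData%\FSLogix\Cache\*',
    '%ProgramData%\FSLogix\Proxy\*'
)
$processExclusions = @(
    '%ProgramFiles%\FSLogix\Apps\frxccd.exe',
    '%ProgramFiles%\FSLogix\Apps\frxccds.exe',
    '%ProgramFiles%\FSLogix\Apps\frxsvc.exe'
)

function Add-DefenderExclusionSet {
    param([string[]]$Paths = @(), [string[]]$Processes = @())

    # Only add what is not already present, so re-running at every boot is harmless.
    $before   = Get-MpPreference
    $newPaths = @($Paths     | Where-Object { $before.ExclusionPath    -notcontains $_ })
    $newProcs = @($Processes | Where-Object { $before.ExclusionProcess -notcontains $_ })

    if ($newPaths.Count) { Add-MpPreference -ExclusionPath    $newPaths }
    if ($newProcs.Count) { Add-MpPreference -ExclusionProcess $newProcs }

    # Verify. Anything still missing was most likely blocked by tamper protection or by a
    # central policy (GPO/Intune) that disables local admin merge; fix it in that policy.
    $after   = Get-MpPreference
    $missing = @($Paths     | Where-Object { $after.ExclusionPath    -notcontains $_ }) +
               @($Processes | Where-Object { $after.ExclusionProcess -notcontains $_ })

    [pscustomobject]@{
        AddedPaths     = $newPaths.Count
        AddedProcesses = $newProcs.Count
        Missing        = $missing
    }
}

Add-DefenderExclusionSet -Paths $pathExclusions -Processes $processExclusions | Format-List
```

The verification step is the part that matters on VDI: if Missing is not empty, your exclusions are managed elsewhere and the local call silently did nothing, which is exactly the situation that produces "but I excluded that" tickets.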
Other AV Specific Settings/Recommendations:
- Don’t perform full scans on your clones. I had cases where AV was performing a full scan on boot.
- Seal your master Image using a Framework like BISF
- Perform a full scan on your master.
- Certain “intelligent” AVs have ignored exclusions in the past. Keep this in mind. This can only be solved by support.
- When using versioning, go with N-2.
Crowdstrike
- The VDI flag will prevent the sensor from assigning a unique sensor ID to the host.
- When reinstalling the Falcon agent to seal your image, it’s best practice to leave the image “on” for 30 mins before powering down. That way, the Falcon agent can fetch any IOA/IOC exclusions you’ve configured and avoid race conditions on next start.
- Assign the same exclusion policy to the master and clones.
The NO_START=1 flag is used only for templates, not for VDI images. If you’re doing so, remove it from your install line. NO_START=1 tells the sensor not to start until the next boot. It prevents a sensor ID from being assigned so a snapshot can be taken. It is valid only once!
The support area is only accessible for existing customers.
Defender
- For tuning and analyzing your settings, you can use the Performance Analyzer tool.
- For a guide on how to configure Defender, I can reference:
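Here is how the Performance Analyzer is used in practice on a clone, as an added example (not from the original post). It assumes an elevated session and a Defender platform version that ships the New-MpPerformanceRecording and Get-MpPerformanceReport cmdlets; the recording path is just a constructed example.

```powershell
# Added example (not from the original post): record Defender scan activity on a VDI clone
# for one minute, then list the top offenders as exclusion candidates.
$etl = Join-Path $env:TEMP 'defender-perf.etl'   # constructed example path

# Non-interactive recording for a fixed period; reproduce the slow user action while it runs
# (logon, FSLogix profile attach, launching the line-of-business app).
New-MpPerformanceRecording -RecordTo $etl -Seconds 60

# Summary: top scans, files, extensions and processes by scan time.
# Exclusion candidates are your own components (FSLogix, Citrix, LOB apps), not Windows itself.
Get-MpPerformanceReport -Path $etl -TopScans 10 -TopFiles 10 -TopExtensions 10 -TopProcesses 10

# Individual scans that took longer than 100 ms; these are the ones users feel at logon.
Get-MpPerformanceReport -Path $etl -TopScans 20 -MinDuration 100ms
```

Run it on a clone under real user load, not on the master: the master has no profiles attached and no users logged on, so its recording tells you nothing about what the AV is doing in production.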
Palo Alto Cortex
- A guide can be found here:
SentinelOne (S1)
- The support area is only accessible for existing customers.
As always, feel free to drop a comment and leave your thoughts.