cons. If you have great processes in place to patch your systems regularly, if they are
running Server Core or Nano Server, and if people don’t log on locally, you would
probably be fine without malware protection. If you don’t have a good patch strategy, if you are
not running Server Core or Nano Server, and if administrators do log on to the servers
and browse the Web, then malware protection is probably a good idea! If you do opt to
use malware protection, ensure that you have processes in place to keep its signatures
updated and that it is supported to run on Hyper-V. Microsoft provides enterprise
malware protection with System Center Endpoint Protection and the in-box Windows
Defender in Windows Server 2016. As roles are enabled in Windows Server 2016,
exceptions are automatically configured in Windows Defender, and if System Center
Endpoint Protection is used, there are built-in templates for various server roles
including Hyper-V.
What is important is that you still run malware protection within the virtual
machines. You need malware protection running in the guest operating systems
configured to whatever guidelines exist for the workload. Even if you run malware
protection on the Hyper-V host, this does not protect the virtual machine guest
operating system. Special scenarios need to be considered—for example, VDI
environments with many desktops that are created and deleted very quickly and that
have different malware protection requirements than regular, long-term servers.
When using a solution such as Configuration Manager and Endpoint Protection, there
is a built-in randomized delay when performing periodic actions to avoid the action
running at the same time across many VMs on the same piece of hardware, which
would cause resource peaks. Investigate the various solutions available and tailor your
solution based on the services offered.
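As an added illustration of the two operational points above (keeping host signatures current and staggering periodic scans on shared hardware), the following PowerShell check is not from the book; it assumes a Windows Server 2016 Hyper-V host with the in-box Defender and Hyper-V modules, and the three-day threshold is a constructed value, not a Microsoft recommendation.

```powershell
# Added example: Windows Defender health check for a Hyper-V host.
# $MaxSignatureAgeDays is a constructed threshold; tune it to your update process.
$MaxSignatureAgeDays = 3

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# 1. Is the engine running and actually protecting the host in real time?
if (-not $status.AMServiceEnabled -or -not $status.RealTimeProtectionEnabled) {
    Write-Warning "Defender service or real-time protection is off on $env:COMPUTERNAME"
}

# 2. Are signatures being refreshed by whatever update process you rely on?
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    Write-Warning ("Signatures are {0} days old (last updated {1}); check the update process" -f
        $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated)
}

# 3. Scheduled scans on many VMs/hosts sharing hardware should be randomized so they
#    do not all fire at once and cause resource peaks.
if (-not $pref.RandomizeScheduleTaskTimes) {
    Write-Warning "Scan schedule is not randomized; consider: Set-MpPreference -RandomizeScheduleTaskTimes `$true"
}

# 4. Show where VM files live next to the manually configured exclusions so they can be
#    compared. Role-based automatic exclusions are applied by Defender itself and are not
#    listed by Get-MpPreference; only exclusions you added appear here.
$vmHost      = Get-VMHost
$vmDiskPaths = Get-VM | Get-VMHardDiskDrive | Select-Object -ExpandProperty Path
[pscustomobject]@{
    VirtualMachinePath   = $vmHost.VirtualMachinePath
    VirtualHardDiskPath  = $vmHost.VirtualHardDiskPath
    DiskFolders          = ($vmDiskPaths | Split-Path -Parent | Sort-Object -Unique)
    ManualExclusionPaths = $pref.ExclusionPath
    ManualExclusionExts  = $pref.ExclusionExtension
}
```

Run it from an elevated session on each host; it only reports, and the same guest-level checks (signature age, real-time protection) apply inside each VM, where this host-side scan does not reach.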