Forum Discussion
WVD Patch Management
Hi there,
Would be grateful if someone from MS could advise on the best method for patch management on WVD. From the following document it is advised to disable automatic updates
https://docs.microsoft.com/en-us/azure/virtual-desktop/set-up-customize-master-image
My questions are therefore as follows:
- Is there currently a best practice from MS for keeping the WVD Windows 10 VMs secure from a security patch perspective? I can't see any documentation on this.
- If automatic updates are disabled, what is the method by which VMs should be updated? Can this be done via Azure Update Management?
- If automatic updates are disabled, how does this impact Windows Defender updates?
I am hoping that the solution to this is to constantly keep the 'master image' updated and then re-deploy to the host pool? The architecture of my WVD tenant is a multi-host pool 'pooled desktop' configuration.
Thanks
15 Replies
- Jag_Patel (Copper Contributor)
Hi All,
We have a similar situation where monthly patches are not being managed and it is causing issues with user performance. We are using personal desktops with FSLogix profiles.
Is it possible to manage the patches via Intune? What would be the best way to approach this?
Regards,
Jag
- Davide Salsi (Copper Contributor)
Hi all,
With MECM CB 1910 and above, it's possible to update Windows Virtual Desktop session hosts. It's necessary to select "Windows Server, version 1903 and later" from the Products section in Software Update Point Component Properties.
Best regards,
Davide
- Yuki398 (Copper Contributor)
You can use this ARM Template for updating WVD.
https://github.com/Azure/RDS-Templates/tree/master/wvd-templates/Update%20existing%20WVD%20host%20pool
- HandA (Brass Contributor)
Hi Yuki398,
Thanks for the link. I've seen this and believe this, along with applying security & feature updates to the 'master image', is the best method for pooled desktops. If you are using personal desktops that users are modifying (deploying software etc.), you cannot remove their persistent VDIs and give them a brand new one every time the OS needs patching. It's not feasible. I think until app attach is in GA it's not a straightforward process for applying updates to personal desktops.
- knowlite (Iron Contributor)
Hi Gerry,
Why would App Attach offer a solution to your problem? App Attach makes applications seamlessly available through a separate VHD(X) drive integration. This is the opposite of users installing their own software.
I still believe that personal desktops together with FSLogix can be a solution in separating the user data from the OS. If all applications are available in the image, there would not be any issue for the user in a redeployment (for patching etc.). This enables you to have a consistent user experience across your users, compared to desktops patching separately etc.
- knowlite (Iron Contributor)
Hi Gerry,
Best practice is to take your snapshot before the sysprep, patch it, snapshot it again, sysprep and redeploy the WVD pool. You can deploy to the same pool of servers, just make sure to enter the correct total of servers you want to obtain.
Deletion of the old servers can take place after deployment.
For Defender updates, you can create a scheduled task to execute the following:
https://www.microsoft.com/en-us/wdsi/defenderupdates
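As an added illustration of the "scheduled task for Defender updates" idea above (this is example code, not something posted in the thread or published by Microsoft), the following PowerShell registers a task on a session host that refreshes definitions with the built-in `Update-MpSignature` cmdlet and adds a check you can run afterwards to confirm the signatures are actually fresh. The task name, repetition interval and the two-day freshness threshold are my own assumptions; it assumes Windows 10 with the Defender PowerShell module and an elevated session.

```powershell
# Added example, not from the original thread.
# Keeps Microsoft Defender definitions current on a WVD session host when
# Windows Update's automatic updates have been disabled in the master image.
# Assumptions: Windows 10 session host, built-in Defender module, run elevated.

$TaskName           = 'WVD-DefenderSignatureUpdate'   # assumed task name
$MaxSignatureAgeDays = 2                               # assumed freshness threshold

function Register-DefenderSignatureTask {
    param(
        [string]$Name = $TaskName,
        [int]$IntervalHours = 4                        # assumed interval
    )

    # Update-MpSignature fetches the latest definitions from Microsoft Update
    # without needing the rest of Windows Update to be enabled.
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument '-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "Update-MpSignature -UpdateSource MicrosoftUpdateServer"'

    # Repeating trigger with no RepetitionDuration repeats indefinitely on Windows 10.
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
        -RepetitionInterval (New-TimeSpan -Hours $IntervalHours)

    # Run as SYSTEM so it does not depend on a user being logged on.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest

    # Catch up if the host was deallocated at the scheduled time; skip when offline.
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -RunOnlyIfNetworkAvailable

    Register-ScheduledTask -TaskName $Name -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
}

function Test-DefenderSignatureAge {
    # Returns a small compliance record so the result can be collected centrally.
    param([int]$MaxAgeDays = $MaxSignatureAgeDays)

    $status = Get-MpComputerStatus
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        AntivirusSignatureVersion = $status.AntivirusSignatureVersion
        LastUpdated               = $status.AntivirusSignatureLastUpdated
        AgeDays                   = $status.AntivirusSignatureAge
        RealTimeProtection        = $status.RealTimeProtectionEnabled
        Compliant                 = ($status.AntivirusSignatureAge -le $MaxAgeDays) -and
                                    $status.RealTimeProtectionEnabled
    }
}

# Usage on the session host (elevated):
Register-DefenderSignatureTask
Start-ScheduledTask -TaskName $TaskName      # run once now rather than waiting for the trigger
Test-DefenderSignatureAge | Format-List
```

Bake the registration into the master image before sysprep so every redeployed host carries it, and run `Test-DefenderSignatureAge` from your monitoring or Update Management inventory to spot hosts whose definitions have gone stale.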
- HandA (Brass Contributor)
Thanks for the reply knowlite. I think that is probably the best option for pooled desktops, but for dedicated personal desktops where users will have local admin rights I'm not sure that is going to be the best solution? In the scenario I am looking at, there will likely be deviation on the personal desktops away from the initial 'master image' with respect to applications installed etc.