Forum Discussion

HandA
Brass Contributor
Dec 16, 2019

WVD Patch Management

Hi there,


Would be grateful if someone from MS could advise on the best method for patch management on WVD. From the following document it is advised to disable automatic updates:

https://docs.microsoft.com/en-us/azure/virtual-desktop/set-up-customize-master-image 


My questions are therefore as follows:

- Is there currently a best practice from MS for keeping the WVD Windows 10 VMs secure from a security patch perspective? I can't see any documentation on this.

- If automatic updates are disabled, what is the method by which VMs should be updated? Can this be done via Azure Update Management?

- If automatic updates are disabled, how does this impact Windows Defender updates?


I am hoping that the solution to this is to constantly keep the 'master image' updated and then re-deploy to the host pool? The architecture of my WVD tenant is a multi-host pool 'pooled desktop' configuration.


Thanks


15 Replies

  • Jag_Patel
    Copper Contributor
    Hi All,

    We have a similar situation where monthly patches are not being managed and it is causing issues with user performance. We are using personal desktops with FSLogix profiles.

    Is it possible to manage the patches via Intune? What would be the best way to approach this?

    Regards
    Jag
  • Davide Salsi
    Copper Contributor

    Hi all,

    with MECM CB 1910 and above, it's possible to update Windows Virtual Desktop Session Hosts. It's necessary to select "Windows Server, version 1903 and later" from the Products section in Software Update Point Component Properties.


    Best regards,

    Davide

  • Yuki398
    Copper Contributor

    HandA 

    You can use this ARM Template for updating WVD.

    https://github.com/Azure/RDS-Templates/tree/master/wvd-templates/Update%20existing%20WVD%20host%20pool

    • HandA
      Brass Contributor

      Yuki398 


      Hi Yuki398,


      Thanks for the link. I've seen this and believe this, along with applying security & feature updates to the 'master image', is the best method for pooled desktops. If you are using personal desktops that users are modifying (deploying software etc.) you cannot remove their persistent VDIs and give them a brand new one every time the OS needs patching. It's not feasible. I think until App Attach is in GA it's not a straightforward process for applying updates to personal desktops.

      • knowlite
        Iron Contributor
        Hi Gerry,

        Why would App Attach offer a solution to your problem? App attach makes applications seamlessly available through a separate VHD(x) drive integration. This is opposite to users installing their own software.

        I still believe that personal desktops together with FSLogix can be a solution in separating the user data from the OS. If all applications are available in the image, there would not be any issue for the user in a redeployment (for patching etc). This enables you to have a consistent user experience along your users, compared to desktops patching separately etc.
  • knowlite
    Iron Contributor

    HandA 


    Hi Gerry,


    Best practice is to take your snapshot before the sysprep, patch it, snapshot it again, sysprep and redeploy the WVD pool. You can deploy to the same pool of servers, just make sure to enter the correct total of servers you want to obtain.

    Deletion of the old servers can take place after deployment.


    For Defender updates, you can create a scheduled task to execute the following:

    https://www.microsoft.com/en-us/wdsi/defenderupdates

    • HandA
      Brass Contributor

      knowlite 


      Thanks for the reply knowlite. I think that is probably the best option for pooled desktops, but for dedicated personal desktops where users will have local admin rights I'm not sure that is going to be the best solution? In the scenario I am looking at, there will likely be deviation on the personal desktops away from the initial 'master image' with respect to applications installed etc.
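knowlite's reply above suggests a scheduled task for keeping Defender signatures current on session hosts whose Windows Update is disabled per the master-image guidance. The following is an added example, not code from any poster in this thread or from Microsoft's documentation. It registers a daily SYSTEM task that runs the built-in `Update-MpSignature` cmdlet and adds a small compliance check based on `Get-MpComputerStatus`. The task name and the 48-hour age threshold are assumptions; adjust them to your own policy.

```powershell
# Added example (not from the thread): keep Microsoft Defender security
# intelligence current on a WVD session host where Windows Update is disabled,
# and report whether the installed signatures are within an acceptable age.
# Assumes the built-in Defender and ScheduledTasks PowerShell modules; run as
# an administrator on the session host (or bake into the master image).

$TaskName = 'WVD-DefenderSignatureUpdate'   # task name is an assumption

# Run under SYSTEM so the task needs no stored credentials.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -NonInteractive -Command "Update-MpSignature -UpdateSource MicrosoftUpdateServer"'

# Daily at 03:00; StartWhenAvailable catches hosts that were deallocated overnight.
$Trigger   = New-ScheduledTaskTrigger -Daily -At '03:00'
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 30)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Compliance check: stale signatures indicate the task is not running or the
# host cannot reach Microsoft Update. Threshold is an assumption.
function Test-DefenderSignatureAge {
    param([int]$MaxAgeHours = 48)

    $status = Get-MpComputerStatus
    $age    = (Get-Date) - $status.AntivirusSignatureLastUpdated

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SignatureVersion = $status.AntivirusSignatureVersion
        LastUpdated      = $status.AntivirusSignatureLastUpdated
        AgeHours         = [math]::Round($age.TotalHours, 1)
        Compliant        = ($age.TotalHours -le $MaxAgeHours)
    }
}

# Emit one row per host; collect centrally (e.g. via a remoting loop) to spot
# session hosts that fell behind after a redeploy.
Test-DefenderSignatureAge
```

Because the check runs against the installed signature timestamp rather than the task's own history, it also catches the case where the task fires but the update silently fails, which is the failure mode that matters when Windows Update has been turned off on the image.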
