WVD Patch Management

Hi there,

 

Would be grateful if someone from MS could advise on the best method for patch management on WVD.  From the following document it is advised to disable automatic updates

https://docs.microsoft.com/en-us/azure/virtual-desktop/set-up-customize-master-image 

 

My questions, are therefore as follows

- Is there currently a best practise from MS for keeping the WVD Windows 10 VM's secure from a security patch perspective. I can't see any documentation on this?

- If automatic updates are disabled what is the method by which VM's should be updated. Can this be done via Azure Update Management?

- If automatic updates are disabled how does this impact Windows Defender updates.


I am hoping that the solution to this is to constantly keep the 'master image' updated and then re-deploy to the host pool? The architecture of my WVD tenant is a multi-host pool 'pooled desktop' configuration.


Thanks

@HandA 

Hi Gerry,


Best practice is to take your snapshot before the sysprep, patch it, snapshot it again, sysprep and redeploy the WVD pool. You can deploy to the same pool of servers, just make sure to enter the correct total of servers you want to obtain.

Deletion of the old servers can take place after deployment.


For Defender updates, you can create a scheduled task to execute the following:

https://www.microsoft.com/en-us/wdsi/defenderupdates
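The snapshot-patch-snapshot-sysprep cycle described above, as an added Azure PowerShell example that is not code from the thread or from Microsoft; the resource group and VM names are placeholders, and it assumes the Az.Compute module is installed and you are already signed in with Connect-AzAccount:

```powershell
# Added example (not from the thread): snapshot the master image VM's OS disk at a
# named stage of the patch cycle (pre-patch, then post-patch just before sysprep).
# Assumptions: Az.Compute installed, Connect-AzAccount already run, placeholder names.
param(
    [string]$ResourceGroup = 'rg-wvd-images',   # placeholder resource group
    [string]$VmName        = 'vm-wvd-master',   # placeholder master image VM
    [ValidateSet('pre-patch', 'post-patch')]
    [string]$Stage         = 'pre-patch'
)

$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$osDiskId = $vm.StorageProfile.OsDisk.ManagedDisk.Id
if (-not $osDiskId) { throw "VM '$VmName' does not use a managed OS disk" }

# A deallocated VM gives a consistent disk image; stop it if it is still running.
$power = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Status).Statuses |
    Where-Object Code -like 'PowerState/*'
if ($power.Code -ne 'PowerState/deallocated') {
    Stop-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Force | Out-Null
}

# Name and tag the snapshot so the pre- and post-patch rollback points are distinguishable.
$stamp    = Get-Date -Format 'yyyyMMdd-HHmm'
$snapName = "$VmName-$Stage-$stamp"
$cfg = New-AzSnapshotConfig -SourceUri $osDiskId -Location $vm.Location -CreateOption Copy `
    -Tag @{ stage = $Stage; sourceVm = $VmName; createdUtc = (Get-Date).ToUniversalTime().ToString('o') }
$snap = New-AzSnapshot -ResourceGroupName $ResourceGroup -SnapshotName $snapName -Snapshot $cfg
Write-Output "Created snapshot $($snap.Name) ($Stage) from $osDiskId"

# Only the pre-patch stage restarts the VM (to apply updates); after the post-patch
# snapshot the next steps are sysprep and redeploying the host pool from the image.
if ($Stage -eq 'pre-patch') {
    Start-AzVM -ResourceGroupName $ResourceGroup -Name $VmName | Out-Null
}
```

Run it once with `-Stage pre-patch`, apply updates, then run it again with `-Stage post-patch` before you sysprep.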

@knowlite 

Thanks for the reply knowlite. I think that is probably the best option for pooled desktops, but for dedicated personal desktops where users will have local admin rights I'm not sure that is going to be the best solution? In the scenario I am looking at, there will likely be deviation on the personal desktops away from the initial 'master image' with respect to applications installed etc.

@Yuki398 

Hi Yuki398,

Thanks for the link. I've seen this and believe this, along with applying security & feature updates to the 'master image', is the best method for pooled desktops. If you are using personal desktops that users are modifying (deploying software etc.) you cannot remove their persistent VDIs and give them a brand new one every time the OS needs to be patched. It's not feasible. I think until app attach is in GA it's not a straightforward process for applying updates to personal desktops.

Hi Gerry,

Why would App Attach offer a solution to your problem? App attach makes applications seamlessly available through a separate VHD(x) drive integration. This is opposite to users installing their own software.

I still believe that personal desktops together with FSLogix can be a solution in separating the user data from the OS. If all applications are available in the image, there would not be any issue for the user in a redeployment (for patching etc.). This enables you to have a consistent user experience across your users, compared to desktops patching separately etc.

@knowlite 

Hi knowlite,

I probably didn't explain it well enough. We would want to give a group of users, possibly up to 20, a personal desktop with admin rights. They could be using a significant number of different applications (probably too many to have in a master image). Also these applications could vary quite frequently for different development staff. In short, 'image management' becomes too intensive from an app perspective. I do take the point that app attach is not necessarily a silver bullet, but it does help with the separation of the apps from the OS and also keeping the updating of the apps and the OS segregated.

Effectively I was trying to find out if there was any reason why I couldn't just allow the personal desktops to auto-update using Windows Update. I understand the inherent risk associated with adopting this method with respect to an update causing an issue on the desktop.

We use SCCM to patch WVD - Personal Desktop on a monthly basis. We consider it no different than a regular corporate desktop. This way, there is no new process/project/standards created for handling WVD - Personal Desktop. It works very well with existing patching operations. End-users are already familiar with how patching works on the corporate desktop, so they don't have any issues with the WVD - Personal Desktop patching process.

FYI, based on extensive testing, I found WVD persistent VMs created from the "Microsoft Windows 10 + Office 365 ProPlus" image from Azure Marketplace are not working. SCCM CB 1906 version or CB 2002 version is unable to patch these VMs using the regular SCCM patching process SUM (Software Update Management). Any feedback or solution will be helpful.

Hi all,

With MECM CB 1910 and above, it's possible to update Windows Virtual Desktop Session Hosts. It's necessary to select "Windows Server, version 1903 and later" from the Products section in Software Update Point Component Properties.

Best regards,

Davide

Just FYI,

On ConfigMgr CB 2002 version, each WVD Shared Desktop or Persistent Desktop is reported as a "Windows Server" Operating System on ConfigMgr. Don't know why.


So, to manage WVDs with ConfigMgr, we made appropriate changes on ConfigMgr Collection's Limiting Collection and set to - "All Systems".


irfan.fakih@hotmail.com

@Irfan Fakih 

It's correct.

As Christiaan Brinkhoff says (https://twitter.com/brinkhoff_c/status/1244557292214915072), Windows 10 Enterprise Multi-session has a different OperatingSystemSKU (175) and it's not a client SKU.

Davide

Windows 10 Enterprise Multi-Session support is there from SCCM 1906 version onwards. Windows 10 multi-session support is only for the Windows Virtual Desktop (WVD) solution. WVD Windows 10 multi-session is similar to a terminal server, and most device management solutions detect multi-session as a server OS. You will need to select the server-related patches as explained in the following post. https://www.anoopcnair.com/wvd-windows-10-multi-session-patching-with-sccm-configmgr-product-selecti...
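The SKU point made in the two posts above (OperatingSystemSKU 175, inventoried as a server OS), as an added PowerShell check that is not code from the thread; the function name `Get-WvdHostSku` and the small SKU lookup table are my own, with 175 being the value the thread cites and the other entries assumed from the documented Win32_OperatingSystem values:

```powershell
# Added example (not from the thread): report how WVD session hosts identify
# themselves so you can see why ConfigMgr/MECM needs "Windows Server, version
# 1903 and later" selected as a product for them. Assumed: WinRM reachable and
# the caller has rights to query Win32_OperatingSystem on each host.
function Get-WvdHostSku {
    param(
        # Placeholder list; pass your own session host names.
        [string[]]$ComputerName = @('wvd-host-01', 'wvd-host-02')
    )

    # Assumed lookup of OperatingSystemSKU values; 175 is the one the thread cites.
    $knownSkus = @{
        4   = 'Enterprise'
        48  = 'Professional'
        125 = 'Enterprise LTSC'
        175 = 'Enterprise multi-session (WVD)'
    }

    foreach ($name in $ComputerName) {
        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
        } catch {
            Write-Warning "Could not query $name : $($_.Exception.Message)"
            continue
        }

        $sku = [int]$os.OperatingSystemSKU
        [pscustomobject]@{
            ComputerName       = $os.CSName
            Caption            = $os.Caption
            Version            = $os.Version
            # ProductType per WMI docs: 1 = workstation, 2 = domain controller, 3 = server
            ProductType        = $os.ProductType
            OperatingSystemSKU = $sku
            SkuName            = if ($knownSkus.ContainsKey($sku)) { $knownSkus[$sku] } else { 'unknown' }
            # Multi-session hosts are the ones that need the server product class selected.
            NeedsServerProduct = ($sku -eq 175)
        }
    }
}

Get-WvdHostSku | Format-Table -AutoSize
```

Hosts that show `NeedsServerProduct = True` are the ones that will only receive updates once the server product is enabled on the software update point.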

Hi @Anoop C Nair

As indicated in my previous post, in order to update the WVD Session Hosts through Microsoft Endpoint Configuration Manager it is necessary to select "Windows Server, version 1903 and later" from the Products section in Software Update Point Component Properties.

Hi All,

We have a similar situation where monthly patches are not being managed and it is causing issues with user performance. We are using personal desktops with FSLogix profiles.

Is it possible to manage the patches via Intune? What would be the best way to approach this?

Regards
Jag

Hi @Anoop C Nair, do you know if there were any changes to the patches for 21H1 forward?

I am not seeing server version 21H1 like I did for 20H2 and 2004.

Thank you in advance