What is the right way to patch AVD VMs?

Shane Curtis 36 Reputation points
2021-07-23T16:37:54.85+00:00

I'm confused about the right way to patch AVD VMs. Most of the time, Configuration Manager and Intune are not an option for our customers. Is it a bad idea to use Group Policy to control the Windows Update settings? I noticed that the AVD documentation for setting up a master VHD image says you should disable Automatic updates, but it doesn't say why. Is it because the updates might cause a reboot and interfere with users' work? The AVD security best practices page says "We recommend patching your base images monthly to ensure that newly deployed machines are as secure as possible." So should monthly security patches be applied to the base image and then the host pools get updated with a new image monthly? Seems like a lot of work. Or is Azure Security Center capable of doing monthly security patches? Very confused on this subject.

Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.

Accepted answer
  1. prmanhas-MSFT 17,901 Reputation points Microsoft Employee
    2021-07-26T11:24:24.403+00:00

    @Shane Curtis Apologies for the delay in response and all the inconvenience caused because of the issue.

    Customers that use Windows 10 Multisession usually follow one of the two patterns:

    1) Re-Deploy the host pool with an updated base image each month
    or
    2) Use Configuration Manager to deploy updates

    Intune doesn't support update deployment to Multi-Session, and neither does Azure Update Management.

    You can use GPOs to do that, but it is very hard to properly schedule update deployment using GPOs, so the customers use either option 1 or 2.

    Yes, Option 1 requires a re-deployment, but those customers invested in automating this process as much as possible, so the monthly effort is limited. Option 2 might be more convenient for customers that are familiar with Config Mgr.

    There are also samples for automation on GitHub here

    Hope it helps!!!

    Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.

    1 person found this answer helpful.

1 additional answer

  1. Todd Crooks 1 Reputation point
    2022-01-08T21:03:39.29+00:00

    If anyone is looking for the process to update the session hosts, it can be found here:
    https://techtodd.co.uk/index.php/2022/01/08/microsoft-azure-virtual-desktop-avd-image-update-process/
