We have numerous articles showcasing how to create the golden master image to deploy within the Host Pool. This blog post will showcase how to perform recurring monthly security patch updates within the golden master image and push that into your Host Pools within Azure Virtual Desktop.
- Azure Compute Galleries – Create VM
- Console to Golden Image (RDP or Azure Bastion)
- Install the Microsoft Latest Cumulative Update (LCU)
- Sysprep (Generalize and Shutdown)
- Capture the Virtual Machine
- Azure Compute Galleries – New Version
- Drain and remove old session host vms
If Microsoft is listening – requesting the feature of leveraging the Update Rings from Micorosft Intune can be integrated into applying the quality updates from #Intune on Microsoft Windows 10/11 Multi-session
The assumption here is that you already have a golden image and existing versions available. Below is an example from Azure Computer Galleries of a Windows 11 Multi-session and current running version 0.0.2 within my Host Pools. (Note its an already generalized image – See the OS State)
Azure Compute Galleries – Create VM
The first step here is to update the golden image with the monthly Microsoft Cumulative Security update, and we want to create a new virtual machine from the existing version of 0.0.2. (Background version 0.0.2 include the October 2022 Latest Cumulative Updates)
Now you will be presented with a Create VM wizard
Select Next – Disk Settings
Select Next – Networking Settings
Select Next – Management Settings
Select Next – Monitoring Settings
Select Review & Create the Virtual Machine – Golden Image.
#Tip – On the rare occasion that the creation of the virtual machine fails, in one instance, I had forgotten to perform Sysprep on the existing version in Azure Compute Galleries (e.g. 0.0.1). In such scenarios, create a virtual machine from the previous version number you know that works well.
Console to Golden Image (RDP or Azure Bastion)
We now have the newly created golden image from the existing version 0.0.2 within the Azure – Virtual Machines blade listed and status=Running.
Download the RDP file and console into the Virtual machine – Win11MSGI04 (Note, as previously mentioned, this is a bad practice in a production environment as it needs public IP for access. The best approach here is to leverage Azure Bastion and click on the Bastion option, and securely console the VM via browser)
Install the Microsoft Latest Cumulative Update (LCU)
In our scenario, we shall install the November 8, 2022—KB5019980 (OS Build 22621.819) for Windows 11 22H2 Multi-session. Note I am using the Powershell pswindowsupdate module, but you can download and offline install the Windows update (LCU, which also includes SSU)
Install the Update
Get-WindowsUpdate -KBArticleID KB5019980 -Install -AutoReboot | Out-File "c:\Temp\$(get-date -f yyyy-MM-dd)-WindowsUpdate.log" -force
Post the reboot validate the windowsupdate log output to determine whether the patch was installed successfully. Optionally perform Disk Clean.
Sysprep (Generalize and Shutdown)
We are onto our final step before the capture. Perform Sysprep on the image and shutdown
%WINDIR%\system32\sysprep\sysprep.exe /generalize /shutdown /oobe
#Tip – Make sure the end state of the virtual machine status = Stopped (deallocated) before following the next step of Capture. Sysprep is the most crucial step if you forget this, your provisioning will fail with an error.
Capture the Virtual Machine
We will capture this image into Azure Compute Galleries
Next Capture wizard
#Tip – As we selected “Delete” post creation, the virtual machine will not appear within the Azure – Virtual Machines. Below is the task for the deletion.
Azure Compute Galleries – New Version
We can now see the latest version showing up 0.0.3 post the capture process. This version is now ready to be added to the AVD – Host Pools
Add Session Host Virtual Machine (New security patch version 0.0.3)
After clicking on Add, it will open the “Add virtual machine to a host pool” wizard
Select Next – Virtual Machines
Next enter the tags of your choice and hit Create
Drain and remove old session host vms
Put the old session host virtual machines in the drain and remove the virtual machine. This step will depend on how much time log-off all the end-user sessions will take on the VM.
Next, if all the sessions are drained. Select the old virtual machine and select Remove.
Note – When you hit remove for the session host virtual machine within the Host Pools blade, it will only remove the virtual machine from there. You will have to go into the Azure – Virtual Machines blade and stop and delete the virtual machine from there. The good thing here is that as we had selected delete disk/network (checkbox) during creation, it will delete everything associated with the VM.
#Tip – As a precautionary step, you can delete the virtual machine after 2-3 days after production stabilizes in case you have to revert and manually add the VM’s back into the host pool
A big thanks to Mahammad Kubaib for reviewing this blog post based on his previous experience. I hope you will find this helpful information for performing monthly cumulative security updates on your Azure Virtual Desktop – Host Pools. If you want to see a Powershell version of the same activity, leave me a comment below or on my socials. Please let me know if I have missed any steps or details, and I will be happy to update the post.