We have numerous articles showcasing how to create the golden master image to deploy within the Host Pool. This blog post will showcase how to perform recurring monthly security patch updates within the golden master image and push that into your Host Pools within Azure Virtual Desktop.

- Pre-requisites
- Azure Compute Galleries – Create VM
- Console to Golden Image (RDP or Azure Bastion)
- Install the Microsoft Latest Cumulative Update (LCU)
- Sysprep (Generalize and Shutdown)
- Capture the Virtual Machine
- Azure Compute Galleries – New Version
- Drain and remove old session host vms
Feature Wishlist
If Microsoft is listening: a feature request to let the Update Rings from Microsoft Intune be used to apply quality updates from #Intune to Microsoft Windows 10/11 Multi-session.
Pre-requisites
The assumption here is that you already have a golden image and existing versions available. Below is an example from Azure Compute Galleries of a Windows 11 Multi-session image, with version 0.0.2 currently running within my Host Pools. (Note it is an already generalized image; see the OS State.)

Azure Compute Galleries – Create VM
The first step here is to update the golden image with the monthly Microsoft Cumulative Security update, so we want to create a new virtual machine from the existing version 0.0.2. (Background: version 0.0.2 includes the October 2022 Latest Cumulative Update.)

Now you will be presented with a Create VM wizard

Select Next – Disk Settings

Select Next – Networking Settings

Select Next – Management Settings

Select Next – Monitoring Settings

Select Tags

Select Review & Create the Virtual Machine – Golden Image.
#Tip – On the rare occasion that creation of the virtual machine fails (in one instance, I had forgotten to run Sysprep on the existing version in Azure Compute Galleries, e.g. 0.0.1), create the virtual machine from the previous version number you know works. After patching the new VM built from the existing image version, take a snapshot of it before Sysprep and keep it; it will be useful if the VM is destroyed for any reason during Sysprep.
Console to Golden Image (RDP or Azure Bastion)
The newly created golden-image VM, built from existing version 0.0.2, is now listed in the Azure – Virtual Machines blade with status = Running.

Download the RDP file and console into the virtual machine, Win11MSGI04. (Note, as previously mentioned, this is bad practice in a production environment because it requires a public IP for access. The better approach is Azure Bastion: click the Bastion option and securely console into the VM via the browser.)

Install the Microsoft Latest Cumulative Update (LCU)
In our scenario we will install the November 8, 2022 update, KB5019980 (OS Build 22621.819), for Windows 11 22H2 Multi-session. Note I am using the PowerShell PSWindowsUpdate module, but you can also download the update and install it offline (the LCU, which also includes the SSU). First list the available updates:
Get-WUList -MicrosoftUpdate

Install the Update
Get-WindowsUpdate -KBArticleID KB5019980 -Install -AutoReboot | Out-File "c:\Temp\$(get-date -f yyyy-MM-dd)-WindowsUpdate.log" -force

After the reboot, check the WindowsUpdate log output to confirm the patch installed successfully. Optionally run Disk Cleanup.
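Beyond reading the log, a more reliable check is the OS build revision (UBR) the post quotes, plus a pending-reboot test, because running Sysprep with a reboot still pending fails. The following is an added example, not from the original post; the KB and build 22621.819 come from the post, while the function name Test-LcuApplied and the thresholds are my own. Run it on the golden-image VM before Sysprep.

```powershell
# Added example: confirm KB5019980 applied and no reboot is pending before Sysprep.
function Test-LcuApplied {
    param(
        [string]$Kb = 'KB5019980',      # from the post
        [int]$ExpectedBuild = 22621,    # Windows 11 22H2
        [int]$ExpectedUbr = 819         # OS Build 22621.819 per the KB article
    )
    # CurrentBuildNumber.UBR is the authoritative build; Get-HotFix is a secondary hint
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$ver.CurrentBuildNumber
    $ubr   = [int]$ver.UBR
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

    # Either key present means servicing still has work to do after a reboot
    $pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
               (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')

    $buildOk = ($build -eq $ExpectedBuild) -and ($ubr -ge $ExpectedUbr)
    [pscustomobject]@{
        OsBuild         = "$build.$ubr"
        BuildMatches    = $buildOk
        KbListed        = [bool]$hotfix
        InstalledOn     = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        RebootPending   = $pending
        ReadyForSysprep = $buildOk -and (-not $pending)
    }
}

$result = Test-LcuApplied
$result | Format-List
if (-not $result.ReadyForSysprep) {
    throw "Image not ready: build $($result.OsBuild), reboot pending = $($result.RebootPending)"
}
```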
Sysprep (Generalize and Shutdown)
We are onto our final step before the capture. Run Sysprep on the image with generalize and shutdown:
%WINDIR%\system32\sysprep\sysprep.exe /generalize /shutdown /oobe

#Tip – Make sure the virtual machine's end state is Status = Stopped (deallocated) before moving on to Capture. Sysprep is the most crucial step; if you forget it, provisioning will fail with an error.

Capture the Virtual Machine
We will capture this image into Azure Compute Galleries

Next Capture wizard

#Tip – Because we selected “Delete” after creation in the Capture wizard, the virtual machine will no longer appear in Azure – Virtual Machines. Below is the deletion task.

Azure Compute Galleries – New Version
After the capture, the latest version, 0.0.3, now shows up. This version is ready to be added to the AVD – Host Pools.

Add Session Host Virtual Machine (New security patch version 0.0.3)
After clicking on Add, it will open the “Add virtual machine to a host pool” wizard

Select Next – Virtual Machines

Next enter the tags of your choice and hit Create

Drain and remove old session host vms
Put the old session host virtual machines into drain mode, then remove them. How long this step takes depends on how long it takes for all end-user sessions on the VM to log off.

Next, once all sessions are drained, select the old virtual machine and select Remove.

Note – When you hit Remove for a session host virtual machine within the Host Pools blade, it only removes the virtual machine from the host pool. You will have to go to the Azure – Virtual Machines blade and stop and delete the virtual machine from there. The good thing is that because we selected the delete disk/network checkbox during creation, everything associated with the VM will be deleted.
#Tip – As a precautionary step, you can delete the virtual machine 2-3 days later, after production stabilizes, in case you have to revert and manually add the VMs back into the host pool.
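The drain-and-remove steps above, scripted with the Az PowerShell modules, as an added example (not the post's own code and not the promised PowerShell version). It assumes Az.Accounts, Az.Compute and Az.DesktopVirtualization are installed, Connect-AzAccount has been run, and the resource group, host pool and VM name prefix are placeholders you replace; it only deletes a host once it reports zero sessions, which is the check the portal leaves to you.

```powershell
# Added example: drain old session hosts, warn signed-in users, and remove hosts with no sessions left.
$ResourceGroup = 'rg-avd-prod'    # placeholder
$HostPool      = 'hp-win11-ms'    # placeholder
$OldPrefix     = 'avd-v002-'      # placeholder: VM name prefix of hosts built from image version 0.0.2

# Session host Name is "hostpool/vm.fqdn"; the Az cmdlets want just "vm.fqdn"
$oldHosts = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPool |
    Where-Object { $_.Name.Split('/')[-1] -like "$OldPrefix*" }

foreach ($sh in $oldHosts) {
    $shName = $sh.Name.Split('/')[-1]
    # Step 1: drain mode, so the broker stops placing new sessions here
    Update-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPool `
        -Name $shName -AllowNewSession:$false | Out-Null
    # Step 2: tell anyone still signed in; session Name is "hostpool/vm.fqdn/sessionId"
    $sessions = Get-AzWvdUserSession -ResourceGroupName $ResourceGroup -HostPoolName $HostPool -SessionHostName $shName
    foreach ($s in $sessions) {
        Send-AzWvdUserSessionMessage -ResourceGroupName $ResourceGroup -HostPoolName $HostPool `
            -SessionHostName $shName -UserSessionId $s.Name.Split('/')[-1] `
            -MessageTitle 'Maintenance' -MessageBody 'This host is being retired. Please save your work and sign out.'
    }
}

# Step 3 (run again later, once users have signed out): remove only hosts with zero live sessions
foreach ($sh in $oldHosts) {
    $shName = $sh.Name.Split('/')[-1]
    $live = @(Get-AzWvdUserSession -ResourceGroupName $ResourceGroup -HostPoolName $HostPool -SessionHostName $shName)
    if ($live.Count -gt 0) {
        Write-Warning "$shName still has $($live.Count) session(s); skipping"
        continue
    }
    # Remove from the host pool, then delete the VM; disk and NIC go with it only if
    # delete-with-VM was selected at creation, as the post describes
    Remove-AzWvdSessionHost -ResourceGroupName $ResourceGroup -HostPoolName $HostPool -Name $shName -Force
    Remove-AzVM -Id $sh.ResourceId -Force
}
```

Run steps 1 and 2 during the day, then re-run the script for step 3 after the post's suggested 2-3 day stabilisation window, so a rollback only needs the hosts re-added to the pool.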
A big thanks to Mahammad Kubaib for reviewing this blog post based on his previous experience. I hope you find this information helpful for performing monthly cumulative security updates on your Azure Virtual Desktop – Host Pools. If you want to see a PowerShell version of the same activity, leave me a comment below or on my socials. Please let me know if I have missed any steps or details, and I will be happy to update the post.
Thanks,
Aresh Sarkari


Amazing effort and good content thank you. I hope you keep serving the community.
Thank you so much. This was very helpful!
It would be good if you can share the powershell version of the same as well.
Also I think, after updating the new VM from the existing image version, we can take a snapshot of that before Sysprep and keep it. It will be helpful if the VM, for any reason, gets destroyed during Sysprep.
Also, in my environment I have a host pool with 50+ VMs. It’s a new environment and a patching process is not in place. Do you think the above steps can be used for monthly patch releases in the case of 50+ VMs?
When I get time, I will cover the PowerShell version! I think it’s an excellent recommendation on the snapshot before Sysprep. I will include it in the blog post. I think you will have to think about automation when you are dealing with 50+ VMs.
Thank you so much for this wonderful article — it was incredibly helpful!
I do have one more question related to user data. In my current setup, we don’t use FSLogix, and most devices follow a one-to-one a. If I implement the methods discussed for an updated image with the latest security updates, how can I handle user data? Many of my users are developers who likely want to retain their existing setups and configurations. Could you kindly suggest the best approach to manage this scenario smoothly?
For user data you should look at OneDrive for Business, and the user profile should be in FSLogix. Separating both from the image will achieve your goal of making the image independent.
@Gokul remember! Question, how do you handle DR automation in VDI(what if does not work triggers a failure)? Can you direct me to some forums?
Links:
https://techzone.omnissa.com/resource/providing-disaster-recovery-horizon
https://learn.microsoft.com/en-us/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr