How do you handle patching your Windows 10 desktops with Horizon View?

We’re finally migrating our VDI infrastructure to Windows 10, but this is the remaining outstanding issue before cutting over. Previously our process would be to manually re-enable Windows updates on our master image, run Windows Update, get updates for anything else we needed (Adobe, etc.), disable Windows updates, shut the VM down, take a snapshot & recompose.

It doesn’t look like this will work with Windows 10, because if I kick off a manual check for windows updates it tries to download new builds of Windows 10 that we don’t want to use and may not be supported… There’s got to be a good way to do this, but I’m not sure what it looks like.

Can anyone explain how they handle monthly updates for VDI desktops?

Edit: I found a workaround by installing the PSWindowsUpdate PowerShell module on my master image. I can then list missing updates and install them by listing out the KB articles of the patches I want. It’s not as friendly as the previous process, but it seems to work.

View Reddit by lordmycal




  1. We only use the LTSC builds, [https://docs.microsoft.com/en-us/windows/whats-new/ltsc/whats-new-windows-10-2019](https://docs.microsoft.com/en-us/windows/whats-new/ltsc/whats-new-windows-10-2019)

    The master image is standalone e.g. not joined to the domain. Here I only do Windows patching and VMware Agents upgrades. This VM is then converted to a template after servicing and a new VM is deployed with Guest Customization:

    1. Join domain and move to OU for the right GPOs
    2. Run prepare script
    3. Snapshot
    4. Recompose

    Old VM is archived and later deleted after some cycles.

    I found this to work really well for us.

  2. We do ours just like you mention. When I re-enable the update service and check for updates it only checks against our local WSUS server and only gets the updates that have been approved. I’d have to click the “Check online for updates from Microsoft Update” to bypass our WSUS server. Maybe you need to make sure your group policy is pointed correctly to your internal WSUS?


    Edit: grammar

  3. kjellcomputer is spot on! I do ours almost exactly the same but with wsus. the update ou has the correct fqdn to the wsus server for stuff i approve, the clones prod ou has a bogus one in there (fakewsus.abc.local). you can disable windows update service using gpo’s as well, but with w10 other services can re-start it up i’ve learned (windows medic i believe), hence the bogus wsus server entry, oh and don’t forget to enable “don’t allow updates to be downloaded from the internet” in the gpo’s as well.

    +1 for w10 1809 ltsc. i hear soooo many nightmares about using cbb or whatever they call it nowadays, ltsc is soooo rock solid it should be almost standard for vdi. i’ve been a citrix guy for 10 years, but the horizon stuff when it comes to this is the same no matter what.

  4. I’ve been thinking about a solution for this for a customer. They are using W10 SAC and could not understand why they couldn’t deploy their upgraded W10 template (guest customization with sysprep doesn’t work on an upgraded machine). I realized that since we have two releases every year they will have to rebuild their golden image from scratch often enough that it’s worth automating. And if we automate that process, we might as well build a new image instead of patching an existing one.

    The outline of my plan is something like this:
    Set up MDT with a separate WSUS instance (this can also be used for building reference images for ConfigMgr).
    Include everything that’s needed in MDT: customizations, applications, etc.
    Use vRO to create a VM with a specific MAC address, specify that in customsettings.ini to start the right TS, start the VM and then wait. When it’s finished and has shut down we convert it to a template.
    This customer has vRA, but you could do whatever you want with the machine when it’s done. If you don’t have vRO, PowerCLI will probably do the trick.
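The WSUS arrangement described in replies 2 and 3 (real server for the update OU, bogus server plus an internet block for the clones) can be checked on an image before it is snapshotted. The following PowerShell is an added example, not code posted by anyone in the thread. It assumes the standard Windows Update policy registry values, and assumes `DoNotConnectToWindowsUpdateInternetLocations` is the setting the commenter paraphrases; the function names and the port 8530 in the sample are constructed for illustration.

```powershell
# Added example: audit the Windows Update policy values that a GPO writes on an image.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WuPolicy {
    # Read the live policy values into a flat hashtable; absent values stay $null.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
    @{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        DoNotConnectToWindowsUpdateInternetLocations =
            $wu.DoNotConnectToWindowsUpdateInternetLocations
    }
}

function Test-WuPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        # The URL this OU is supposed to receive: the real WSUS or the bogus one.
        [Parameter(Mandatory)] [string]    $ExpectedServer
    )
    $findings = @()
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1, so the WUServer value is not used.'
    }
    if ($Policy.WUServer -ne $ExpectedServer) {
        $findings += "WUServer is '$($Policy.WUServer)', expected '$ExpectedServer'."
    }
    if ($Policy.WUStatusServer -ne $Policy.WUServer) {
        $findings += 'WUStatusServer does not match WUServer.'
    }
    if ($Policy.DoNotConnectToWindowsUpdateInternetLocations -ne 1) {
        $findings += 'Internet update locations are not blocked by policy.'
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: a clone that got the bogus server but not the internet block.
$clone = @{
    UseWUServer    = 1
    WUServer       = 'http://fakewsus.abc.local:8530'
    WUStatusServer = 'http://fakewsus.abc.local:8530'
    DoNotConnectToWindowsUpdateInternetLocations = $null
}
Test-WuPolicy -Policy $clone -ExpectedServer 'http://fakewsus.abc.local:8530' | Format-List

# On a real image, audit the live registry instead of the sample:
#   Test-WuPolicy -Policy (Get-WuPolicy) -ExpectedServer '<WSUS URL for this OU>'
```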
