Share via

recommended Windows Update configuration for the AVD session hosts and base image

Luke 75 Reputation points
2026-06-08T00:13:51.0133333+00:00

Hi there,

We have a Windows 11 multi-session AVD environment where multiple users log in to complete their daily work.

As we manage the environment using Nerdio and maintain a base image, we are considering handling Windows Updates by patching the base image regularly and then reimaging the session hosts from that updated image.

Does this approach sound appropriate as best practice?

If so, anyone could please advise on the recommended Windows Update configuration for the AVD session hosts and base image? For example, should Windows Updates be controlled via Group Policy, or should automatic updates be fully disabled on the live session hosts to prevent users from manually installing updates?

The goal is to keep all AVD hosts consistent, avoid user-triggered updates during business hours, and manage patching through the base image/reimage process.

Azure Virtual Desktop
Azure Virtual Desktop

A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.

0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Himanshu Shekhar 6,530 Reputation points Microsoft External Staff Moderator
    2026-06-08T04:11:48.99+00:00

    Yes the approach is correct and aligns with Microsoft's pattern for pooled, multi-session AVD. Patching the base (golden) image regularly and reimaging session hosts from that updated image is an established best practice for non-persistent/multi-session VDI, where hosts are treated as stateless and identical. [learn.microsoft.com], [learn.microsoft.com]

    Is the base-image + reimage approach appropriate? Yes. For Windows 10/11 multi-session host pools, Microsoft's documented patterns are:

    1. Re-deploy/reimage the host pool with an updated base image each month, or
    2. Use Microsoft Configuration Manager to deploy updates.

    Please note:

    Intune update rings and Azure Update Manager do not support multi-session the same way they do for standard clients, so the image-based approach is generally the cleanest for keeping hosts consistent. Since you're using Nerdio, this is exactly what its automation is built for and you can schedule image patching, schedule a new image version, and schedule host reimaging on a cadence. [learn.microsoft.com]

    Recommended Windows Update configuration - the base image is the single source of truth for updates, and live session hosts should not check Windows Update or allow user-triggered updates.

    1. On the base image
    • Install the latest cumulative/security updates during the image build, then run cleanup, then sysprep/seal and capture. [learn.microsoft.com]
    • Validate the image for stability before rolling it out, then reimage the host pool from the updated version. [learn.microsoft.com]

    Microsoft's VDI optimization guidance states that in the patched-image model, the virtual desktops do not need to check Windows Update directly. Updating is handled against the image, not ad-hoc on each host. [learn.microsoft.com]

    So, your instinct is right by disabling automatic updates on the live hosts. Use Group Policy (or Intune Settings Catalog for multi-session) to:

    • Disable/Configure Automatic Updates > set to disabled so users can't trigger updates during business hours.
    • Optionally hide the Windows Update settings page from end users (Settings Page Visibility policy) and prevent standard users from shutting down/restarting the host both common AVD hardening practices.
    • Group Policy is the recommended control mechanism, and it gives you centralized, consistent enforcement across all hosts rather than relying on per-host settings. [learn.microsoft.com]
    • "Fully disabling" automatic updates is achieved through that GPO (Configure Automatic Updates > Disabled). This prevents user-initiated/automatic patching while you manage everything via the image. [learn.microsoft.com]
    • Reason the AVD image docs recommend disabling automatic updates: it prevents unscheduled reboots and inconsistent patch levels across hosts that would disrupt user sessions and break image consistency. [learn.microsoft.com]

    References

    Was this answer helpful?

  2. Jose Benjamin Solis Nolasco 8,076 Reputation points Volunteer Moderator
    2026-06-08T01:18:45.2266667+00:00

    Welcome to Microsoft Q&A

    Hello Luke,

    Your proposed approach is absolutely best practice for an Azure Virtual Desktop (AVD) multi-session environment managed via an image orchestration tool.

    In a pooled multi-session environment, handling updates via a "Golden Image" (patching the base image and re-deploying/re-imaging the hosts) ensures absolute consistency, eliminates configuration drift, and prevents performance degradation caused by background update processes while users are working.

    To achieve your goal of complete centralized control and zero user-triggered disruptions, the Windows Update configurations must be treated differently on the base image versus the active session hosts.

    Base Image configuration:

    The base image is the only place where Windows Updates should ever run.

    • Configuration: Leave the Windows Update service enabled, but keep it on its default manual/automatic settings during image creation.
    • Process: When it is time to patch (typically monthly during Patch Tuesday cycles), you power on the base image (or run the Nerdio image automation script), trigger Windows Update manually, install all cumulative quality and security updates, reboot, seal the image, and push it out to the host pools.

    Live sesions host configuration:

    Once the session hosts are deployed from the image, automatic updates must be strictly blocked at the OS level to prevent background resource consumption and block users or the OS from initiating a reboot mid-day.

    The most reliable way to achieve this across your host pool is via Group Policy Objects (GPO) or Microsoft Intune, rather than disabling the Windows Update service entirely (as disabling the service can break other core features like the Microsoft Store or language pack installations).

    Source links:

    1. https://learn.microsoft.com/en-us/azure/virtual-desktop/session-host-update
    2. https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-golden-image
    3. https://learn.microsoft.com/en-us/intune/solutions/azure-virtual-desktop-multi-session

    😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!

    Was this answer helpful?

  3. AI answer

    2026-06-08T00:14:07.4433333+00:00

    Using a regularly patched base ("gold") image and then reimaging or redeploying Azure Virtual Desktop (AVD) session hosts from that image is an established and recommended pattern for non-persistent/multi-session VDI.

    The optimization guidance for VDI explicitly calls out this model: admins shut down VMs based on a master image, unseal the image, patch it, reseal it, and return it to production. In that model, the virtual desktop devices do not need to check Windows Update directly, and standard patching tools (Windows Update, Intune, or Microsoft Endpoint Configuration Manager) are used against the image or a controlled set of hosts rather than allowing ad-hoc updating on every session host.

    Given the goal of keeping all AVD hosts consistent and avoiding user-triggered updates during business hours, the configuration should align with the following principles:

    1. Treat the base image as the primary update source
      • Regularly patch the base image with the latest cumulative updates and security fixes.
      • After servicing the image, test its validity and stability before rolling it out.
      • Once validated, use that updated image to reimage or redeploy the session hosts so they all run the same build.
    2. Centralize update management rather than allowing interactive updates on session hosts
      • Use one of the supported enterprise mechanisms to control when and how updates are applied:
        • Microsoft Intune (recommended management platform for AVD) for device-based or user-based configurations on Windows 10/11 multi-session.
        • Microsoft Configuration Manager (Endpoint Configuration Manager) for domain-joined or Microsoft Entra hybrid joined session hosts, including automatic deployment rules (ADR) and collections specifically targeting AVD session hosts.
        • WSUS if using it to publish and approve feature updates for Windows Enterprise multi-session, similar to single-session Windows.
      • This ensures updates are applied in a controlled maintenance window and not initiated by end users.
    3. Windows Update configuration on live session hosts
      • For non-persistent/multi-session hosts that are regularly refreshed from a base image, it is appropriate to configure them so that they do not independently manage their own Windows Updates. The VDI optimization guidance notes that in environments where patching is done via a master image, virtual desktop devices do not need to check Windows Update.
      • In practice, this typically means:
        • Configure Windows Update behavior via Group Policy or your management platform so that updates are not automatically downloaded/installed during user sessions, and users are not prompted to install updates.
        • Ensure that any policy or configuration that would allow users to manually trigger Windows Update is restricted, so patching remains an admin-driven process.
      • The exact GPO settings are not detailed in the provided context, but the principle is to prevent ad-hoc updating on session hosts and rely on the base image and centralized tools instead.
    4. Use Intune or Configuration Manager for AVD host management
      • Intune is recommended to manage AVD session hosts and supports both device-based and user-based configurations for Windows 10/11 multi-session, allowing centralized control of update rings and maintenance windows.
      • Configuration Manager (current branch) can manage domain-joined or Microsoft Entra hybrid joined session hosts and can:
        • Group AVD session hosts into collections based on queries.
        • Use servicing plans and automatic deployment rules to approve and deploy updates to those collections.
      • This model aligns well with a base-image strategy: patch and validate the image, then use Intune/ConfigMgr policies to ensure any residual or interim updates are applied in a controlled way.
    5. Keep images and hosts current with monthly servicing
      • Windows uses a monthly update rhythm. The VDI optimization guidance emphasizes that organizations can choose the best approach (Windows Update, Intune, Configuration Manager) to update virtual desktop devices while reducing overhead.
      • For AVD, this typically means:
        • Monthly (or as required) update of the base image.
        • Optional use of marketplace images for Windows Enterprise multi-session, which are updated monthly after Patch Tuesday, as a starting point.

    In summary, the approach of patching the base image and reimaging AVD session hosts is aligned with recommended VDI practices. Windows Update on the live session hosts should be centrally controlled (via Intune, Configuration Manager, or WSUS policies) and configured so that users cannot manually initiate updates, keeping all hosts consistent and updates confined to planned maintenance cycles.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.