Virtual desktops are often promoted as a way to simplify patching and updating, but that's not always the case.
Although it is easier to manage updates when you control the power state of the endpoints, as you do with virtual desktops, the process is not much different from managing physical desktops. In fact, in many cases there are additional steps and scheduling you have to do. Plus, application and OS updates for virtual desktops tend to have a greater effect on shared infrastructure components.
Still, virtual desktops can reduce the time spent managing application updates and patches when compared with physical endpoint management.
Persistent vs. nonpersistent virtual desktops
So how do you go about updating virtualized desktops? Virtual desktops are deployed either as persistent or as nonpersistent, and that affects the way you'll patch and update them. Here's a breakdown of the pros and cons of updating both types:
Persistent virtual desktops
Persistent virtual desktops retain all the changes users have made to them across reboots and do not have a separate read/write differential disk. They are typically patched using the same processes used to patch physical desktops, but it's harder to roll back changes if application or OS updates don't work properly. Persistent virtual desktops also need to have their master images periodically updated.
- Located in the data center, so IT controls power state
- Good network connectivity and throughput
- No different from physical endpoints for patching and updating
- Need to stagger application and OS updates to reduce infrastructure load
- Requires traditional patch management tools
- Limited rollback options
Nonpersistent virtual desktops
Nonpersistent virtual desktops do not keep any changes, and they revert to their gold image after reboot. They write changes to a read/write differential disk that is flushed during the reboot.
Single image management allows IT to patch a single gold image for nonpersistent virtual desktops and then apply the new image to entire desktop pools. It is less time-consuming and more predictable to update a single OS image than to push changes to hundreds or thousands of local and/or remote instances. Still, the OS update process can be taxing on CPU, memory and disk resources, although the load is generally less when compared with persistent virtual desktops.
- Single image management
- Easy to roll back to previous image
- More steps required to manage and update the gold image
- Need to stagger OS and application updates to reduce infrastructure load
- Often need to manually update the gold image
So how does patching and updating virtual desktops compare with physical desktops? First of all, admins are more familiar with the process of updating physical endpoints. Also, the patching/updating workload is more distributed, so there is less impact on data center resources. On the downside, application and OS updates require more bandwidth on physical desktops. In addition, all the endpoints have to be available to receive updates, and it's more difficult to roll back changes.
What needs to be updated on virtual desktops?
Although updating virtual desktops is similar to updating physical ones, there are a few additional components you need to address:
Application streaming caches
Application streaming technologies such as Microsoft App-V, VMware ThinApp and Citrix XenApp allow administrators to install applications on demand by streaming the bits to the endpoint the moment they are requested. Some organizations pre-cache these bits in nonpersistent virtual desktops to reduce the amount of network and disk I/O generated by large applications when they launch. That cache stored on the gold image needs to be updated any time the streamed application package is updated.
Rearming Windows OSes and applications
Rearming your Windows desktop OS is normally the last step you perform before completing an update to a gold image. This process, which resets the trial period on your OS, involves running Sysprep to generalize the operating system. You can do a maximum of three rearms before you are required to rebuild your template gold image. You also need to rearm Microsoft Office 2010 and newer versions using a similar process.
You may also need to generalize other applications. Certain applications that use operating system variables may need to be cleared prior to shutdown. For example, any application that generates a one-time globally unique identifier to identify or license the software may need to be manually reset in the gold image prior to shutdown. That way, it is regenerated when the virtual desktop rolls out.
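The rearm-before-generalize step described above, as an added example that is not part of the original article: a pre-Sysprep check script for a Windows gold image. It assumes an elevated PowerShell session on the template VM, the SoftwareLicensingService WMI class, the default Sysprep location, and Office rearm tool paths that are assumptions to adjust for the installed Office version.

```powershell
# Added example (not from the original article): pre-Sysprep rearm check for a
# Windows gold image. Run elevated on the template VM. Without -Commit the
# script only reports what it would do.
param(
    [switch]$Commit
)

# Windows tracks how many rearms remain; the article's limit is three before
# the template must be rebuilt.
$sls = Get-WmiObject -Class SoftwareLicensingService
$remaining = [int]$sls.RemainingWindowsReArmCount
Write-Host "Remaining Windows rearms: $remaining"

if ($remaining -lt 1) {
    Write-Error "No rearms left. Rebuild the gold image from installation media instead of generalizing again."
    exit 1
}

# Office 2010 and newer ship OSPPREARM.EXE; these candidate paths are assumptions.
$officeRearm = @(
    "$env:CommonProgramFiles\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE",
    "$env:ProgramFiles\Microsoft Office\Office14\OSPPREARM.EXE",
    "$env:ProgramFiles\Microsoft Office\Office15\OSPPREARM.EXE"
) | Where-Object { Test-Path $_ } | Select-Object -First 1

if ($officeRearm) {
    Write-Host "Office rearm tool found: $officeRearm"
    if ($Commit) {
        & $officeRearm
        if ($LASTEXITCODE -ne 0) { Write-Error "Office rearm failed ($LASTEXITCODE)"; exit 1 }
    }
} else {
    Write-Host "No Office rearm tool found; skipping Office rearm."
}

# Sysprep /generalize performs the Windows rearm and strips machine-specific
# state (SID, activation) so every clone in the pool starts from a clean image.
$sysprep = "$env:SystemRoot\System32\Sysprep\sysprep.exe"
$sysprepArgs = '/generalize', '/oobe', '/shutdown'
Write-Host "Would run: $sysprep $($sysprepArgs -join ' ')"
if ($Commit) {
    Start-Process -FilePath $sysprep -ArgumentList $sysprepArgs -Wait
}
```

Run it once without -Commit to confirm the rearm count and tool paths, then with -Commit as the final step before the image is checked in.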
Antivirus signature files
Since nonpersistent virtual desktops revert to the read-only gold image at reboot, they delete any updates to the antivirus files that happen while the desktop is running. Some provisioning technologies and antivirus software allow the signature files to be redirected to a persistent storage area, such as the differencing disk or user profile. Other solutions require the signature file to be updated as soon as the virtual desktop boots up. In that case, you need periodic updates to the signature file in the gold image to guard against infection after boot, but prior to updating.
It's a good idea to do a full scan of the nonpersistent virtual desktop after installing updates. That reduces the amount of overhead from subsequent scans and can improve virtual desktop density and user experience. To avoid doing this manually, there are tools available that relocate antivirus scanning to virtual appliances on the hypervisor or are VDI-aware.
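The boot-time signature refresh described above, as an added example that is not from the original article: a startup script for a nonpersistent desktop that records how stale the gold image's definitions are, pulls fresh ones immediately, and flags the template for a refresh when its baked-in signatures exceed a threshold. It assumes Windows Defender with its PowerShell module (Windows 8 and later); the age threshold and log path are assumptions.

```powershell
# Added example (not from the original article): run at startup on a
# nonpersistent desktop. Assumes the Defender module; threshold and log path
# are assumptions.
$maxSignatureAgeDays = 3
# Assumed path. On a nonpersistent desktop this file is lost at reboot unless
# the location is redirected to persistent storage; point it at a share if needed.
$logPath = 'C:\ProgramData\vdi-av-boot.log'

function Write-Log([string]$msg) {
    $line = '{0:s} {1}' -f (Get-Date), $msg
    Add-Content -Path $logPath -Value $line
    Write-Host $line
}

Import-Module Defender -ErrorAction Stop

# What the desktop booted with is exactly what the gold image carries.
$before = Get-MpComputerStatus
Write-Log ('Gold-image signature {0} dated {1} ({2} days old)' -f `
    $before.AntivirusSignatureVersion, $before.AntivirusSignatureLastUpdated, $before.AntivirusSignatureAge)

# Always pull fresh definitions right after boot: whatever the previous session
# downloaded was discarded with the differencing disk.
try {
    Update-MpSignature -ErrorAction Stop
} catch {
    Write-Log "Signature update failed: $($_.Exception.Message)"
}

$after = Get-MpComputerStatus
Write-Log ('Running with signature {0} ({1} days old)' -f `
    $after.AntivirusSignatureVersion, $after.AntivirusSignatureAge)

# The window between boot and the first successful update is only as good as
# the definitions baked into the template, so tell the image owner when they
# have gone stale.
if ($before.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    Write-Log ("WARNING: gold image signatures are {0} days old; refresh them in the master image" -f $before.AntivirusSignatureAge)
}
```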
Scheduling and automating virtual desktop updates
It's best to update virtual desktops during times of low activity. With persistent desktops, updates are applied to each virtual desktop individually, which can consume significant CPU, memory and disk I/O.
For nonpersistent desktops, you can do gold image updates during business hours, but if you're rolling out a whole new image, it's better to do that after hours. Rolling out a new master image requires virtual desktops to be rebooted, no matter how small the change.
There are also options for automating the process of managing gold images. Microsoft's Deployment Toolkit can automate the build and update of Windows gold images and applications. If you are using Citrix Provisioning Server to deploy nonpersistent virtual desktops, you can use its vDisk technology to automate the process of scheduled or administrator-initiated Windows updates to vDisks.