Tehama provides two different types of Windows desktops:
- Our classic desktops, which are based on AWS Workspaces, and run Windows Server 2016
- Our next-generation desktops, Tehama Desktops, which run Windows Server 2019
For most organizations, ensuring that desktops are up to date on all critical patches is a core component of security and compliance, and this continues to be true when virtual desktops are managed within the secure perimeter of a Tehama Room.
While Tehama provides virtual desktops that include the default Windows Update capabilities provided by Microsoft, organizations leveraging Tehama are responsible for managing and monitoring updates for these desktops.
How are Windows Updates managed by default?
Windows updates rely on Windows Update, the standard Microsoft service that is provided by default with the Windows OS. Windows Update normally enables each individual desktop to reach out over the internet to Microsoft servers to check for updates, then downloads and installs them according to how Windows Update settings have been configured.
- AWS Workspaces desktops have automatic updates enabled by default.
- Tehama Windows Desktops have automatic updates disabled by default.
- This is in response to requests from customers who want more control over how updates behave.
- This doesn’t mean updates cannot happen: they can still be triggered manually by users or by Tehama DIA, or you can enable automatic updates and control their behaviour through Group or Local Policy. See below for details on these options.
Internet Access Requirements
Virtual desktops within a Tehama Room must have appropriate internet access to reach the Windows Update servers in order to query for updates. This is true whether updates are set up to be automatic or a user manually triggers a search for updates. Check your firewall rules in your Room to ensure this access is allowed.
Further, updates can only happen when a user is actively logged into a desktop. This is because there is no traffic allowed from a desktop within a Tehama Room unless a user is logged in.
How do I change Windows Update settings?
You have several options to control how Windows Updates behave, including the behaviour of automatic updates. These are capabilities provided by Microsoft, rather than Tehama, but there are a few ways you can modify them within a Tehama environment.
Some options you can configure:
- Enable/Disable Automatic Updates
- Control auto-restart behaviour to minimize disruption to end users
- Configure update and restart notifications, including enabling them for non-admin users
- Specify deadlines for updates and restarts
Refer to the Microsoft Windows Update or Group Policy documentation for full details on these settings. Note that options to schedule an update outside of active hours are not supported in Tehama, because the desktop has no internet access while no user is logged in. You may also want to confirm that the setting you are applying is compatible with the version of Windows Server that runs on the desktop.
Methods to configure these settings:
- Local Group Policy: If you would like to apply the change to individual virtual desktops, have the desktop user log in to the virtual desktop and modify these settings directly in Local Group Policy.
- Tehama Room Directory: If you would like to apply the change to all virtual desktops in a Room, the Tehama Room Directory allows you to log in as a Group Policy Admin and make these changes. They will automatically apply to all Windows desktops in the Room.
- Domain Join: If you would like to control these settings from your domain, set up a Domain Join Room. Tehama users will then inherit the Group Policy settings applied to their corresponding corporate users in your domain. Note that only Tehama Desktops (not AWS Workspaces) are supported in Domain Join Rooms.
Can I leverage my WSUS server?
Windows Server Update Services (WSUS) is a Microsoft tool for managing and distributing Windows updates. Instead of each individual desktop reaching out over the internet to locate available updates, desktops look to your WSUS server hosted in your network, and your WSUS server reaches out to Windows Update on their behalf.
You can use Group Policy to repoint your desktops to obtain automatic updates from WSUS. This option is described in the Microsoft documentation referenced above.
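The following is an added example, not Tehama's own tooling: it writes the same policy values that the Local Group Policy settings listed above (automatic updates, restart behaviour, non-admin notifications) and the WSUS repointing map to, so a single desktop can be configured from an elevated PowerShell session. The WSUS URL is a placeholder, and in a Domain Join Room the domain's Group Policy would overwrite these values on refresh.

```powershell
#Requires -RunAsAdministrator
# Added example: configure Windows Update policy on one desktop by setting the
# registry values behind Computer Configuration > Administrative Templates >
# Windows Components > Windows Update. Run while logged in, since that is the
# only time a Tehama desktop has internet access for the next update check.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'
foreach ($k in $wuKey, $auKey) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}

# Enable automatic updates (NoAutoUpdate=0). AUOptions=3 means "auto download,
# notify to install": the logged-in user installs during their session, which
# fits Tehama's constraint that updates only run while a user is logged in
# (AUOptions=4, scheduled install, would target hours with no connectivity).
Set-ItemProperty -Path $auKey -Name 'NoAutoUpdate' -Type DWord -Value 0
Set-ItemProperty -Path $auKey -Name 'AUOptions'    -Type DWord -Value 3

# Never force a restart while someone is signed in.
Set-ItemProperty -Path $auKey -Name 'NoAutoRebootWithLoggedOnUsers' -Type DWord -Value 1

# Let non-administrator users receive update and restart notifications.
Set-ItemProperty -Path $wuKey -Name 'ElevateNonAdmins' -Type DWord -Value 1

# Optional WSUS repointing; remove these three lines to keep using Microsoft's servers.
$wsus = 'http://wsus.example.internal:8530'   # placeholder, replace with your server
Set-ItemProperty -Path $wuKey -Name 'WUServer'       -Type String -Value $wsus
Set-ItemProperty -Path $wuKey -Name 'WUStatusServer' -Type String -Value $wsus
Set-ItemProperty -Path $auKey -Name 'UseWUServer'    -Type DWord  -Value 1

# Restart the Windows Update service so it re-reads policy, then show what was written.
Restart-Service -Name wuauserv -Force
Get-ItemProperty -Path $auKey | Select-Object NoAutoUpdate, AUOptions, NoAutoRebootWithLoggedOnUsers, UseWUServer
Get-ItemProperty -Path $wuKey | Select-Object WUServer, WUStatusServer, ElevateNonAdmins
```

To roll this out Room-wide, set the equivalent entries in the Tehama Room Directory Group Policy instead of running the script on each desktop.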
How does using Custom Images affect Windows Updates?
When provisioning a new desktop to a user, it’s generally desirable for it to be reasonably up to date. Otherwise, a user’s first login may be on a very out-of-date desktop, resulting in them needing to wait for a series of updates to occur in their first session.
To help with this, Tehama supplies and manages a “base image” and makes a best-effort attempt to keep it up to date. Therefore, when you create a new desktop in Tehama without using a custom image, the desktop will use Tehama’s most recent version of the base image and will be relatively up to date upon creation. Once the desktop is created, your organization will need to manage updates going forward.
However, organizations typically create their own custom images, with all of their important applications installed and settings applied, so they can provide a consistent out-of-the-box experience for their end users. Custom images do not automatically have Windows Updates applied, so if you have a very old image, new desktops created from that image will likely start several updates behind. Organizations that choose to use custom images are responsible for keeping their own images as up to date as their organization requires.
As the image is not hosted on an active machine, this process typically involves:
- Create a new desktop from your existing image
- Apply any Windows updates to that new desktop
- Create a new custom image from that desktop
- Begin using the new image to create desktops, and retire the old image
How do I get visibility to Windows Update status on all my desktops?
Visibility into the adoption of Windows Updates across your Tehama desktops is not provided directly within the Tehama admin console. However, Tehama Desktops Intelligence and Automation (DIA) can be used to gain visibility into missing patches, either per device or through reports.
You may also opt to use third-party monitoring tools to gain visibility into Windows Update status.
How can I enforce or script updates?
In addition to setting rules around how Windows Updates behave through Group Policy, you may opt to enforce the installation of updates.
Organizations may choose to use DIA in conjunction with the Tehama App Vault to supply and install Windows Updates on Tehama Windows Desktops, or use DIA to control how often and when Windows updates are downloaded and installed from the internet.
Note that, even with these methods, Windows Update can only run while a user is actively logged into the desktop, because internet connectivity is required for the DIA administration console to communicate with the DIA agent installed on the desktop.
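As an added example that is not Tehama's or DIA's own code, the script below uses the built-in Windows Update Agent COM API to list the updates a desktop is missing (a per-device visibility check whose output can be exported for reports) and, with `-Install`, to download and install them. It also serves as the "apply any Windows updates" step when refreshing a custom image; run it elevated while a user is logged in, since that is the only time the desktop can reach the update servers.

```powershell
#Requires -RunAsAdministrator
# Added example: scan for missing updates with the Windows Update Agent COM API
# and optionally install them. The search honours policy, so a desktop repointed
# at WSUS is scanned against WSUS; otherwise it queries Microsoft directly.
param([switch]$Install)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 0   # 0 = follow policy (WSUS if configured)
$search = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

# One row per missing update; pipe to Export-Csv to collect a report across desktops.
$missing = foreach ($u in $search.Updates) {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        Severity = $u.MsrcSeverity     # blank for non-security updates
        Title    = $u.Title
    }
}
$missing | Format-Table -AutoSize
if ($search.Updates.Count -eq 0) { Write-Host 'No missing updates.'; return }
if (-not $Install) { return }

# Build the collection to install, accepting EULAs where an update requires one.
$coll = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $search.Updates) {
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$coll.Add($u)
}

# Download first; ResultCode 2 = succeeded, 3 = succeeded with errors.
$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $coll
$dl = $downloader.Download()
if ($dl.ResultCode -notin 2, 3) { throw "Download failed with result code $($dl.ResultCode)" }

# Install while the user session (and therefore connectivity) is still active.
$installer = $session.CreateUpdateInstaller()
$installer.Updates = $coll
$res = $installer.Install()
Write-Host "Install result code $($res.ResultCode); reboot required: $($res.RebootRequired)"
```

Any restart that `RebootRequired` reports should be performed during the same logged-in session, because a pending restart cannot complete updates while the desktop is disconnected.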