Implementing Essential 8 Maturity Level 2 in Microsoft Cloud VDI (AVD & W365) – Application Control

Keeping rogue code out of your virtual cuppa

A stale flat white is bad, but a stale system image is worse.
In Cloud VDI, old software doesn’t just ruin the experience; it opens the door to exploitation. Whether you’re running Azure Virtual Desktop (AVD) or Windows 365, both need regular patching discipline to meet the ACSC Essential 8 “Patch Applications” Maturity Level 2 control.

These two platforms share the same goal of consistent, secure endpoints, but they take different routes to get there. Think of one as an automatic coffee pod machine and the other as a hand‑crafted espresso rig. Both deliver great results when maintained right.

What is Patch Applications?

The Patch Applications control ensures vulnerabilities in applications and online services are identified and remediated quickly.
At Maturity Level 2, you must:

  • Perform automated vulnerability scanning at least fortnightly.
  • Apply critical patches or mitigations within 48 hours.
  • Apply non‑critical patches within two weeks.
  • Patch other applications (non‑core) within one month.
  • Remove unsupported or end‑of‑life software.

It’s essentially maintenance discipline — applied not to a coffee grinder, but to your digital workspace.

How It Works in Cloud VDI

Essential 8 doesn’t dictate the tools — only the outcome. In Azure, the methods differ depending on whether you use Windows 365 or Azure Virtual Desktop.

Windows 365 — The Managed Shot

Windows 365 Cloud PCs are managed Windows devices. Microsoft maintains the backend, leaving you responsible for OS and app patching through Intune and Microsoft Defender for Endpoint.

Key components:

  • Intune Update Rings: Control OS update cadence and reboots.
  • Defender Vulnerability Management: Provides continuous vulnerability discovery and exposure scoring, satisfying the fortnightly scan requirement.
  • Patch My PC Enterprise: Automates packaging and updating of third‑party applications through Intune.
  • Intune Compliance Policies: Detect unsupported or outdated software and remove or re‑install as needed.

Workflow:

```mermaid
flowchart TD
  A[Microsoft 365 Admin] --> B[Intune Policies]
  B --> C[Windows 365 Cloud PCs]
  C --> D[Microsoft Update Services]
  C --> E[Patch My PC Third-Party Updates]
  C --> F[Defender Vulnerability Management]
  F --> G[Exposure Score & Reports]
  G --> H[Compliance Dashboard]
  classDef azure fill:#007FFF,stroke:#fff,color:#fff
  class B,C,D,E,F,G,H azure
```

In practice:

  1. Create and assign Windows Update Rings in Intune.
  2. Integrate Patch My PC for third‑party app patching.
  3. Monitor Defender Vulnerability Management weekly or fortnightly.
  4. Enforce compliance by removing unsupported or legacy software.

Result: Cloud PCs stay patched and compliant with minimal admin touch — automation does the pouring.

Azure Virtual Desktop — The Barista’s Setup

In AVD, you control the infrastructure, which means patching must cover both session hosts and the golden image in the Shared Image Gallery. The modern approach uses Azure Update Manager for orchestration and Defender Vulnerability Management for assurance.

Key components:

  • Azure Update Manager: Native patch management in the Azure Portal; replaces legacy Automation Accounts.
  • Shared Image Gallery: Source of truth for golden image lifecycle.
  • Defender Vulnerability Management: Performs regular (at least fortnightly) scans across hosts.
  • Patch My PC Enterprise (optional): Publishes third‑party app updates to Intune for deployment to AVD hosts.
  • Azure Policy: Ensures unsupported images or workloads are detected and blocked from deployment.

Workflow:

```mermaid
flowchart TD
  A[Admin Team] --> B[Golden Image in Shared Image Gallery]
  B --> C[Session Host Pool]
  C --> D[Azure Update Manager Patch Deployment]
  D --> E[Microsoft Update Services]
  C --> F[Defender Vulnerability Management Scans]
  F --> G[Vulnerability Reports / Log Analytics]
  E --> C
  B --> H[Monthly Image Refresh Cycle]
  classDef azure fill:#007FFF,stroke:#fff,color:#fff
  class B,C,D,E,F,G,H azure
```

In practice:

  1. Update the Golden Image: Patch the base image each month using Azure Update Manager. Include Windows updates, Microsoft 365 Apps, and common tools. Republish the image to your Shared Image Gallery.
  2. Patch Active Session Hosts: Use Azure Update Manager schedules to keep hosts current between image cycles.
  3. Vulnerability Visibility: Defender Vulnerability Management continuously scans sessions and reports missing patches.
  4. Reimage Regularly: Re‑deploy session hosts from the updated image to eliminate drift.

Result: A consistent, controlled baseline — every host as reliable as a freshly cleaned group head.

Real‑World Impact

Both AVD and Windows 365 can meet all Maturity Level 2 outcomes; they just get there differently:

| Platform | Responsibility | Tooling | Automation Level |
|---|---|---|---|
| Windows 365 | Intune‑driven patching and app updates | Intune, Defender, Patch My PC | High (hands‑off) |
| Azure Virtual Desktop | Admin controls image refresh and host patch cadence | Update Manager, Defender, optional Patch My PC | Medium (hands‑on) |

Either path gives you predictable patch windows, shorter vulnerability exposure, and clear audit evidence against ACSC requirements.

Implementation Examples

Windows 365 via Intune

  1. Create Update Rings: Intune Admin Centre → Devices → Windows Update Rings → Create Policy.
  2. Deploy Patch My PC: Synchronise supported applications to Intune and assign them to device groups.
  3. Defender Vulnerability Management: Enable vulnerability scanning and review exposure reports fortnightly.
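The Update Ring step above, done through Microsoft Graph instead of the portal, as an added example that is not from the original post or from Microsoft. It assumes the Microsoft.Graph PowerShell module is installed and that `$cloudPcGroupId` (a placeholder) is the Entra ID group containing your Cloud PCs; the deadline values are chosen to mirror the ML2 48‑hour critical window.

```powershell
# Added example: create an Intune Windows Update ring whose deadlines match the
# Essential 8 ML2 timelines, then assign it to a Cloud PC device group.
# Assumption: Microsoft.Graph module installed; $cloudPcGroupId is a placeholder.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$cloudPcGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder Entra ID group of Cloud PCs

$ring = @{
    '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
    displayName                        = 'W365 - E8 ML2 Quality Ring'
    description                        = 'No quality deferral; install forced within 48h of release'
    qualityUpdatesDeferralPeriodInDays = 0        # quality (security/critical) updates offered immediately
    featureUpdatesDeferralPeriodInDays = 14       # feature updates held back for image/app validation
    automaticUpdateMode                = 'autoInstallAtMaintenanceTime'
    microsoftUpdateServiceAllowed      = $true    # also pulls other Microsoft product updates
    driversExcluded                    = $false
    deadlineForQualityUpdatesInDays    = 2        # 48-hour critical window (ML2)
    deadlineForFeatureUpdatesInDays    = 7
    deadlineGracePeriodInDays          = 0        # no extra grace beyond the deadline
    postponeRebootUntilAfterDeadline   = $false
    installationSchedule = @{
        '@odata.type'    = '#microsoft.graph.windowsUpdateActiveHoursInstall'
        activeHoursStart = '08:00:00'             # avoid restarts during the working day
        activeHoursEnd   = '18:00:00'
    }
}

# Create the device configuration (the Update Ring).
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($ring | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Assign the ring to the Cloud PC group.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $cloudPcGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```

Verify the result under Devices → Windows Update Rings in the Intune Admin Centre; the settings there should match the hashtable above.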

AVD via Azure Update Manager

  1. Azure Portal → Azure Update Manager.
  2. Select your AVD session host resource group or machines.
  3. Create an update deployment schedule (weekly or monthly).
  4. Configure update classifications (Critical and Security).
  5. Enable reboot if required and monitor compliance in the Updates dashboard.

Example Bicep Snippet — VM Inclusion for Update Manager:

```bicep
// Maintenance configuration for weekly in-guest patching via Azure Update Manager.
// Scope must be 'InGuestPatch' (not 'OSImage', which is for scale-set image upgrades),
// and a customer-managed schedule needs InGuestPatchMode 'User'.
resource weeklySchedule 'Microsoft.Maintenance/maintenanceConfigurations@2023-10-01-preview' = {
  name: 'weeklySchedule'
  location: resourceGroup().location
  properties: {
    maintenanceScope: 'InGuestPatch'
    namespace: 'Microsoft.Maintenance'
    extensionProperties: {
      InGuestPatchMode: 'User'
    }
    visibility: 'Custom'
    maintenanceWindow: {
      duration: '03:55'                     // HH:mm; 03:55 is the maximum for in-guest patching
      startDateTime: '2024-01-01 02:00'     // yyyy-MM-dd HH:mm, interpreted in timeZone below
      recurEvery: 'Week Monday'             // weekly on Monday; ISO durations such as P7D are not accepted
      timeZone: 'AUS Eastern Standard Time' // AEST, as a Windows time-zone name
    }
    installPatches: {
      windowsParameters: {
        classificationsToInclude: [
          'Critical'
          'Security'
        ]
      }
      rebootSetting: 'IfRequired'
    }
  }
}

// Reference the existing AVD gold image VM. For a customer-managed schedule to apply,
// the VM's osProfile.windowsConfiguration.patchSettings must have
// patchMode 'AutomaticByPlatform' and bypassPlatformSafetyChecksOnUserSchedule = true.
resource vm 'Microsoft.Compute/virtualMachines@2021-07-01' existing = {
  name: 'avd-goldimg-01'
}

// Attach the maintenance configuration to the VM. configurationAssignments is an
// extension resource, so it must be scoped to the VM rather than the resource group.
resource maintenanceConfig 'Microsoft.Maintenance/configurationAssignments@2023-04-01' = {
  name: 'avdPatchSchedule'
  scope: vm
  location: resourceGroup().location
  properties: {
    maintenanceConfigurationId: weeklySchedule.id
    resourceId: vm.id
  }
}
```
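To turn the Azure Update Manager steps above and the Maturity Level 2 timelines (48 hours, two weeks, one month) into audit evidence for a host pool, here is an added example that is not part of the original post or of any Microsoft tooling. It assumes patch objects shaped like the `AvailablePatches` output of `Invoke-AzVMPatchAssessment` (Name, Classifications, PublishedDate); the mapping of Critical to 48 h, Security to 14 days and everything else to 30 days is an assumption of this example, and the sample data and KB numbers are constructed.

```powershell
# Added example: map missing patches reported by an Update Manager assessment onto
# the Essential 8 ML2 windows. Assumed tiering: Critical -> 48h, Security -> 14d,
# everything else -> 30d. Sample data below is constructed; it runs offline.
function Get-E8PatchSlaStatus {
    param(
        [Parameter(Mandatory)] [string]   $HostName,
        [Parameter(Mandatory)] [object[]] $MissingPatches,  # Name, Classifications, PublishedDate
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($p in $MissingPatches) {
        $age = $Now - [datetime]$p.PublishedDate
        if ($p.Classifications -contains 'Critical')     { $window = [timespan]::FromHours(48); $tier = 'Critical (48h)' }
        elseif ($p.Classifications -contains 'Security') { $window = [timespan]::FromDays(14);  $tier = 'Non-critical (14d)' }
        else                                             { $window = [timespan]::FromDays(30);  $tier = 'Other (30d)' }
        [pscustomobject]@{
            Host     = $HostName
            Patch    = $p.Name
            Tier     = $tier
            AgeDays  = [math]::Round($age.TotalDays, 1)
            Breached = $age -gt $window   # true when the patch is older than its ML2 window
        }
    }
}

# Constructed sample: what one session host's assessment might report as missing.
$sample = @(
    [pscustomobject]@{ Name = 'KB5000001 Cumulative Update (constructed)'; Classifications = @('Security', 'Critical'); PublishedDate = '2024-01-09T18:00:00Z' },
    [pscustomobject]@{ Name = 'KB5000002 .NET Security (constructed)';     Classifications = @('Security');             PublishedDate = '2024-01-02T18:00:00Z' },
    [pscustomobject]@{ Name = 'Contoso Reader 3.1 (constructed)';          Classifications = @('Updates');              PublishedDate = '2023-12-01T00:00:00Z' }
)
$report = Get-E8PatchSlaStatus -HostName 'avd-sh-01' -MissingPatches $sample -Now ([datetime]'2024-01-12T00:00:00Z')
$report | Format-Table -AutoSize

# Live use against a host pool (requires Az.Compute and Az.DesktopVirtualization and a signed-in session):
# Get-AzWvdSessionHost -ResourceGroupName 'rg-avd' -HostPoolName 'hp-prod' | ForEach-Object {
#     $vm = Get-AzResource -ResourceId $_.ResourceId
#     $a  = Invoke-AzVMPatchAssessment -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
#     Get-E8PatchSlaStatus -HostName $vm.Name -MissingPatches $a.AvailablePatches
# }
```

Rows with `Breached = True` are the ones to chase before the next Defender Vulnerability Management review; hosts that keep breaching are candidates for reimaging from the golden image rather than in-place patching.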

Gotchas & Edge Cases

  • Session Host Drift (AVD): Hosts patched manually or off‑cycle may deviate from the image — rebuild from the golden image regularly.
  • Third‑Party Apps (Both): Patch My PC covers most catalogues, but internal LOB apps still need custom packaging.
  • Licensing: Defender Vulnerability Management and Patch My PC require additional licensing.
  • Reboot Management: Coordinate reboots for AVD session hosts to avoid user disruption.

Best Practices

  • Scan Fortnightly: Use Defender Vulnerability Management to detect missing patches.
  • Automate Regularly: For W365, rely on Intune and Patch My PC; for AVD, lean on Azure Update Manager.
  • Refresh Monthly: Rebuild AVD golden images monthly and redeploy hosts.
  • Remove Unsupported Software: Detect and remove old versions through Intune or Azure Policy.
  • Visibility Matters: Monitor Defender exposure scores and Update Manager compliance to track posture improvement.
🍺 Brewed Insight:

For Windows 365, patching is a push‑button brew — Intune and Patch My PC handle the flow, Defender highlights the exposure, and compliance takes care of itself.

For Azure Virtual Desktop, you’re the barista. Update your golden image through Azure Update Manager, deploy it regularly, and let Defender confirm everything’s clean. It’s a little more manual but built for those who like precision control.

Different tools, same aroma — both paths deliver a smooth, ACSC Maturity Level 2‑compliant patch regime if you keep the cadence, refresh cycle, and scanning tight.

Learn More