Update Strategy and Backups
Recommend update strategies for session hosts, design backup strategies, and configure backup and restore for FSLogix profiles and personal desktops.
Update Strategy and Backups
Session hosts are Windows VMs — they need patches, they can fail, and user data can be lost. How you handle updates depends on whether you use pooled or personal desktops. And backup is not optional: if a user’s FSLogix profile vanishes on a Monday morning, you need a plan that does not involve “start from scratch.”
Update Strategies — Pooled vs Personal
The update approach is fundamentally different depending on your host pool type:
Pooled Host Pools — The Golden Image Approach
Pooled session hosts are stateless by design. User profiles live in FSLogix, so the VM itself is disposable. That means updating is a replace-and-swap operation:
- Create a new image — Start from your current golden image, apply Windows updates, app updates, and security patches
- Test the image — Deploy a small validation host pool and have testers verify apps work
- Deploy new session hosts — Add new VMs to the host pool using the updated image
- Drain old hosts — Enable drain mode on old session hosts so no new users land on them
- Remove old hosts — Once old hosts are empty, delete them
- Update the image in Compute Gallery — Save the new image as a new version
This is cleaner than in-place patching because you never accumulate configuration drift. Every VM starts fresh from a known-good image.
Personal Host Pools — Traditional Patching
Personal session hosts are stateful — users have data, installed apps, and customisations on their VMs. You cannot just replace them. Instead, use traditional patch management:
- Azure Update Manager — Assess missing patches, create maintenance configurations, schedule update deployments
- Microsoft Intune — Push Windows Update policies, manage update rings, control feature update timing
- WSUS — On-premises option for approving and distributing updates
- Windows Update for Business — Policy-based controls built into Windows
🏢 Raj’s golden image pipeline: Every Patch Tuesday, Raj’s team at TerraStack follows the same routine. They start a VM from the current Compute Gallery image, run Windows Update, update the Office suite, and install any new line-of-business app versions. After testing with a 10-user validation pool, they deploy 50 new session hosts, drain the old 50, and delete them by Friday. The whole 8,000-user environment gets patched without a single user being interrupted.
Exam Tip — Image-Based vs In-Place Updates
The exam will present scenarios and ask you to recommend an update strategy. Key rule: pooled = image-based (replace VMs), personal = in-place (patch VMs). If the question mentions “golden image” or “non-persistent,” think image-based. If it mentions “users have installed their own apps” or “dedicated VMs,” think in-place patching.
Azure Update Manager
Azure Update Manager works for both pooled and personal hosts, but it is especially important for personal pools where you cannot just replace VMs.
Key capabilities:
- Assessment — Scan VMs to see which patches are missing
- Maintenance configurations — Define when updates can be installed (maintenance windows)
- Scheduled deployments — Automatically install approved patches during the configured window
- Reporting — Track patch compliance across your fleet
You can scope update assessments and deployments to a resource group, subscription, or use tags to target specific host pools.
Backup Strategy for AVD
Backups protect three different things in AVD, each with its own approach:
1. FSLogix User Profiles
FSLogix profiles are stored on Azure Files (or Azure NetApp Files). Losing a profile means a user loses their Outlook data, browser bookmarks, desktop layout, and app settings.
How to back up:
- Azure Files backup — Use Azure Backup to protect the file share. This creates share snapshots at scheduled intervals.
- Share snapshots — Manual or automated snapshots of the Azure Files share. Each snapshot captures the state of all profiles at that moment.
- Backup frequency — Daily is recommended for most organisations. Critical environments may want every 12 hours.
How to restore:
- Restore an individual profile (VHD/VHDX file) from a snapshot
- Restore the entire file share to a point in time
- Mount the snapshot and copy specific files from inside a profile container
🎧 Mia’s Monday morning save: Dr. Patel calls Mia in a panic — she logged in and her Outlook has no emails, her desktop is blank, and her bookmarks are gone. Her FSLogix profile is corrupted. Mia opens the Recovery Services vault, finds last night’s backup of the Azure Files share, and restores just Dr. Patel’s VHD file to its location. Ten minutes later, Dr. Patel logs back in and everything is back to normal. “This is why we do daily backups,” Mia tells Tom at the next team meeting.
2. Personal Desktop VMs
Personal VMs contain user-installed apps, local data, and customisations that do not live in FSLogix. If a VM’s OS disk is corrupted, you need a full VM backup.
How to back up:
- Azure Backup with a Recovery Services vault
- Configure a backup policy: daily snapshots, weekly/monthly retention
- Backup captures the entire VM (OS disk + data disks)
How to restore:
- Restore the entire VM (creates a new VM from the backup)
- Restore disks only (replace the OS disk on the existing VM)
- File-level recovery (mount a backup and extract specific files)
Recommended frequency: Daily for active personal desktops, weekly for less critical ones.
3. Golden Images
Your golden images are the foundation for every pooled session host. Losing an image means you cannot deploy new VMs.
How to protect images:
- Azure Compute Gallery — Store images with version numbers. Keep at least the last 2-3 versions so you can roll back if a new image has problems.
- Cross-region replication — Replicate images to a secondary region for DR
- Do not delete old versions immediately — Keep them for at least one update cycle in case you need to roll back
| Component | Backup Method | Restore Granularity | Recommended Frequency |
|---|---|---|---|
| FSLogix profiles | Azure Backup for Azure Files (share snapshots) | Individual file, single profile, or entire share | Daily |
| Personal desktop VMs | Azure Backup with Recovery Services vault | Full VM, disk only, or individual files | Daily to weekly |
| Golden images | Azure Compute Gallery versioning + cross-region replication | Full image version | Every update cycle (keep 2-3 versions) |
| App Attach packages | Azure Files backup or separate storage with versioning | Individual MSIX package | When packages change |
| AVD configuration | Azure Resource Manager (infrastructure as code) | Full host pool, workspace, and app group config | On every change (version control) |
Deep Dive — FSLogix Profile Restore Walkthrough
When a single user’s profile is corrupted:
- Open the Recovery Services vault in the Azure portal
- Find the backup instance for your Azure Files share
- Select a restore point (yesterday’s backup, for example)
- Choose File Recovery and browse to the user’s VHD file (usually under the profile share’s root, named like
Profile_username.vhdx) - Download or restore the file directly to the share
- Rename or delete the corrupted profile VHD
- Place the restored VHD in its original location
- The user logs in and gets their restored profile
For Azure NetApp Files, use volume snapshots instead of Azure Backup share snapshots. The process is similar — locate the snapshot, restore the individual profile file.
Recovery Scenarios
| Scenario | What to restore | Method |
|---|---|---|
| User profile corrupted | Single FSLogix VHD file | Azure Files backup — file-level restore |
| Personal VM will not boot | Entire VM or OS disk | Azure Backup — VM or disk restore |
| Bad Windows update on pooled hosts | Roll back to previous image | Azure Compute Gallery — deploy from previous version |
| Accidental deletion of app group config | Host pool and app group settings | Redeploy from ARM templates or Bicep (infrastructure as code) |
| Storage account data loss | All profiles on a share | Azure Files backup — full share restore |
🏢 Raj’s image rollback: After deploying a new image with a driver update, TerraStack’s engineering team reports that AutoCAD crashes on launch. Raj does not need to panic — the Compute Gallery still has the previous image version. He deploys new session hosts from version N-1, drains the broken hosts, and removes them. Engineering is back to normal in under an hour while the team investigates the driver issue in a test environment.
Exam Tip — Backup vs DR
The exam distinguishes between backup (protect against data loss, corruption, accidental deletion — restore to same region) and disaster recovery (protect against region-wide failure — failover to another region). This module covers backup. The next module covers DR. Know which scenarios call for which.
Flashcards
Knowledge Check
Mia needs to update Windows on session hosts at Horizons Health. The host pool is pooled and uses FSLogix for profiles. What is the recommended update approach?
A user's FSLogix profile is corrupted after a storage issue. The profile is stored on an Azure Files share with Azure Backup configured for daily snapshots. What is the fastest way to restore just this one user's profile?
Raj needs to ensure TerraStack can quickly roll back if a new golden image causes issues after deployment. Which approach provides this capability?
Summary
Pooled hosts get updated by replacing them with fresh VMs from a new golden image. Personal hosts get patched in place with Azure Update Manager or Intune. Back up your FSLogix profiles daily with Azure Files backup, protect personal VMs with Azure Backup, and always keep previous image versions in Azure Compute Gallery. When something breaks, you need to restore — not rebuild.
Next up: What happens when an entire region goes down? — Disaster Recovery and Multi-Region.
🎬 Video coming soon
Update Strategy and Backups