ACSC Essential 8 Microsoft Cloud VDI Azure Virtual Desktop (AVD) Windows 365 (W365) Security & Compliance

Implementing Essential 8 Maturity Level 2 in Microsoft Cloud VDI (AVD & W365) – Patch OS

Patch Operating Systems – Don’t Let Your Base Get Stale

Ever left milk out in the sun? You know how that ends sour, useless, and a bit embarrassing if anyone catches you. Unpatched operating systems are the same. They start smooth and reliable, but leave them a few cycles and they turn into a security liability. In a cloud-hosted desktop environment, a stale OS image is like serving last week’s brew to your end users it’s risky, inconsistent, and hard to swallow.

What is Patch Operating Systems?

This control from the ACSC Essential Eight focuses on keeping your operating systems current to reduce exposure to known vulnerabilities. For Maturity Level 2, organisations must:

  • Apply critical patches for internet‑facing systems within 48 hours of release.
  • Apply non‑critical patches for internet‑facing systems within two weeks.
  • Apply all OS patches for internal systems and non‑internet‑facing workloads within one month.
  • Regularly run automated discovery and vulnerability scans (at least fortnightly).

In short, stay current or stay vulnerable.

How it Works in Cloud VDI

Whether you’re using Azure Virtual Desktop (AVD) or Windows 365 (W365), the principle is the same: your operating system layer must be patched on a consistent and traceable schedule.

Azure Virtual Desktop

  • Uses golden images: a master VM image updates and redeploys downstream hosts.
  • Azure Update Manager (UMC) or Windows Update for Business (WUfB) handles recurring OS updates.
  • You test patches and rebuild host pools using automation to keep environments fresh.

Windows 365

  • Each Cloud PC is policy‑driven through Intune and WUfB.
  • Admins configure servicing channels, deferral periods, and reboot behaviour.
  • Updates are delivered directly from Microsoft, meaning no image rebuilds or manual patch runs.

Real-World Impact

Unpatched operating systems are one of the most common root causes of ransomware incidents. Attackers leverage public exploits faster than most teams can brew a long black. Regular, automated patching:

  • Reduces the attack surface and vulnerability dwell time.
  • Ensures consistent compliance with ACSC’s mandated timeframes.
  • Improves operational stability and audit readiness.

In a cloud VDI setup, patch discipline is the difference between a smooth latte and a burnt espresso.

Implementation – Meeting the Essential Eight Timeframes

To hit the Maturity Level 2 compliance bar, your patching process must be automated, repeatable, and verifiable. Azure gives you multiple ways to meet the 48‑hour, two‑week, and one‑month patch windows across AVD and W365 environments.

1. Discover and Scan Regularly

Tools:

  • Microsoft Defender for Servers / Endpoint — Daily OS vulnerability scanning.
  • Azure Update Manager (UMC) — Detects missing updates and compliance drift.
  • Defender External Attack Surface Management — Identifies internet‑facing assets.

Cadence:

  • Asset discovery: every 14 days.
  • Vulnerability scans: daily for internet‑facing, fortnightly for internal.

2. Internet‑Facing Session Hosts – Patch Within 48 Hours

Create a daily security‑only update schedule for any AVD session hosts tagged as internet‑facing.

Azure Portal Steps

  1. Open Update Management Center.
  2. Create a new update deployment schedule.
  3. Target hosts tagged avd-role=sessionhost.
  4. Select update classification: Security.
  5. Set recurrence to Every 1 day.
  6. Enable automatic reboot and email notifications for compliance verification.

Bicep Example

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

// Define a maintenance configuration for daily patching of a VM
// This configuration targets OS image Critical updates and specifies a maintenance window
resource DailySchedule 'Microsoft.Maintenance/maintenanceConfigurations@2023-10-01-preview' = {
  name: 'dailySchedule'
  location: resourceGroup().location
  properties: {
    maintenanceScope: 'OSImage'
    namespace: 'Microsoft.Compute'
    extensionProperties: {}
    visibility: 'Public'
    maintenanceWindow: {
      duration: 'PT4H' // 4 hours of Maintenance
      startDateTime: '2025-01-01T02:00:00Z' // Start at 2 AM Sydney Time
      recurEvery: Day  // Every day
      timeZone: 'UTC+10:00' // AEST
    }
    installPatches:{
      windowsParameters:{
        classificationsToInclude:[
          'Critical'
        ]
      }
      rebootSetting: 'IfRequired'
    }
  }
}

// Apply the maintenance configuration to virtual machines with specific tags
resource tagBasedAssignment 'Microsoft.Maintenance/configurationAssignments@2023-04-01' = {
  name: 'AVD-tagBased-Critical-PatchSchedule'
  location: resourceGroup().location
  properties: {
    maintenanceConfigurationId: DailySchedule.id
    resourceId: '/subscriptions/${subscription().subscriptionId}/resourceGroups/${resourceGroup().name}' // Target the resource group
    filter: {
      tagSettings: {
        tags: {
          'avd-role': 'sessionhost'
        }
        filterOperator: 'All' // Match all specified tags
      }
    }
  }
}

This schedule comfortably achieves the critical‑within‑48‑hours mandate.

3. Internal or Non‑Internet‑Facing Hosts

For back‑end VMs and non‑internet‑facing AVD hosts:

  • Create a recurring deployment that includes both Critical and Security classifications.
  • Set frequency to every 14 days or monthly depending on risk classification.
  • Use tagging (e.g. patch-group=internal) to scope deployments automatically via Update Manager.

Portal Tip: Use Maintenance Configurations to enforce reboots after patching and to isolate patch windows outside business hours.

4. Windows 365 Cloud PCs – Intune Update Rings

Windows 365 handles updates through Windows Update for Business (WUfB), so compliance relies on your Intune configuration.

Steps:

  1. In Intune, navigate to Devices > Windows > Update Rings for Windows 10 and later.
  2. Create a new profile and set:
    • Quality update deferral: 0–7 days.
    • Servicing channel: Monthly Enterprise Channel.
    • Deadline for installation: 2 days after availability.
    • Enable auto‑restart with end‑user notice.
  3. Assign to Cloud PC groups.

This achieves both the 48‑hour critical and two‑week non‑critical timing requirements.

5. Verification and Reporting

Validation is what separates “automated patching” from documented compliance.

  • Use Azure Policy: “Machines should be compliant with Update Manager”.
  • Review UMC Compliance Reports weekly.
  • Export results to Log Analytics or Power BI for evidence.
  • Cross‑check with Defender for Endpoint’s Weaknesses and Exposures report.
ACSC Requirement Control Mechanism Frequency Verification
Internet‑facing hosts patched (critical ≤48 hrs) Daily security‑only Update Manager schedule Daily Update Manager compliance logs
Internet‑facing hosts patched (non‑critical ≤14 days) General update deployment 14 days UMC reports
Internal hosts patched (≤1 month) Tag‑based deployment scope Monthly Log Analytics reports
Vulnerability scanning Defender and Update Manager 1–14 days MDE dashboards

6. Image Lifecycle for AVD

flowchart TD A[Base OS Image] --> B[Apply Latest Patches in Staging] B --> C[Test Applications and GPOs] C --> D[Publish as Golden Image] D --> E[Deploy New Host Pool] E --> F[Automatic UMC Compliance and Reporting]

This ensures each AVD pool starts with a clean base image, patched hosts remain consistent, and rollback capability exists if a patch causes issues.

Gotchas & Edge Cases

  • Golden Image Drift: Avoid manually patching running hosts; always refresh from the updated base image.
  • Reboot Dependencies: Some cumulative updates don’t take effect until a restart.
  • Intune Sync Delay: W365 devices only check in at intervals — plan deadlines accordingly.
  • Testing Windows Updates: Use a staging host pool or pilot ring before mass deployment.

Best Practices

  • Align patch cycles with Microsoft Patch Tuesday for predictability.
  • Automate notification workflows using Logic Apps or Automation Runbooks.
  • Maintain tag‑based patch groupings (AVD‑PROD, AVDS‑UAT, W365‑TEST).
  • Track Compliance KPIs monthly — “mean time to patch” is an excellent internal metric.
  • Always verify before claiming ACSC compliance — auditors love data trails.
🍺
Brewed Insight: Patching is rarely glamorous, but it’s foundational. Think of it like regularly cleaning the group head on your espresso machine — skip it once and nobody notices, skip it twice and everything tastes off. Automate your patching, verify your cycles, and let Update Manager and Intune handle the grind for you.

Learn More