A Late-Night AVD Windows 11 25H2 Update Adventure

In this blog post, I’ll tell you about my struggles just two days after the official release of Windows 11 25H2 on the newly built Azure Virtual Desktop based on Windows 11 24H2 Multi-Session. In the truest sense of the word, the update ruined my quiet Thursday evening. Instead of enjoying a cold beer, I got to the bottom of the error, and I would like to share this first-hand experience with you.

Windows 11 25H2 – Release

First of all, what exactly happened?

Microsoft released the new Windows 11 25H2 on the evening of 30 September in Europe. With the help of the enablement package KB5054156, this will be distributed more or less directly to systems running Windows 11 24H2, provided that no corresponding policies are in place to defer this feature upgrade.

At first glance, you think, okay, no problem, why not try out the new version right away. In the weeks leading up to its release, there was a lot of positive talk in the community about the upcoming version 25H2. Trying out the new version on a private computer wouldn’t be such a big deal, but rolling it out directly in an enterprise environment is not an option for me.

To be honest, I wasn’t really aware of the release date; I thought it was in about two weeks’ time, not already on 30 September.

What happened within the AVD environment?

I was contacted by telephone yesterday evening to say that Windows 11 25H2 Multi-Session could be installed on the newly built AVD environment based on Windows 11 24H2 Multi-Session.

I first had to ask whether he really meant 25H2. When I connected to a session host, I couldn’t believe my eyes. At first, I immediately thought that it was going to be a long night for me. I spent at least half an hour wondering how this could have happened. Is this a quality update, or how on earth did it update directly to 25H2? Naturally, you start searching for the reason why this happened. For context, the AVD environment is Entra joined and fully managed within Microsoft Intune.

Troubleshooting

First, I checked the Intune configuration policies and, at first glance, did not discover any misconfiguration within Windows Updates for Business (WUfB). In my opinion, the two options to be configured were configured correctly:

  • Defer Feature Updates Period In Days
  • Defer Quality Updates Periods (Days)

In this context, I did a little research and found two other options within WUfB:

  • Product Version
  • Target Release Version

I configured both options and then rolled back the first session host to Windows 11 24H2. This has worked without any problems so far. Within a few seconds, the enablement package is uninstalled and the session host reboots briefly. After that, my goal was for the machine to report back to Intune and receive the latest configuration policies with the adjustments to the WUfB settings.

The session host applied the new configuration policy after more than an hour. When everything looked green at first glance in the Intune Dashboard, I started Windows Update again. And as is sometimes the case as an engineer, what you don’t want to happen just before 11 p.m. is exactly what happens. Windows 25H2 was downloaded and installed again.

So the search for the problem continues. If you click on the policy for further details, you will see that various WUfB settings cannot be applied to multi-session hosts. An attempt to set the most common registry keys was then abandoned relatively quickly, as these are also ignored.

Final solution for the problem

Shortly before midnight, the final solution was found. Most of the time, it is relatively simple, and this time too.

Within the Intune portal, under Devices -> Windows updates -> Features, you can create a policy that allows you to fix the version of your system.

In the drop-down menu marked in red, you can select the appropriate Windows 11 version and set it.

Assign the Windows Update Feature Policy to an AVD device group. If you do not yet have one, first create a group with the AVD session hosts as members.

Note

Currently, this is the only way I know of to fix the version of Windows 11 multi-session hosts that are managed via Intune. Please note that most Windows Update for Business settings are not taken into account in most cases.
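To confirm on a session host that the pinned version is actually holding, the following check can be run locally or used as a detection script. It is an added example, not part of the original post: the function name, the default pinned value `24H2` and the exit-code convention are assumptions, and it assumes the enablement package is reported through `Get-HotFix`.

```powershell
# Added example: audit a session host against the pinned feature version.
# Function name, parameter defaults and output shape are assumptions.
function Test-FeatureVersionPin {
    param(
        [string]$PinnedVersion = '24H2',        # version the feature update policy should hold
        [string]$EnablementKb  = 'KB5054156'    # enablement package named in the post
    )

    # DisplayVersion (e.g. 24H2 / 25H2) is what the host itself reports.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Get-HotFix writes an error when the KB is absent; suppress it and test for $null.
    # Assumption: the enablement package is listed by Get-HotFix when installed.
    $kb = Get-HotFix -Id $EnablementKb -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        Edition               = $cv.EditionID
        DisplayVersion        = $cv.DisplayVersion
        Build                 = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
        EnablementKbInstalled = [bool]$kb
        # Compliance is decided on the reported version; the KB is supporting evidence.
        Compliant             = ($cv.DisplayVersion -eq $PinnedVersion)
    }
}

$result = Test-FeatureVersionPin
$result | ConvertTo-Json -Compress

# A non-zero exit code flags the host as drifted from the pinned version.
if (-not $result.Compliant) { exit 1 }
exit 0
```

Running it before and after the feature update policy is assigned shows whether a host has moved past the pinned version while the policy was still being applied.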

Learnings

Personally, I learned a lot again from the lack of configuration for AVD session hosts. Since customer devices are managed via Autopatch, I assumed that these settings would also apply to the AVD machines.

A big thank you to my colleague, who played a major role in the analysis and finding a solution, despite spoiling the cool beer and quiet Thursday evening 😉.
