VMware Horizon Community
VirtualSven
Hot Shot
Hot Shot

How to manage RDSH / terminal servers with App Volumes?

I have a question about managing RDSH-servers with App Volumes. In my environment, I've noticed that when I have Appstacks attached to a RDSH-server and I want to install Windows Updates or updates to the applications which are installed locally, those updates are not installed anymore after a reboot. It looks as if App Volumes "captures" the changes to the OS and as the attached Appstacks are read-only, those changes are discarded after a reboot. See: http://svenhuisman.com/2015/05/disable-app-volumes-service-before-updating-os-or-installed-apps/

My question is: Is this expected behaviour and what is the best way to manage the RDSH-servers? Do you need to disable the App Volumes service before making changes to the OS?

Sven Huisman VMware vExpert 2009-2016 Twitter: @svenh blog: svenhuisman.com
Tags (2)
4 Replies
Ray_handels
Virtuoso
Virtuoso

I haven't seen this behaviour to be honest. We did update the RDSH server while an appstack was attached. Normally the filter driver only merges the appstack (which is read only) onto the operating system.

Could it be that you have also got a writable volume attached to it?

And stopping the filter driver is quite easy, could be worth a shot, i would at least test it.

net stop svdriver

net stop svservice

Reply
0 Kudos
longlejd
Contributor
Contributor

Did you ever find a resolution to this. I am experiencing the same issue.

Reply
0 Kudos
Rob90
Contributor
Contributor

We are facing the same issue.

We are deploying Windows updates monthly, as a workarround for the windows updates i can do the following:
Disabling app volumes service, rebooting RDSH server, installing updates, enabling app volumes service.

The biggest issue for us is installing antivirus definitions updates as they will be released daily, and also fail (we are using system center endpoint protection).

We cant stop the app volumes service on daily base (there will be to much down time for users), on the other side: not updating antivirus definitions will be a security risk.


Is there a way to solve this issue?


Thanks in advance.

Rob

Reply
0 Kudos
techguy129
Expert
Expert

My workaround for definition updates were to exclude the processes and directories. I created a blank Appstack and edit the snapvol.cfg. I attach that appstack to our rdsh servers.

In the snapvol.cfg file, make sure it include these:

exclude_path=\ProgramData\Microsoft\Windows Defender

exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender

exclude_path=\Program Files\Windows Defender

exclude_path=\Program Files\Microsoft Security Client

exclude_path=\Program Files\Microsoft Anitmalware

exclude_path=%SystemRoot%\system32\MpSigStub.exe

exclude_process_name=Msseces.exe

exclude_process_name=MsMpEng.exe

exclude_process_name=MpCmdRun.exe

exclude_process_name=AM_Delta.exe

(I believe that is all of them)

For windows updates, I follow the process of stopping and disabling the appvol services, restart, install updates, re-enable appvol services and reboot.