Through years of trial and error, I’ve cemented some of my personal best practices for desktop imaging that I’d like to share with all of you in this article. Although the technologies are very different, my practices for creating golden images of physical desktops and virtual desktops have many things in common.
Now, by no means am I suggesting this is industry best practice or even that you should follow my lead – I’m just sharing my methods. Maybe you do some of the same things yourself; feel free to leave feedback on our site.
Not So Bare Image
While I do like to keep my desktop image as bare as possible, I do make some exceptions:
- For patching purposes, I like to put Microsoft products in the image.
- I install our organization’s standard version(s) of .NET Framework, e.g. 3.5 SP1 (as a feature) and 4.6.2 Full.
- I install all relevant versions of Visual C++ Redistributable.
Some people like to install every single version of Visual C++ Redistributable, but I advise against this. For example, if 2005 is not required, why install it? You’re adding junk into the image for no reason, AND Visual C++ Redistributable support is aligned with versions of Visual Studio. 2005 is technically not supported, which means you’re introducing a needless security hole. I may also install J# runtime (if required), Silverlight (if required) and, of course, update PowerShell.
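One way to check a reference image against this rule before sealing it, as an added example (not the author's own script): it lists the Visual C++ Redistributables registered in both uninstall registry views and flags any release year outside an allow-list. The function names and the default `$ApprovedYears` values are assumptions made up for illustration; substitute your organization's own list.

```powershell
# Added example: audit Visual C++ Redistributables present in a reference image.
# $ApprovedYears is an assumed, organization-specific allow-list (constructed values).
param(
    [string[]]$ApprovedYears = @('2013', '2015')
)

function Get-VcRedistEntry {
    # Read both registry views: native and 32-bit (WOW6432Node) uninstall keys.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Microsoft Visual C\+\+ \d{4}.*Redistributable' } |
        Select-Object DisplayName, DisplayVersion
}

function Test-VcRedistEntry {
    # Hypothetical helper: tags each entry with its release year and approval state.
    param(
        [Parameter(Mandatory)] [object[]]$Entry,
        [Parameter(Mandatory)] [string[]]$Approved
    )
    foreach ($e in $Entry) {
        # The release year is the four-digit token right after the product name.
        $year = if ($e.DisplayName -match 'Visual C\+\+ (\d{4})') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{
            Year     = $year
            Name     = $e.DisplayName
            Version  = $e.DisplayVersion
            Approved = $Approved -contains $year
        }
    }
}

$found = @(Get-VcRedistEntry)
if ($found.Count -eq 0) {
    Write-Output 'No Visual C++ Redistributable entries found.'
    return
}

$report = Test-VcRedistEntry -Entry $found -Approved $ApprovedYears
$report | Sort-Object Year, Name | Format-Table -AutoSize

# A non-zero exit code lets a build pipeline reject the image when an unapproved runtime is present.
if ($report | Where-Object { -not $_.Approved }) { exit 1 }
```

Run it from an elevated PowerShell session inside the image before capture.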
Whether you put Microsoft Office on the image is up to you. Currently, I do put it on. My reasoning is that an organization doesn’t change versions of Office very often. Of course, putting this in the image means you’ll have to create a new image from scratch further down the line if you want to install a different version of Office or remove it. That’s why I’ll leave it up to you. I’d try to figure out your organization’s roadmap and strategy for Office 365 before deciding!
Once you have an image which has passed testing by pilot groups, the apps on the image remain pretty static, but you will need to inject patches frequently. When you can crack open your image once a month or quarter and install your latest updates, having the Microsoft products in the image ensures you get to do this ONCE for many. I prefer this because if you have a completely bare image that doesn’t include these apps and you install them as part of your build process instead, you’ll add several minutes and possibly multiple reboots to your imaging process PER desktop. When you calculate the time lost per desktop, you could be looking at hours or even days per year wasted.
If you have a patching solution which also enables you to patch some of your company-wide third-party apps, you could consider putting those in the image too. Most organizations I’ve worked for don’t have a specific tool for patching third-party apps, so I keep my images restricted to just the Windows applications.
Over the last year, Microsoft has moved to a different structure for patching. You may find that security patches are now delivered as monthly rollups. This can be challenging for some organizations, but regarding desktop imaging, it makes things a lot easier. Downloading and installing the patches takes about the same amount of time as far as I can tell, but it’s less of a guessing game about whether all the patches have arrived on the machine.
With Windows 10 and Server 2016, App-V and UE-V are included as features within the Operating System. I enable the App-V feature in these images and apply the relevant hotfixes.