
Automate Citrix MCS golden image patching





We are managing seven MCS golden images (four non-persistent VDI images and three server OS images) in production and seven in UAT, so 14 in total.


It takes nearly a month to complete the image patching, from UAT testing through to the production rollout, and then it goes on, as the next month's patches are ready by then.

In a nutshell, the process we follow is:

1. Power on the golden image on vSphere

2. Install the patches via SCCM

3. Run the sealing script

4. Shut down the image and snapshot it

5. Update the machine catalog with the latest snapshot


Is it possible to automate the aforementioned five steps? Even if we can automate fifty percent of what we are doing at the moment, that would really help our administrators save some time and do some productive work.


Any thoughts please?

Link to comment


Your hypervisor probably supports automation, usually through PowerShell or REST API.


Citrix supports automation through PowerShell.


SCCM will receive deployments.


Developing an automation workflow takes time but it can certainly be done. Citrix WEM in the Cloud has an automation module. For example - https://docs.citrix.com/en-us/workspace-environment-management/service/how-to/auto-apply-windows-updates.html


You'll find some scripting resources by Google searching.

Link to comment

I have 15 separate master images for 22 MCS machine catalogs, and it takes me about 3-4 days of actual work to patch them and roll them out with a similar process.


I'm not sure how it is taking a month unless you are including 3 weeks of UAT testing in that time?

Link to comment
On 10/27/2022 at 11:43 AM, LSN said:

Is it all a manual process that you have been doing to patch the images and update the catalogs?


I use SCCM in conjunction with 'Patch My PC'.  That takes care of Windows, Office, Chrome/Edge/Firefox, Adobe Reader/Acrobat Pro, and many other utilities that are installed.  It scans the master image and if it finds something it can update, it does so.


Then I use a utility called NeverRed (see Deyda.net here) in a 3-part shutdown and sealing-up script.   The first part of my script runs NeverRed, which pulls down the very latest Chrome, Edge, Edge WebView, OneDrive and Teams per-machine and installs them on the fly (it can also do much more).   Then in part two, it runs some PowerShell stuff I wrote to set some scheduled tasks to disabled, stop/disable certain services, tweak some registry keys, and remove a few shortcuts from the desktop and start menu.  The third part calls the Citrix Optimizer script to ensure everything else is set to Citrix best-practice recommendations.   Once those are all done, it pauses so I can check OneDrive and Teams are updated and the start menu looks how I want, then shuts down so I can take a snapshot.


So there's not a lot of manual work - power up master image, start SCCM agent service, then a day later log back in and briefly check it over before running a script to tidy up and shut it down.  I spent a fair amount of time writing PowerShell stuff which takes care of a lot of the hands-on work, but once done it then saves you a lot of work every month.


Obviously it then has to be pushed to UAT and Prod catalogs, but UAT I am allowed to do any time, and Prod we do as part of a monthly maintenance weekend on a Saturday evening.  We use the same master image for both Prod and UAT catalogs (so the only part being tested is the patches) but even so, it's a few clicks and a brief wait whilst MCS does its stuff.  Apart from making sure MCS completed the update, it's not really down to the Citrix admins to do the testing.

Link to comment
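
A sketch of how steps 1, 4 and 5 from the question can be chained with VMware PowerCLI and the Citrix PowerShell SDK, as an added example that is not code from any poster in this thread. It assumes both SDKs are loaded on the admin host, that the sealing script ends by shutting the VM down (as the last answer describes), and that the provisioning scheme shares the catalog's name; every server, VM and catalog name is a placeholder.

```powershell
# Added example: placeholder names throughout, not values from the thread.
$ErrorActionPreference = 'Stop'          # any failed step aborts the run
$vCenter   = 'vcenter.example.local'     # hypothetical vCenter
$masterVm  = 'GOLD-W10-UAT'              # hypothetical golden image VM
$catalog   = 'UAT-W10-NonPersistent'     # hypothetical MCS catalog / provisioning scheme
$sealLimit = (Get-Date).AddHours(24)     # time allowed for steps 2-3 inside the guest

Connect-VIServer -Server $vCenter | Out-Null

# Step 1: power on the golden image and wait for VMware Tools.
$vm = Get-VM -Name $masterVm
if ($vm.PowerState -ne 'PoweredOn') { $vm = Start-VM -VM $vm }
Wait-Tools -VM $vm -TimeoutSeconds 900 | Out-Null

# Steps 2-3 run in the guest (SCCM deployment, then the sealing script).
# The sealing script is assumed to shut the VM down; wait for that power-off.
while ((Get-VM -Name $masterVm).PowerState -ne 'PoweredOff') {
    if ((Get-Date) -gt $sealLimit) { throw "$masterVm was not sealed and shut down in time" }
    Start-Sleep -Seconds 300
}

# Step 4: snapshot the powered-off image under a dated name.
$snapName = 'Patched-{0:yyyy-MM-dd-HHmm}' -f (Get-Date)
New-Snapshot -VM (Get-VM -Name $masterVm) -Name $snapName -Description 'Monthly patch cycle' | Out-Null

# Step 5: find the snapshot through the Citrix XDHyp: drive. Searching recursively
# copes with nested snapshots, whose path includes every parent snapshot.
$scheme   = Get-ProvScheme -ProvisioningSchemeName $catalog
$vmPath   = "XDHyp:\HostingUnits\$($scheme.HostingUnitName)\$masterVm.vm"
$snapshot = Get-ChildItem -Path $vmPath -Recurse |
    Where-Object { $_.FullName -eq "$snapName.snapshot" }
if (-not $snapshot) { throw "Snapshot $snapName is not visible to Citrix under $vmPath" }

# Publish synchronously and fail loudly if MCS did not finish the update.
$task = Publish-ProvMasterVMImage -ProvisioningSchemeName $catalog -MasterImageVM $snapshot.FullPath
if ($task.TaskState -ne 'Finished') { throw "Catalog update ended in state $($task.TaskState)" }

# Non-persistent machines pick up the new image on their next restart.
Write-Output "Catalog $catalog now uses $($snapshot.FullPath)"
```

Pointing `$catalog` at a UAT catalog first keeps the production rollout a separate, deliberate run of the same script.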
