VCP 5 – Objective 5.6 – Patch and Update ESXi and Virtual Machines

Identify patching requirements for ESXi hosts and virtual machine hardware/tools

Not sure what is required here, I'll just talk about Update Manager in general and some config max numbers..

Update Manager is a solution developed by VMware that allows you to

  • Upgrade and patch ESX/ESXi hosts
  • Install and Update third-party software on hosts.
  • Upgrade virtual machine hardware, VMware Tools, and virtual appliances.

Update manager is a separate application that is registered with a vCenter instance.  Only one vCenter instance can be registered to one Update Manager instance.  Linked Mode can be used, but each vCenter instance will also need a Update Manager instance and each update manager instance can only patch and remediate the VMs/hosts associated with that vCenter.

Update Manager is broken into 2 main views.  The Administration View and the Compliance View.  The Administration View allows you to perform the following tasks.

  • Configure Update Manager Settings
  • Create and manage baselines and baseline groups
  • View UM events
  • Review and add patches to the patch repository.
  • Import ESXi Images.

Compliance View is mainly used for

  • Viewing compliance and scan results
  • Attaching and detaching baseline (groups) to inventory objects
  • Scanning an object
  • Staging and Remediating objects.

Update Manager can be configured to download patches either from the internet or from a shared repository.  You can also import patches manually in a zip file.  If your deployment system is connected to the internet, it makes sense to go that route.  For systems that aren't connected you can use a shared repository that is populated by the Update Manager Download Service (essentially downloads patches for you on another system).  UM will download the following

  • metadata about all ESX(i) 4.x and 5.x patches regardless of whether you have these versions in your inventory.
  • patches for 3.5 hosts (these are downloaded only if you add an 3.5 host to the inventory).
  • notification, alerts, and patch recalls for 4.x plus
  • metadata about the upgrades of virtual appliances.

System Requirements for Update Manager

  • Intel or AMD x86 processor with two ore more logical cores (2GHz).
  • 10/100/1000 nic.
  • 2gb RAM if on a different server than vCenter, 4GB if on the same machine.
  • An MSSQL or Oracle DB.
  • You need to create a 32 bit DSN.
  • Obviously needs vCenter.  UM 5 can only attach to vCenter 5.

Create/Edit/Remove a Host Profile from an ESXi host

So before we get into creating, editing, and removing I just want to describe what host profiles are and what options are available within them.

What is a host profile?

  • Creates a profile that encapsulates the host configuration and allows you to apply it to other hosts.
  • Eliminates the need to manually setup each and every host in a cluster
  • Provides consistency and correctness across host configuration
  • Only supported for ESXi 4.0 or later.  You cannot create a profile from a 3.5 host as a reference host.  You cannot apply a profile to a 3.5 host.  If you attach a profile to a cluster that contains both 4.0 and 3.5 hosts, the compliance check will fail on the 3.5 hosts.
  • Requires Enterprise Plus licensing.
  • Used in collaboration with Auto Deploy to provide a complete provisioning of a host from start to finish.

What is configurable within a host profile?

There are several policies within a host profile, below is a description of what they are.

  • Memory Reservation Configuration
    • The amount of memory that is reserved for the service console.
  • Storage
    • Can configure storage options including NMP, PSA, FCoE, iSCSI, and NFS
  • Networking
    • Can configure virtual switch, port groups, physical NIC speeds, security and NIC teaming policies, vDS, and vDS uplink ports
  • Date and Time
    • Configure date and time and time zone settings as well as NTP servers.
  • Firewall
    • Can enabled and disable firewall rules
  • Security
    • Add any additional users or groups and set the root password.
  • Service
    • Configure settings for a service (on or off).
  • Advanced
    • Can modify advanced options. 
    • Host profiles will not copy all advanced settings.  It will only copy those that have been changed from the default
    • Does not support the config of PCI devices to use VM passthrough.
  • User 
  • User Group Configuration
  • Authentication configuration
    • Join host to a domain and setup AD Authentication
  • Coredump partition settings
    • Enable or disable the coredump partition
  • Kernel module
    • I would just stay out of here 🙂
  • DCUI Keyboard
    • Language settings for the DCUI keyboard
  • Host Cache Settings
  • SFCB Configuration
  • Resource Pool
  • Login Banner
    • Change text on the login banner
  • SNMP Agent
    • configure SNMP
  • Power system
    • CPU power options
  • CIM Indication Subscriptions

Creating Host Profiles

There are a few ways to create or get a host profile into vCenter

  • Create from Host Profiles View from a reference host.
    • Select 'Create Profile' from the Admin View.
    • Select 'Create Profile from Existing Host'
    • Select the host you wish to use as the reference host.
    • Give the profile a name and description
    • DONE.
  • Create a profile from a reference host in hosts and clusters view
    • Select the host you wish to use
    • Right-Click and select Host Profiles -> Create Profile from Host.
    • Give the profile a name an description
    • DONE!
  • Importing a host profile
    • Select Create Profile from Admin View.
    • Select Import Profile
    • Browse to a valid host profile file (.vpf)
    • Select a host to designate as the reference host for the imported profile.
    • Give it a name and description
    • DONE!.  Note, when the profile is exported, any passwords are removed so you will be prompted to re-enter these when the profile is applied to a host.

Edit a Host Profile

  • Not very hard, select a profile and click 'Edit Host Profile'
  • Here you can change the Name and Description of the profile as well as all of the policies listed above.
  • You can also enable or disable the policy compliance check.

Remove a host profile

  • Right click the profile and select 'Delete'

Attach/Apply a Host Profile to an ESXi host or cluster

Attaching a Host Profile

There are many ways to attach a host profile to a host or cluster.  This can be done

  • from the Host Profiles main view
  • from the Hosts context menu
  • Clusters context menu
  • Clusters Profile compliance tab

When a profile is attached to a cluster, any host that enters that cluster will automatically be attached to the profile.  If however a profile is then detached from the cluster, the association between the host and the host profile remains.

The process to attach a host to a host profile is as follows

  1. Right click the desired host and select 'Host Profiles' -> Manage Profile
  2. Select the desired profile and select 'OK'
  3. DONE.

Applying a Host Profile

In order to bring the state of the host to that of the profile you need to apply it.  Applying host profiles can be done from a few spots

  • The Host Profiles Main View
  • The Hosts context menu
  • The Clusters Profile Compliance tab.

Process to Apply a profile is as follows

  1. Right click the host and select Host Profiles -> Apply Profile
  2. In the profile editor you will need to enter the required parameters.
  3. Click 'Finish' and DONE!

Perform compliance scanning and remediation of an ESXi host using Host Profiles

Checking compliance will ensure that the host or cluster has been correctly and continues to be correctly configured.

Again, the process of doing this is quite easy.  On the host, just right click and select 'Host Profiles' -> 'Check Compliance'.  On the cluster you  can select the cluster, navigate to the Profile Compliance tab and select the 'Check Compliance Now'.  When performing cluster compliance the following is checked

  • The cluster is checked for compliance with specific settings for hosts in the cluster such as DRS, HA and DPM.  The compliance status will then be updated.   This check is performed regardless if a host profile is attached to the cluster or not.
  • If there is a host profile attached, the cluster will be checked for compliance with it.
  • A compliance status can be Non-compliant, unknown, or compliant.

Install and Configure vCenter Update Manager

Update Manager is divided into two separate installations.  The server and the plug-in.  The plug-in is simply downloaded and installed in the vSphere client.  The server installation and configuration is what I will concentrate on here.  I talked alot about the requirements of Update Manager in the first section of this page, so I will just include some other notes from the documentation here.

Database Requirements

  • must be a 32 bit DSN unless you use the bundled SQL 2008 R2 Express
  • Must use SQL authentication if the database is on a remote host.

More Update Manager Requirements

  • can only be installed on 64 Bit OS.
  • Upgrade supports upgrades from 1.0 and 4.x

There are a couple of deployment model listed

  • Internet-Connected Model – UM is connected to the VMware patch repository directly.
  • Air-gap Model – UM has no connection to the VMware patch repository.  Instead, UMDS is used to download and store patches in a shared repository.  UM will then connect to this repository.

Then they list more deployment models

  • All-in-one model – vCenter and UM are installed on one host and their db's are on the same host.  Used in a very small environment.
  • Medium Deployment Model – vCenter and UM are installed on one host and their db's on two separate hosts.  This model is recommended for medium deployments (300 VMs or 30 hosts).
  • Large Deployment model – vCenter and UM run on separate hosts, each with it's own dedicated db server.  Recommended for 1000 VMs or 100 hosts.

Configure patch download options

Patch download options are configurable in the Configuration tab in Update Manager Admin View.  The following can be configured.

  • Download Settings – Allows you to specify whether you use a direct connection to VMwares repository or a shared repository of your own (if using UMDS).  Enable or disable certain repositories.  Setup proxy settings.  You can also import patches from a zip file.
  • Download Schedule – Can enable or disable the schedule or change the schedule to download
    • If editing the schedule you need to specify the frequency (daily, weekly, monthly, hourly, once) , the start time and the interval.  You can also setup email notifications.
    • Can also be modified in the Scheduled Tasks.
  • Notification Schedule – Same deal as downloads, just for notifications.

Create/Edit/Delete an Update Manager baseline

Baselines can be upgrade, extension, or patch baselines.  Baseline groups are assembled from existing baselines.  Baselines are what hosts/VMs are evaluated against when scanning.  By default Update Manager includes two patch baselines and three upgrade baselines.

  • Critical Host Patches – Checks ESX(i) hosts for compliance with all critical patches
  • Non-Critical Host Patches – Checks ESX(i) hosts for compliance with non-critical patches
  • VMware Tools Upgrade to Match Host – Checks VMs for compliance with the latest VMware Tools version installed on the host. UM supports upgrading VMware Tools on hosts that are running 4.0 or later.
  • VM Hardware Upgrade to Match Host – Checks the virtual hardware of a VM for compliance with the latest version supported by the host.
  • VA Upgrade to Latest – checks virtual appliance compliance with the latest released version.

Earlier I mentioned there are three types of baselines; patch, extension, and upgrade.  Below is these in more detail.

Patch Baselines

Patch Baselines are further broken down into 2 categories; Dynamic and Fixed.  Dynamic Baselines contain a set of patches that update automatically according to patch availability based on the criteria specified (such as critical host patches).  Fixed baselines will only contain patches that you select regardless of updates or new patches (such as apply HP CIM Updates).

You can also manually add or exclude patches in dynamic baselines.  These patches will not be affected by new patch downloads.  When adding a dynamic patch baseline the criteria you can specify is as follows

  • Patch Vendor – specify a certain vendor
  • Product – Restrict patches to selected products or operating systems.
  • Severity – severity to include (Any, Low, Moderate, Important, Critical)
  • Category – category of patch (Any, Security, BugFix, Enchainment, Other)
  • Release Date – can filter out by release date.

Extension Baselines

Extension baselines contain additional software modules for ESX(i) hosts.  This can be from VMware or from third-party vendors.  To create a host extension baseline be sure to select Host Extension as your baseline type.  An example of this is the Cisco Nexus 1000V.

Upgrade Baselines

Upgrade Baselines are again broken down into a two different categories, Host Upgrades and VA Upgrades

Host Upgrades

  • Allow you to upgrade hosts to a new version.  Uses images (ISO) files that you upload to the server.
  • Supports upgrade from ESXi 4 to 5, and migration from ESX 4.x to 5, however if the host was upgraded from 3.x to 4.x, you cannot upgrade it with UM.  Those hosts do not have sufficient space in /boot.

VA Upgrades

  • Contain a set of updates to operating systems and applications in virtual appliances.
  • Can upgrade VA to the latest version, or a specific version number

I'm not going to go into detail about creating the baselines as it is pretty straight forward if you know all the above information.  A few other notables are listed below

  • When deleting a baseline, it automatically detaches it from hosts and clusters.
  • Baseline groups consist of non conflicting baselines.
  • The most famous use for a baseline group is called an orchestrated upgrade which contains the VMware Tools to match host baseline as well as the VM hardware to match host.
  • There are two types of baseline groups; baseline groups for hosts and baseline groups for VMs and virtual appliances.

Attach an Update Manager baseline to an ESXi host or cluster

Attaching baselines and baseline groups to hosts is done through the Update Manager Client compliance view.  Individual objects inherit baselines that are attached to their parent objects.  Really, there isn't much to talk about here…it's a pretty simple task.

Scan and remediate ESXi hosts and virtual machine hardware/tools using Update Manager


Scanning is the process in which the hosts, VMs, or virtual appliance are evaluated against the baselines.  Scans can either be manually initiated or schedule to run in the future.  

The process of scanning is as follows

  1. Click Scan 🙂
  2. Select to either scan for Patches and Extensions or Upgrades
  3. DONE

Just a note, to scan hosts you need to be in hosts and cluster view, to scan VMs and virtual appliances, VMs and templates view.

Once the scan has completed you will be able to review the scan results and compliance states.  The following information is included in the scan results.

  • Last time a scan was completed at this level
  • total number of noncompliant, incompatible, unknown and compliant updates
  • Number of VMs, Hosts, Virtual Appliances that are applicable, non-compliant, incompatible, unknown, or compatible.
  • Number of updates that are applicable to particular virtual machines, appliances, or hosts.

You can also view the compliance states for updates which include

  • Conflict – update conflicts with either an existing update or another update in the repository.
  • Conflicting New Module – host update is a new module that provides software for the first time but is in conflict with either and existing update or another update in the repository.
  • Incompatible Hardware – The hardware of the selected object is incompatible or has insufficient resources to perform the update.
  • Installed – update was installed.
  • Missing – Update is applicable to the target but is not yet installed.
  • Missing Package – metadata is in the repository, but the corresponding binary is not. (different locales, deleted).
  • New Module – The update is a new module and can't be installed in a patch baseline, need an extension baseline.
  • Not Applicable – not applicable to the target object
  • Not Installable – can't be installed on the target
  • Obsoleted By Host – Target probably has a newer patch that fixes the same problem.
  • Staged – Update has been copied to host and is awaiting remediation.
  • Unknown – the patch is in a unknown state until a scan is performed.
  • Unsupported Upgrade – upgrade path is not possible.

You can also view the patch details which include 

  • Name
  • Vendor
  • Compliance (explained above)
  • Patch ID
  • Severity (hosts: critical, general, security – VMs: critical, important, moderate).
  • Category (security, enhancement, recall, info, other)
  • Impact – whether the host needs to be in maintenance mode or rebooted.
  • Release Date

Extension Details Include

  • Name, Vendor, Compliance, Patch ID, Severity, Category, Impact, Release Date

Upgrade Details are a bit different, they include

  • Baseline Name
  • Baseline Type
  • Baseline Description
  • Compliance state
  • ESXi Image – image included
  • Version – targeted version of the upgrade
  • Vendor – vendor that provided ESXi image
  • Acceptance Level – the acceptance level of the ESXi image and included software packages.  Images can either be signed or unsigned indicating their acceptance level by VMware.  Software packages within the ESXi image can have the following levels.
    • VMware Certified – went through VMwares rigorous certification program and is signed by VMware.  Fully Supported by VMware.
    • VMware Accepted – went through a less rigorous program that only verifies the package will not destabilizes the system.  VMware support will hand off support calls to the vendor.
    • Partner Supported – Partner has singed a deal with VMware  VMware will hand off support calls to the partners.
    • Community Supported – Package is unsigned. No support.


Again, as simple as clicking 'remediate' but there are a few notables

  • When updating hosts in a cluster, if one fails, the process stops.  No more hosts are remediated.
  • If DRS cannot move a VM the process does not stop, it simply goes to the next host.
  • When remediating hosts that have been 'auto deployed' it will not install reboot packages.

Stage ESXi host updates

Staging allows you to download the patches and extensions from the UM server to the ESXi hosts without applying them.  This helps you speed up the remediation process and minimize the downtime required.  Staging will not stage patches that conflict with one another.

Leave a Reply

Your email address will not be published. Required fields are marked *