VMware vSphere Update Manager - 6.0.1 Installation Manual

Installing and Administering VMware vSphere Update Manager
Update 1
vSphere Update Manager 6.0
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2009–2015 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

About Installing and Administering VMware vSphere Update Manager
1 Understanding Update Manager
  Overview of the Update Manager Client Interfaces
  About the Update Manager Process
  Configuring the Update Manager Download Source
  Downloading Updates and Related Metadata
  Importing ESXi Images
  Creating Baselines and Baseline Groups
  Attaching Baselines and Baseline Groups to vSphere Objects
  Scanning Selected vSphere Objects
  Reviewing Scan Results
  Staging Patches and Extensions to Hosts
  Remediating Selected vSphere Objects
2 System Requirements
  Update Manager Hardware Requirements
  Supported Operating Systems and Database Formats
  Update Manager Compatibility with vCenter Server, vSphere Client and vSphere Web Client
  Required Database Privileges
3 Preparing the Update Manager Database
  Create a 32-Bit DSN on a 64-Bit Operating System
  About the Bundled Microsoft SQL Server 2012 Express Database Package
  Maintaining Your Update Manager Database
  Configure a Microsoft SQL Server Database Connection
  Create a New Data Source (ODBC)
  Identify the SQL Server Authentication Type
  Configure an Oracle Database
  Configure an Oracle Connection to Work Locally
  Configure an Oracle Database to Work Remotely
4 Installing Update Manager
  Prerequisites for Installing the Update Manager Server
  Obtain the Update Manager Installer
  Install the Update Manager Server
  Install the Update Manager Client Plug-In
  Enable the Update Manager Web Client Plug-In
5 Upgrading Update Manager
  Upgrade the Update Manager Server
  Upgrade the Update Manager Java Components
6 Best Practices and Recommendations for Update Manager Environment
  Update Manager Deployment Models and Their Usage
7 Uninstalling Update Manager
  Uninstall the Update Manager Server
  Uninstall the Update Manager Client Plug-In
8 Installing, Setting Up, and Using Update Manager Download Service
  Installing UMDS
  Compatibility Between UMDS and the Update Manager Server
  Install UMDS
  Setting Up and Using UMDS
  Set Up the Data to Download with UMDS
  Change the UMDS Patch Repository Location
  Configure URL Addresses for Hosts and Virtual Appliances
  Download the Specified Data Using UMDS
  Export the Downloaded Data
9 Configuring Update Manager
  Update Manager Network Connectivity Settings
  Change the Update Manager Network Settings
  Configuring the Update Manager Download Sources
  Configure Update Manager to Use the Internet as a Download Source
  Add a New Download Source
  Use a Shared Repository as a Download Source
  Import Patches Manually
  Configure the Update Manager Proxy Settings
  Configure Checking for Updates
  Configuring and Viewing Notifications
  Configure Notifications Checks
  View Notifications and Run the Notification Checks Task Manually
  Types of Update Manager Notifications
  Take Snapshots Before Remediation
  Configuring Host and Cluster Settings
  Configure Host Maintenance Mode Settings
  Configure Cluster Settings
  Enable Remediation of PXE Booted ESXi Hosts
  Configure Smart Rebooting
  Configure the Update Manager Patch Repository Location
  Restart the Update Manager Service
  Run the VMware vSphere Update Manager Update Download Task
  Update Manager Privileges
10 Working with Baselines and Baseline Groups
  Creating and Managing Baselines
  Create and Edit Patch or Extension Baselines
  Create and Edit Host Upgrade Baselines
  Create and Edit a Virtual Appliance Upgrade Baseline
  Delete Baselines
  Creating and Managing Baseline Groups
  Create a Host Baseline Group
  Create a Virtual Machine and Virtual Appliance Baseline Group
  Edit a Baseline Group
  Add Baselines to a Baseline Group
  Remove Baselines from a Baseline Group
  Delete Baseline Groups
  Attach Baselines and Baseline Groups to Objects
  Detach Baselines and Baseline Groups from Objects
11 Scanning vSphere Objects and Viewing Scan Results
  Manually Initiate a Scan of ESXi Hosts
  Manually Initiate a Scan of Virtual Machines and Virtual Appliances
  Manually Initiate a Scan of a Container Object in Update Manager Web Client
  Schedule a Scan
  Viewing Scan Results and Compliance States for vSphere Objects
  View Compliance Information for vSphere Objects
  Review Compliance with Individual vSphere Objects
  Compliance View
  Compliance States for Updates
  Baseline and Baseline Group Compliance States
  Viewing Patch Details
  Viewing Extension Details
  Viewing Upgrade Details
  Host Upgrade Scan Messages in Update Manager
  Host Upgrade Scan Messages When Cisco Nexus 1000V Is Present
  VMware Tools Status
12 Remediating vSphere Objects
  Orchestrated Upgrades of Hosts and Virtual Machines
  Remediating Hosts
  Remediation Specifics of ESXi Hosts
  Remediating Hosts That Contain Third-Party Software
  Remediating ESXi 5.x Hosts Against ESXi 6.0 Image
  Remediation Specifics of Hosts That Are Part of a Virtual SAN Cluster
  Stage Patches and Extensions to ESXi Hosts
  Remediate Hosts Against Patch or Extension Baselines
  Remediate Hosts Against an Upgrade Baseline
  Remediate Hosts Against Baseline Groups
  Cluster Remediation Options Report
  Remediating Virtual Machines and Virtual Appliances
  Rolling Back to a Previous Version
  Remediate Virtual Machines and Virtual Appliances
  Upgrade VMware Tools on Power Cycle
  Scheduling Remediation for Hosts, Virtual Machines, and Virtual Appliances
13 View Update Manager Events
  View Tasks and Events for a Selected Object
  Update Manager Events
14 Patch Repository and Virtual Appliance Upgrades
  View Available Patches and Extensions
  Add and Remove Patches or Extensions from a Baseline
  Search for Patches or Extensions in the Patch Repository
  View Available Virtual Appliance Upgrades and Accept EULAs
15 Common User Goals
  Applying Patches to Hosts
  Applying Third-Party Patches to Hosts
  Testing Patches or Extensions and Exporting Baselines to Another Update Manager Server
  Applying Extensions to Hosts
  Orchestrated Datacenter Upgrades
  Orchestrated Upgrade of Hosts
  Orchestrated Upgrade of Virtual Machines
  Upgrading and Patching Hosts Using Baseline Groups
  Upgrading Virtual Appliances
  Keeping the Hosts Compliant With the Most Recent Patches
  Associating the UMDS Patchstore Depot with the Update Manager Server
  Associate the UMDS Depot with the Update Manager Server Using a Portable Media Drive
  Associate the UMDS Depot with Update Manager Server Using IIS
  Associate the UMDS Depot with Update Manager Server Using Apache
  Generating Common Database Reports
  Generate Common Reports Using Microsoft Office Excel 2003
  Generate Common Reports Using Microsoft SQL Server Query
  Setting a Bandwidth Limit for Downloading of ESXi 5.x Patches
  Limit the Update Download Bandwidth by Running an esxcli Command
16 Troubleshooting
  Update Manager Web Client Remains Visible in the vSphere Web Client After Uninstalling Update Manager Server
  Connection Loss with Update Manager Server or vCenter Server in a Single vCenter Server System
  Gather Update Manager Log Bundles
  Gather Update Manager and vCenter Server Log Bundles
  Log Bundle Is Not Generated
  Host Extension Remediation or Staging Fails Due to Missing Prerequisites
  No Baseline Updates Available
  All Updates in Compliance Reports Are Displayed as Not Applicable
  All Updates in Compliance Reports Are Unknown
  VMware Tools Upgrade Fails if VMware Tools Is Not Installed
  ESXi Host Scanning Fails
  ESXi Host Upgrade Fails
  The Update Manager Repository Cannot Be Deleted
  Incompatible Compliance State
  Updates Are in Conflict or Conflicting New Module State
  Updates Are in Missing Package State
  Updates Are in Not Installable State
  Updates Are in Unsupported Upgrade State
17 Database Views
  VUMV_VERSION
  VUMV_UPDATES
  VUMV_HOST_UPGRADES
  VUMV_VA_UPGRADES
  VUMV_PATCHES
  VUMV_BASELINES
  VUMV_BASELINE_GROUPS
  VUMV_BASELINE_GROUP_MEMBERS
  VUMV_PRODUCTS
  VUMV_BASELINE_ENTITY
  VUMV_UPDATE_PATCHES
  VUMV_UPDATE_PRODUCT
  VUMV_ENTITY_SCAN_HISTORY
  VUMV_ENTITY_REMEDIATION_HIST
  VUMV_UPDATE_PRODUCT_DETAILS
  VUMV_BASELINE_UPDATE_DETAILS
  VUMV_ENTITY_SCAN_RESULTS
  VUMV_VMTOOLS_SCAN_RESULTS
  VUMV_VMHW_SCAN_RESULTS
  VUMV_VA_APPLIANCE
  VUMV_VA_PRODUCTS
Index

About Installing and Administering VMware vSphere Update Manager

Installing and Administering VMware vSphere Update Manager provides information about installing, configuring, and using VMware® vSphere Update Manager to scan and remediate the objects in your vSphere environment. It also describes the tasks that you can perform to update your vSphere inventory objects and make them compliant against attached baselines and baseline groups.
For scanning and remediation, Update Manager works with the following ESXi versions.
- For VMware Tools and virtual machine hardware upgrade operations, Update Manager works with ESXi version 5.0 and later.
- For ESXi host patching operations, Update Manager works with ESXi 5.0 and later.
- For ESXi host upgrade operations, Update Manager works with ESXi 5.0 and later.
Intended Audience
This information is intended for anyone who wants to install, upgrade, or use Update Manager. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.

1 Understanding Update Manager

Update Manager enables centralized, automated patch and version management for VMware vSphere and offers support for VMware ESXi hosts, virtual machines, and virtual appliances.
With Update Manager, you can perform the following tasks:
- Upgrade and patch ESXi hosts.
- Install and update third-party software on hosts.
- Upgrade virtual machine hardware, VMware Tools, and virtual appliances.
Update Manager requires network connectivity with VMware vCenter Server. Each installation of Update Manager must be associated (registered) with a single vCenter Server instance.
The Update Manager module consists of a server component, which you can install either on the same computer as the vCenter Server system or on a different computer, and of client components. Update Manager has two client components, which run in the different vSphere client components. There is an Update Manager Client plug-in that runs on the vSphere Client, and an Update Manager Web Client that runs on the vSphere Web Client. The vSphere Client is a desktop client, and the vSphere Web Client is a Web-based client. You can use Update Manager Web Client to view scan results and compliance states for vSphere inventory objects, and use the Update Manager Client to perform patch and version management of the vSphere inventory.
If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, and you want to use Update Manager for each vCenter Server system, you must install and register Update Manager instances with each vCenter Server system. You can use an Update Manager instance only with the vCenter Server system with which it is registered.
To install Update Manager, you must have Windows administrator credentials for the computer on which you install Update Manager.
You can deploy Update Manager in a secured network without Internet access. In such a case, you can use the VMware vSphere Update Manager Download Service (UMDS) to download update metadata and update binaries.
This chapter includes the following topics:
- Overview of the Update Manager Client Interfaces
- About the Update Manager Process

Overview of the Update Manager Client Interfaces

The Update Manager server has two client interfaces, one for the vSphere Web Client and one for the vSphere Client.
The Update Manager Client interface for the vSphere Client has a separate installer that is accessible under Plug-ins > Manage Plug-ins in the vSphere Client.
The Update Manager Web Client is automatically enabled in the vSphere Web Client after you install the Update Manager server component. The Update Manager Web Client appears as an Update Manager tab under the Monitor tab in vSphere Web Client.
To see the Update Manager Web Client in vSphere Web Client, you must have the View Compliance Status privilege.
Both client interfaces have two main views, Administration view and Compliance view.
To access the Administration view for the Update Manager Web Client, navigate to Home > Update Manager and select the IP Address of the Update Manager instance you want to use.
To access the Administration view for the Update Manager Client, you can use the Update Manager icon under Solutions and Applications in the vSphere Client Home page or click Admin view from the Update Manager tab.
In the Update Manager Client Administration view, you can do the following tasks:
- Configure the Update Manager settings
- Create and manage baselines and baseline groups
- View Update Manager events
- Review the patch repository and available virtual appliance upgrades
- Review and check notifications
- Import ESXi images
To view Compliance view information for a selected inventory object with the Update Manager Web Client, select Hosts and Clusters or VMs and Templates inventory view of the vSphere Web Client, click the Manage tab, and click the Update Manager tab.
To view Compliance view information for a selected inventory object with the Update Manager Client, click the Update Manager tab in the Hosts and Clusters or VMs and Templates inventory view of the vSphere Client.
In the Update Manager Client Compliance view, you can do the following tasks:
- View compliance and scan results for each selected inventory object
- Attach and detach baselines and baseline groups from a selected inventory object
- Scan a selected inventory object
- Stage patches or extensions to hosts
- Remediate a selected inventory object
If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, and you have installed and registered more than one Update Manager instance, you can configure the settings for each Update Manager instance. Configuration properties that you modify are applied only to the Update Manager instance that you specify and are not propagated to the other instances in the group. You can specify an Update Manager instance by selecting the name of the vCenter Server system with which the Update Manager instance is registered from the navigation bar.
For a vCenter Server system that is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, you can also manage baselines and baseline groups as well as scan and remediate only the inventory objects managed by the vCenter Server system with which Update Manager is registered.

About the Update Manager Process

Upgrading vSphere objects and applying patches or extensions with Update Manager is a multistage process in which procedures must be performed in a particular order. Following the suggested process helps ensure a smooth update with a minimum of system downtime.
The Update Manager process begins by downloading information (metadata) about a set of patches, extensions, and virtual appliance upgrades. One or more of these patches or extensions are aggregated to form a baseline. You can add multiple baselines to a baseline group. A baseline group is a composite object that consists of a set of nonconflicting baselines. You can use baseline groups to combine different types of baselines, and scan and remediate an inventory object against all of them as a whole. If a baseline group contains both upgrade and patch or extension baselines, the upgrade runs first.
A collection of virtual machines, virtual appliances, and ESXi hosts or individual inventory objects can be scanned for compliance with a baseline or a baseline group and later remediated. You can initiate these processes manually or through scheduled tasks.
- Configuring the Update Manager Download Source
  You can configure the Update Manager server to download patches, extensions, and virtual appliance upgrades either from the Internet or from a shared repository. You can also import patches and extensions manually from a ZIP file.
- Downloading Updates and Related Metadata
  Downloading virtual appliance upgrades, host patches, extensions, and related metadata is a predefined automatic process that you can modify. By default, at regular configurable intervals, Update Manager contacts VMware or third-party sources to gather the latest information (metadata) about available upgrades, patches, or extensions.
- Importing ESXi Images
  You can upgrade the hosts in your environment to ESXi 6.0 by using host upgrade baselines. To create a host upgrade baseline, you must first upload at least one ESXi 6.0 .iso image to the Update Manager repository.
- Creating Baselines and Baseline Groups
  Baselines contain a collection of one or more patches, extensions, service packs, bug fixes, or upgrades, and can be classified as patch, extension, or upgrade baselines. Baseline groups are assembled from existing baselines.
- Attaching Baselines and Baseline Groups to vSphere Objects
  To use baselines and baseline groups, you must attach them to selected inventory objects such as container objects, virtual machines, virtual appliances, or hosts. You can attach baselines and baseline groups to vSphere objects from both the Update Manager Client and the Update Manager Web Client.
- Scanning Selected vSphere Objects
  Scanning is the process in which attributes of a set of hosts, virtual machines, or virtual appliances are evaluated against all patches, extensions, and upgrades in the attached baselines or baseline groups, depending on the type of scan you select.
- Reviewing Scan Results
  Update Manager scans vSphere objects to determine how they comply with baselines and baseline groups that you attach. You can filter scan results by text search, group selection, baseline selection, and compliance status selection.
- Staging Patches and Extensions to Hosts
  You can stage patches and extensions before remediation to ensure that the patches and extensions are downloaded to the host. Staging patches and extensions is an optional step that can reduce the time during which hosts are in maintenance mode.
- Remediating Selected vSphere Objects
  Remediation is the process in which Update Manager applies patches, extensions, and upgrades to ESXi hosts, virtual machines, or virtual appliances after a scan is complete.

Configuring the Update Manager Download Source

You can configure the Update Manager server to download patches, extensions, and virtual appliance upgrades either from the Internet or from a shared repository. You can also import patches and extensions manually from a ZIP file.
Configuring the Update Manager download source is an optional step.
If your deployment system is connected to the Internet, you can use the default settings and links for downloading upgrades, patches, and extensions to the Update Manager repository. You can also add URL addresses to download virtual appliance upgrades or third-party patches and extensions. Third-party patches and extensions are applicable only to hosts that are running ESXi 5.0 and later.
If your deployment system is not connected to the Internet, you can use a shared repository after downloading the upgrades, patches, and extensions by using Update Manager Download Service (UMDS).
With Update Manager, you can import both VMware and third-party patches or extensions manually from a ZIP file, also called an offline bundle. Import of offline bundles is supported only for hosts that are running ESXi 5.0 and later. You download the offline bundle ZIP files from the Internet or copy them from a media drive, and save them on a local or a shared network drive. You can import the patches or extensions to the Update Manager patch repository later. You can download offline bundles from the VMware Web site or from the Web sites of third-party vendors.
NOTE You can use offline bundles for host patching operations only. You cannot use third-party offline bundles or offline bundles that you generated from custom VIB sets for host upgrade from ESXi 5.x to ESXi 6.0.

Downloading Updates and Related Metadata

Downloading virtual appliance upgrades, host patches, extensions, and related metadata is a predefined automatic process that you can modify. By default, at regular configurable intervals, Update Manager contacts VMware or third-party sources to gather the latest information (metadata) about available upgrades, patches, or extensions.
VMware provides information about patches for ESXi hosts and virtual appliance upgrades.
Update Manager downloads the following types of information:
- Metadata about all ESXi 5.x patches regardless of whether you have hosts of such versions in your environment.
- Metadata about ESXi 5.x patches as well as about extensions from third-party vendor URL addresses.
- Notifications, alerts, and patch recalls for ESXi 5.x hosts.
- Metadata about upgrades for virtual appliances.
Downloading information about all updates is a relatively low-cost operation in terms of disk space and network bandwidth. The availability of regularly updated metadata lets you add scanning tasks for hosts or appliances at any time.
Update Manager supports the recall of patches for hosts that are running ESXi 5.0 or later. A patch is recalled if the released patch has problems or potential issues. After you scan the hosts in your environment, Update Manager alerts you if the recalled patch has been installed on a certain host. Recalled patches cannot be installed on hosts with Update Manager. Update Manager also deletes all the recalled patches from the Update Manager patch repository. After a patch fixing the problem is released, Update Manager downloads the new patch to its patch repository. If you have already installed the problematic patch, Update Manager notifies you that a fix was released and prompts you to apply the new patch.
If Update Manager cannot download upgrades, patches, or extensions—for example, if it is deployed on an internal network segment that does not have Internet access—you must use UMDS to download and store the data on the machine on which UMDS is installed. The Update Manager server can use the upgrades, patches, and extensions that UMDS downloaded after you export them.
You can configure Update Manager to use an Internet proxy to download upgrades, patches, extensions, and related metadata.
Types of Software Updates and Related Terms
Update Manager downloads software updates and metadata from Internet depots or UMDS-created shared repositories. You can import offline bundles and host upgrade images from a local storage device into the local Update Manager repository.
Bulletin: A grouping of one or more VIBs. Bulletins are defined within metadata.
Depot: A logical grouping of VIBs and associated metadata that is published online.
Host upgrade image: An ESXi image that you can import in the Update Manager repository and use for upgrading ESXi 5.x hosts to ESXi 6.0.
Extension: A bulletin that defines a group of VIBs for adding an optional component to an ESXi host. An extension is usually provided by a third party that is also responsible for patches or updates to the extension.
Metadata: Extra data that defines dependency information, textual descriptions, system requirements, and bulletins.
Offline bundle ZIP: An archive that encapsulates VIBs and corresponding metadata in a self-contained package that is useful for offline patching. You cannot use third-party offline bundles or offline bundles that you generated from custom VIB sets for host upgrade from ESXi 5.x to ESXi 6.0.
Patch: A bulletin that groups one or more VIBs together to address a particular issue or enhancement.
Roll-up: A collection of patches that is grouped for ease of download and deployment.
VA upgrade: Updates for a virtual appliance, which the vendor considers an upgrade.
VIB: A VIB is a single software package.

Importing ESXi Images

You can upgrade the hosts in your environment to ESXi 6.0 by using host upgrade baselines. To create a host upgrade baseline, you must first upload at least one ESXi 6.0 .iso image to the Update Manager repository.
With Update Manager 6.0 you can upgrade hosts that are running ESXi 5.x to ESXi 6.0. Host upgrades to ESXi 5.0, ESXi 5.1 or ESXi 5.5 are not supported.
Before uploading ESXi images, obtain the image files from the VMware Web site or another source. You can create custom ESXi images that contain third-party VIBs by using vSphere ESXi Image Builder. For more information, see Using vSphere ESXi Image Builder.
You can upload and manage ESXi images from the ESXi Images tab of the Update Manager Administration view.
ESXi images that you import are kept in the Update Manager repository. You can include ESXi images in host upgrade baselines. To delete an ESXi image from the Update Manager repository, first you must delete the upgrade baseline that contains it. After you delete the baseline, you can delete the image from the ESXi Images tab.

Creating Baselines and Baseline Groups

Baselines contain a collection of one or more patches, extensions, service packs, bug fixes, or upgrades, and can be classified as patch, extension, or upgrade baselines. Baseline groups are assembled from existing baselines.
Host baseline groups can contain a single upgrade baseline, as well as a number of patch and extension baselines.
Virtual machine and virtual appliance baseline groups can contain up to three upgrade baselines: one VMware Tools upgrade baseline, one virtual machine hardware upgrade baseline, and one virtual appliance upgrade baseline.
When you scan hosts, virtual machines, and virtual appliances, you evaluate them against baselines and baseline groups to determine their level of compliance.
Baseline Types
Update Manager supports different types of baselines that you can use when scanning and remediating objects in your inventory.
Update Manager provides upgrade, patch, and extension baselines.
Upgrade Baselines
Host Upgrade Baseline: Defines to which version to upgrade the hosts in your environment. With Update Manager, you can upgrade ESXi hosts from version 5.x to ESXi 6.0.
Virtual Appliance Upgrade Baseline: Defines to which version to upgrade a selected virtual appliance. For example, you can upgrade to the latest released virtual appliance version by using the predefined VA Upgrade to Latest (Predefined) baseline.
Virtual Machine Upgrade Baseline: Defines to which version to upgrade virtual hardware or VMware Tools. With Update Manager 6.0 you can upgrade to hardware version vmx-11 and to the latest VMware Tools version on hosts that are running ESXi 6.0.
Patch Baselines
Patch baselines define a number of patches that must be applied to a given host. Patch baselines can be either dynamic or fixed.
Dynamic Patch Baseline: The contents of a dynamic baseline are based on available patches that meet the specified criteria. As the set of available patches changes, dynamic baselines are updated as well. You can explicitly include or exclude any patches.
Fixed Patch Baseline: You manually specify which patches to include in the fixed patch baseline from the total set of patches available in the Update Manager repository.
Extension Baselines
Extension Baseline: Contains extensions (additional software such as third-party device drivers) that must be applied to a given host. Extensions are installed on hosts that do not have such software installed on them, and patched on hosts that already have the software installed. All third-party software for ESXi hosts is classified as a host extension, although host extensions are not restricted to just third-party software.
Update Manager Default Baselines
Update Manager includes default baselines that you can use to scan any virtual machine, virtual appliance, or host to determine whether the hosts in your environment are updated with the latest patches, or whether the virtual appliances and virtual machines are upgraded to the latest version.
Critical Host Patches (Predefined): Checks ESXi hosts for compliance with all critical patches.
Non-Critical Host Patches (Predefined): Checks ESXi hosts for compliance with all optional patches.
VMware Tools Upgrade to Match Host (Predefined): Checks virtual machines for compliance with the latest VMware Tools version on the host. Update Manager supports upgrading of VMware Tools for virtual machines on hosts that are running ESXi 5.0 and later.
VM Hardware Upgrade to Match Host (Predefined): Checks the virtual hardware of a virtual machine for compliance with the latest version supported by the host. Update Manager supports upgrading to virtual hardware version vmx-11 on hosts that are running ESXi 6.0.
VA Upgrade to Latest (Predefined): Checks virtual appliance compliance with the latest released virtual appliance version.
Baseline Groups
Baseline groups can contain patch, extension, and upgrade baselines. The baselines that you add to a baseline group must be non-conflicting.
A baseline group is limited to a combination of patches, extensions, and upgrades. The following are valid combinations of baselines that can make up a baseline group:
Multiple host patch and extension baselines.
n
One upgrade baseline, multiple patch and extension baselines.
n
For example, one ESXi upgrade baseline and multiple ESXi patch or extension baselines.
Multiple upgrade baselines, but only one upgrade baseline per upgrade type (like VMware Tools,
n
virtual machine hardware, virtual appliance, or host).
For example, VMware Tools Upgrade to Match Host baseline, VM Hardware Upgrade to Match Host baseline and one VA Upgrade to Latest baseline. You cannot create a baseline group containing two virtual appliance upgrade baselines.

Attaching Baselines and Baseline Groups to vSphere Objects

To use baselines and baseline groups, you must attach them to selected inventory objects such as container objects, virtual machines, virtual appliances, or hosts. You can attach baselines and baseline groups to vSphere objects from both the Update Manager Client and the Update Manager Web Client.
Although you can attach baselines and baseline groups to individual objects, a more efficient method is to attach them to container objects, such as folders, vApps, clusters, and data centers. Individual vSphere objects inherit baselines attached to the parent container object. Removing an object from a container removes the inherited baselines from the object.

Scanning Selected vSphere Objects

Scanning is the process in which attributes of a set of hosts, virtual machines, or virtual appliances are evaluated against all patches, extensions, and upgrades in the attached baselines or baseline groups, depending on the type of scan you select.
You can scan a host installation to determine whether the latest patches or extensions are applied, or you can scan a virtual machine to determine whether it is up to date with the latest virtual hardware or VMware Tools version.
Update Manager supports the following types of scan:
Host patch scan
Host extensions scan
Host upgrade scan
VMware Tools scan
Virtual machine hardware upgrade scan
Virtual appliance upgrade scan
You can initiate scans on container objects, such as datacenters, clusters, vApps, or folders, to scan all the ESXi hosts or virtual machines and appliances contained in the container object.
You can configure Update Manager to scan virtual machines, virtual appliances, and ESXi hosts against baselines and baseline groups by manually initiating or scheduling scans to generate compliance information. You should schedule scan tasks at a datacenter or vCenter Server system level to make sure that scans are up to date.
You can perform patch scans on ESXi 5.0 and later.
You can scan ESXi 5.0 and later for extensions (additional software modules).
You can scan ESXi 5.x for upgrading to ESXi 6.0.
You can scan virtual machines running Windows or Linux for the latest VMware Tools version. You can perform VMware Tools scans on online as well as offline virtual machines and templates. You should power on the virtual machine at least once before performing a VMware Tools scan.
You can scan virtual machines running Windows or Linux for the latest virtual hardware supported on the host. You can perform hardware-upgrade scans on online as well as offline virtual machines and templates.
You can scan powered-on virtual appliances that are created with VMware Studio 2.0 and later.

Reviewing Scan Results

Update Manager scans vSphere objects to determine how they comply with baselines and baseline groups that you attach. You can filter scan results by text search, group selection, baseline selection, and compliance status selection.
When you select a container object, you view the overall compliance status of the container against the attached baselines as a group. You also see the individual compliance statuses of the objects in the selected container against all baselines. If you select an individual baseline attached to the container object, you see the compliance status of the container against the selected baseline.
If you select an individual virtual machine, appliance, or host, you see the overall compliance status of the selected object against all attached baselines and the number of updates. If you select an individual baseline attached to this object, you see the number of updates grouped by the compliance status for that baseline.

Staging Patches and Extensions to Hosts

You can stage patches and extensions before remediation to ensure that the patches and extensions are downloaded to the host. Staging patches and extensions is an optional step that can reduce the time during which hosts are in maintenance mode.
Staging patches and extensions to hosts that are running ESXi 5.0 or later lets you download the patches and extensions from the Update Manager server to the ESXi hosts without applying the patches or extensions immediately. Staging patches and extensions speeds up the remediation process because the patches and extensions are already available locally on the hosts.
IMPORTANT Update Manager can stage patches to PXE booted ESXi hosts.

Remediating Selected vSphere Objects

Remediation is the process in which Update Manager applies patches, extensions, and upgrades to ESXi hosts, virtual machines, or virtual appliances after a scan is complete.
Remediation makes the selected vSphere objects compliant with patch, extension, and upgrade baselines.
As with scanning, you can remediate single hosts, virtual machines, or virtual appliances, and you can also initiate remediation on the folder, cluster, or datacenter level, as well as on all objects in your virtual infrastructure.
Update Manager supports remediation for the following inventory objects:
- Powered on, suspended, or powered off virtual machines and templates for VMware Tools and virtual machine hardware upgrade.
- Powered on virtual appliances that are created with VMware Studio 2.0 and later, for virtual appliance upgrade.
- ESXi hosts for patch, extension, and upgrade remediation.
Remediating Hosts
Update Manager 6.0 supports upgrade from ESXi 5.x to ESXi 6.0. Host upgrades to ESXi 5.0, ESXi 5.1 or ESXi 5.5 are not supported.
IMPORTANT You can patch PXE booted ESXi hosts if you enable the setting from the ESX Host/Cluster Settings page of the Configuration tab or from the Remediate wizard.
After you upload ESXi images, upgrades for ESXi hosts are managed through baselines and baseline groups.
Typically hosts are put into maintenance mode before remediation if the update requires it. Virtual machines cannot run when a host is in maintenance mode. To ensure a consistent user experience, vCenter Server migrates the virtual machines to other hosts within a cluster before the host is put in maintenance mode. vCenter Server can migrate the virtual machines if the cluster is configured for vMotion and if VMware Distributed Resource Scheduler (DRS) and VMware Enhanced vMotion Compatibility (EVC) are enabled. EVC is not a prerequisite for vMotion. EVC guarantees that the CPUs of the hosts are compatible. For other containers or individual hosts that are not in a cluster, migration with vMotion cannot be performed.
IMPORTANT After you have upgraded your host to ESXi 6.0, you cannot roll back to your ESXi 5.x software. Back up your host configuration before performing an upgrade. If the upgrade fails, you can reinstall the ESXi 5.x software that you upgraded from, and restore your host configuration. For more information about backing up and restoring your ESXi configuration, see vSphere Upgrade.
Remediation of ESXi 5.0, 5.1 and 5.5 hosts to their respective ESXi update releases is a patching process, while the remediation of ESXi hosts from version 5.x to 6.0 is an upgrade process.
Remediating Virtual Machines and Virtual Appliances
You can upgrade virtual appliances, VMware Tools, and the virtual hardware of virtual machines to a later version. Upgrades for virtual machines are managed through the Update Manager default virtual machine upgrade baselines. Upgrades for virtual appliances can be managed through both the Update Manager default virtual appliance baselines and custom virtual appliance upgrade baselines that you create.
NOTE Update Manager 6.0 does not support virtual machines patch baselines.
Orchestrated Upgrades
With Update Manager, you can perform orchestrated upgrades of hosts and virtual machines. Orchestrated upgrades allow you to upgrade hosts and virtual machines in your vSphere inventory by using baseline groups.
You can perform an orchestrated upgrade of hosts by using a baseline group that contains a single host upgrade baseline and multiple patch or extension baselines. Update Manager first upgrades the hosts and then applies the patch or extension baselines.
You can perform an orchestrated upgrade of virtual machines by using a virtual machine baseline group that contains the following baselines:
- VM Hardware Upgrade to Match Host
- VMware Tools Upgrade to Match Host
You can use orchestrated upgrades to upgrade the virtual hardware and VMware Tools of virtual machines in the inventory at the same time. The VMware Tools upgrade baseline runs first, followed by the virtual machine hardware upgrade baseline.
Orchestrated upgrades can be performed at a cluster, folder, or datacenter level.

System Requirements 2

To be able to run and use the Update Manager server and the Update Manager Client plug-in you must ensure that your environment satisfies certain conditions. You also must ensure that the vCenter Server, vSphere Client and Update Manager are of compatible versions.
Before you install Update Manager, you must set up an Oracle or Microsoft SQL Server database. If your deployment is relatively small and contains up to 5 hosts and 50 virtual machines, you can use the bundled Microsoft SQL Server 2012 Express database, which you can install during the Update Manager installation.
You can install the Update Manager server component on the same computer as vCenter Server or on a different computer. After you install the Update Manager server component, to use Update Manager, you must install the Update Manager Client plug-in and enable it on the vSphere Client.
If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, you can install and register Update Manager instances with each vCenter Server system.
This chapter includes the following topics:
- “Update Manager Hardware Requirements”
- “Supported Operating Systems and Database Formats”
- “Update Manager Compatibility with vCenter Server, vSphere Client and vSphere Web Client”
- “Required Database Privileges”

Update Manager Hardware Requirements

You can run Update Manager on any system that meets the minimum hardware requirements.
Minimum hardware requirements for Update Manager vary depending on how Update Manager is deployed. If the database is installed on the same machine as Update Manager, requirements for memory size and processor speed are higher. To ensure acceptable performance, verify that your system meets the minimum hardware requirements.
Table 2-1. Minimum Hardware Requirements
Hardware | Requirements
Processor | Intel or AMD x86 processor with two or more logical cores, each with a speed of 2GHz
Network | 10/100 Mbps. For best performance, use a Gigabit connection between Update Manager and the ESXi hosts
Memory | 2GB RAM if Update Manager and vCenter Server are on different machines; 8GB RAM if Update Manager and vCenter Server are on the same machine
Update Manager uses a SQL Server or Oracle database. You should use a dedicated database for Update Manager, not a database shared with vCenter Server, and should back up the database periodically. Best practice is to have the database on the same computer as Update Manager or on a computer in the local network.
Depending on the size of your deployment, Update Manager requires a minimum amount of free space per month for database usage. For more information about space requirements, see the VMware vSphere Update Manager Sizing Estimator.

Supported Operating Systems and Database Formats

Update Manager works with specific databases and operating systems.
The Update Manager server requires a 64-bit Windows system.
NOTE Make sure the system on which you are installing the Update Manager server is not an Active Directory domain controller.
The Update Manager plug-in requires the vSphere Client, and works with the same operating systems as the vSphere Client.
Update Manager scans and remediates Windows and Linux virtual machines for VMware Tools and virtual hardware upgrades.
The Update Manager server requires a SQL Server or Oracle database. Update Manager can handle small-scale environments using the bundled SQL Server 2012 Express. For environments with more than 5 hosts and 50 virtual machines, create either an Oracle or a SQL Server database for Update Manager. For large-scale environments, you should set up the Update Manager database on a different computer than the Update Manager server and the vCenter Server database.
To see a list of operating systems on which you can install the Update Manager server and the UMDS, see Supported host operating systems for VMware vCenter Server installation. The supported host operating systems for vCenter Server installation listed in the article also apply for installation of the respective versions of the Update Manager server and the UMDS.
To see a list of database formats that are compatible with the Update Manager server and the UMDS, select the Solution/Database Interoperability option from the VMware Product Interoperability Matrixes at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

Update Manager Compatibility with vCenter Server, vSphere Client and vSphere Web Client

Update Manager and vCenter Server must be of compatible versions. The Update Manager Client comes as a standalone installer in vSphere 6.0. The Update Manager Web Client is automatically enabled on a vSphere Web Client of a compatible version after installation of the Update Manager server.
Update Manager is compatible with vCenter Server, vSphere Client and vSphere Web Client of the same version.
Update Manager 6.0 is compatible only with vCenter Server 6.0. Although multiple versions of the Update Manager Client plug-in might coexist on the same computer, the Update Manager Client plug-in of version 6.0 can be installed and enabled only on vSphere Client 5.5.
During installation you connect the Update Manager 6.0 server to a vCenter Server 6.0 system. After the installation, the Update Manager Web Client 6.0 is automatically enabled on the vSphere Web Client 6.0 that you use to connect to this vCenter Server system.
To see more information about the Update Manager compatibility with vCenter Server, vSphere Client and vSphere Web Client, select the Solution Interoperability option from the VMware Product Interoperability Matrixes at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

Required Database Privileges

The set of database privileges needed for the Update Manager installation and upgrade differs from the set of privileges needed for the Update Manager administration.
Before installing or upgrading Update Manager, you must grant adequate privileges to the database user.
Table 2-2. Database Privileges Needed for Installation or Upgrade of Update Manager
Database | Privileges
Oracle | Either assign the DBA role, or grant the following set of privileges to the Update Manager Oracle database user.
- connect
- execute on dbms_lock
- create view
- create procedure
- create table
- create sequence
- create any sequence
- create any table
- create type
- unlimited tablespace
Microsoft SQL Server | Make sure that the database user has either a sysadmin server role or the db_owner fixed database role on the Update Manager database and the MSDB database. Although the db_owner role is required for the upgrade, SQL jobs are not created as part of the Update Manager installation or upgrade.
To run Update Manager, you must grant a set of minimum privileges to the database user.
Table 2-3. Database Privileges Needed for Using Update Manager
Database | Privileges
Oracle | The minimum required privileges of the Oracle database user are the following:
- create session
- create any table
- drop any table
Microsoft SQL Server | The database user must have either a sysadmin server role or the db_owner fixed database role on the Update Manager database and the MSDB database.

Preparing the Update Manager Database 3

The Update Manager server and Update Manager Download Service require a database to store and organize server data. Update Manager supports Oracle and Microsoft SQL Server databases.
Before installing the Update Manager server, you must create a database instance and configure it to ensure that all Update Manager database tables can be created in it. You can install and configure the Microsoft SQL Server 2012 Express database that is embedded with Update Manager. Microsoft SQL Server 2012 Express is recommended for small deployments of up to 5 hosts and 50 virtual machines.
To use Microsoft SQL Server and Oracle databases, you must configure a 32-bit system DSN and test it with ODBC.
IMPORTANT Although you can install the Update Manager server only on 64-bit machines, Update Manager is a 32-bit application and requires a 32-bit DSN.
The Update Manager database you use can be the same as the vCenter Server database. You can also use a separate database, or you can use existing database clusters. For best results in a large scale environment, you should use a dedicated Update Manager database that is located on a different computer than the vCenter Server system database.
The Update Manager server requires administrative credentials to connect to the database. If the database user name and password change after you install the Update Manager server or UMDS, you can reconfigure Update Manager and UMDS without the need to reinstall them. See Reconfiguring VMware vSphere Update Manager.
Before you begin the database setup, review the supported databases. If you create an ODBC connection to a database server that is not supported, a DSN for the unsupported database might be displayed in the drop-down menu of the Update Manager installation wizard. For more information about the supported database patches, see VMware Product Interoperability Matrixes. If you do not prepare your database correctly, the Update Manager installer might display error or warning messages.
This chapter includes the following topics:
- “Create a 32-Bit DSN on a 64-Bit Operating System”
- “About the Bundled Microsoft SQL Server 2012 Express Database Package”
- “Maintaining Your Update Manager Database”
- “Configure a Microsoft SQL Server Database Connection”
- “Configure an Oracle Database”

Create a 32-Bit DSN on a 64-Bit Operating System

You can install or upgrade the Update Manager server on 64-bit operating systems. Even though Update Manager runs on 64-bit operating systems, it is a 32-bit application and requires a 32-bit DSN.
The requirement for a 32-bit DSN applies to all supported databases. By default, any DSN created on a 64-bit system is a 64-bit DSN.
Procedure
1 Install the ODBC drivers.
  - For Microsoft SQL Server database servers, install the 64-bit database ODBC drivers on your Microsoft Windows system. When you install the 64-bit drivers, the 32-bit drivers are installed automatically.
  - For Oracle database servers, install the 32-bit database ODBC drivers on your Microsoft Windows system.
2 Run the 32-bit ODBC Administrator application, located at [WindowsDir]\SysWOW64\odbcad32.exe.
3 Use the application to create your DSN.
You now have a DSN that is compatible with the Update Manager server. When the Update Manager installer prompts you for a DSN, you should select the 32-bit DSN.

About the Bundled Microsoft SQL Server 2012 Express Database Package

The Microsoft SQL Server 2012 Express database package is installed and configured when you select Microsoft SQL Server 2012 Express as your database during the Update Manager installation or upgrade.
No additional configuration is required.

Maintaining Your Update Manager Database

After your Update Manager database instance and Update Manager server are installed and operational, perform standard database maintenance processes.
Maintaining your Update Manager database involves several tasks:
- Monitoring the growth of the log file and compacting the database log file, as needed. See the documentation for the database type that you are using.
- Scheduling regular backups of the database.
- Backing up the database before any Update Manager upgrade.
See your database documentation for information about backing up your database.

Configure a Microsoft SQL Server Database Connection

When you install Update Manager, you can establish an ODBC connection with a SQL Server database.
If you use SQL Server for Update Manager, do not use the master database.
See your Microsoft SQL ODBC documentation for specific instructions on configuring the SQL Server ODBC connection.
Procedure
1 Create a SQL Server database by using SQL Server Management Studio on SQL Server.
The Update Manager installer creates all tables, procedures, and user-defined functions (UDF) within the default schema of the database user that you use for Update Manager. This default schema does not have to be the dbo schema.
2 Create a SQL Server database user with database operator (DBO) rights.
Make sure that the database user has either a sysadmin server role or the db_owner fixed database role on the Update Manager database and the MSDB database.
The db_owner role on the MSDB database is required for installation and upgrade only.

Create a New Data Source (ODBC)

To prepare a Microsoft SQL Server database to work with Update Manager, you have to create a new data source (ODBC).
Procedure
1 On your Update Manager server system, run the 32-bit ODBC Administrator application, located at [WindowsDir]\SysWOW64\odbcad32.exe.
2 Click the System DSN tab.
3 Create or modify an ODBC system data source.
Option | Action
Create an ODBC system data source | a Click Add. b For Microsoft SQL Server 2008, Microsoft SQL Server 2008 R2 Express, Microsoft SQL Server 2012, or Microsoft SQL Server 2014, select SQL Native Client, and click Finish.
Modify an existing ODBC system data source | Double-click the ODBC system data source that you want to modify.
To see a detailed list of all Microsoft SQL Server database versions that are compatible with the Update Manager server and the UMDS, select the Solution/Database Interoperability option from the VMware Product Interoperability Matrixes at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
4 In the Microsoft SQL Server DSN Configuration window, enter the necessary information and click Next.
a Type an ODBC DSN in the Name text field.
For example, type VUM.
b (Optional) Type an ODBC DSN description in the Description text field.
c Select the SQL Server name from the Server drop-down menu.
Type the SQL Server machine name in the text field if you cannot find it in the drop-down menu.
5 Configure the SQL Server authentication, and click Next.
  - If you are using a local SQL Server, you can select Integrated Windows NT authentication.
  - If you are using a remote SQL Server, you must use the SQL Server authentication method.
If you use the SQL Server authentication method, in the Update Manager installation wizard supply the same user name, password, and ODBC DSN that you used to configure the ODBC.
IMPORTANT Update Manager does not support Windows authentication of the database when the database is located on a different machine because of local system account issues. Make sure that if the Update Manager database is located on a remote machine, the database and the system DSN use SQL Server authentication.
6 Select a database from the Change the default database to drop-down menu, specify the ANSI settings, and click Next.
7 Specify the language and translation settings, where to save the log files, and click Finish.
What to do next
To test the data source, in the ODBC Microsoft SQL Server Setup window, click Test Data Source, and click OK. Ensure that SQL Agent is running on your database server by double-clicking the SQL Server icon in the system tray.

Identify the SQL Server Authentication Type

You can identify whether your SQL Server is using Windows NT or SQL Server authentication.
Procedure
1 Open SQL Server Enterprise Manager.
2 Click the Properties tab.
3 Check the connection type.

Configure an Oracle Database

To use an Oracle database for Update Manager, you must first set up the database.
Procedure
1 Download Oracle 11g or Oracle 12c from the Oracle Web site, install it, and create a database (for example, VUM).
Make sure that the TNS Listener is up and running, and test the database service to be sure it is working.
2 Download Oracle ODBC from the Oracle Web site.
NOTE For Oracle database servers of version 11.2.0.3 or 11.2.0.4, use Oracle Instant Client Package - ODBC of version 11.2.0.2 for 32-bit Microsoft Windows.
3 Install the corresponding Oracle ODBC driver through the Oracle Universal Installer.
4 Increase the number of open cursors for the database.
Add the entry open_cursors = 300 to the ORACLE_BASE\ADMIN\VUM\pfile\init.ora file.
In this example, ORACLE_BASE is the root of the Oracle directory tree.

Configure an Oracle Connection to Work Locally

You can configure an Oracle connection to work locally with Update Manager.
Prerequisites
Verify that the ODBC data source that you use is a 32-bit system DSN. See “Create a 32-Bit DSN on a 64-Bit Operating System,” on page 26.
Procedure
1 Create a new tablespace specifically for Update Manager by using the following SQL statement:
CREATE TABLESPACE "VUM" DATAFILE 'ORACLE_BASE\ORADATA\VUM\VUM.dat' SIZE 1000M AUTOEXTEND ON NEXT 500K;
In this example, ORACLE_BASE is the root of the Oracle directory tree.
2 Create a user, such as vumAdmin, for accessing this tablespace through ODBC.
CREATE USER vumAdmin IDENTIFIED BY vumadmin DEFAULT TABLESPACE "VUM";
3 Either grant the dba permission to the user, or grant the following specific permissions to the user.
grant connect to vumAdmin;
grant resource to vumAdmin;
grant create any job to vumAdmin;
grant create view to vumAdmin;
grant create any sequence to vumAdmin;
grant create any table to vumAdmin;
grant lock any table to vumAdmin;
grant create procedure to vumAdmin;
grant create type to vumAdmin;
grant execute on dbms_lock to vumAdmin;
grant unlimited tablespace to vumAdmin; -- To ensure space limitation is not an issue
4 Create an ODBC connection to the database.
These are example settings.
Data Source Name: VUM
TNS Service Name: VUM
User ID: vumAdmin
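The grant list in step 3 can be compared with the two tables under Required Database Privileges. The following is an added example, not VMware's code: it parses a GRANT script and reports, for each table, which listed privileges are not covered and which grants the table does not name. The contents of the CONNECT and RESOURCE roles (Oracle 11g/12c) and all function names are assumptions of the example.

```python
import re

# Privilege lists copied from the "Required Database Privileges" tables (lower-cased).
INSTALL_PRIVS = {
    "connect", "execute on dbms_lock", "create view", "create procedure",
    "create table", "create sequence", "create any sequence",
    "create any table", "create type", "unlimited tablespace",
}
RUNTIME_PRIVS = {"create session", "create any table", "drop any table"}

# Assumption, not from the manual: what the predefined CONNECT and RESOURCE
# roles carry in Oracle 11g/12c, so a role grant counts for those privileges.
ROLE_CONTENTS = {
    "connect": {"create session"},
    "resource": {"create cluster", "create indextype", "create operator",
                 "create procedure", "create sequence", "create table",
                 "create trigger", "create type"},
}

GRANT_RE = re.compile(r"^\s*grant\s+(.+?)\s+to\s+(\w+)\s*$", re.IGNORECASE)


def parse_grants(script, user):
    """Return the privileges and roles a GRANT script gives to `user`."""
    granted = set()
    for raw in script.replace(";", "\n").splitlines():
        statement = re.split(r"--|#", raw, maxsplit=1)[0]  # drop trailing comment
        match = GRANT_RE.match(statement)
        if match and match.group(2).lower() == user.lower():
            for item in match.group(1).split(","):
                granted.add(" ".join(item.lower().split()))
    return granted


def effective(names):
    """Expand role names into the privileges they carry (roles are kept too)."""
    expanded = set(names)
    for role, privileges in ROLE_CONTENTS.items():
        if role in names:
            expanded |= privileges
    return expanded


def audit(granted, required):
    """Return (missing, excess) for a set of grants against a required list.

    missing: required entries not covered by a direct grant or a role.
    excess:  grants that are not on the list and carry nothing that is.
    The DBA role covers every requirement and is always reported as excess,
    because the itemized list is the narrower alternative.
    """
    have = effective(granted)
    needed = effective(required)
    missing = set()
    if "dba" not in granted:
        for entry in required:
            as_role = ROLE_CONTENTS.get(entry)
            if entry not in have and not (as_role and as_role <= have):
                missing.add(entry)
    excess = set()
    for grant in granted:
        carried = ROLE_CONTENTS.get(grant, {grant})
        if grant not in needed and not (carried & needed):
            excess.add(grant)
    return missing, excess


# Constructed sample: the grants from step 3 above, one statement per line.
SAMPLE_GRANTS = """
grant connect to vumAdmin
grant resource to vumAdmin
grant create any job to vumAdmin
grant create view to vumAdmin
grant create any sequence to vumAdmin
grant create any table to vumAdmin
grant lock any table to vumAdmin
grant create procedure to vumAdmin
grant create type to vumAdmin
grant execute on dbms_lock to vumAdmin
grant unlimited tablespace to vumAdmin # To ensure space limitation is not an issue
"""

if __name__ == "__main__":
    grants = parse_grants(SAMPLE_GRANTS, "vumAdmin")
    for phase, required in (("install/upgrade", INSTALL_PRIVS),
                            ("run time", RUNTIME_PRIVS)):
        missing, excess = audit(grants, required)
        print(f"{phase}: missing={sorted(missing)} not listed={sorted(excess)}")
```

For the step 3 grants, the run-time comparison reports drop any table as not granted and nine grants that the run-time table does not list.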

Configure an Oracle Database to Work Remotely

You can configure your Oracle database to work with Update Manager remotely.
Prerequisites
- Verify that the ODBC data source that you use is a 32-bit system DSN. See “Create a 32-Bit DSN on a 64-Bit Operating System,” on page 26.
- Set up a database as described in “Configure an Oracle Database,” on page 28.
Procedure
1 Install the Oracle client on the Update Manager server machine.
2 Use the Net Configuration Assistant tool to add the entry to connect to the managed host.
VUM =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = host_address)(PORT = 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = VUM)
    )
  )
In this example, host_address is the managed host to which the client needs to connect.
3 (Optional) Edit the tnsnames.ora file located in ORACLE_HOME\network\admin\, as appropriate.
Here, ORACLE_HOME is located under C:\ORACLE_BASE, and it contains subdirectories for Oracle software executable and network files.
4 Create an ODBC connection to the database.
These are example settings.
Data Source Name: VUM
TNS Service Name: VUM
User Id: vumAdmin
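The entry from step 2 and the DSN settings from step 4 have to agree before the Update Manager installer can use the connection. The following is an added example, not VMware's or Oracle's code: it parses a tnsnames.ora entry of the shape shown above and lists mismatches with the DSN. The function names and the host db01.example.com are constructed for the example, which handles simple unquoted values only.

```python
import re

TOKEN_RE = re.compile(r"[()=]|[^()=\s]+")
STRUCTURAL = {"(", ")", "="}


def parse_tns_entry(text):
    """Parse 'ALIAS = (NAME = value-or-groups)' into (alias, [(path, value)])."""
    alias, sep, body = text.partition("=")
    if not sep or not alias.strip():
        raise ValueError("entry must start with 'ALIAS ='")
    tokens = TOKEN_RE.findall(body)
    leaves = []
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def expect(token):
        nonlocal pos
        if peek() != token:
            raise ValueError(f"expected {token!r} at token {pos}, found {peek()!r}")
        pos += 1

    def group(prefix):
        nonlocal pos
        expect("(")
        name = peek()
        if name is None or name in STRUCTURAL:
            raise ValueError(f"missing parameter name at token {pos}")
        pos += 1
        expect("=")
        path = f"{prefix}.{name.upper()}" if prefix else name.upper()
        if peek() == "(":
            while peek() == "(":          # nested groups, e.g. ADDRESS_LIST
                group(path)
        else:
            value = peek()
            if value is None or value in STRUCTURAL:
                raise ValueError(f"{path} has no value")
            leaves.append((path, value))
            pos += 1
        expect(")")

    group("")
    if pos != len(tokens):
        raise ValueError("unexpected text after the closing parenthesis")
    return alias.strip(), leaves


def check_entry(text, dsn_tns_service_name):
    """Return the problems that would keep the ODBC DSN from resolving the entry."""
    alias, leaves = parse_tns_entry(text)
    problems = []
    if alias.upper() != dsn_tns_service_name.upper():
        problems.append(
            f"alias {alias} does not match DSN TNS Service Name {dsn_tns_service_name}")
    values = {}
    for path, value in leaves:
        values.setdefault(path.rsplit(".", 1)[-1], []).append(value)
    for host in values.get("HOST", []):
        if host == "host_address":
            problems.append("HOST still holds the host_address placeholder")
    for port in values.get("PORT", []):
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"PORT {port} is not a valid TCP port")
    for required in ("HOST", "PORT", "SERVICE_NAME"):
        if required not in values:
            problems.append(f"{required} is missing")
    return problems


# The entry as printed in step 2, with the placeholder left in place.
PAGE_ENTRY = ("VUM = (DESCRIPTION = (ADDRESS_LIST = (ADDRESS=(PROTOCOL=TCP)"
              "(HOST=host_address)(PORT=1521)) ) (CONNECT_DATA =(SERVICE_NAME = VUM) ) )")
# Constructed samples: a filled-in entry, and one with a parenthesis dropped.
FIXED_ENTRY = PAGE_ENTRY.replace("host_address", "db01.example.com")
BROKEN_ENTRY = FIXED_ENTRY.replace("(PORT=1521)) )", "(PORT=1521)) ")

if __name__ == "__main__":
    print(check_entry(PAGE_ENTRY, "VUM"))
    print(check_entry(FIXED_ENTRY, "VUM"))
```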

Installing Update Manager 4

Update Manager consists of a server component and a plug-in component. You can install the Update Manager server and Update Manager Client plug-in on Windows machines only.
You can install the Update Manager server component either on the same computer as vCenter Server or on a different computer. To improve performance, especially in large-scale environments, install the Update Manager server component on a different computer. After you install the Update Manager server component, to use the Update Manager application, you must install the Update Manager Client plug-in and enable it on the vSphere Client.
Starting in version 5.1 Update 1, Update Manager provides an Update Manager Web Client plug-in for vSphere Web Client. After you install the Update Manager server component, the Update Manager Web Client plug-in is automatically enabled on vSphere Web Client. The Update Manager Web Client plug-in appears as an Update Manager tab under the Monitor tab in vSphere Web Client.
You can use Update Manager with an Update Manager instance installed on a Windows machine or with the VMware vCenter Server Appliance.
The Update Manager 6.0 installer generates a 2048-bit key and self-signed certificate. To replace the self-signed SSL certificate after installation, you can use the Update Manager Utility.
You can install vCenter Server and the Update Manager server in a heterogeneous network environment, where one of the machines is configured to use IPv6 and the other is configured to use IPv4. In this case, to install and enable the Update Manager plug-in, the machine on which vSphere Client is installed must be configured to use both IPv6 and IPv4.
To run and use Update Manager, you must use a local system account for the machine on which Update Manager is installed.
VMware uses designated ports for communication. Additionally, the Update Manager server connects to vCenter Server, ESXi hosts, and the Update Manager Client plug-in on designated ports. If a firewall exists between any of these elements and Windows firewall service is in use, the installer opens the ports during the installation. For custom firewalls, you must manually open the required ports.
You can run Update Manager in deployments that you protect using SRM. Use caution before connecting the Update Manager server to a vCenter Server instance to which the SRM server is connected. Connecting the Update Manager server to the same vCenter Server instance as SRM might cause problems when you upgrade SRM or vSphere, and when you perform daily tasks. Check the compatibility and interoperability of Update Manager with SRM before you deploy.
This chapter includes the following topics:
- “Prerequisites for Installing the Update Manager Server”
- “Obtain the Update Manager Installer”
- “Install the Update Manager Server”
- “Install the Update Manager Client Plug-In”
- “Enable the Update Manager Web Client Plug-In”

Prerequisites for Installing the Update Manager Server

Before you install the Update Manager server, review the installation prerequisites.
Update Manager Database Requirements
Update Manager requires an Oracle or SQL Server database. Update Manager can handle small-scale environments using the bundled Microsoft SQL Server 2012 Express. For environments with more than 5 hosts and 50 virtual machines, you must create either an Oracle or SQL Server database.
To see a list of database formats that are compatible with the Update Manager server and the UMDS, select the Solution/Database Interoperability option from the VMware Product Interoperability Matrixes at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.
For large-scale environments, set up the database on a machine different than the machines on which the Update Manager server is installed and the vCenter Server database is located. For more information about setting up the Update Manager database, see Chapter 3, “Preparing the Update Manager Database,” on page 25.
■ Create a database and 32-bit DSN, unless you are using the bundled Microsoft SQL Server 2012 Express.
■ Make sure that if the Update Manager database is located on a remote machine, the database and the system DSN use SQL Server authentication.
  Update Manager does not support Windows authentication of the database when the database is located on a different machine because of local system account problems.
■ If you plan to use the bundled Microsoft SQL Server 2012 Express database, make sure that you install Microsoft Windows Installer version 4.5 (MSI 4.5) on your system.
■ Make sure that the database privileges meet the requirements listed in “Required Database Privileges,” on page 23.
■ Create the 32-bit ODBC connection to a supported database server version by using a supported database client version.
  If you create an ODBC connection to a database server that is of an unsupported version, and your database client is of a supported version, a DSN for the unsupported database might be displayed in the drop-down menu of the Update Manager installation wizard.
vCenter Server Installation
■ Install vCenter Server.
  If prompted, you must restart the machine on which vCenter Server is installed. Otherwise, you might not be able to register Update Manager with vCenter Server, and the Update Manager installation might fail.
  For more information about installing vCenter Server, see vSphere Installation and Setup.
■ Gather the following networking information for the vCenter Server system.
  ■ User name and password for the vCenter Server system.
    During the Update Manager installation process, you must register the Update Manager server with the vCenter Server system. To register Update Manager with vCenter Server, you must provide the credentials of the vCenter Server user that has the Register extension privilege. For more information about managing users, groups, roles, and permissions, see vCenter Server and Host Management.
  ■ Port numbers. In most cases, the default Web service port 80 is used.
  ■ IP address.
    If the IP address of the vCenter Server system or Update Manager changes, you can re-register the Update Manager server with the vCenter Server system. For more information about configuring the Update Manager server after installation, see Reconfiguring VMware vSphere Update Manager.
Update Manager System Requirements
■ Make sure that your system meets the requirements specified in Chapter 2, “System Requirements,” on page 21.
  IMPORTANT You can install the Update Manager 6.0 server component only on a 64-bit machine. Make sure the system on which you are installing the Update Manager server is not an Active Directory domain controller.
■ Log in as a local Administrator or a domain user that is a member of the Administrators group.

Obtain the Update Manager Installer

You install the Update Manager components from the vCenter Server installer for Windows.
Update Manager can only run on a 64-bit Windows operating system. If you want to use a vCenter Server Appliance to manage your virtual environment, you still need to obtain the vCenter Server installer for Windows to install the Update Manager server or the UMDS on a Windows host machine of a supported version.
Prerequisites
Create a My VMware account at https://my.vmware.com/web/vmware/.
Procedure
1 Download the vCenter Server installer from the VMware Web site at https://my.vmware.com/web/vmware/downloads.
vCenter Server is part of VMware vCloud Suite and of VMware vSphere, listed under Datacenter & Cloud Infrastructure.
a Navigate to Downloads > All Products.
b Under Datacenter & Cloud Infrastructure, select View Download Components next to a VMware vCloud Suite or VMware vSphere.
c Select a version from the Select Version drop-down menu, and click Go to Downloads next to VMware vCenter Server.
d Download the .iso file of the VMware vCenter Server for Windows and modules.
2 Confirm that the md5sum is correct.
See the VMware Web site topic Using MD5 Checksums at http://www.vmware.com/download/md5.html.
3 Mount the ISO image to the Windows virtual machine or physical server on which you want to install the Update Manager server or the UMDS.
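The check in step 2, written as a PowerShell function to run on the Windows machine before mounting the ISO in step 3. This is an added example, not part of the VMware manual: the helper name Test-IsoMd5 and the small demo file are assumptions, and for a real download the expected value is the MD5 shown on the download page.

```powershell
# Added example: verify a downloaded installer ISO against its published MD5.
# Test-IsoMd5 is a hypothetical helper name, not a VMware tool.
function Test-IsoMd5 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedMd5
    )

    # Normalize the published value: it may be shown with spaces, colons or upper case.
    $expected = ($ExpectedMd5 -replace '[\s:]', '').ToLowerInvariant()
    if ($expected -notmatch '^[0-9a-f]{32}$') {
        throw "Expected value is not a 32-digit hex MD5: '$ExpectedMd5'"
    }

    # Resolve the file first so a missing or wrong path is a hard error,
    # not something that later looks like a checksum mismatch.
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($file.PSIsContainer) {
        throw "Path is a directory, not a file: $($file.FullName)"
    }
    if ($file.Length -eq 0) {
        throw "File is empty (incomplete download?): $($file.FullName)"
    }

    # Get-FileHash streams the file, so a multi-gigabyte ISO is not loaded into memory.
    $actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash.ToLowerInvariant()

    [pscustomobject]@{
        Path     = $file.FullName
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)
    }
}

# Constructed demo input: a small temp file standing in for the downloaded ISO.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'demo-installer.iso'
[System.IO.File]::WriteAllBytes($demo, [System.Text.Encoding]::ASCII.GetBytes('hello'))

# First call uses the MD5 of the five ASCII bytes "hello", written with spaces and
# upper case to exercise the normalization. Second call uses a value that cannot match.
$good = Test-IsoMd5 -Path $demo -ExpectedMd5 '5D41402A BC4B2A76 B9719D91 1017C592'
$bad  = Test-IsoMd5 -Path $demo -ExpectedMd5 'd41d8cd98f00b204e9800998ecf8427e'

foreach ($r in $good, $bad) {
    if ($r.Match) {
        "OK       $($r.Path)"
    }
    else {
        "MISMATCH $($r.Path): expected $($r.Expected), got $($r.Actual). Do not mount; download again."
    }
}

Remove-Item -LiteralPath $demo
```

A matching MD5 shows that the download is complete and uncorrupted; it does not prove where the file came from, so take the expected value from the HTTPS download page itself rather than from a copy stored next to the file.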

Install the Update Manager Server

The Update Manager installation requires a connection with a single vCenter Server instance. You can install Update Manager on the same computer on which vCenter Server is installed or on a different computer.
Prerequisites
■ Check the compatibility and interoperability of the vCenter Server server with SRM. You should use caution when connecting the Update Manager server to a vCenter Server instance to which the SRM server is connected. Connecting the Update Manager server to the same vCenter Server instance as SRM might cause problems when you upgrade SRM or vSphere, and when you perform daily operations.
Procedure
1 In the software installer directory, double-click the autorun.exe file and select vSphere Update Manager > Server.
If you cannot run autorun.exe, browse to the UpdateManager folder and run VMware-UpdateManager.exe.
2 (Optional) Select the option to Use Microsoft SQL Server 2012 Express as the embedded database, and click Install.
NOTE Skip this step only if you plan to use another supported Oracle or SQL Server database.
If the Microsoft SQL Server 2012 Express is not present on your system from previous Update Manager installations, the installation wizard for the Microsoft SQL Server 2012 Express opens.
3 Click Install.
4 Select a language for the installer and click OK.
5 Review the Welcome page and click Next.
6 Read and accept the license agreement, and click Next.
7 Accept the terms in the license agreement and click Next.
8 Review the support information, select whether to download updates from the default download sources immediately after installation, and click Next.
If you deselect Download updates from default sources immediately after installation, Update Manager downloads updates once daily according to the default download schedule or immediately after you click the Download Now button on the Download Settings page. You can modify the default download schedule after the installation is complete.
If you deselect Download updates from default sources immediately after installation, the update download task runs after installation, but it does not download any updates.
9 Type the vCenter Server IP address or name, HTTP port, and the administrative account that the Update Manager server will use to connect to the vCenter Server system, and click Next.
You can provide an IP address to a vCenter Server instance running on Windows, or a vCenter Server Appliance.
In vSphere 6.0, the default administrative user account is administrator@vsphere.local.
10 (Optional) Select the database, and click Next.
If you selected to use the embedded Microsoft SQL Server 2012 Express database, the installation wizard skips this page.
a Use an existing supported database, by selecting your database from the list of DSNs. If the DSN does not use Windows NT authentication, enter the user name and password for the DSN and click Next.
IMPORTANT The DSN must be a 32-bit DSN.
11 (Optional) Select the database options.
■ If the system DSN you specify points to an existing Update Manager database with the current schema, you can either retain your existing database or replace it with an empty one.
■ If the system DSN you specify points to an existing Update Manager database with a different schema, on the Database Upgrade page, select Yes, I want to upgrade my Update Manager database and I have taken a backup of the existing Update Manager database, and click Next.
12 From the drop-down menu, select the IP address or the host name of your Update Manager instance.
If the computer on which you install Update Manager has one NIC, the Update Manager installer automatically detects the IP address. If the computer has multiple NICs, you must select the correct IP address or use a DNS name. The DNS name must be resolved from all hosts that this Update Manager instance will manage.
13 Specify the Update Manager port settings, select whether you want to configure the proxy settings, and click Next.
NOTE Use caution when you specify the Update Manager port settings, as you cannot modify them after installation.
For the SOAP port, you have no limitations to the range of ports used, as long as there are no conflicts.
For the Server port, you can use the following range: 80, 9000-9100. Update Manager automatically opens ESXi firewall ports in this range to allow outbound HTTP traffic to the patch store.
14 (Optional) Provide information about the proxy server, the port, and whether the proxy should be authenticated, and click Next.
15 Select the Update Manager installation and patch download directories, and click Next.
If you do not want to use the default locations, you can click Change to browse to a different directory.
16 (Optional) In the warning message about the disk free space, click OK.
This message appears when you try to install Update Manager on a computer that has less than 120GB free space.
17 Click Install to begin the installation.
18 Click Finish.
The Update Manager server component is installed, and the client component appears as an available plug-in in the Plug-in Manager of the vSphere Client.
What to do next
In the vSphere Client, select Plug-ins > Manage Plug-ins to install and enable the Update Manager Client plug-in.

Install the Update Manager Client Plug-In

To use Update Manager, you must install the Update Manager Client plug-in, which is delivered as a plug-in for the vSphere Client.
You can install the Update Manager Client plug-in on both 32-bit and 64-bit operating systems.
Prerequisites
■ Install the Update Manager server.
■ Install Microsoft .NET Framework 4.0. You can download it from the vSphere installer.
Procedure
1 Connect the vSphere Client to a vCenter Server system with which Update Manager is registered.
2 Select Plug-ins > Manage Plug-ins.
3 In the Plug-in Manager window, click Download and install for the VMware vSphere Update Manager extension.
4 Select a language for the installer and click OK.
5 Review the Welcome page and click Next.
6 Read and accept the license agreement, and click Next.
7 Click Install.
8 Complete the Update Manager Client installation, and click Finish.
The status for the Update Manager extension is displayed as Enabled.
9 Click Ignore if a security warning appears.
The security warning appears when the vSphere client detects a certificate that is not added in the Trusted Root Certification Authorities store. This is usually the case with the self-signed certificate used by ESXi hosts by default. For highly secure environments, you must set up a trusted third-party certificate later.
10 Click Close to close the Plug-in Manager window.
The icon for the Update Manager plug-in is displayed on the vSphere Client Home page under Solutions and Applications.

Enable the Update Manager Web Client Plug-In

You can use the Update Manager Web Client plug-in for the vSphere Web Client to perform upgrade operations on the hosts and update operations on the virtual machines in your environment. With the Update Manager Web Client you can perform the full set of operations that Update Manager offers.
For more information, see “Overview of the Update Manager Client Interfaces,” on page 12.
Prerequisites
Verify you have the View Compliance Status privilege, otherwise you cannot see and use the Update Manager Web Client in vSphere Web Client.
The Update Manager Web Client plug-in is automatically enabled in the vSphere Web Client after you install the Update Manager server.
The Update Manager Web Client plug-in appears as an Update Manager tab under the Monitor tab in vSphere Web Client.

Chapter 5 Upgrading Update Manager

You can upgrade to Update Manager 6.1 only from Update Manager versions 5.5 or 6.0 that are installed on a 64-bit operating system.
If you are running Update Manager of a version earlier than 5.5, or Update Manager that runs on a 32-bit platform, you cannot perform an in-place upgrade to Update Manager 6.1. You must use the data migration tool that is provided with Update Manager 5.0 installation media to upgrade your Update Manager system to Update Manager 5.0 running on a 64-bit operating system, and then perform an in-place upgrade from version 5.0 or version 5.1 to version 5.5 before upgrading to version 6.1. For detailed information how to use the data migration tool, see the Installing and Administering VMware vSphere Update Manager documentation for Update Manager 5.0.
When you upgrade Update Manager, you cannot change the installation path and patch download location. To change these parameters, you must install a new version of Update Manager rather than upgrade.
Previous versions of Update Manager use a 512-bit key and self-signed certificate and these are not replaced during upgrade. If you require a more secure 2048-bit key, you can either perform a fresh installation of Update Manager 6.1, or use the Update Manager Utility to replace the existing certificate.
Scheduled tasks for virtual machine patch scan and remediation are not removed during the upgrade. After the upgrade, you can edit and remove scheduled scan tasks that exist from previous releases. You can remove existing scheduled remediation tasks but you cannot edit them.
Virtual machine patch baselines are removed during the upgrade. Existing scheduled tasks that contain them run normally and ignore only the scanning and remediation operations that use virtual machine patch baselines.
You must upgrade the Update Manager database during the Update Manager upgrade. You can select whether to keep your existing data in the database or to replace it during the upgrade.
The Java Components (JRE) required by Update Manager are installed or upgraded silently on the system when you install or upgrade Update Manager. Starting with Update Manager 5.5 update 1, you can upgrade the Java Components separately from an Update Manager upgrade procedure to a version of the Java Components that is released asynchronously from the Update Manager releases.
This chapter includes the following topics:
■ “Upgrade the Update Manager Server,” on page 37
■ “Upgrade the Update Manager Java Components,” on page 39

Upgrade the Update Manager Server

To upgrade an instance of Update Manager that is installed on a 64-bit machine, you must first upgrade vCenter Server to a compatible version.
The Update Manager 6.1 release allows upgrades from Update Manager 5.5 or later.
Prerequisites
■ Stop the Update Manager service and back up the Update Manager database. The installer upgrades the database schema, making the database irreversibly incompatible with previous Update Manager versions.
Procedure
1 Upgrade vCenter Server to a compatible version.
NOTE The vCenter Server installation wizard warns you that Update Manager is not compatible when vCenter Server is upgraded.
If prompted, you must restart the machine that is running vCenter Server. Otherwise, you might not be able to upgrade Update Manager.
2 In the software installer directory, double-click the autorun.exe file and select vSphere Update Manager > Server.
If you cannot run autorun.exe, browse to the UpdateManager folder and run VMware-UpdateManager.exe.
3 Select a language for the installer and click OK.
4 In the upgrade warning message, click OK.
5 Review the Welcome page and click Next.
6 Read and accept the license agreement, and click Next.
7 Review the support information, select whether to delete old upgrade files, select whether to download updates from the default download sources immediately after installation, and click Next.
If you deselect Delete the old host upgrade files from the repository, you retain files that you cannot use with Update Manager 6.1.
If you deselect Download updates from default sources immediately after installation, Update Manager downloads updates once daily according to the default download schedule or immediately after you click Download Now on the Download Settings page. You can modify the default download schedule after the installation is complete.
8 Type the vCenter Server system credentials and click Next.
To keep the Update Manager registration with the original vCenter Server system valid, keep the vCenter Server system IP address and enter the credentials from the original installation.
9 Type the database password for the Update Manager database and click Next.
The database password is required only if the DSN does not use Windows NT authentication.
10 On the Database Upgrade page, select Yes, I want to upgrade my Update Manager database and I have taken a backup of the existing Update Manager database, and click Next.
11 (Optional) On the Database re-initialization warning page, select to keep your existing remote database if it is already upgraded to the latest schema.
If you replace your existing database with an empty one, you lose all of your existing data.
12 Specify the Update Manager port settings, select whether you want to configure the proxy settings, and click Next.
Configure the proxy settings if the computer on which Update Manager is installed has access to the Internet.
13 (Optional) Provide information about the proxy server and port, specify whether the proxy should be authenticated, and click Next.
14 Click Install to begin the upgrade.
15 Click Finish.
You upgraded the Update Manager server.
What to do next
Upgrade the Update Manager Client plug-in.

Upgrade the Update Manager Java Components

The required Update Manager Java Components (JRE) are installed or upgraded silently when you install or upgrade Update Manager. By using a vCenter Server Java components patch, you can also upgrade Update Manager Java Components separately from Update Manager installer.
By using the separate installer, you can upgrade JRE to a version that is released asynchronously from Update Manager releases. If an earlier version of JRE is present on the system, this procedure upgrades it.
When Update Manager runs on the same system as the vCenter Server, if an earlier version of vCenter Server tc Server is present on that system, this procedure also upgrades the vCenter Server tc Server component.
During the patch process, the Update Manager undergoes a downtime as the vCenter Server Java Components patch restarts the Update Manager service.
Prerequisites
■ Download the vCenter Server Java Components patch from VMware downloads page at https://my.vmware.com/web/vmware/downloads. The name format is VMware-VIMPatch-5.5.0-build_number-YYYYMMDD.iso
■ Stop any running Update Manager operations, such as scanning, staging, or remediation.
Procedure
1 On the system where Update Manager is installed, mount the ISO of the vCenter Server Java Components patch.
2 In Windows Explorer, double-click the file ISO_mount_directory/autorun.exe.
A vCenter Server Java Components Update wizard opens.
3 Click Patch All.
If the Java components on the Update Manager system are up to date, a status message that confirms that is displayed.
If the Java components on the Update Manager system are not up to date, they are silently upgraded.
When clicking the Patch All button, if vCenter Server, vCenter Single Sign-On, vCenter Inventory Service or vSphere Web Client are also installed on the system where Update Manager is installed, the Java components for all of these are also silently upgraded.
The Java components are upgraded on the Update Manager system.

Chapter 6 Best Practices and Recommendations for Update Manager Environment

You can install Update Manager on the server on which vCenter Server runs or on a different server.
The Update Manager server and client plug-ins must be the same version. Update Manager and vCenter Server, and the vSphere Client must be of a compatible version. For more information about compatibility, see “Update Manager Compatibility with vCenter Server, vSphere Client and vSphere Web Client,” on page 22.
Update Manager has two deployment models:
Internet-connected model
  The Update Manager server is connected to the VMware patch repository, and third-party patch repositories (for ESXi 5.x and ESXi 6.0 hosts, as well as for virtual appliances). Update Manager works with vCenter Server to scan and remediate the virtual machines, appliances, hosts, and templates.
Air-gap model
  Update Manager has no connection to the Internet and cannot download patch metadata. In this model, you can use UMDS to download and store patch metadata and patch binaries in a shared repository. To scan and remediate inventory objects, you must configure the Update Manager server to use a shared repository of UMDS data as a patch datastore. For more information about using UMDS, see Chapter 8, “Installing, Setting Up, and Using Update Manager Download Service,” on page 45.
Outside of DRS clusters, you might not be able to remediate the host running the Update Manager or vCenter Server virtual machines by using the same vCenter Server instance, because the virtual machines cannot be suspended or shut down during remediation. You can remediate such a host by using separate vCenter Server and Update Manager instances on another host. Inside DRS clusters, if you start a remediation task on the host running the vCenter Server or Update Manager virtual machines, DRS attempts to migrate the virtual machines to another host, so that the remediation succeeds. If DRS cannot migrate the virtual machine running Update Manager or vCenter Server, the remediation fails. Remediation also fails if you have selected the option to power off or suspend the virtual machines before remediation.

Update Manager Deployment Models and Their Usage

You can use the different Update Manager deployment models in different cases, depending on the size of your system.
You can use one of several common host-deployment models for Update Manager server:
All-in-one model
  vCenter Server and Update Manager server are installed on one host and their database instances are on the same host. This model is most reliable when your system is relatively small.
Medium deployment model
  vCenter Server and Update Manager server are installed on one host and their database instances are on two separate hosts. This model is recommended for medium deployments, with more than 300 virtual machines or 30 hosts.
Large deployment model
  vCenter Server and Update Manager server run on different hosts, each with its dedicated database server. This model is recommended for large deployments when the datacenters contain more than 1,000 virtual machines or 100 hosts.

Chapter 7 Uninstalling Update Manager

Update Manager has a relatively small impact on computing resources such as disk space. Unless you are certain that you want to remove Update Manager, leave an existing installation in place for later use and disable the Update Manager Client plug-in.
The Update Manager server and Update Manager Client plug-in can be uninstalled separately.
The Update Manager Web Client is automatically removed from the vSphere Web Client after you uninstall the Update Manager server.
This chapter includes the following topics:
■ “Uninstall the Update Manager Server,” on page 43
■ “Uninstall the Update Manager Client Plug-In,” on page 43

Uninstall the Update Manager Server

You can uninstall the Update Manager server component.
Procedure
1 From the Windows Start menu, select Settings > Control Panel > Add or Remove Programs.
2 Select VMware vSphere Update Manager and click Remove.
The Update Manager server component is uninstalled from your system. All downloaded metadata and binaries, as well as log data remain on the machine where Update Manager was installed.
The Update Manager Web Client is automatically removed from the vSphere Web Client.

Uninstall the Update Manager Client Plug-In

If you uninstall Update Manager, you might also want to uninstall the Update Manager Client plug-in from the vSphere Client.
Prerequisites
Check if you have McAfee software installed on the system the Update Manager plug-in runs on. In case McAfee software runs in the same system as Update Manager, you cannot uninstall the Update Manager Client plug-in. To successfully uninstall the Update Manager Client plug-in, first disable all McAfee services, then uninstall the Update Manager Client plug-in and enable the McAfee services again.
Procedure
1 From the Windows Start menu, select Settings > Control Panel > Add or Remove Programs.
2 Select VMware vSphere Update Manager Client and click Remove.
After you uninstall the Update Manager plug-in, the Update Manager icon is no longer available in the vSphere Client.

Chapter 8 Installing, Setting Up, and Using Update Manager Download Service

VMware vSphere Update Manager Download Service (UMDS) is an optional module of Update Manager. UMDS downloads upgrades for virtual appliances, patch metadata, patch binaries, and notifications that would not otherwise be available to the Update Manager server.
For security reasons and deployment restrictions, vSphere, including Update Manager, might be installed in a secured network that is disconnected from other local networks and the Internet. Update Manager requires access to patch information to function properly. In such an environment, you can install UMDS on a computer that has Internet access to download upgrades, patch binaries, and patch metadata, and then export the downloads to a portable media drive so that they become accessible to the Update Manager server.
In a deployment where the machine on which Update Manager is installed has no Internet access, but is connected to a server that has Internet access, you can automate the export process and transfer files from UMDS to the Update Manager server by using a Web server on the machine on which UMDS is installed.
UMDS 6.0 supports patch recalls and notifications. A patch is recalled if the released patch has problems or potential issues. After you download patch data and notifications with UMDS, and export the downloads so that they become available to the Update Manager server, Update Manager deletes the recalled patches and displays the notifications on the Update Manager Notifications tab. For more information about patch recalls and notifications, see “Configuring and Viewing Notifications,” on page 63.
This chapter includes the following topics:
■ “Installing UMDS,” on page 45
■ “Setting Up and Using UMDS,” on page 48

Installing UMDS

You can install and use UMDS to download virtual appliance upgrades, patch binaries, patch metadata, and notifications if Update Manager does not have access to the Internet. The machine on which you install UMDS must have Internet access.
NOTE You cannot upgrade UMDS 5.x to UMDS 6.0. You can perform a fresh installation of UMDS 6.0 according to all system requirements, and use an existing patch store from UMDS 5.x. You can install UMDS only on 64-bit machines.
Before installing UMDS, you must create a database instance and configure it to ensure that all tables are placed in it. You must configure a 32-bit DSN and test the DSN from ODBC. If you are using Microsoft SQL Server 2012 Express, you can install and configure the database when you install UMDS.
Installing UMDS 6.0 in an Environment with Update Manager 6.0 Instances Only
In the UMDS 6.0 installation wizard, you can select the patch store to be an existing download directory from an earlier UMDS 5.x installation and reuse the applicable downloaded updates in UMDS 6.0. You should uninstall existing UMDS 5.x instances before reusing the patch store. Once you associate an existing download directory with UMDS 6.0, you cannot use it with earlier UMDS versions.
If you install UMDS with an existing download directory, make sure that you perform at least one download by using UMDS 6.0 before you export updates.
Installing UMDS 6.0 in an Environment with both Update Manager 5.x and Update Manager 6.0 Instances
You should not install UMDS 6.0 with an existing UMDS 5.x download directory if your environment contains both Update Manager 5.x and Update Manager 6.0 instances. In such a case, you need a UMDS 5.x and a UMDS 6.0 installation on two separate machines, in order to export updates for the respective Update Manager versions.
Regardless of the version, you must not install the UMDS on the same machine as the Update Manager server.

Compatibility Between UMDS and the Update Manager Server

UMDS must be of a version that is compatible with the Update Manager server.
Update Manager can work with a certain UMDS version if the metadata and structure of the patch store that UMDS exports is compatible with Update Manager, and if the data can be imported and used by the Update Manager server.
UMDS 6.0 is compatible and can work with Update Manager 5.x and their respective update releases, and with Update Manager 6.0.

Install UMDS

Install UMDS if the machine on which Update Manager is installed does not have access to the Internet.
Prerequisites
■ Verify that the machine on which you install UMDS has Internet access, so that UMDS can download upgrades, patch metadata and patch binaries.
■ Uninstall UMDS 1.0.x, UMDS 4.x, or UMDS 5.x if it is installed on the machine. If such a version of UMDS is already installed, the installation wizard displays an error message and the installation cannot proceed.
■ Before you install UMDS, create a database instance and configure it. If you install UMDS on a 64-bit machine, you must configure a 32-bit DSN and test it from ODBC. The database privileges and preparation steps are the same as the ones used for Update Manager. For more information, see Chapter 3, “Preparing the Update Manager Database,” on page 25.
■ If you plan to use the bundled Microsoft SQL Server 2012 Express database, make sure that you install Microsoft Windows Installer version 4.5 (MSI 4.5) on your system.
■ UMDS and Update Manager must be installed on different machines.
■ To ensure optimal performance, install UMDS on a system with the same requirements as the ones for the Update Manager server listed in Chapter 2, “System Requirements,” on page 21.
Procedure
1 In the software installer directory, double-click the autorun.exe file and select vSphere Update Manager > Download Service.
If you cannot run autorun.exe, browse to the umds folder and run VMware-UMDS.exe.
2 (Optional) Select the option to Use Microsoft SQL Server 2012 Express as the embedded database, and click Install.
NOTE Skip this step only if you plan to use another supported Oracle or SQL Server database.
If the Microsoft SQL Server 2012 Express is not present on your system from previous Update Manager installations, the installation wizard for the Microsoft SQL Server 2012 Express opens.
3 Click Install.
4 Select the language for the installation and click OK.
5 (Optional) If the wizard prompts you, install the required items such as Windows Installer 4.5.
This step is required only if Windows Installer 4.5 is not present on your machine and you must perform it the first time you install a vSphere 5.x product. After the system restarts, the installer launches again.
6 Review the Welcome page and click Next.
7 Read and accept the license agreement, and click Next.
8 Accept the terms in the license agreement and click Next.
9 (Optional) Select the database, and click Next.
If you selected to use the embedded Microsoft SQL Server 2012 Express database, the installation wizard skips this page.
a Use an existing supported database, by selecting your database from the list of DSNs. If the DSN does not use Windows NT authentication, enter the user name and password for the DSN and click Next.
IMPORTANT The DSN must be a 32-bit DSN.
10 Enter the Update Manager Download Service proxy settings and click Next.
11 Select the Update Manager Download Service installation and patch download directories and click Next.
If you do not want to use the default locations, you can click Change to browse to a different directory. You can select the patch store to be an existing download directory from a previous UMDS 5.x installation and reuse the applicable downloaded updates in UMDS 6.0. After you associate an existing download directory with UMDS 6.0, you cannot use it with earlier UMDS versions.
12 (Optional) In the warning message about the disk free space, click OK.
13 Click Install to begin the installation.
14 Click OK in the Warning message notifying you that .NET Framework 4.0 is not installed.
The UMDS installer installs the prerequisite before the actual product installation.
15 Click Finish.
UMDS is installed.

Setting Up and Using UMDS

You can set up UMDS to download upgrades for virtual appliances, or patches and notifications for ESXi hosts. You can also set up UMDS to download ESXi 5.x and ESXi 6.0 patch binaries, patch metadata, and notifications from third-party portals.
After you download the upgrades, patch binaries, patch metadata, and notifications, you can export the data to a Web server or a portable media drive and set up Update Manager to use a folder on the Web server or the media drive (mounted as a local disk) as a shared repository.
You can also set up UMDS to download ESXi 5.x and ESXi 6.0 patches and notifications from third-party portals.
To use UMDS, the machine on which you install it must have Internet access. After you download the data you want, you can copy it to a local Web server or a portable storage device, such as a CD or USB flash drive.
The best practice is to create a script to download the patches manually and set it up as a Windows Scheduled Task that downloads the upgrades and patches automatically.

Set Up the Data to Download with UMDS

By default UMDS downloads patch binaries, patch metadata, and notifications for hosts. You can specify which patch binaries and patch metadata to download with UMDS.
Procedure
1 Log in to the machine where UMDS is installed, and open a Command Prompt window.
2 Navigate to the directory where UMDS is installed.
The default location in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
3 Specify the updates to download.
- To set up a download of all ESXi host updates and all virtual appliance upgrades, run the following command:
  vmware-umds -S --enable-host --enable-va
- To set up a download of all ESXi host updates and disable the download of virtual appliance upgrades, run the following command:
  vmware-umds -S --enable-host --disable-va
- To set up a download of all virtual appliance upgrades and disable the download of host updates, run the following command:
  vmware-umds -S --disable-host --enable-va
What to do next
Download the selected data.

Change the UMDS Patch Repository Location

UMDS downloads upgrades, patch binaries, patch metadata, and notifications to a folder that you can specify during the UMDS installation. The default folder to which UMDS downloads patch binaries and patch metadata is C:\Documents and Settings\All Users\Application Data\VMware\VMware Update Manager\Data. You can change the folder in which UMDS downloads data after you install UMDS.
If you have already downloaded any virtual appliances upgrades, or host updates, make sure that you copy all the files and folders from the old location to the new patch store location. The folder in which UMDS downloads patch binaries and patch metadata must be located on the machine on which UMDS is installed.
Procedure
1 Log in as an administrator to the machine where UMDS is installed, and open a Command Prompt window.
2 Navigate to the directory where UMDS is installed.
The default location in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
3 Change the patch repository directory by running the command:
vmware-umds -S --patch-store your_new_patchstore_folder
In this example, your_new_patchstore_folder is the path to the new folder in which you want to download the patch binaries and patch metadata.
You successfully changed the directory in which UMDS stores patch data.
What to do next
Download data using UMDS.

Configure URL Addresses for Hosts and Virtual Appliances

You can configure UMDS to connect to the Web sites of third-party vendors to download ESXi 5.x and ESXi 6.0 host patches and notifications. You can also configure the URL addresses from which UMDS downloads virtual appliance upgrades.
Procedure
1 Log in to the machine where UMDS is installed, and open a Command Prompt window.
2 Navigate to the directory where UMDS is installed.
The default location in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
3 Configure UMDS to download data from the new URL address.
- To add a new URL address for downloading patches and notifications for ESXi 5.x or ESXi 6.0 hosts, run the following command:
  vmware-umds -S --add-url https://host_URL/index.xml --url-type HOST
- To add a URL address for downloading virtual appliance upgrades, run the following command:
  vmware-umds -S --add-url https://virtual_appliance_URL/index.xml --url-type VA
4 (Optional) Remove a URL address, so that UMDS will not download data from it anymore.
Downloaded data is retained and can be exported.
vmware-umds.exe -S --remove-url https://URL_to_remove/index.xml
UMDS is configured to download host patches and notifications, as well as virtual appliance upgrades from specific URL addresses.
What to do next
Download the patches and notifications using UMDS.

Download the Specified Data Using UMDS

After you set up UMDS, you can download upgrades, patches and notifications to the machine on which UMDS is installed.
Procedure
1 Log in to the machine where UMDS is installed, and open a Command Prompt window.
2 Navigate to the directory where UMDS is installed.
The default location in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
3 Download the selected updates.
vmware-umds -D
This command downloads all the upgrades, patches and notifications from the configured sources for the first time. Subsequently, it downloads all new patches and notifications released after the previous UMDS download.
4 (Optional) If you have already downloaded upgrades, patches, and notifications and want to download them again, you can include the start and end times to restrict the data to download.
The command to re-download patches and notifications deletes the existing data from the patch store (if present) and re-downloads it.
To re-download the upgrades, patches and notifications that were downloaded in November 2010, for example, run the following command:
vmware-umds -R --start-time 2010-11-01T00:00:00 --end-time 2010-11-30T23:59:59
The data previously downloaded for the specified period is deleted and downloaded again.
What to do next
Export the downloaded upgrades, patches, and notifications.

Export the Downloaded Data

You can export downloaded upgrades, patches, and notifications to a specific location that serves as a shared repository for Update Manager. You can configure Update Manager to use the shared repository as a patch download source. The shared repository can also be hosted on a Web server.
Prerequisites
If you installed UMDS with an existing download directory, make sure that you perform at least one download by using UMDS 6.0 before you export updates.
Procedure
1 Log in to the machine where UMDS is installed and open a Command Prompt window.
2 Navigate to the directory where UMDS is installed.
The default location in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
3 Specify the export parameters and export the data.
vmware-umds -E --export-store repository_path
In the command, you must specify the full path of the export directory.
If you are working in a deployment in which the Update Manager server is installed on a machine connected to the machine on which UMDS is installed, repository_path can be the path to the folder on the Web server that serves as a shared repository.
If the Update Manager server is installed on a machine in an isolated and secure environment, repository_path can be the path to a portable media drive. Export the downloads to the portable media drive to physically transfer the patches to the machine on which Update Manager is installed.
The data you downloaded by using UMDS is exported to the path you specify. Make sure that all files are exported. You can periodically perform export from UMDS and populate the shared repository so that Update Manager can use the new patch binaries and patch metadata.
4 (Optional) You can export the ESXi patches that you downloaded during a specified time window.
For example, to export the patches downloaded in November 2010, run the following command:
vmware-umds -E --export-store repository_path --start-time 2010-11-01T00:00:00 --end-time 2010-11-30T23:59:59
What to do next
Configure Update Manager to use a shared repository as a patch download source. For more information, see “Use a Shared Repository as a Download Source,” on page 58.
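The download and export steps above, written as the kind of script the best-practice note suggests scheduling, with a SHA-256 manifest so the Update Manager side can confirm that all files arrived unchanged. This is an added example, not VMware code; it assumes Windows PowerShell 4.0 or later and that vmware-umds exits with a non-zero code on failure, and the script name, task name, log and manifest paths are placeholders.

```powershell
# umds-sync.ps1 - added example, not VMware code.
# Assumptions: Windows PowerShell 4.0+; vmware-umds exits non-zero on failure.
# Scheduling (task name, time and paths are placeholders):
#   schtasks /Create /TN "UMDS sync" /SC DAILY /ST 02:00 /TR "powershell.exe -NoProfile -File C:\Scripts\umds-sync.ps1 -Mode Export -Repository F:\ -Manifest C:\Manifests\umds.sha256"
param(
    [Parameter(Mandatory = $true)][ValidateSet('Export', 'Verify')][string]$Mode,
    [Parameter(Mandatory = $true)][string]$Repository,  # export store, or the shared repository on the Update Manager side
    [Parameter(Mandatory = $true)][string]$Manifest,    # full path of the SHA-256 manifest file
    [string]$UmdsDir = 'C:\Program Files (x86)\VMware\Infrastructure\Update Manager',  # default from the manual
    [string]$Log = (Join-Path $env:TEMP 'umds-sync.log')
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Invoke-Umds {
    param([string[]]$Arguments)
    $exe = Join-Path $UmdsDir 'vmware-umds.exe'
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { throw "vmware-umds.exe not found in $UmdsDir" }
    Push-Location -LiteralPath $UmdsDir   # the manual runs the tool from its installation directory
    try {
        # Log stderr lines of the native program without letting them become terminating errors.
        $ErrorActionPreference = 'Continue'
        & $exe @Arguments 2>&1 | ForEach-Object { "$_" } | Add-Content -LiteralPath $Log
        $code = $LASTEXITCODE
    } finally {
        Pop-Location
    }
    if ($code -ne 0) { throw "vmware-umds $($Arguments -join ' ') exited with code $code" }
}

function Get-RepositoryHashes {
    param([string]$Root)
    # Returns a hashtable: path relative to $Root -> SHA-256 of the file.
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath
    $prefix = $rootFull.TrimEnd('\') + '\'
    $manifestFull = [System.IO.Path]::GetFullPath($Manifest)
    $hashes = @{}
    foreach ($file in Get-ChildItem -LiteralPath $rootFull -Recurse -File) {
        if ($file.FullName -eq $manifestFull) { continue }   # never hash the manifest itself
        $relative = $file.FullName.Substring($prefix.Length)
        $hashes[$relative] = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
    return $hashes
}

if ($Mode -eq 'Export') {
    # UMDS machine: download new data, export it, then record what was exported.
    Invoke-Umds @('-D')
    Invoke-Umds @('-E', '--export-store', $Repository)
    $hashes = Get-RepositoryHashes -Root $Repository
    $hashes.GetEnumerator() | Sort-Object Key |
        ForEach-Object { '{0}  {1}' -f $_.Value, $_.Key } |
        Set-Content -LiteralPath $Manifest -Encoding UTF8
    "Exported $($hashes.Count) files; manifest written to $Manifest"
}
else {
    # Update Manager machine: compare the repository folder with the manifest
    # before configuring the folder as a shared repository.
    $expected = @{}
    foreach ($line in Get-Content -LiteralPath $Manifest) {
        if ($line -match '^([0-9A-Fa-f]{64})  (.+)$') { $expected[$Matches[2]] = $Matches[1] }
    }
    $actual = Get-RepositoryHashes -Root $Repository
    $problems = @()
    foreach ($name in $expected.Keys) {
        if (-not $actual.ContainsKey($name)) { $problems += "MISSING  $name" }
        elseif ($actual[$name] -ne $expected[$name]) { $problems += "CHANGED  $name" }
    }
    foreach ($name in $actual.Keys) {
        if (-not $expected.ContainsKey($name)) { $problems += "EXTRA    $name" }
    }
    if ($problems.Count -gt 0) {
        $problems | Sort-Object
        exit 1
    }
    "Repository matches manifest ($($expected.Count) files)"
}
```

A manifest that travels on the same media as the export only detects incomplete or corrupted copies; carry it by a separate channel if it should also reveal changes made to the media in transit.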

Chapter 9 Configuring Update Manager

Update Manager runs with the default configuration properties if you have not modified them during the installation. You can modify the Update Manager settings later from the Update Manager Administration view.
You can configure and modify the Update Manager settings only if you have the privileges to configure the Update Manager settings and service. These permissions must be assigned on the vCenter Server system with which Update Manager is registered. For more information about managing users, groups, roles and permissions, see vSphere Security documentation. For a list of Update Manager privileges and their descriptions, see “Update Manager Privileges,” on page 72.
If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, and you have installed and registered more than one Update Manager instance, you can configure the settings for each Update Manager instance. Configuration properties you modify are applied only to the Update Manager instance you specify and are not propagated to the other instances in the group. You can specify an Update Manager instance by selecting the name of the vCenter Server system with which the Update Manager instance is registered from the navigation bar.
This chapter includes the following topics:
- “Update Manager Network Connectivity Settings,” on page 54
- “Change the Update Manager Network Settings,” on page 55
- “Configuring the Update Manager Download Sources,” on page 56
- “Configure the Update Manager Proxy Settings,” on page 61
- “Configure Checking for Updates,” on page 62
- “Configuring and Viewing Notifications,” on page 63
- “Take Snapshots Before Remediation,” on page 65
- “Configuring Host and Cluster Settings,” on page 66
- “Configure Smart Rebooting,” on page 70
- “Configure the Update Manager Patch Repository Location,” on page 71
- “Restart the Update Manager Service,” on page 71
- “Run the VMware vSphere Update Manager Update Download Task,” on page 72
- “Update Manager Privileges,” on page 72

Update Manager Network Connectivity Settings

The port, IP, and DNS settings are configured during the installation of Update Manager and do not depend on your deployment model.
Default Network Ports
The network port settings are configured during installation but you can change them later to avoid conflicts with other programs installed on the same machine.
Table 9-1. Update Manager Default Network Ports
TCP Port Number | Description
80 | The port used by Update Manager to connect to vCenter Server.
9084 | The port used by ESXi hosts to access host patch downloads over HTTP.
902 | The port used by Update Manager to push host upgrade files.
8084 | The port used by Update Manager Client plug-in to connect to the Update Manager SOAP server.
9087 | The HTTPS port used by Update Manager Client plug-in to upload host upgrade files.
IP Address and DNS Name
The Update Manager network settings include the IP address or DNS name that the update utility on hosts uses to retrieve the patch metadata and binaries from the Update Manager server (through HTTP). The IP address is configured during installation, but you can change it later from the IP address or host name for the patch store drop-down menu on the Network Connectivity page of the Configuration tab.
IMPORTANT To avoid any potential DNS resolution problems, use an IP address whenever possible. If you must use a DNS name instead of an IP address, ensure that the DNS name you specify can be resolved from all hosts managed by Update Manager as well as by vCenter Server.
Update Manager supports Internet Protocol version 6 (IPv6) environments for scanning and remediating hosts running ESXi 5.0 and later. Update Manager does not support IPv6 for scanning and remediation of virtual machines and virtual appliances.
vCenter Server, Update Manager, and your ESXi hosts might exist in a heterogeneous IPv6 and IPv4 network environment. In such an environment, if you use IP addresses, and no dual stack IPv4 or IPv6 DNS servers exist, the ESXi hosts configured to use only IPv4 address cannot access the IPv6 network resources. The hosts configured to use only IPv6 cannot access the IPv4 network resources either.
You can install Update Manager on a machine on which both IPv4 and IPv6 are enabled. During host operations such as scanning, staging, and remediation, Update Manager provides the address of its patch store location to the ESXi hosts. If Update Manager is configured to use an IP address, it provides an IP address of either IPv4 or IPv6 type, and can be accessed only by some of the hosts. For example, if Update Manager provides an IPv4 address, the hosts that use only an IPv6 address cannot access the Update Manager patch store. In such a case, consider the following configuration.
Table 9-2. Update Manager Configuration
Host IP Version | Action
IPv4 | Configure Update Manager to use either an IPv4 address or a host name. Using a host name lets all hosts rely on the DNS server to resolve to an IPv4 address.
IPv6 | Configure Update Manager to use either an IPv6 address or a host name. Using a host name lets hosts rely on the DNS server to resolve to an IPv6 address.
IPv4 and IPv6 | Configure Update Manager to use either IPv4 or IPv6.

Change the Update Manager Network Settings

The network ports are configured during installation. You can modify the IP address or host name for the patch store in the Update Manager network connectivity settings.
Prerequisites
- If any remediation or scan tasks are running, cancel them or wait until they complete.
- To obtain metadata for the patches, Update Manager must be able to connect to https://www.vmware.com and requires outbound ports 80 and 443.
Procedure
1 Depending on the client you use to connect to vCenter Server, perform the following steps.
vSphere Web Client:
  1 On the Manage tab, under Settings, click Network Connectivity.
vSphere Client:
  1 On the Configuration tab, under Settings, click Network Connectivity.
2 See information about the network connectivity settings.
Option | Description
SOAP port | Update Manager clients use this port to communicate with the Update Manager server.
Server port (range: 80, 9000–9100) | Listening port for the Web server that provides access to the plug-in client installer, and provides access to the patch depot for ESXi hosts.
IP address or host name for the patch store | The IP address or name of the host in which patches are downloaded and stored.
3 Edit the IP address or host name for the patch store.
4 Click Apply.
What to do next
Restart the Update Manager service for network changes to take effect.

Configuring the Update Manager Download Sources

You can configure the Update Manager server to download patches and extensions for ESXi hosts or upgrades for virtual appliances either from the Internet or from a shared repository of UMDS data. You can also import patches and extensions for ESXi hosts manually from a ZIP file.
If your deployment system is connected to the Internet, you can use the default settings and links for downloading upgrades, patches, and extensions to the Update Manager repository. You can also add URL addresses to download virtual appliance upgrades or third-party patches and extensions. Third-party patches and extensions are applicable only to hosts that are running ESXi 5.0 and later.
If your deployment system is not connected to the Internet, you can use a shared repository after downloading the upgrades, patches, and extensions by using Update Manager Download Service (UMDS).
Changing the download source from a shared repository to Internet, and the reverse, is a change in the Update Manager configuration. Both options are mutually exclusive. You cannot download updates from the Internet and a shared repository at the same time. To download new data, you must run the VMware vSphere Update Manager Download task. You can start the task by clicking the Download Now button at the bottom of the Download Sources pane.
If the VMware vSphere Update Manager Update Download task is running when you apply the new configuration settings, the task continues to use the old settings until it completes. The next time the task to download updates starts, it uses the new settings.
With Update Manager, you can import both VMware and third-party patches or extensions manually from a ZIP file, also called an offline bundle. Import of offline bundles is supported only for hosts that are running ESXi 5.0 and later. You download the offline bundle ZIP files from the Internet or copy them from a media drive, and save them on a local or a shared network drive. You can import the patches or extensions to the Update Manager patch repository later. You can download offline bundles from the VMware Web site or from the Web sites of third-party vendors.
NOTE You can use offline bundles for host patching operations only. You cannot use third-party offline bundles or offline bundles that you generated from custom VIB sets for host upgrade from ESXi 5.x to ESXi 6.0.
Offline bundles contain one metadata.zip file, one or more VIB files, and optionally two .xml files, index.xml and vendor-index.xml. When you import an offline bundle to the Update Manager patch repository, Update Manager extracts it and checks whether the metadata.zip file has already been imported. If the metadata.zip file has never been imported, Update Manager performs sanity testing, and imports the files successfully. After you confirm the import, Update Manager saves the files into the Update Manager database and copies the metadata.zip file, the VIBs, and the .xml files, if available, into the Update Manager patch repository.
- Configure Update Manager to Use the Internet as a Download Source on page 57
  If your deployment system is connected to the Internet, you can directly download ESXi patches and extensions, as well as virtual appliance upgrades.
- Add a New Download Source on page 57
  If you use the Internet as a download source for updates, you can add a third-party URL address to download virtual appliance upgrades, as well as patches and extensions for hosts that are running ESXi 5.x and later.
- Use a Shared Repository as a Download Source on page 58
  You can configure Update Manager to use a shared repository as a source for downloading virtual appliance upgrades, as well as ESXi patches, extensions, and notifications.
- Import Patches Manually on page 60
  Instead of using a shared repository or the Internet as a download source for patches and extensions, you can import patches and extensions manually by using an offline bundle.

Configure Update Manager to Use the Internet as a Download Source

If your deployment system is connected to the Internet, you can directly download ESXi patches and extensions, as well as virtual appliance upgrades.
Prerequisites
Required privileges: VMware vSphere Update Manager.Configure
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
vSphere Web Client:
  1 On the Manage tab, under Settings, click Download Settings.
  2 Click Edit.
vSphere Client:
  1 On the Configuration tab, under Settings, click Download Settings.
3 In the Download Sources pane, select Direct connection to Internet.
4 If you use the vSphere Client, choose the type of updates to download by selecting or deselecting the check box next to the type of update.
You can choose whether to download virtual appliance upgrades and host patches and extensions. You cannot edit the download source location of the default ESXi patches and extensions. You can only enable or disable downloading.
5 (Optional) Add an additional third-party download source for virtual appliances or hosts that are running ESXi 5.0 and later.
6 Click Apply.
7 Click Download Now to run the VMware vSphere Update Manager Update Download task.
All notifications and updates are downloaded immediately even if the Enable scheduled download checkbox is not selected in Configuration > Notification Check Schedule or Configuration > Download Schedule, respectively.

Add a New Download Source

If you use the Internet as a download source for updates, you can add a third-party URL address to download virtual appliance upgrades, as well as patches and extensions for hosts that are running ESXi 5.x and later.
Prerequisites
Required privileges: VMware vSphere Update Manager.Configure
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
vSphere Web Client:
  1 On the Manage tab, under Settings, click Download Settings.
  2 Click Edit.
vSphere Client:
  1 On the Configuration tab, under Settings, click Download Settings.
3 In the Download Sources pane, select Direct connection to Internet.
4 Click Add Download Source.
5 In the Add Download Source window, type the new download source URL.
Update Manager supports both HTTP and HTTPS URL addresses. You should specify HTTPS URL addresses, so that the data is downloaded securely. The URL addresses that you add must be complete and contain the index.xml file, which lists the vendor and the vendor index.
NOTE The proxy settings for Update Manager are applicable to third-party URL addresses too. You can configure the proxy settings from the Proxy Settings pane.
6 (Optional) Type a URL description.
7 If you use the vSphere Client, click Validate URL to verify that the URL is accessible.
The vSphere Web Client performs the validation when you click OK.
8 Click OK.
9 Click Apply.
10 Click Download Now to run the VMware vSphere Update Manager Update Download task.
All notifications and updates are downloaded immediately even if the Enable scheduled download checkbox is not selected in Configuration > Notification Check Schedule or Configuration > Download Schedule, respectively.
The location is added to the list of Internet download sources.

Use a Shared Repository as a Download Source

You can configure Update Manager to use a shared repository as a source for downloading virtual appliance upgrades, as well as ESXi patches, extensions, and notifications.
Prerequisites
Required privileges: VMware vSphere Update Manager.Configure
You must create the shared repository using UMDS and host it on a Web server or a local disk. The UMDS version you use must be of a version compatible with your Update Manager installation.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
vSphere Web Client:
  1 On the Manage tab, under Settings, click Download Settings.
  2 Click Edit.
vSphere Client:
  1 On the Configuration tab, under Settings, click Download Settings.
3 In the Download Sources pane, select Use a shared repository.
4 Enter the path or the URL to the shared repository.
For example, C:\repository_path\, https://repository_path/, or http://repository_path/
In these examples, repository_path is the path to the folder to which you have exported the downloaded upgrades, patches, extensions, and notifications. In an environment where the Update Manager server does not have direct access to the Internet, but is connected to a machine that has Internet access, the folder can be on a Web server.
You can specify an HTTP or HTTPS address, or a location on the disk on which Update Manager is installed. HTTPS addresses are supported without any authentication.
IMPORTANT You cannot use folders located on a network drive as a shared repository. Update Manager does not download updates from folders on a network share either in the Microsoft Windows Uniform Naming Convention form (such as \\Computer_Name_or_Computer_IP\Shared), or on a mapped network drive (for example, Z:\).
5 If you use the vSphere Client, click Validate URL to validate the path.
The vSphere Web Client performs the validation automatically when you click OK on the Edit Download Sources dialog.
IMPORTANT If the updates in the folder you specify are downloaded with a UMDS version that is not compatible with the Update Manager version you use, the validation fails and you receive an error message.
You must make sure that the validation is successful. If the validation fails, Update Manager reports a reason for the failure. You can use the path to the shared repository only when the validation is successful.
6 Click Apply.
7 Click Download Now to run the VMware vSphere Update Manager Update Download task and to download the updates immediately.
The shared repository is used as a source for downloading upgrades, patches, and notifications.
Example: Using a Folder or a Server as a Shared Repository
You can use a folder or a Web server as a shared repository.
- When you use a folder as a shared repository, repository_path is the top-level directory where patches and notifications exported from UMDS are stored.
  For example, export the patches and notifications using UMDS to F:\, which is a drive mapped to a plugged-in USB device on the machine on which UMDS is installed. Then, plug in the USB device to the machine on which Update Manager is installed. On this machine the device is mapped as E:\. The folder to configure as a shared repository in the Update Manager is E:\.
- When you use a Web server as a shared repository, repository_path is the top-level directory on the Web server where patches exported from UMDS are stored.
  For example, export the patches and notifications from UMDS to C:\docroot\exportdata. If the folder is configured on a Web server and is accessible from other machines at the URL https://umds_host_name/exportdata, the URL to configure as a shared repository in Update Manager is https://umds_host_name/exportdata.
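A pre-check for the location rules above, to run on the Update Manager machine before entering the path: it catches mapped network drives, which look like local paths, as well as UNC paths and plain-HTTP URLs. This is an added example, not VMware code; the function name and the sample inputs are constructed for illustration.

```powershell
# Added example (not VMware code): pre-check of a shared repository location.
function Test-SharedRepositoryLocation {
    param([Parameter(Mandatory = $true)][string]$Location)

    $findings = New-Object System.Collections.Generic.List[string]
    if ($Location -match '^https?://') {
        $uri = $null
        if (-not [System.Uri]::TryCreate($Location, [System.UriKind]::Absolute, [ref]$uri)) {
            $findings.Add('ERROR: not a well-formed URL')
        } else {
            if ($uri.Scheme -eq 'http') {
                $findings.Add('WARN: plain HTTP; use an https:// address so the data is downloaded securely')
            }
            if ($uri.UserInfo) {
                $findings.Add('ERROR: credentials in the URL; HTTPS addresses are supported without any authentication')
            }
        }
    } elseif ($Location.StartsWith('\\')) {
        $findings.Add('ERROR: UNC path; folders on a network share cannot be used as a shared repository')
    } elseif ($Location -match '^[A-Za-z]:\\') {
        # A mapped network drive has an ordinary drive letter; only the drive type gives it away.
        $drive = New-Object -TypeName System.IO.DriveInfo -ArgumentList $Location.Substring(0, 1)
        switch ($drive.DriveType.ToString()) {
            'Network'         { $findings.Add("ERROR: $($drive.Name) is a mapped network drive") }
            'NoRootDirectory' { $findings.Add("ERROR: drive $($drive.Name) is not present on this machine") }
            default {
                if (-not (Test-Path -LiteralPath $Location -PathType Container)) {
                    $findings.Add('ERROR: folder does not exist')
                }
            }
        }
    } else {
        $findings.Add('ERROR: expected a local folder such as E:\ or an http(s):// URL')
    }
    return $findings
}

# Constructed sample inputs; the results depend on the drives of the machine that runs the check.
foreach ($candidate in 'E:\', '\\fileserver\patches', 'http://umds_host_name/exportdata') {
    $result = @(Test-SharedRepositoryLocation -Location $candidate)
    if ($result.Count -eq 0) { "OK     $candidate" } else { $result | ForEach-Object { "$_  [$candidate]" } }
}
```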

Import Patches Manually

Instead of using a shared repository or the Internet as a download source for patches and extensions, you can import patches and extensions manually by using an offline bundle.
You can import offline bundles only for hosts that are running ESXi 5.x or later.
Prerequisites
The patches and extensions you import must be in ZIP format.
To import patches and extensions, you must have the Upload File privilege. For more information about managing users, groups, roles, and permissions, see vCenter Server and Host Management. For a list of Update Manager privileges and their descriptions, see “Update Manager Privileges,” on page 72.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
vSphere Web Client:
  1 On the Manage tab, under Settings, click Download Settings.
vSphere Client:
  1 On the Configuration tab, under Settings, click Download Settings.
3 Click Import Patches in the Download Sources pane.
4 Depending on the client you use to connect to vCenter Server, perform the following steps.
vSphere Web Client:
  1 On the Import Patches page of the Import Patches wizard, browse to and select the .zip file containing the patches you want to import.
  2 Click Upload file and wait until the file upload completes successfully.
vSphere Client:
  1 On the Select Patches File page of the Import Patches wizard, browse to and select the .zip file containing the patches you want to import.
  2 Click Next and wait until the file upload completes successfully.
In case of upload failure, check whether the structure of the .zip file is correct or whether the Update Manager network settings are set up correctly.
5 Depending on the client you use to connect to vCenter Server, perform the following steps.
vSphere Web Client:
  1 On the Ready to complete page of the Import Patches wizard, review the patches that you have selected to import into the repository.
vSphere Client:
  1 On the Confirm Import page of the Import Patches wizard, review the patches that you have selected to import into the repository.
6 Click Finish.
You imported the patches into the Update Manager patch repository. You can view the imported patches on the Update Manager Patch Repository tab.
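When an upload fails, the structure of the .zip file can be checked against the offline bundle contents described earlier (one metadata.zip, one or more VIB files, optional index.xml and vendor-index.xml). The following is an added example, not VMware code; it assumes that VIB files carry the .vib extension, and the entry-name check is an extra precaution that the manual does not describe.

```powershell
# Added example (not VMware code): structural pre-check of an offline bundle ZIP.
# Assumption: VIB files carry the .vib extension.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfflineBundle {
    param([Parameter(Mandatory = $true)][string]$Path)

    $findings = New-Object System.Collections.Generic.List[string]
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($full)
    } catch {
        $findings.Add("ERROR: not a readable ZIP archive ($($_.Exception.Message))")
        return $findings
    }
    try {
        # Directory entries have an empty Name; only file entries are inspected.
        $files = @($zip.Entries | Where-Object { $_.Name -ne '' })

        $metadata = @($files | Where-Object { $_.Name -eq 'metadata.zip' })
        if ($metadata.Count -ne 1) {
            $findings.Add("ERROR: expected exactly one metadata.zip, found $($metadata.Count)")
        }
        $vibs = @($files | Where-Object { $_.Name -like '*.vib' })
        if ($vibs.Count -eq 0) { $findings.Add('ERROR: no VIB files found') }

        foreach ($optional in 'index.xml', 'vendor-index.xml') {
            $hits = @($files | Where-Object { $_.Name -eq $optional })
            if ($hits.Count -gt 1) { $findings.Add("ERROR: $optional appears $($hits.Count) times") }
        }

        foreach ($entry in $files) {
            # Extra precaution: entry names must stay inside the extraction folder.
            $segments = $entry.FullName -split '[\\/]'
            if ($entry.FullName -match '^([\\/]|[A-Za-z]:)' -or $segments -contains '..') {
                $findings.Add("ERROR: entry name points outside the bundle: $($entry.FullName)")
            }
            if ($entry.Length -eq 0) { $findings.Add("ERROR: empty file: $($entry.FullName)") }

            $known = ($entry.Name -in 'metadata.zip', 'index.xml', 'vendor-index.xml') -or
                     ($entry.Name -like '*.vib')
            if (-not $known) { $findings.Add("NOTE: entry not described in the manual: $($entry.FullName)") }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Usage (placeholder path): no output means the structure matches the description.
#   Test-OfflineBundle -Path 'D:\bundles\example-offline-bundle.zip'
```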

Configure the Update Manager Proxy Settings

You can configure Update Manager to download updates from the Internet using a proxy server.
Prerequisites
Required privileges: VMware vSphere Update Manager.Configure
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
vSphere Web Client:
  1 On the Manage tab, under Settings, click Download Settings.
  2 In the Proxy Settings pane, click Edit.
  3 Select Use proxy and change the proxy information.
vSphere Client:
  1 On the Configuration tab, under Settings, click Download Settings.
  2 In the Proxy Settings pane, select Use proxy and change the proxy information.
3 (Optional) If the proxy requires authentication, select Proxy requires authentication and provide a user name and password.
4 (Optional) Click Test Connection at any time to test that you can connect to the Internet through the proxy.
5 Click Apply.
You configured Update Manager to use an Internet proxy to download upgrades, patches, extensions, and related metadata.

Configure Checking for Updates

Update Manager checks for virtual appliance upgrades, host patches, and extensions at regular intervals. Generally, the default schedule settings are sufficient, but you can change the schedule if your environment requires more or less frequent checks.
In some cases you might want to decrease the duration between checks for updates. If you are not concerned about the latest updates and want to reduce network traffic, or if you cannot access the update servers, you can increase the duration between checks for updates.
By default the task to download update metadata and binaries is enabled and is called VMware vSphere Update Manager Update Download task. By modifying this task, you can configure checking for updates. You can modify the VMware vSphere Update Manager Update Download task from either the Scheduled Tasks view of the vSphere Client or the Configuration tab of the Update Manager Client Administration view.
Prerequisites
Required privileges: VMware vSphere Update Manager.Configure
To download update data, the machine on which Update Manager is installed must have Internet access.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server perform the following steps.
Client
  Steps
vSphere Web Client
  1 On the Manage tab, under Settings, click Download Schedule.
  2 Click Edit.
  3 Make sure that the Enable scheduled download check box is selected.
  4 Click Next.
  If you deselect the check box, the scheduled task that checks for updates is disabled. However, you can still force a check and download updates by clicking Download Now in Download Settings on the Settings tab.
vSphere Client
  1 On the Configuration tab, under Settings, click Download Schedule.
  2 Make sure that the Enable scheduled download check box is selected.
  If you deselect the check box, the scheduled task that checks for updates is disabled. However, you can still force a check and download updates by clicking Download Now in Download Settings on the Configuration tab.
3 Specify a task name and, optionally, a description, or keep the defaults.
4 Specify the Frequency, Start Time, and Interval of the update download, and click Next.
5 (Optional) Specify one or more email addresses to be notified when the new updates are downloaded, and click Next.
You must configure mail settings for the vCenter Server system to enable this option.
6 On the Ready to Complete page, click Finish.
The task runs according to the time you specified.

Configuring and Viewing Notifications

At regular time intervals, Update Manager contacts VMware to download information (notifications) about patch recalls, new fixes, and alerts.
In case patches with issues or potential issues are released, the patch metadata is updated, and Update Manager marks the patches as recalled. If you try to install a recalled patch, Update Manager notifies you that the patch is recalled and does not install it on the host. Update Manager notifies you if a recalled patch is already installed on certain hosts. Update Manager also deletes all the recalled patches from the patch repository.
When a patch fixing the problem is released, Update Manager downloads the new patch and prompts you to install it to fix the issues that the recalled patch might cause. If you have already installed a recalled patch, Update Manager alerts you that the patch is recalled and that there is a fix you must install.
Update Manager supports patch recalls for offline bundles that you have imported. Patches from an imported offline bundle are recalled when you import a new offline bundle. The metadata.zip file contains information about the patches that must be recalled. Update Manager removes the recalled patches from the patch repository, and after you import a bundle containing fixes, Update Manager notifies you about the fixes and sends email notifications if you have enabled them.
If you use a shared repository as a source for downloading patches and notifications, Update Manager downloads recall notifications from the shared repository to the Update Manager patch repository, but does not send recall email alerts. For more information about using a shared repository, see “Use a Shared Repository as a Download Source,” on page 58.
NOTE After a download of patch recall notifications, Update Manager flags recalled patches but their compliance state does not refresh automatically. You must perform a scan to view the updated compliance state of patches affected by the recall.

Configure Notifications Checks

By default Update Manager checks for notifications about patch recalls, patch fixes, and alerts at certain time intervals. You can modify this schedule.
By default the task to check for notifications and to send notifications alerts is enabled and is called the VMware vSphere Update Manager Check Notification task. By modifying this task, you can configure the time and frequency at which Update Manager checks for patch recalls or for the release of patch fixes, and sends notifications to the email addresses you specify. You can modify the VMware vSphere Update Manager Check Notification task from either the Scheduled Tasks view of the vSphere Client or the Configuration tab of the Update Manager Client Administration view.
Prerequisites
Required privileges: VMware vSphere Update Manager.Configure
To configure notification checks, make sure that the machine on which Update Manager is installed has Internet access.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server perform the following steps.
Client
  Steps
vSphere Web Client
  1 On the Manage tab, under Settings, click Notification Check Schedule.
  2 Click Edit.
  3 Make sure that the Enable scheduled task check box is selected.
  4 Click Next.
  If you deselect the check box, the scheduled task that checks for notifications is disabled. However, you can still force a check and download notifications by clicking the Download Now button in Download Settings on the Settings tab.
vSphere Client
  1 On the Configuration tab, under Settings, click Download Schedule.
  2 Make sure that the Enable scheduled task check box is selected.
  If you deselect the check box, the scheduled task that checks for notifications is disabled. However, you can still force a check and download notifications by clicking the Check Notifications link on the Notifications tab or the Download Now button in Download Settings on the Configuration tab.
  3 Click Edit Notifications on the upper right.
3 Specify a task name and, optionally, a description, or keep the defaults.
4 Specify the Frequency, Start Time, and Interval of the task, and click Next.
5 (Optional) Specify one or more email addresses where notifications about patch recalls or email alerts are sent, and click Next.
You must configure mail settings for the vCenter Server system to enable this option.
6 On the Ready to Complete page, click Finish.
The task runs according to the time you specified.

View Notifications and Run the Notification Checks Task Manually

Notifications that Update Manager downloads are displayed on the Notifications tab of the Update Manager Administration view.
Procedure
1 Click the Notifications tab in the Update Manager Administration view.
2 Double-click a notification to view the notification details.
3 Click Check Notifications on the upper-right to check for notifications immediately.
Any new notifications that are available on the VMware Web site are immediately downloaded even if the Enable scheduled download checkbox is not selected in Configuration > Notification Check Schedule.

Types of Update Manager Notifications

Update Manager downloads all notifications that are available on the VMware Web site. Some notifications can trigger an alarm. By using the Alarm Settings wizard, you can specify automated actions to be taken when an alarm is triggered.
Information notifications
Information notifications appear in the Update Manager Notifications tab. They do not trigger an alarm. Clicking an information notification opens the Notification Details window.
Warning notifications
Warning notifications appear in the Update Manager Notifications tab and trigger an alarm, which appears in the vSphere Client Alarms tab. Warning notifications are typically fixes for patch recalls. Clicking a warning notification opens the Patch Recall Details window.
Alert notifications
Alert notifications appear in the Update Manager Notifications tab and trigger an alarm, which appears in the vSphere Client Alarms tab. Alert notifications are typically patch recalls. Clicking an alert notification opens the Patch Recall Details window.

Take Snapshots Before Remediation

By default, Update Manager is configured to take snapshots of virtual machines before applying updates. If the remediation fails, you can use the snapshot to return the virtual machine to the state before the remediation.
Update Manager does not take snapshots of fault tolerant virtual machines and virtual machines that are running virtual machine hardware version 3. If you decide to take snapshots of such virtual machines, the remediation might fail.
You can choose to keep snapshots indefinitely or for a fixed period of time. Use the following guidelines when managing snapshots:
- Keeping snapshots indefinitely might consume a large amount of disk space and degrade virtual machine performance.
- Keeping no snapshots saves space, ensures best virtual machine performance, and might reduce the amount of time it takes to complete remediation, but limits the availability of a rollback.
- Keeping snapshots for a set period of time uses less disk space and offers a backup for a short time.
Prerequisites
Required privileges: VMware vSphere Update Manager.Configure
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server perform the following steps.
Client
  Steps
vSphere Web Client
  1 On the Manage tab, under Settings, click VM Settings.
  2 Click Edit.
vSphere Client
  1 On the Configuration tab, under Settings, click Virtual Machine Settings.
3 To take snapshots of the virtual machines before remediating them, leave Take a snapshot of the virtual machines before remediation to enable rollback selected.
4 Configure snapshots to be kept indefinitely or for a fixed period of time.
5 Click Apply.
These settings become the default rollback option settings for virtual machines. You can specify different settings when you configure individual remediation tasks.

Configuring Host and Cluster Settings

When you update vSphere objects in a cluster with vSphere Distributed Resource Scheduler (DRS), vSphere High Availability (HA), and vSphere Fault Tolerance (FT) enabled, you can temporarily disable vSphere Distributed Power Management (DPM), HA admission control, and FT for the entire cluster. When the update completes, Update Manager restores these features.
Updates might require the host to enter maintenance mode during remediation. Virtual machines cannot run when a host is in maintenance mode. To ensure availability, vCenter Server can migrate virtual machines to other ESXi hosts within a cluster before the host is put into maintenance mode. vCenter Server migrates the virtual machines if the cluster is configured for vSphere vMotion, and if DRS is enabled.
If a host has no running virtual machines, DPM might put the host in standby mode and interrupt an Update Manager operation. To make sure that scanning and staging complete successfully, Update Manager disables DPM during these operations. To ensure successful remediation, have Update Manager disable DPM and HA admission control before the remediation operation. After the operation completes, Update Manager restores DPM and HA admission control. Update Manager disables HA admission control before staging and remediation but not before scanning.
If DPM has already put hosts in standby mode, Update Manager powers on the hosts before scanning, staging, and remediation. After the scanning, staging, or remediation is complete, Update Manager turns on DPM and HA admission control and lets DPM put hosts into standby mode, if needed. Update Manager does not remediate powered off hosts.
If hosts are put into standby mode and DPM has been manually disabled for some reason, Update Manager does not remediate or power on the hosts.
Within a cluster, temporarily disable HA admission control to allow vSphere vMotion to proceed. This action prevents downtime of the machines on the hosts that you remediate. After the remediation of the entire cluster, Update Manager restores HA admission control settings.
If FT is turned on for any of the virtual machines on hosts within a cluster, temporarily turn off FT before performing any Update Manager operations on the cluster. If FT is turned on for any of the virtual machines on a host, Update Manager does not remediate that host. Remediate all hosts in a cluster with the same updates, so that FT can be reenabled after the remediation. A primary virtual machine and a secondary virtual machine cannot reside on hosts of different ESXi version and patch levels.
As you remediate hosts that are part of a Virtual SAN cluster, be aware of the following behavior:
- The host remediation process might take an extensive amount of time to complete.
- By design, only one host from a Virtual SAN cluster can be in a maintenance mode at any time.
- Update Manager remediates hosts that are part of a Virtual SAN cluster sequentially even if you set the option to remediate the hosts in parallel.
- If a host is a member of a Virtual SAN cluster, and any virtual machine on the host uses a VM storage policy with a setting for "Number of failures to tolerate=0", the host might experience unusual delays when entering maintenance mode. The delay occurs because Virtual SAN has to migrate the virtual machine data from one disk to another in the Virtual SAN datastore cluster. Delays might take hours. You can work around this by setting "Number of failures to tolerate=1" for the VM storage policy, which results in creating two copies of the virtual machine files in the Virtual SAN datastore.

Configure Host Maintenance Mode Settings

ESXi host updates might require that the host enters maintenance mode before they can be applied. Update Manager puts the ESXi hosts in maintenance mode before applying these updates. You can configure how Update Manager responds if the host fails to enter maintenance mode.
For hosts in a container different from a cluster or for individual hosts, migration of the virtual machines with vMotion cannot be performed. If vCenter Server cannot migrate the virtual machines to another host, you can configure how Update Manager responds.
Hosts that are part of a Virtual SAN cluster can enter maintenance mode only one at a time. This behavior is specific to Virtual SAN clusters.
If a host is a member of a Virtual SAN cluster, and any virtual machine on the host uses a VM storage policy with a setting for "Number of failures to tolerate=0", the host might experience unusual delays when entering maintenance mode. The delay occurs because Virtual SAN has to migrate the virtual machine data from one disk to another in the Virtual SAN datastore cluster. Delays might take hours. You can work around this by setting "Number of failures to tolerate=1" for the VM storage policy, which results in creating two copies of the virtual machine files in the Virtual SAN datastore.
Prerequisites
Required privileges: VMware vSphere Update Manager.Configure
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server perform the following steps.
Client
  Steps
vSphere Web Client
  1 On the Settings tab, under Manage, click Host/Cluster Settings.
  2 Click Edit.
vSphere Client
  1 On the Configuration tab, under Settings, click ESXi Host/Cluster Settings.
3 Under Maintenance Mode Settings, select an option from the VM Power state drop-down menu to determine the change of the power state of the virtual machines and appliances that are running on the host to be remediated.
Option
  Description
Power Off virtual machines
  Powers off all virtual machines and virtual appliances before remediation.
Suspend virtual machines
  Suspends all running virtual machines and virtual appliances before remediation.
Do Not Change VM Power State
  Leaves virtual machines and virtual appliances in their current power state. This is the default setting.
4 (Optional) Select Retry entering maintenance mode in case of failure, specify the retry delay, and the number of retries.
If a host fails to enter maintenance mode before remediation, Update Manager waits for the retry delay period and retries putting the host into maintenance mode as many times as you indicate in the Number of retries field.
5 (Optional) Select Temporarily disable any removable media devices that might prevent a host from entering maintenance mode.
Update Manager does not remediate hosts on which virtual machines have connected CD/DVD or floppy drives. All removable media drives that are connected to the virtual machines on a host might prevent the host from entering maintenance mode and interrupt remediation.
After remediation, Update Manager reconnects the removable media devices if they are still available.
6 Click Apply.
These settings become the default failure response settings. You can specify different settings when you configure individual remediation tasks.

Configure Cluster Settings

For ESXi hosts in a cluster, the remediation process can run either in a sequence or in parallel. Certain features might cause remediation failure. If you have VMware DPM, HA admission control, or Fault Tolerance enabled, you should temporarily disable these features to make sure that the remediation is successful.
NOTE Remediating hosts in parallel can improve performance significantly by reducing the time required for cluster remediation. Update Manager remediates hosts in parallel without disrupting the cluster resource constraints set by DRS. Avoid remediating hosts in parallel if the hosts are part of a Virtual SAN cluster. Due to the specifics of the Virtual SAN cluster, a host cannot enter maintenance mode while other hosts in the cluster are currently in maintenance mode.
Prerequisites
Required privileges: VMware vSphere Update Manager.Configure
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server perform the following steps.
Client
  Steps
vSphere Web Client
  1 On the Manage tab, under Settings, click Host/Cluster Settings.
  2 Click Edit.
vSphere Client
  1 On the Configuration tab, under Settings, click ESX Host/Cluster Settings.
3 Select the check boxes for features that you want to disable or enable.
Option
  Description
Distributed Power Management (DPM)
  VMware DPM monitors the resource use of the running virtual machines in the cluster. If sufficient excess capacity exists, VMware DPM recommends moving virtual machines to other hosts in the cluster and placing the original host into standby mode to conserve power. If the capacity is insufficient, VMware DPM might recommend returning standby hosts to a powered-on state.
  If you do not choose to disable DPM, Update Manager skips the cluster on which VMware DPM is enabled. If you choose to temporarily disable VMware DPM, Update Manager disables DPM on the cluster, remediates the hosts in the cluster, and re-enables VMware DPM after remediation is complete.
High Availability (HA) admission control
  Admission control is a policy used by VMware HA to ensure failover capacity within a cluster. If HA admission control is enabled during remediation, the virtual machines within a cluster might not migrate with vMotion.
  If you do not choose to disable HA admission control, Update Manager skips the cluster on which HA admission control is enabled. If you choose to temporarily disable HA admission control, Update Manager disables HA admission control, remediates the cluster, and re-enables HA admission control after remediation is complete.
Fault Tolerance (FT)
  FT provides continuous availability for virtual machines by automatically creating and maintaining a secondary virtual machine that is identical to the primary virtual machine. If you do not choose to turn off FT for the virtual machines on a host, Update Manager does not remediate that host.
Enable parallel remediation for hosts in cluster
  Update Manager can remediate hosts in clusters in a parallel manner. Update Manager continuously evaluates the maximum number of hosts it can remediate in parallel without disrupting DRS settings. If you do not select the option, Update Manager remediates the hosts in a cluster sequentially.
  By design only one host from a Virtual SAN cluster can be in a maintenance mode at any time. Update Manager remediates hosts that are part of a Virtual SAN cluster sequentially even if you select the option to remediate them in parallel.
Migrate powered off and suspended virtual machines to other hosts in the cluster, if a host must enter maintenance mode
  Update Manager migrates the suspended and powered off virtual machines from hosts that must enter maintenance mode to other hosts in the cluster. You can select to power off or suspend virtual machines before remediation in the Maintenance Mode Settings pane.
4 Click Apply.
These settings become the default failure response settings. You can specify different settings when you configure individual remediation tasks.

Enable Remediation of PXE Booted ESXi Hosts

You can configure Update Manager to let other software initiate remediation of PXE booted ESXi hosts. The remediation installs patches and software modules on the hosts, but typically the host updates are lost after a reboot.
The global setting in the Update Manager Configuration tab enables solutions such as ESX Agent Manager or Cisco Nexus 1000V to initiate remediation of PXE booted ESXi hosts. In contrast, the Enable patch remediation of powered on PXE booted ESXi hosts setting in the Remediate wizard enables Update Manager to patch PXE booted hosts.
To retain updates on stateless hosts after a reboot, use a PXE boot image that contains the updates. You can update the PXE boot image before applying the updates with Update Manager, so that the updates are not lost because of a reboot. Update Manager itself does not reboot the hosts because it does not install updates requiring a reboot on PXE booted ESXi hosts.
Prerequisites
Required privileges: VMware vSphere Update Manager.Configure
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server perform the following steps.
Client
  Steps
vSphere Web Client
  1 On the Manage tab, under Settings, click Host/Cluster Settings.
  2 Click Edit.
vSphere Client
  1 On the Configuration tab, under Settings, click ESX Host/Cluster Settings.
3 To enable installation of software for solutions on PXE booted ESXi hosts, select Allow installation of additional software on PXE booted ESXi hosts.
4 Click Apply.

Configure Smart Rebooting

Smart rebooting selectively restarts the virtual appliances and virtual machines in the vApp to maintain startup dependencies. You can enable and disable smart rebooting of virtual appliances and virtual machines in a vApp after remediation.
Smart rebooting is enabled by default. If you disable smart rebooting, the virtual appliances and virtual machines are restarted according to their individual remediation requirements, disregarding existing startup dependencies.
Prerequisites
Required privileges: VMware vSphere Update Manager.Configure
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server perform the following steps.
Client
  Steps
vSphere Web Client
  1 On the Manage tab, under Settings, click vApp Settings.
  2 Click Edit.
vSphere Client
  1 On the Configuration tab, under Settings, click vApp Settings.
3 Deselect Enable smart reboot after remediation to disable smart rebooting.

Configure the Update Manager Patch Repository Location

When you install Update Manager, you can select the location for storing the downloaded patches and upgrade binaries. To change the location after installation, you must manually edit the vci-integrity.xml file.
Procedure
1 Log in as an administrator to the machine on which the Update Manager server is installed.
2 Stop the Update Manager service.
a Right-click My Computer and click Manage.
b In the left pane, expand Services and Applications and click Services.
c In the right pane, right-click VMware vSphere Update Manager Service and click Stop.
3 Navigate to the Update Manager installation directory and locate the vci-integrity.xml file.
The default location is C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
4 Create a backup copy of this file in case you need to revert to the previous configuration.
5 Edit the file by changing the following fields:
<patchStore>your_new_location</patchStore>
The default patch download location is C:\Documents and Settings\All Users\Application Data\VMware\VMware Update Manager\Data\.
The directory path must end with \.
6 Save the file in UTF-8 format, replacing the existing file.
7 Copy the contents from the old patchstore directory to the new folder.
8 Start the Update Manager service by right-clicking VMware vSphere Update Manager Service in the Computer Management window and selecting Start.
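The relocation procedure above can also be scripted. The following PowerShell is an added example, not VMware tooling: the target D:\UpdateManager\Data\ is a hypothetical location, the script assumes PowerShell 4.0 or later and a single <patchStore> element in vci-integrity.xml, and the hash comparison before the service restart is an extra check that the documented steps do not include.

```powershell
# Added example (not VMware tooling): steps 2-8 of the procedure above.
# Run from an elevated PowerShell 4.0+ session on the Update Manager server.
$ErrorActionPreference = 'Stop'

# Path and service display name as given in the procedure.
$ConfigFile = 'C:\Program Files (x86)\VMware\Infrastructure\Update Manager\vci-integrity.xml'
$SvcDisplay = 'VMware vSphere Update Manager Service'
# Hypothetical target directory; replace with your own location.
$NewStore   = 'D:\UpdateManager\Data\'

# The directory path must end with a backslash.
if (-not $NewStore.EndsWith('\')) { $NewStore += '\' }

# Read and validate the configuration before stopping anything.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true          # keep the rest of the file byte-for-byte similar
$xml.Load($ConfigFile)
$nodes = @($xml.SelectNodes('//patchStore'))
if ($nodes.Count -ne 1) { throw "Expected one <patchStore> element, found $($nodes.Count)" }
$OldStore = $nodes[0].InnerText

# Step 2: stop the service (Stop-Service returns once it has stopped).
$svc = Get-Service -DisplayName $SvcDisplay
Stop-Service -InputObject $svc

# Step 4: back up the configuration file so the change can be reverted.
$Backup = '{0}.{1}.bak' -f $ConfigFile, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -LiteralPath $ConfigFile -Destination $Backup

# Step 5: point <patchStore> at the new location.
$nodes[0].InnerText = $NewStore

# Step 6: save as UTF-8. XmlDocument.Save uses the encoding named in the XML
# declaration, or UTF-8 when the declaration names none.
$decl = $xml.FirstChild -as [System.Xml.XmlDeclaration]
if ($null -ne $decl) { $decl.Encoding = 'UTF-8' }
$xml.Save($ConfigFile)

# Step 7: copy the old patch store contents to the new folder.
New-Item -ItemType Directory -Path $NewStore -Force | Out-Null
Copy-Item -Path (Join-Path $OldStore '*') -Destination $NewStore -Recurse -Force

# Extra check: every file in the old store must exist in the new one with the
# same SHA-256 hash, so hosts are never remediated from a partial copy.
$oldRoot = (Get-Item -LiteralPath $OldStore).FullName.TrimEnd('\')
$bad = @(Get-ChildItem -LiteralPath $oldRoot -Recurse -File | Where-Object {
    $dest = Join-Path $NewStore $_.FullName.Substring($oldRoot.Length + 1)
    -not (Test-Path -LiteralPath $dest) -or
        (Get-FileHash -LiteralPath $_.FullName).Hash -ne (Get-FileHash -LiteralPath $dest).Hash
})
if ($bad.Count -gt 0) {
    throw "$($bad.Count) file(s) missing or different in $NewStore; service left stopped"
}

# Step 8: start the service again.
Start-Service -InputObject $svc
```

If the check fails, the service stays stopped and the timestamped .bak file beside vci-integrity.xml holds the previous configuration.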

Restart the Update Manager Service

In certain cases, such as when you change the network connectivity settings, you must restart the Update Manager service.
Procedure
1 Log in as the administrator to the machine on which the Update Manager server component is installed.
2 Right-click My Computer and click Manage.
3 In the left pane of the Computer Management window, expand Services and Applications and click Services.
4 In the right pane, right-click VMware vSphere Update Manager Service and select Restart.
The service restarts on the local computer.

Run the VMware vSphere Update Manager Update Download Task

If you change the patch download source settings, you must run the VMware vSphere Update Manager Update Download task to download any new patches, extensions, and notifications.
Procedure
1 In the vSphere Client, select Home > Management > Scheduled Tasks in the navigation bar.
If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, specify the Update Manager instance to configure, by selecting the name of the corresponding vCenter Server system in the navigation bar.
2 Right-click the VMware vSphere Update Manager Update Download task and select Run.
You can see the running task listed in the Recent Tasks pane.

Update Manager Privileges

To configure Update Manager settings and to manage baselines, patches, and upgrades, you must have the proper privileges. You can assign Update Manager privileges to different roles from the vSphere Client.
Update Manager privileges cover distinct functionalities.
Table 9-3. Update Manager Privileges
Privilege Group
  Privilege
    Description
Configure
  Configure Service
    Configure the Update Manager service and the scheduled patch download task.
Manage Baseline
  Attach Baseline
    Attach baselines and baseline groups to objects in the vSphere inventory.
  Manage Baseline
    Create, edit, or delete baseline and baseline groups.
Manage Patches and Upgrades
  Remediate to Apply Patches, Extensions, and Upgrades
    Remediate virtual machines, virtual appliances, and hosts to apply patches, extensions, or upgrades. In addition, this privilege allows you to view compliance status.
  Scan for Applicable Patches, Extensions, and Upgrades
    Scan virtual machines, virtual appliances, and hosts to search for applicable patches, extensions, or upgrades.
  Stage Patches and Extensions
    Stage patches or extensions to hosts. In addition, this privilege allows you to view compliance status of the hosts.
  View Compliance Status
    View baseline compliance information for an object in the vSphere inventory.
Upload File
  Upload File
    Upload upgrade images and offline patch bundles.
For more information about managing users, groups, roles, and permissions, see vCenter Server and Host Management.

Chapter 10 Working with Baselines and Baseline Groups

Baselines can be upgrade, extension, or patch baselines. Baselines contain a collection of one or more patches, extensions, or upgrades.
Baseline groups are assembled from existing baselines, and might contain one upgrade baseline per type of upgrade baseline and one or more patch and extension baselines, or might contain a combination of multiple patch and extension baselines. When you scan hosts, virtual machines, and virtual appliances, you evaluate them against baselines and baseline groups to determine their level of compliance.
Update Manager includes two default dynamic patch baselines and three upgrade baselines.
- Critical Host Patches (Predefined): Checks ESXi hosts for compliance with all critical patches.
- Non-Critical Host Patches (Predefined): Checks ESXi hosts for compliance with all optional patches.
- VMware Tools Upgrade to Match Host (Predefined): Checks virtual machines for compliance with the latest VMware Tools version on the host. Update Manager supports upgrading of VMware Tools for virtual machines on hosts that are running ESXi 5.0 and later.
- VM Hardware Upgrade to Match Host (Predefined): Checks the virtual hardware of a virtual machine for compliance with the latest version supported by the host. Update Manager supports upgrading to virtual hardware version vmx-11 on hosts that are running ESXi 6.0.
- VA Upgrade to Latest (Predefined): Checks virtual appliance compliance with the latest released virtual appliance version.
If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain and you have an Update Manager instance for each vCenter Server system in the group, the baselines and baseline groups you create and manage are applicable only to inventory objects managed by the vCenter Server system with which the selected Update Manager instance is registered. You can use an Update Manager instance only with a vCenter Server system on which the instance is registered.
This chapter includes the following topics:
- “Creating and Managing Baselines”
- “Creating and Managing Baseline Groups”
- “Attach Baselines and Baseline Groups to Objects”
- “Detach Baselines and Baseline Groups from Objects”

Creating and Managing Baselines

You can create custom patch, extension, and upgrade baselines to meet the needs of your specific deployment by using the New Baseline wizard. You create and manage baselines in the Update Manager Client Administration view.

Create and Edit Patch or Extension Baselines

You can remediate hosts against baselines that contain patches or extensions. Depending on the patch criteria you select, patch baselines can be either dynamic or fixed.
Dynamic patch baselines contain a set of patches, which updates automatically according to patch availability and the criteria that you specify. Fixed baselines contain only patches that you select, regardless of new patch downloads.
Extension baselines contain additional software modules for ESXi hosts. This additional software might be VMware software or third-party software. You can install additional modules by using extension baselines, and update the installed modules by using patch baselines.
If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, and you have more than one Update Manager instance, patch and extension baselines that you create are not applicable to all inventory objects managed by other vCenter Server systems. Baselines are specific for the Update Manager instance you select.
Prerequisites
Ensure that you have the Manage Baseline privilege.
- Create a Fixed Patch Baseline
  Fixed baselines consist of a specific set of patches that do not change as patch availability changes.
- Create a Dynamic Patch Baseline
  Dynamic baselines consist of a set of patches that meet certain criteria. The contents of a dynamic baseline vary as the available patches change. You can also exclude or add specific patches. Patches you select to add or exclude do not change with new patch downloads.
- Create a Host Extension Baseline
  Extension baselines contain additional software for ESXi hosts. This additional software might be VMware software or third-party software. You create host extension baselines using the New Baseline wizard.
- Filter Patches or Extensions in the New Baseline Wizard
  When you create a patch or extension baseline, you can filter the patches and extensions available in the Update Manager repository to find specific patches and extensions to exclude or include in the baseline.
- Edit a Patch Baseline
  You can edit an existing host patch baseline.
- Edit a Host Extension Baseline
  You can change the name, description, and composition of an existing extension baseline.
Create a Fixed Patch Baseline
Fixed baselines consist of a specific set of patches that do not change as patch availability changes.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 On the Manage tab, under Host Baselines, click Create a new baseline.
   vSphere Client
      1 On the Baselines and Groups tab, click Create above the Baselines tab.
3 Type a name, and optionally, a description of the baseline.
4 Under Baseline Type, select Host Patch, and click Next.
5 Select Fixed for the type of baseline and click Next.
6 Select individual patches to include and click the down arrow to add them to the Fixed Patches to Add list.
7 (Optional) If you use the vSphere Client, click Advanced to find specific patches to include in the baseline.
8 Click Next.
9 On the Ready to Complete page, click Finish.
The new baseline is displayed in the Baselines pane of the Baselines and Groups tab.
Create a Dynamic Patch Baseline
Dynamic baselines consist of a set of patches that meet certain criteria. The contents of a dynamic baseline vary as the available patches change. You can also exclude or add specific patches. Patches you select to add or exclude do not change with new patch downloads.
Prerequisites
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 On the Manage tab, under Host Baselines, click Create a new baseline.
   vSphere Client
      1 On the Baselines and Groups tab, click Create above the Baselines tab.
3 Type a name, and optionally, a description of the baseline.
4 Under Baseline Type select Host Patch, and click Next.
5 Select Dynamic as the type of baseline, and click Next.
6 On the Dynamic Baseline Criteria page, specify criteria to define the patches to include, and then click Next.
   Patch Vendor: Specifies which patch vendor to use.
   Product: Restricts the set of patches to the selected products or operating systems. The asterisk at the end of a product name is a wildcard character for any version number.
   Severity: Specifies the severity of patches to include.
   Category: Specifies the category of patches to include.
   Release Date: Specifies the range for the release dates of the patches.
   The relationship between these fields is defined by the Boolean operator AND.
   For example, when you select a product and severity option, the patches are restricted to the ones that are applicable for the selected product and are of the specified severity level.
7 (Optional) On the Patches to Exclude page, select one or more patches in the list and click the down arrow to permanently exclude them from the baseline.
8 (Optional) If you use the vSphere Client, click Advanced to search for specific patches to exclude from the baseline.
9 Click Next.
10 (Optional) On the Additional patches page, select individual patches to include in the baseline and click the down arrow to move them into the Fixed Patches to Add list.
   The patches you add to the dynamic baseline stay in the baseline regardless of the new downloaded patches.
11 (Optional) If you use the vSphere Client, click Advanced to search for specific patches to include in the baseline.
12 Click Next.
13 On the Ready to Complete page, click Finish.
The new baseline is displayed in the Baselines pane of the Baselines and Groups tab.
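The following added example (a Python model written for this page, not Update Manager code) shows how the contents of a dynamic baseline change when new patches are downloaded, while excluded and added patches stay put, and how to list what changed before remediating. The patch IDs, product names, severities, and the order in which exclusions and additions are combined are assumptions of the model.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class Patch:
    patch_id: str
    vendor: str
    product: str
    severity: str
    category: str
    released: date


def product_matches(pattern: str, product: str) -> bool:
    """A trailing asterisk in the product criterion stands for any version number."""
    if pattern.endswith("*"):
        return product.startswith(pattern[:-1])
    return product == pattern


@dataclass(frozen=True)
class DynamicBaseline:
    # None leaves a criterion unset; every criterion that is set must match (AND).
    vendor: Optional[str] = None
    product: Optional[str] = None
    severity: Optional[str] = None
    category: Optional[str] = None
    released_from: Optional[date] = None
    released_to: Optional[date] = None
    excluded: frozenset = frozenset()  # chosen on the Patches to Exclude page
    added: frozenset = frozenset()     # chosen on the Additional patches page

    def matches(self, p: Patch) -> bool:
        return all((
            self.vendor is None or p.vendor == self.vendor,
            self.product is None or product_matches(self.product, p.product),
            self.severity is None or p.severity == self.severity,
            self.category is None or p.category == self.category,
            self.released_from is None or p.released >= self.released_from,
            self.released_to is None or p.released <= self.released_to,
        ))

    def contents(self, repository: Iterable[Patch]) -> set:
        repo = list(repository)
        available = {p.patch_id for p in repo}
        by_criteria = {p.patch_id for p in repo if self.matches(p)}
        # Assumption of this model: exclusions remove criteria matches first,
        # then the explicitly added patches are unioned in.
        return (by_criteria - self.excluded) | (self.added & available)


def drift(baseline: DynamicBaseline, repo_before, repo_after) -> set:
    """Patch IDs that entered the baseline only because the repository changed."""
    return baseline.contents(repo_after) - baseline.contents(repo_before)


# Constructed sample repository (IDs, products, and dates are illustrative).
REPO_BEFORE = [
    Patch("SAMPLE-001", "VMware", "ESXi 6.0", "Critical", "Security", date(2015, 4, 9)),
    Patch("SAMPLE-002", "VMware", "ESXi 6.0", "Critical", "BugFix", date(2015, 5, 14)),
    Patch("SAMPLE-003", "VMware", "ESXi 5.5", "Critical", "Security", date(2015, 3, 1)),
    Patch("SAMPLE-004", "Example Vendor", "ESXi 6.0", "Important", "Enhancement", date(2015, 6, 1)),
]
# The same repository after a later download brings in one more patch.
REPO_AFTER = REPO_BEFORE + [
    Patch("SAMPLE-005", "VMware", "ESXi 6.0", "Critical", "Security", date(2015, 7, 7)),
]

BASELINE = DynamicBaseline(
    vendor="VMware", product="ESXi 6*", severity="Critical",
    excluded=frozenset({"SAMPLE-002"}),  # matches the criteria but stays out
    added=frozenset({"SAMPLE-004"}),     # fails the criteria but stays in
)
RECENT_CRITICAL = DynamicBaseline(severity="Critical", released_from=date(2015, 5, 1))

if __name__ == "__main__":
    print("before download:", sorted(BASELINE.contents(REPO_BEFORE)))
    print("after download: ", sorted(BASELINE.contents(REPO_AFTER)))
    print("review before remediation:", sorted(drift(BASELINE, REPO_BEFORE, REPO_AFTER)))
```

A fixed baseline holding the same two patches would be unchanged by the download; the dynamic one picks up SAMPLE-005 without anyone editing it, which is why the drift set is worth reviewing before remediation.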
Create a Host Extension Baseline
Extension baselines contain additional software for ESXi hosts. This additional software might be VMware software or third-party software. You create host extension baselines using the New Baseline wizard.
Extensions can provide additional features, updated drivers for hardware, Common Information Model (CIM) providers for managing third-party modules on the host, improvements to the performance or usability of existing host features, and so on.
Host extension baselines that you create are always fixed. You must carefully select the appropriate extensions for the ESXi hosts in your environment.
To perform the initial installation of an extension, you must use an extension baseline. After the extension is installed on the host, you can update the extension module with either patch or extension baselines.
NOTE When applying extension baselines by using Update Manager, you must be aware of the functional implications of new modules to the host. Extension modules might alter the behavior of ESXi hosts. During installation of extensions, Update Manager only performs the checks and verifications expressed at the package level.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 On the Manage tab, under Host Baselines, click Create a new baseline.
   vSphere Client
      1 On the Baselines and Groups tab, click Create above the Baselines tab.
3 Type a name, and optionally, a description of the baseline.
4 Under Baseline Type, select Host Extension and click Next.
5 On the Extensions page, select individual extensions to include in the baseline and click the down arrow to add them to the Included Extensions list.
6 (Optional) If you use the vSphere Client, click Advanced to filter the extensions to include specific extensions in the baseline.
7 Click Next.
8 On the Ready to Complete page, click Finish.
The new baseline is displayed in the Baselines pane of the Baselines and Groups tab.
Filter Patches or Extensions in the New Baseline Wizard
When you create a patch or extension baseline, you can filter the patches and extensions available in the Update Manager repository to find specific patches and extensions to exclude or include in the baseline.
Procedure
1 In the New Baseline wizard, click Advanced.
   - If you are creating a fixed patch baseline, on the Patches page, click Advanced.
   - If you are creating a dynamic patch baseline, on the Patches to Exclude or Additional Patches page, click Advanced.
   - If you are creating a host extension baseline, on the Extensions page, click Advanced.
2 On the Filter Patches or Filter Extensions page, specify the criteria to define the patches or extensions to include or exclude.
   Patch Vendor: Specifies which patch or extension vendor to use.
   Product: Restricts the set of patches or extensions to the selected products or operating systems. The asterisk at the end of a product name is a wildcard character for any version number.
   Severity: Specifies the severity of patches or extensions to include.
   Category: Specifies the category of patches or extensions to include.
   Release Date: Specifies the range for the release dates of the patches or extensions.
   Text: Restricts the patches or extensions to those containing the text that you enter.
   The relationship between these fields is defined by the Boolean operator AND.
3 Click Find.
The patches or extensions in the New Baseline wizard are filtered with the criteria that you specified.
Edit a Patch Baseline
You can edit an existing host patch baseline.
Prerequisites
Ensure that you have the Manage Baseline privilege.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 Navigate to Manage > Host Baselines.
   vSphere Client
      1 On the Baselines and Groups tab, click Hosts above the Baselines tab.
3 Select a patch baseline and click Edit above the Baselines pane.
4 Edit the name and description of the baseline and click Next.
5 Go through the Edit Baseline wizard to change the criteria, and select patches to include or exclude.
6 On the Ready to Complete page, click Finish.
Edit a Host Extension Baseline
You can change the name, description, and composition of an existing extension baseline.
Prerequisites
Ensure that you have the Manage Baseline privilege.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 Navigate to Manage > Host Baselines.
   vSphere Client
      1 On the Baselines and Groups tab, click Hosts above the Baselines tab.
      2 On the Baselines and Groups tab, click the Hosts button.
3 Select an extension baseline and click Edit above the Baselines pane.
4 Edit the name and description of the baseline and click Next.
5 Make your changes by going through the Edit Baseline wizard.
6 On the Ready to Complete page, click Finish.

Create and Edit Host Upgrade Baselines

You can create an ESXi host upgrade baseline by using the New Baseline wizard. You can create host baselines with already uploaded ESXi 6.0 images.
You can upload and manage ESXi images from the ESXi Images tab of the Update Manager Administration view.
Update Manager 6.0 supports upgrade from ESXi 5.x to ESXi 6.0. Host upgrades to ESXi 5.0, ESXi 5.1 or ESXi 5.5 are not supported.
Before uploading ESXi images, obtain the image files from the VMware Web site or another source. You can create custom ESXi images that contain third-party VIBs by using vSphere ESXi Image Builder. For more information, see Using vSphere ESXi Image Builder.
If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, and you have more than one Update Manager instance, host upgrade files that you upload and baselines that you create are not applicable to the hosts managed by other vCenter Server systems. Upgrade files and baselines are specific for the Update Manager instance you select.
- Import Host Upgrade Images and Create Host Upgrade Baselines
  You can create upgrade baselines for ESXi hosts with ESXi 6.0 images that you import to the Update Manager repository.
- Create a Host Upgrade Baseline
  To upgrade the hosts in your vSphere environment, you must create host upgrade baselines.
- Edit a Host Upgrade Baseline
  You can change the name, description, and upgrade options of an existing host upgrade baseline. You cannot delete a host upgrade image by editing the host upgrade baseline.
- Delete ESXi Images
  You can delete ESXi images from the Update Manager repository if you no longer need them.
Import Host Upgrade Images and Create Host Upgrade Baselines
You can create upgrade baselines for ESXi hosts with ESXi 6.0 images that you import to the Update Manager repository.
You can use ESXi .iso images to upgrade ESXi 5.x hosts to ESXi 6.0.
To upgrade hosts, use the ESXi installer image distributed by VMware with the name format VMware-VMvisor-Installer-6.0.0-build_number.x86_64.iso or a custom image created by using vSphere ESXi Image Builder.
Prerequisites
Ensure that you have the Upload File privilege. For more information about managing users, groups, roles, and permissions, see vCenter Server and Host Management.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 On the ESXi Images tab under Manage, click Import ESXi Image.
   vSphere Client
      1 On the ESXi Images tab, click Import ESXi Image on the upper-right side.
3 On the Select ESXi Image page of the Import ESXi Image wizard, browse to and select the ESXi image that you want to upload.
4 Click Next.
CAUTION Do not close the import wizard. Closing the import wizard stops the upload process.
5 (Optional) In the Security Warning window, select an option to handle the certificate warning.
   A trusted certificate authority does not sign the certificates that are generated for vCenter Server and ESXi hosts during installation. Because of this, each time an SSL connection is made to one of these systems, the client displays a warning.
   Ignore: Click Ignore to continue using the current SSL certificate and start the upload process.
   Cancel: Click Cancel to close the window and stop the upload process.
   Install this certificate and do not display any security warnings: Select this check box and click Ignore to install the certificate and stop receiving security warnings.
6 After the file is uploaded, click Next.
7 (Optional) Create a host upgrade baseline.
a Leave the Create a baseline using the ESXi image selected.
b Specify a name, and optionally, a description for the host upgrade baseline.
8 Click Finish.
The ESXi image that you uploaded appears in the Imported ESXi Images pane. You can see more information about the software packages that are included in the ESXi image in the Software Packages pane.
If you also created a host upgrade baseline, the new baseline is displayed in the Baselines pane of the Baselines and Groups tab.
What to do next
To upgrade the hosts in your environment, you must create a host upgrade baseline if you have not already done so.
Create a Host Upgrade Baseline
To upgrade the hosts in your vSphere environment, you must create host upgrade baselines.
Prerequisites
Upload at least one ESXi image.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 On the Manage tab, under Host Baselines, click Create a new baseline.
   vSphere Client
      1 On the Baselines and Groups tab, click Create above the Baselines tab.
3 Type a name, and optionally, a description of the baseline.
4 On the Baselines and Groups tab, click Create above the Baselines pane.
5 Under Baseline Type, select Host Upgrade and click Next.
6 On the ESXi Image page, select a host upgrade image and click Next.
7 Review the Ready to Complete page and click Finish.
The new baseline is displayed in the Baselines pane of the Baselines and Groups tab.
Edit a Host Upgrade Baseline
You can change the name, description, and upgrade options of an existing host upgrade baseline. You cannot delete a host upgrade image by editing the host upgrade baseline.
Prerequisites
Ensure that you have the Manage Baseline privilege.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 Navigate to Manage > Host Baselines.
   vSphere Client
      1 On the Baselines and Groups tab, click the Hosts button.
3 Select an existing host upgrade baseline and click Edit above the Baselines pane.
4 Edit the name and description of the baseline, and click Next.
5 Make your changes by going through the Edit Baseline wizard.
6 On the Ready to Complete page, click Finish.
Delete ESXi Images
You can delete ESXi images from the Update Manager repository if you no longer need them.
Prerequisites
Verify that the ESXi images are not included in baselines. You cannot delete images that are included in a baseline.
Procedure
1 Depending on the Update Manager client interface you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 Select Home > Update Manager.
      2 Select the IP address of the Update Manager instance that uses the ESXi image you want to delete.
      3 Select the ESXi Images tab.
   vSphere Client
      1 Select Home > Update Manager under Solutions and Applications.
      2 Select Update Manager Administration view, and click the ESXi Images tab.
2 Under Imported ESXi Images, select the file you want to delete and click Delete.
3 Click Yes to confirm the deletion.
The ESXi image is deleted and no longer available under Imported ESXi Images.

Create and Edit a Virtual Appliance Upgrade Baseline

A virtual appliance upgrade baseline contains a set of updates to the operating system and to the applications installed in the virtual appliance. The virtual appliance vendor considers these updates an upgrade.
Virtual appliance baselines that you create consist of a set of user-defined rules. If you add rules that conflict, Update Manager displays an Upgrade Rule Conflict window so that you can resolve the conflicts.
Virtual appliance baselines let you upgrade virtual appliances either to the latest available version or to a specific version number.
- Create a Virtual Appliance Upgrade Baseline
  You upgrade virtual appliances by using a virtual appliance upgrade baseline. You can either use the predefined virtual appliance upgrade baseline, or create custom virtual appliance upgrade baselines.
- Edit a Virtual Appliance Upgrade Baseline
  You can change the name, description, and upgrade options of an existing upgrade baseline.
Create a Virtual Appliance Upgrade Baseline
You upgrade virtual appliances by using a virtual appliance upgrade baseline. You can either use the predefined virtual appliance upgrade baseline, or create custom virtual appliance upgrade baselines.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 On the VMs/VAs Baselines tab under Manage, click Create new baseline.
   vSphere Client
      1 On the Baselines and Groups tab, click Create above the Baselines pane.
3 Type a name, and optionally, a description of the baseline.
4 Under Baseline Type, select VA Upgrade, and click Next.
5 On the Upgrade Options page, select Vendor and Appliance options from the respective drop-down menus.
   The options listed in these menus depend on the virtual appliance upgrades that are downloaded in the Update Manager repository. If no upgrades are downloaded in the repository, the available options are All Vendors and All Products, respectively.
6 Select an option from the Upgrade To drop-down menu.
   Latest: Upgrades the virtual appliance to the latest version.
   A specific version number: Upgrades the virtual appliance to a specific version. This option is available when you select a specific vendor and appliance name.
   Do Not Upgrade: Does not upgrade the virtual appliance.
7 Click Add Rule.
8 (Optional) Add multiple rules.
If you create multiple rules to apply to the same virtual appliance, only the first applicable rule in the list is applied.
9 (Optional) Resolve any conflicts within the rules you apply.
10 Click Next.
11 On the Ready to Complete page, click Finish.
The new baseline is displayed in the Baselines pane of the Baselines and Groups tab.
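Because only the first applicable rule in the list is applied, rule order decides what happens to an appliance. The following added example (a Python model written for this page, not Update Manager code) resolves rules in list order and reports rules that can never apply because an earlier rule already covers them. The vendor and appliance names are constructed, and treating All Vendors and All Products as matching any vendor or appliance is an assumption of the model.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ALL_VENDORS = "All Vendors"
ALL_PRODUCTS = "All Products"
LATEST = "Latest"
DO_NOT_UPGRADE = "Do Not Upgrade"


@dataclass(frozen=True)
class Rule:
    vendor: str
    appliance: str
    upgrade_to: str  # LATEST, DO_NOT_UPGRADE, or a specific version number

    def __post_init__(self):
        # A specific version is available only with a specific vendor and appliance.
        pinned = self.upgrade_to not in (LATEST, DO_NOT_UPGRADE)
        if pinned and (self.vendor == ALL_VENDORS or self.appliance == ALL_PRODUCTS):
            raise ValueError("a specific version needs a specific vendor and appliance")

    def applies_to(self, vendor: str, appliance: str) -> bool:
        return (self.vendor in (ALL_VENDORS, vendor)
                and self.appliance in (ALL_PRODUCTS, appliance))

    def covers(self, other: "Rule") -> bool:
        """True when this rule applies to every appliance that `other` applies to."""
        return (self.vendor in (ALL_VENDORS, other.vendor)
                and self.appliance in (ALL_PRODUCTS, other.appliance))


def first_applicable(rules: Sequence[Rule], vendor: str, appliance: str) -> Optional[Rule]:
    """Return the rule that takes effect: the first one in list order that applies."""
    for rule in rules:
        if rule.applies_to(vendor, appliance):
            return rule
    return None


def shadowed(rules: Sequence[Rule]) -> List[Tuple[int, int]]:
    """Pairs of (index of a rule that can never apply, index of the earlier rule covering it)."""
    hits = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if rules[j].covers(rule):
                hits.append((i, j))
                break
    return hits


# Constructed rule list: the broad rule was added first, so both specific
# rules below it are unreachable.
AS_ENTERED = [
    Rule(ALL_VENDORS, ALL_PRODUCTS, LATEST),
    Rule("ExampleCorp", "LogCollector", DO_NOT_UPGRADE),
    Rule("ExampleCorp", "Backup Proxy", "2.1"),
]
# Same rules with the specific ones first and the catch-all last.
REORDERED = [AS_ENTERED[1], AS_ENTERED[2], AS_ENTERED[0]]

if __name__ == "__main__":
    for name, rules in (("as entered", AS_ENTERED), ("reordered", REORDERED)):
        chosen = first_applicable(rules, "ExampleCorp", "LogCollector")
        print(name, "->", chosen.upgrade_to, "| shadowed rules:", shadowed(rules))
```

With the list as entered, the appliance meant to stay on its current version resolves to Latest; placing specific rules above the catch-all restores the intended result.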
Edit a Virtual Appliance Upgrade Baseline
You can change the name, description, and upgrade options of an existing upgrade baseline.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 On the VMs/VAs Baselines tab under Manage, select an existing baseline and click Edit existing baseline definition.
   vSphere Client
      1 On the Baselines and Groups tab, click VMs/VAs above the Baselines pane.
      2 Select an existing baseline and click Edit above the Baseline pane.
3 Edit the name and the description of the baseline and click Next.
4 Edit the upgrade options and click Next.
5 On the Ready to Complete page, click Finish.

Delete Baselines

You can delete baselines that you no longer need from Update Manager. Deleting a baseline detaches it from all the objects to which the baseline is attached.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 On the VMs/VAs Baselines tab under Manage, select the baselines to remove and click Delete the baseline definition.
   vSphere Client
      1 In the Baselines pane of the Baselines and Groups tab, select the baselines to remove, and click Delete.
3 In the confirmation dialog box, click Yes.
The baseline is deleted.

Creating and Managing Baseline Groups

A baseline group consists of a set of non-conflicting baselines. Baseline groups allow you to scan and remediate objects against multiple baselines at the same time.
You can perform an orchestrated upgrade of the virtual machines by remediating the same folder or datacenter against a baseline group containing the following baselines:
- VMware Tools Upgrade to Match Host
- VM Hardware Upgrade to Match Host
You can perform an orchestrated upgrade of hosts by using a baseline group that contains a single host upgrade baseline and multiple patch or extension baselines.
You can create two types of baseline groups depending on the object type to which you want to apply them:
- Baseline groups for hosts
- Baseline groups for virtual machines and virtual appliances
If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, and you have more than one Update Manager instance, baseline groups you create are not applicable to all inventory objects managed by other vCenter Server systems in the group. Baseline groups are specific for the Update Manager instance that you select.

Create a Host Baseline Group

You can combine one host upgrade baseline with multiple patch or extension baselines, or combine multiple patch and extension baselines in a baseline group.
NOTE You can click Finish in the New Baseline Group wizard at any time to save your baseline group and add baselines to it at a later stage.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 On the Baselines and Groups tab, click Create above the Baseline Groups pane.
3 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 On the Host Baselines tab under Manage, click Create above the Baseline Groups pane.
      2 Enter a unique name for the baseline group and click Next.
   vSphere Client
      1 On the Baselines and Groups tab, click Create above the Baseline Groups pane.
      2 Enter a unique name for the baseline group.
      3 Under Baseline Group Type, select Host Baseline Group and click Next.
4 Select a host upgrade baseline to include it in the baseline group.
5 (Optional) If you use the vSphere Client, create a new host upgrade baseline by clicking Create a new Host Upgrade Baseline at the bottom of the Upgrades page and complete the New Baseline wizard.
6 Click Next.
7 Select the patch baselines that you want to include in the baseline group.
8 (Optional) If you use the vSphere Client, create a new patch baseline by clicking Create a new Host Patch Baseline at the bottom of the Patches page and complete the New Baseline wizard.
9 Click Next.
10 Select the extension baselines to include in the baseline group.
11 (Optional) If you use the vSphere Client, create a new extension baseline by clicking Create a new Extension Baseline at the bottom of the Patches page and complete the New Baseline wizard.
12 On the Ready to Complete page, click Finish.
The host baseline group is displayed in the Baseline Groups pane.

Create a Virtual Machine and Virtual Appliance Baseline Group

You can combine upgrade baselines in a virtual machine and virtual appliance baseline group.
NOTE You can click Finish in the New Baseline Group wizard at any time to save your baseline group, and add baselines to it at a later stage.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 On the VMs/VAs Baselines tab under Manage, click Create new baseline definition group.
   vSphere Client
      1 On the Baselines and Groups tab, click Create above the Baseline Groups pane.
      2 In the New Baseline Group wizard, under Baseline Group Type, select Virtual Machines and Virtual Appliances Baseline Group.
3 Enter a name for the baseline group and click Next.
4 For each type of upgrade (virtual appliance, virtual hardware, and VMware Tools), select one of the available upgrade baselines to include in the baseline group.
NOTE If you decide to remediate only virtual appliances, the upgrades for virtual machines are ignored, and the reverse. If a folder contains both virtual machines and virtual appliances, the appropriate upgrades are applied to each type of object.
5 (Optional) In the vSphere Client, create a new virtual appliance upgrade baseline by clicking Create a new Virtual Appliance Upgrade Baseline at the bottom of the Upgrades page, and complete the New Baseline wizard.
After you complete the New Baseline wizard, you return to the New Baseline Group wizard.
6 Click Next.
7 On the Ready to Complete page, click Finish.
The new baseline group is displayed in the Baseline Groups pane.

Edit a Baseline Group

You can change the name and type of an existing baseline group, as well as add or remove the upgrade and patch baselines from a baseline group.
Prerequisites
You can edit baseline groups only if you have the Manage Baseline privilege.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 On the VMs/VAs Baselines tab under Manage, select an existing baseline group and click Edit existing baseline group definition.
   vSphere Client
      1 On the Baselines and Groups tab, select the type of baseline group to edit by clicking either Hosts or VMs/VAs.
      2 Select a baseline group from the Baseline Groups pane and click Edit above the pane.
3 Edit the name of the baseline group.
4 (Optional) Change the included upgrade baselines (if any).
5 (Optional) Change the included patch baselines (if any).
6 (Optional) Change the included extension baselines (if any).
7 Review the Ready to Complete page and click OK.

Add Baselines to a Baseline Group

You can add a patch, extension, or upgrade baseline to an existing baseline group.
Prerequisites
Ensure that you have the Manage Baseline privilege.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server, perform the following steps.
   vSphere Web Client
      1 On the VMs/VAs Baselines tab under Manage, select an existing baseline group and click Edit existing baseline group definition.
   vSphere Client
      1 On the Baselines and Groups tab, select the type of baseline group to edit by clicking either Hosts or VMs/VAs.
      2 Select a baseline group from the Baseline Groups pane and click Edit above the pane.
3 From the Baseline Groups pane, select a baseline group and expand it to view the included baselines.
4 Select a baseline from the list in the Baselines pane, and click the right arrow.
The baseline is added to the selected baseline group.

Remove Baselines from a Baseline Group

You can remove individual baselines from existing baseline groups.
Prerequisites
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server perform the following steps.
Client: Steps
vSphere Web Client:
   1 On the VMs/VAs Baselines tab under Manage, select an existing baseline group and expand it to view the included baselines.
vSphere Client:
   1 On the Baselines and Groups tab, select the type of baseline group to edit by clicking either Hosts or VMs/VAs.
   2 Select a baseline group from the Baseline Groups pane and expand it to view the included baselines.
3 Select a baseline from the Baseline Groups pane on the right and click the left arrow.
The baseline is removed from the selected baseline group.

Delete Baseline Groups

You can delete baseline groups that you no longer need from Update Manager. Deleting a baseline group detaches it from all the objects to which the baseline group is attached.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Depending on the client you use to connect to vCenter Server perform the following steps.
Client: Steps
vSphere Web Client:
   1 On the VMs/VAs Baselines tab under Manage, select an existing baseline group and click Delete.
vSphere Client:
   1 On the Baselines and Groups tab, select the type of baseline group to edit by clicking either Hosts or VMs/VAs.
   2 Select a baseline group from the Baseline Groups pane and click Delete.
3 In the confirmation dialog box, click Yes.
The baseline group is deleted.

Attach Baselines and Baseline Groups to Objects

To view compliance information and scan objects in the inventory against baselines and baseline groups, you must first attach existing baselines and baseline groups to these objects. You can attach baselines and baseline groups to objects.
Prerequisites
- Verify that you have the Attach Baseline privilege.
- Verify that all the baselines or baseline groups that you want to use are already created. You can create baselines and baseline groups only from the Update Manager Client plug-in for the vSphere Client.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Select the type of object in the vSphere Web Client or vSphere Client object navigator.
For example, Hosts and Clusters or VMs and Templates.
3 Select the object in the inventory, and select Update Manager.
Client: Steps
vSphere Web Client: Select Manage > Update Manager tab.
vSphere Client: Select Update Manager tab.
4 Click Attach, and select the types of baselines you want to attach.
a In the Individual Baselines pane, select one or more baselines to attach to the object.
b In the Baseline Groups pane, select one or more baseline groups to attach to the object.
5 Click OK.
What to do next
Scan the selected object against the attached baselines.

Detach Baselines and Baseline Groups from Objects

You can detach baselines and baseline groups from objects to which the baselines or baseline groups are directly attached. Because vSphere objects can have inherited properties, you might have to select the container object where the baseline or baseline group is attached and then detach it from the container object.
Prerequisites
Ensure that you have the Attach Baseline privilege.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Select the type of object in the vSphere Web Client or vSphere Client object navigator.
For example, Hosts and Clusters or VMs and Templates.
3 Select the object in the inventory, and select Update Manager.
Client: Steps
vSphere Web Client: Select Manage > Update Manager tab.
vSphere Client: Select Update Manager tab.
4 Remove a baseline or a baseline group that you no longer need.
Client: Steps
vSphere Web Client:
   - To remove a baseline, select the baseline and click Detach on the upper left corner of the Attached Baselines pane.
   - To remove a baseline group, select the baseline group from the Attached Baseline Groups drop-down menu, and click Detach at the upper right corner of the Attached Baseline Groups drop-down menu.
vSphere Client:
   - To remove a baseline, right-click the baseline or baseline group to remove and select Detach Baseline.
   - To remove a baseline group, right-click the baseline or baseline group to remove and select Detach Baseline Group.
5 In the Detach Baseline Group dialog box, select the entities that you want to detach the baseline or the baseline group from.
6 Click OK.
The baseline or baseline group that you detach is no longer listed in the Attached Baselines pane or the Attached Baseline Groups drop-down menu.

Chapter 11 Scanning vSphere Objects and Viewing Scan Results

Scanning is the process in which attributes of a set of hosts, virtual machines, or virtual appliances are evaluated against the patches, extensions, and upgrades included in the attached baselines and baseline groups.
You can configure Update Manager to scan virtual machines, virtual appliances, and ESXi hosts by manually initiating or scheduling scans to generate compliance information. To generate compliance information and view scan results, you must attach baselines and baseline groups to the objects you scan.
This chapter includes the following topics:
- Manually Initiate a Scan of ESXi Hosts
- Manually Initiate a Scan of Virtual Machines and Virtual Appliances
- Manually Initiate a Scan of a Container Object in Update Manager Web Client
- Schedule a Scan
- Viewing Scan Results and Compliance States for vSphere Objects

Manually Initiate a Scan of ESXi Hosts

Before remediation, you should scan the vSphere objects against the attached baselines and baseline groups. You can run a scan of hosts in the vSphere inventory immediately by initiating a scan from the Update Manager Web Client, and later perform staging and remediation from the Update Manager Client plug-in for the vSphere Client.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
Client: Steps
vSphere Web Client:
   1 Select Home > Hosts and Clusters.
   2 From the inventory object navigator, right-click a datacenter, a cluster, or a host, and select Update Manager > Scan for Updates.
vSphere Client:
   1 Select Home > Inventory > Hosts and Clusters, in the navigation bar.
   2 From the object navigator, right-click a datacenter, a cluster, or a host, and select Scan.
The Scan wizard opens.
2 Select the types of updates to scan for.
You can scan for Patches and Extensions and Upgrades.
3 Click OK.
The selected host or container object is scanned against all patches, extensions, and upgrades in the attached baselines.
What to do next
Stage and remediate the scanned inventory object in Update Manager Client plug-in for the vSphere Client.

Manually Initiate a Scan of Virtual Machines and Virtual Appliances

You can scan virtual machines and virtual appliances in the vSphere inventory against attached baselines and baseline groups from the vSphere Web Client by using the Update Manager Web Client. You can later perform staging and remediation from the Update Manager Client plug-in for the vSphere Client.
After you import a VMware Studio created virtual appliance in the vSphere Web Client, power it on so that it is discovered as a virtual appliance.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
Client: Steps
vSphere Web Client:
   1 Select Home > VMs and Templates.
   2 From the inventory object navigator, right-click a virtual machine, and select Update Manager > Scan for Updates.
vSphere Client:
   1 Select Home > Inventory > VMs and Templates, in the navigation bar.
   2 From the object navigator, right-click a virtual machine, and select Scan.
The Scan wizard opens.
2 Select the types of updates to scan for.
You can scan for Virtual appliance upgrades, VMware Tools upgrades, and VM Hardware upgrades.
3 Click OK.
The virtual machines and appliances are scanned against the attached baselines, depending on the options that you selected.
What to do next
Stage and remediate the scanned inventory object in Update Manager Client plug-in for the vSphere Client.

Manually Initiate a Scan of a Container Object in Update Manager Web Client

To start a simultaneous scan of hosts, virtual machines, and virtual appliances that are part of a datacenter or a datacenter folder from the vSphere inventory, you can initiate a scan against attached baselines and baseline groups from the Update Manager Web Client.
After you import a VMware Studio created virtual appliance in the vSphere Web Client, power it on so that it is discovered as a virtual appliance.
Procedure
1 Use the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 From the inventory object navigator, right-click a vCenter Server instance, datacenter, a cluster, or a VM Folder, and select Update Manager > Scan for Updates.
The Scan wizard opens.
3 Select the types of updates to scan for.
For the ESXi hosts in the container object, you can scan for Patches and Extensions and Upgrades.
For virtual machines and virtual appliances in the datacenter, you can scan for Virtual appliance upgrades, VMware Tools upgrades, and VM Hardware upgrades.
4 Click OK.
The selected inventory object and all child objects are scanned against the attached baselines, depending on the options that you selected. The larger the virtual infrastructure and the higher up in the object hierarchy you initiate the scan, the longer the scan takes.
What to do next
Stage and remediate the scanned inventory object in Update Manager Client plug-in for the vSphere Client.

Schedule a Scan

You can configure the vSphere Client to scan virtual machines, virtual appliances, and ESXi hosts at specific times or at intervals that are convenient for you.
Procedure
1 Connect the vSphere Client to a vCenter Server system with which Update Manager is registered and select Home > Management > Scheduled Tasks.
If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, specify the Update Manager instance that you want to use to schedule a scan task by selecting the name of the corresponding vCenter Server system in the navigation bar.
2 Click New in the toolbar to open the Schedule Task dialog box.
3 Select Scan for Updates and click OK.
4 Select the type of vSphere infrastructure object to scan, and click Next.
5 In the inventory tree, select the inventory object to be scanned and click Next.
All child objects of the object that you select are also scanned.
6 Select the types of updates to scan for and click Next.
7 Enter a unique name, and optionally, a description for the scan.
8 Set the frequency and the start time for the task and click Next.
9 (Optional) Specify one or more email addresses to send the results to and click Next.
You must configure mail settings for the vCenter Server system to enable this option.
10 Review the Ready to Complete page and click Finish.
The scan task is listed in the Scheduled Tasks view of the vSphere Client.

Viewing Scan Results and Compliance States for vSphere Objects

Update Manager scans objects to determine how they comply with the attached baselines and baseline groups. You can review compliance by examining results for a single virtual machine, virtual appliance, template, or ESXi host, as well as for a group of virtual machines, appliances, or hosts.
Supported groups of virtual machines, appliances, or ESXi hosts include virtual infrastructure container objects such as folders, vApps, clusters, and datacenters.
NOTE After a download of patch recall notifications, Update Manager flags recalled patches but their compliance state does not refresh automatically. You must perform a scan to view the updated compliance state of patches affected by the recall.

View Compliance Information for vSphere Objects

You can review compliance information for the virtual machines, virtual appliances, and hosts against baselines and baseline groups that you attach.
When you select a container object, you view the overall compliance status of the attached baselines, as well as all the individual compliance statuses. If you select an individual baseline attached to the container object, you see the compliance status of the baseline.
If you select an individual virtual machine, appliance, or host, you see the overall compliance status of the selected object against all attached baselines and the number of updates. If you further select an individual baseline attached to this object, you see the number of updates grouped by the compliance status for that baseline.
Procedure
1 Use the vSphere Client or the vSphere Web Client to connect to a vCenter Server system with which Update Manager is registered.
2 Select the type of object for which you want to view compliance information.
Client: Steps
vSphere Web Client:
   1 Depending on the compliance information you want to see, perform the following steps:
      a To view host compliance information, select Home > Hosts and Clusters, and select a host, a cluster, a datacenter or a vCenter Server instance.
      b To view virtual machine compliance information, select Home > VMs and Templates, and select a virtual machine, a folder or a virtual appliance.
   2 Select Manage tab, and then select Update Manager tab.
vSphere Client:
   1 Depending on the compliance information you want to see, perform the following steps:
      a To view host compliance information, select Home > Inventory > Hosts and Clusters, and select a host, a cluster, a datacenter or a vCenter Server instance.
      b To view virtual machine compliance information, select Home > Inventory > VMs and Templates, and select a virtual machine, a folder or a virtual appliance.
   2 Select the Update Manager tab.
3 Select one of the attached baselines to view compliance information for the object against that baseline.

Review Compliance with Individual vSphere Objects

Scan results provide information about the degree of compliance with attached baselines and baseline groups. You can view information about individual vSphere objects and about the patches, extensions, and upgrades included in a baseline or a baseline group.
Procedure
1 Connect the vSphere Client to a vCenter Server system with which Update Manager is registered, and select Home > Inventory.
2 Select the type of object for which you want to view scan results.
For example, Hosts and Clusters or VMs and Templates.
3 Select an individual object from the inventory, such as a virtual machine, virtual appliance, or host.
4 Click the Update Manager tab.
5 Select a baseline group or baseline.
Select All Groups and Independent Baselines in the Attached Baseline Groups pane and All in the Attached Baselines pane to view the overall compliance of all attached baselines and baseline groups.
6 In the Compliance pane, select the All Applicable compliance status to view the overall compliance status of the selected object.
The selected object together with the number of patches, upgrades, and extensions (if the selected object is a host) appear in the bottom pane of the Update Manager tab.
7 Click a number link in the bottom pane of the Update Manager tab to see more details about updates.
Column: Description
Patches: The link indicates the number of patches in the selected compliance state and opens the Patch Details window.
Upgrades: The link indicates the number of upgrades in the selected compliance state and opens the Upgrade Details window.
Extensions: The link indicates the number of extensions in the selected compliance state and opens the Extension Details window.
Change log: The link is available only if the upgrade in the baseline is applicable to the selected virtual appliance. The link opens the Virtual Appliance Change Log Details window.

Compliance View

Information about the compliance states of selected vSphere inventory objects against baselines and baseline groups you attach is displayed in the Update Manager Client Compliance view.
The information is displayed in four panes.
Table 11-1. Update Manager Tab Panes
Pane: Description
Attached Baseline Groups: Displays the baseline groups attached to the selected object. If you select All Groups and Independent Baselines, all attached baselines in the Attached Baselines pane are displayed. If you select an individual baseline group, only the baselines in that group are displayed in the Attached Baselines pane.
Attached Baselines: Displays the baselines attached to the selected object and included in the selected baseline group.
Compliance: Contains a compliance graph that changes dynamically depending on the inventory object, baseline groups, and baselines that you select. The graph represents the percentage distribution of the virtual machines, appliances, or hosts in a selected container object that are in a particular compliance state against selected baselines.
   If you select an individual host, virtual machine, or appliance, the color of the graph is solid and represents a single compliance state.
   Above the graph, the following compliance states are displayed:
   All Applicable: Total number of inventory objects for which compliance is being calculated. This number is the total of objects in the selected container inventory object minus the objects for which the selected baselines are not applicable.
      The applicability of a baseline is determined on the basis of whether the baseline is directly attached to the virtual machine, appliance, or host, or whether it is attached to a container object. Applicability also depends on whether the baseline contains patches, extensions, or upgrades that can be applied to the selected object.
   Non-Compliant: Number of virtual machines, appliances, or hosts in the selected container object that are not compliant with at least one patch, extension, or upgrade in the selected baselines or baseline groups.
   Incompatible: Number of virtual machines, appliances, or hosts in the selected container object that cannot be remediated against the selected baselines and baseline groups. Incompatible state requires more attention and investigation for determining the reason for incompatibility. To obtain more information about the incompatibility, view patch, extension, or upgrade details.
   Unknown: Number of virtual machines, appliances, or hosts in the selected container object that are not scanned against at least one of the patches, extensions, or upgrades in the selected baselines and baseline groups.
   Compliant: Number of compliant virtual machines, appliances, or hosts in the selected container object.
Bottom pane: The information in this pane depends on whether you select an individual object or a container object.
   If you select a container object, the bottom pane of the Update Manager tab displays the following information:
   - A list of virtual machines, appliances, or hosts that meet the selections from the Attached Baseline Groups, Attached Baselines and Compliance panes.
   - The overall compliance of the objects against the patches, extensions, or upgrades included in the selected baselines and baseline groups.
   If you select an individual object (such as virtual machine, appliance, or host), the bottom pane of the Update Manager tab displays the following information:
   - The number of patches, extensions, or upgrades included in the baseline or baseline group that you select.
   - The number of staged patches or extensions to a host.
   - The overall compliance of the objects against the patches, extensions, or upgrades included in the selected baselines and baseline groups.
   - The vendor, product, version, compliance, release date as well as change log for the selected virtual appliance against the attached upgrade baseline.

Compliance States for Updates

In Update Manager, update stands for all patches, extensions, and upgrades that you can apply with Update Manager. The compliance state of the updates in baselines and baseline groups that you attach to objects in your inventory is calculated after you perform a scan of the target object.
Conflict
The update conflicts with either an existing update on the host or another update in the Update Manager patch repository. Update Manager reports the type of conflict. A conflict does not indicate any problem on the target object. It just means that the current baseline selection is in conflict. You can perform scan, remediation, and staging operations. In most cases, you can take action to resolve the conflict.
Conflicting New Module
The host update is a new module that provides software for the first time, but is in conflict with either an existing update on the host or another update in the Update Manager repository. Update Manager reports the type of conflict. A conflict does not indicate any problem on the target object. It just means that the current baseline selection is in conflict. You can perform scan, remediation, and staging operations. In most cases, you must take action to resolve the conflict.
Incompatible Hardware
The hardware of the selected object is incompatible or has insufficient resources to support the update. For example, when you perform a host upgrade scan against a 32-bit host or if a host has insufficient RAM.
Installed
Installed compliance state indicates that the update is installed on the target object, and no further user action is required.
Missing
Missing compliance state indicates that the update is applicable to the target object, but not yet installed. You must perform a remediation on the target object with this update, so that the update becomes compliant.
Missing Package
This state occurs when metadata for the update is in the depot but the corresponding binary payload is missing. The reasons can be that the product might not have an update for a given locale; the Update Manager patch repository is deleted or corrupt, and Update Manager no longer has Internet access to download updates; or you have manually deleted an upgrade package from the Update Manager repository.
New Module
New module compliance state indicates that the update is a new module. An update in this compliance state cannot be installed when it is part of a host patch baseline. When it is part of a host extension baseline, the new module state signifies that the module is missing on the host and can be provisioned by remediation. The compliance state of the baseline depends on the type of baseline containing the update in new module state. If the baseline is a host patch baseline, the overall status of the baseline is compliant. If the baseline is a host extension baseline, the overall status of the baseline is not compliant.
Not Applicable
Not applicable compliance state indicates that the patch is not applicable to the target object. A patch might be in not applicable compliance state for one of the following reasons:
- There are other patches in the Update Manager patch repository that obsolete this patch.
- The update does not apply to the target object.
Not Installable
The update cannot be installed. The scan operation might succeed on the target object, but remediation cannot be performed.
Obsoleted By Host
This compliance state applies mainly to patches. The target object has a newer version of the patch. For example, if a patch has multiple versions, after you apply the latest version to the host, the earlier versions of the patch are in Obsoleted By Host compliance state.
Staged
This compliance state applies to host patches and host extensions. It indicates that the update is copied from the Update Manager repository to the host, but is not yet installed. Staged compliance state might occur only when you scan hosts running ESXi 5.0 and later.
Unknown
A patch is in unknown state for a target object until Update Manager successfully scans the object. A scan might not succeed if the target object is of an unsupported version, if Update Manager lacks metadata, or if the patch metadata is corrupt.
Unsupported Upgrade
The upgrade path is not possible. For example, the current hardware version of the virtual machine is greater than the highest version supported on the host.

Baseline and Baseline Group Compliance States

Compliance states are computed after you scan the objects in your inventory against attached baselines or baseline groups. Update Manager computes the compliance state based on the applicability of the patches, extensions, and upgrades contained in the attached baselines or baseline groups.
Compliant
Compliant state indicates that a vSphere object is compliant with all baselines in an attached baseline group or with all patches, extensions, and upgrades in an attached baseline. Compliant state requires no further action. If a baseline contains patches or upgrades that are not relevant to the target object, the individual updates, and baselines or baseline groups that contain them, are treated as not applicable, and represented as compliant. Hosts with attached patch baselines containing extensions or patches in Obsoleted By Host state are also compliant.
Compliant state occurs under the following conditions:
- Target objects are compliant with the baselines and baseline groups when all updates in the baseline or baseline group are either installed on the target object, obsoleted by host, or are not applicable to the target object.
- The updates in a baseline are compliant when they are installed on the target object, or are not applicable to the object.
Non-Compliant
Non-compliant state indicates that one or more baselines in a baseline group, or one or more patches, extensions, or upgrades in a baseline are applicable to the target object, but are not installed (missing) on the target. You must remediate the target object to make it compliant.
When a baseline contains a non-compliant update, the overall status of the baseline is non-compliant. When a baseline group contains a non-compliant baseline, the overall status of the baseline group is non-compliant. The non-compliant state takes precedence over incompatible, unknown, and compliant states.
Unknown
When you attach a baseline or a baseline group to a vSphere object, and you do not scan the object, the state of the vSphere object against the baseline or baseline group is Unknown. This state indicates that a scan operation is required, that the scan has failed, or that you initiated a scan on an unsupported platform (for example, you performed a VMware Tools scan on a virtual machine running on an ESX 3.5 host).
When a baseline contains updates in compliant and unknown states, the overall status of the baseline is unknown. When a baseline group contains unknown baselines as well as compliant baselines, the overall status of the baseline group is unknown. The unknown compliance state takes precedence over compliant state.
Incompatible
Incompatible state requires attention and further action. You must determine the reason for incompatibility by probing further. You can remediate the objects in this state, but there is no guarantee that the operation will succeed. In most cases Update Manager provides sufficient details for incompatibility. For more information about incompatible compliance state, see “Incompatible Compliance State,” on page 171.
When a baseline contains updates in incompatible, compliant, and unknown states, the overall status of the baseline is incompatible. When a baseline group contains incompatible, unknown, and compliant baselines, the overall status of the baseline group is incompatible. The incompatible compliance state takes precedence over compliant and unknown compliance states.
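The roll-up rules described in this section, as an added Python example that is not part of the VMware manual and is not Update Manager code. The baseline dictionaries, update IDs, and function names are constructed for illustration, and the ASSUMED table marks mappings the manual does not spell out.

```python
from enum import IntEnum


class Compliance(IntEnum):
    """Baseline-level states. The numeric order lets max() apply the manual's
    precedence: Non-Compliant > Incompatible > Unknown > Compliant."""
    COMPLIANT = 0
    UNKNOWN = 1
    INCOMPATIBLE = 2
    NON_COMPLIANT = 3


# Update state -> contribution to the baseline, as the manual states it.
STATED = {
    "Installed": Compliance.COMPLIANT,
    "Obsoleted By Host": Compliance.COMPLIANT,
    "Not Applicable": Compliance.COMPLIANT,
    "Missing": Compliance.NON_COMPLIANT,
    "Unknown": Compliance.UNKNOWN,
}

# ASSUMPTION of this example: the manual only says incompatibility "might be a
# result of a conflict, missing update packages, and so on", and does not say
# how Staged rolls up. Staged is counted here as not yet installed.
ASSUMED = {
    "Conflict": Compliance.INCOMPATIBLE,
    "Conflicting New Module": Compliance.INCOMPATIBLE,
    "Incompatible Hardware": Compliance.INCOMPATIBLE,
    "Missing Package": Compliance.INCOMPATIBLE,
    "Not Installable": Compliance.INCOMPATIBLE,
    "Unsupported Upgrade": Compliance.INCOMPATIBLE,
    "Staged": Compliance.NON_COMPLIANT,
}


def update_contribution(update_state, baseline_type):
    """Map one update's compliance state to what it contributes to its baseline."""
    if update_state == "New Module":
        # Stated in the manual: compliant in a host patch baseline,
        # not compliant in a host extension baseline.
        by_type = {"patch": Compliance.COMPLIANT,
                   "extension": Compliance.NON_COMPLIANT}
        return by_type.get(baseline_type, Compliance.UNKNOWN)
    if update_state in STATED:
        return STATED[update_state]
    # Unrecognised states fall back to UNKNOWN so they are never reported compliant.
    return ASSUMED.get(update_state, Compliance.UNKNOWN)


def baseline_state(baseline):
    """Overall state of one baseline: the highest-precedence update contribution."""
    contributions = [update_contribution(state, baseline["type"])
                     for state in baseline["updates"].values()]
    # A baseline with no updates has nothing missing; treated as compliant (assumption).
    return max(contributions, default=Compliance.COMPLIANT)


def group_state(baselines):
    """Overall state of a baseline group: the highest-precedence baseline state."""
    return max((baseline_state(b) for b in baselines), default=Compliance.COMPLIANT)


def blocking_updates(baseline):
    """Updates that keep a baseline from being Compliant, worst first."""
    rows = [(uid, state, update_contribution(state, baseline["type"]))
            for uid, state in baseline["updates"].items()]
    rows = [row for row in rows if row[2] != Compliance.COMPLIANT]
    return sorted(rows, key=lambda row: (-row[2], row[0]))


# Constructed scan results for one host; the names and IDs are placeholders.
SAMPLE_GROUP = [
    {"name": "critical-host-patches", "type": "patch",
     "updates": {"PATCH-A": "Installed", "PATCH-B": "Obsoleted By Host",
                 "PATCH-C": "New Module"}},
    {"name": "vendor-extensions", "type": "extension",
     "updates": {"EXT-A": "Installed", "EXT-B": "New Module"}},
    {"name": "host-upgrade", "type": "upgrade",
     "updates": {"UPG-A": "Incompatible Hardware"}},
    {"name": "unscanned-patches", "type": "patch",
     "updates": {"PATCH-D": "Unknown", "PATCH-E": "Installed"}},
]

if __name__ == "__main__":
    for b in SAMPLE_GROUP:
        print(f'{b["name"]:24} {baseline_state(b).name:14} {blocking_updates(b)}')
    print("group:", group_state(SAMPLE_GROUP).name)
```

The same New Module update leaves the patch baseline compliant and makes the extension baseline non-compliant, which is why the baseline type has to travel with the scan result.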

Viewing Patch Details

The Patch Details window displays a table of the patches ordered according to their compliance status with the selected virtual machine or host.
The compliance summary above the table in the Patch Details window represents the number of the applicable patches, missing patches (noncompliant), compliant patches, staged patches, and so on. If any of the patches are in the incompatible state, the compliance summary displays a detailed view of the incompatible patches. Incompatibility might be a result of a conflict, missing update packages, and so on.
You can obtain complete information about a patch by double-clicking a patch in the Patch Details window.
Table 11-2. Patch Details Window
Option: Description
Patch Name: Name of the update.
Vendor: Vendor of the update.
Compliance: Compliance status of the patch. The state might be Missing (Non-Compliant), Not Applicable, Unknown, Installed (Compliant), and so on.
Patch ID: Vendor-assigned identification code of the update.
Severity: Severity of the update. For hosts, the severity status might be Critical, General, Security, and so on. For virtual machines, the severity might be Critical, Important, Moderate, and so on.
Category: Category of the update. The category might be Security, Enhancement, Recall, Info, Other, and so on.
Impact: The action that you must take to apply the update. This action might include rebooting the system or putting the host into maintenance mode.
Release Date: Release date of the update.

Viewing Extension Details

The Extension Details window displays a table of the extensions in the order of their compliance status with the selected host.
You can obtain complete information about an extension by double-clicking an extension in the Extension Details window.
Table 11-3. Extension Details Window
Option: Description
Patch Name: Name of the update.
Vendor: Vendor of the update.
Compliance: Compliance status of the patch. The state might be Missing (Non-Compliant), Not Applicable, Unknown, Installed (Compliant), and so on.
Patch ID: Vendor-assigned identification code of the update.
Severity: Severity of the update. For hosts, the severity status might be Critical, General, Security, and so on. For virtual machines, the severity might be Critical, Important, Moderate, and so on.
Category: Category of the update. The category might be Security, Enhancement, Recall, Info, Other, and so on.
Impact: The action that you must take to apply the update. This action might include rebooting the system or putting the host into maintenance mode.
Release Date: Release date of the update.

Viewing Upgrade Details

The Upgrade Details window presents information about a specific upgrade you select.
Table 11-4. Host Upgrade Details Window
Option: Description
Baseline Name: Name of the upgrade baseline.
Baseline Type: The baseline type is host upgrade.
Baseline Description: Description of the baseline. If the baseline has no description, it is not displayed.
Compliance State: Compliance status for the upgrade. It represents a comparison between the state of the selected object and the upgrade baseline.
ESXi image: Displays the ESXi image included in the baseline.
Product: Displays the release version of the upgrade.
Version: Target version of the upgrade baseline.