VMware vSphere Update Manager - 6.7.1 Installation Manual

vSphere Update Manager
Installation and
Administration Guide

Update 1
16 OCT 2018
VMware vSphere 6.7
vSphere Update Manager 6.7

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 2

You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

docfeedback@vmware.com

Copyright © 2009–2018 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc.

3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Contents

About Installing and Administering VMware vSphere Update Manager 9

1

Understanding Update Manager 10

Overview of the Update Manager Client Interfaces 11

Update Manager Client Interface in the vSphere Client 12

Update Manager Client Interface in the vSphere Web Client 13

About the Update Manager Process 14

Configuring the Update Manager Download Source 15

Downloading Updates and Related Metadata 16

Importing ESXi Images 17

Creating Baselines and Baseline Groups 18

Attaching Baselines and Baseline Groups to vSphere Objects 20

Scanning Selected vSphere Objects 20

Reviewing Scan Results 21

Staging Patches and Extensions to Hosts 21

Remediating Selected vSphere Objects 22

2

Installing, Upgrading, and Uninstalling Update Manager on a Windows

Operating System 24

System Requirements 24

Update Manager Hardware Requirements 25

Supported Windows Operating Systems and Database Formats 25

Update Manager Compatibility with vCenter Server , vCenter Server Appliance ,

vSphere Web Client , and vSphere Client 26

Required Database Privileges 26

Preparing the Update Manager Database 27

Create a 64-Bit DSN 28

About the Bundled Microsoft SQL Server 2012 Express Database Package 28

Maintaining Your Update Manager Database 28

Configure a Microsoft SQL Server Database Connection 29

Configure an Oracle Database 31

Installing Update Manager on Windows 33

Prerequisites for Installing the Update Manager Server on Windows 34

Obtain the Update Manager Installer 36

Install the Update Manager Server 36

Using the Update Manager Client Interface with Update Manager Server that Runs on

Windows 40

VMware, Inc.

3

Upgrading Update Manager that Runs on Windows 40

Upgrade the Update Manager Server 41

Upgrade the Update Manager Java Components 43

Uninstalling Update Manager that Runs on Windows 44

Uninstall the Update Manager Server that Runs on Windows 44

Best Practices and Recommendations for Update Manager Environment 44

Update Manager Deployment Models and Their Usage 45

3

Update Manager in the vCenter Server Appliance 46

Using the Update Manager Client Interfaces with Update Manager Service that Runs in the

vCenter Server Appliance 47

Start, Stop, or Restart Update Manager Service in the vCenter Server Appliance 47

4

Migrating Update Manager from Windows to the vCenter Server Appliance 48

Download and Run VMware Migration Assistant on the Source Update Manager Machine 49

Roll Back a Migration of vCenter Server Appliance with Update Manager 50

5

Configuring Update Manager 51

Update Manager Network Connectivity Settings 52

Change the Update Manager Network Settings 53

Change the Update Manager Network Settings in the vSphere Web Client 54

Configuring the Update Manager Download Sources 55

Use the Internet as a Download Source 57

Use the Internet as a Download Source in the vSphere Web Client 58

Add a New Download Source 59

Add a New Download Source in the vSphere Web Client 60

Use a Shared Repository as a Download Source 61

Use a Shared Repository as a Download Source in the vSphere Web Client 62

Import Patches Manually 64

Import Patches Manually in the vSphere Web Client 65

Configure the Update Manager Proxy Settings 66

Configure the Update Manager Proxy Settings in the vSphere Web Client 66

Configure Checking for Updates 67

Configure Checking for Updates in the vSphere Web Client 68

Configuring and Viewing Notifications 70

Configure Notifications Checks 70

Configure Notifications Checks in the vSphere Web Client 71

View Notifications and Run the Notification Checks Task Manually 72

View Notifications and Run the Notification Checks Task Manually in the vSphere Web Client 73

Types of Update Manager Notifications 74

Configuring Host and Cluster Settings 74

Configure Host Settings 76

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 4

System Requirements for Using Quick Boot During Remediation 77

Configure Using Quick Boot During Host Remediation in the vSphere Web Client 77

Configure Host Maintenance Mode Settings in the vSphere Web Client 78

Configure Cluster Settings in the vSphere Web Client 80

Enable Remediation of PXE Booted ESXi Hosts in the vSphere Web Client 81

Take Snapshots Before Remediation 82

Take Snapshots Before Remediation in the vSphere Web Client 83

Configure Smart Rebooting in the vSphere Web Client 84

Configure the Update Manager Patch Repository Location 85

Run the VMware vSphere Update Manager Update Download Task 86

Update Manager Privileges 86

6

Installing, Setting Up, and Using Update Manager Download Service 88

Compatibility Between UMDS and the Update Manager Server 89

Installing UMDS on a Windows Operating System 89

Install UMDS on a Windows Operating System 89

Installing and Upgrading UMDS on a Linux-Based Operating System 91

Supported Linux-Based Operating Systems for Installing UMDS 91

Install UMDS on a Linux OS 92

Uninstall UMDS from a Linux OS 93

Setting Up and Using UMDS 93

Set Up the Data to Download with UMDS 94

Change the UMDS Patch Repository Location 94

Configure URL Addresses for Hosts 95

Download the Specified Data Using UMDS 96

Export the Downloaded Data 97

7

Working with Baselines and Baseline Groups 99

Creating and Managing Baselines 101

Create and Edit Patch or Extension Baselines 101

Create and Edit Host Upgrade Baselines 111

Delete Baselines in the vSphere Web Client 119

Creating and Managing Baseline Groups 119

Create a Host Baseline Group 120

Create a Host Baseline Group in the vSphere Web Client 120

Create a Virtual Machine Baseline Group in the vSphere Web Client 121

Edit a Baseline Group 122

Edit a Baseline Group in the vSphere Web Client 123

Add Baselines to a Baseline Group 123

Remove Baselines from a Baseline Group 124

Delete Baseline Groups in the vSphere Web Client 125

Attach Baselines and Baseline Groups to Objects 125

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 5

Attach Baselines and Baseline Groups to Objects in the vSphere Web Client 126

Detach Baselines and Baseline Groups from Objects 127

Detach Baselines and Baseline Groups from Objects in the vSphere Web Client 127

Delete Baselines and Baseline Groups 128

Duplicate Baselines and Baseline Groups 129

8

Scanning vSphere Objects and Viewing Scan Results 130

Manually Initiate a Scan of ESXi Hosts 130

Manually Initiate a Scan of Virtual Machines 131

Manually Initiate a Scan of a Container Object 131

Schedule a Scan 132

Viewing Scan Results and Compliance States for vSphere Objects 133

Check Compliance of a vSphere Inventory Object 134

View Compliance Information for vSphere Objects in the vSphere Web Client 135

Review Compliance with Individual vSphere Objects 135

Compliance View 136

Compliance States for Updates 138

Baseline and Baseline Group Compliance States 140

Viewing Patch Details 141

Viewing Extension Details 141

Viewing Upgrade Details 142

Host Upgrade Scan Messages in Update Manager 143

Host Upgrade Scan Messages When Cisco Nexus 1000V Is Present 145

VMware Tools Status 146

9

Remediating vSphere Objects 148

Staging Patches and Extensions to ESXi Hosts 148

Stage Patches and Extensions to ESXi Hosts 149

Stage Patches and Extensions to ESXi Hosts in the vSphere Web Client 150

Pre-Check Remediation Report 151

Remediating Hosts 153

Remediation Specifics of ESXi Hosts 156

Remediating Hosts That Contain Third-Party Software 157

Remediating ESXi 6.0 or ESXi 6.5 Hosts Against ESXi 6.7 Image 157

Remediate Hosts Against Baselines 158

Remediate Hosts Against Patch or Extension Baselines in the vSphere Web Client 159

Remediate Hosts Against an Upgrade Baseline in the vSphere Web Client 162

Remediate Hosts Against Baseline Groups in the vSphere Web Client 166

Remediation Specifics of Hosts That Are Part of a vSAN Cluster 169

Remediating vSAN Clusters Against vSAN System Baseline Groups 171

Updating Firmware in vSAN Clusters 172

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 6

Upgrading and Remediating Virtual Machines 177

Rolling Back to a Previous Version 177

Upgrade VM Hardware Compatibility of Virtual Machines 177

Upgrade VMware Tools for Virtual Machines 178

Automatically Upgrade VMware Tools on Reboot 179

Remediate Virtual Machines in the vSphere Web Client 180

Upgrade VMware Tools on Power Cycle in the vSphere Web Client 181

Scheduling Remediation for Hosts and Virtual Machines 182

Orchestrated Upgrades of Hosts and Virtual Machines 182

10

View Update Manager Events 184

Update Manager Events 184

11

The Update Manager Patch Repository 195

Add or Remove Patches From a Baseline 195

12

Troubleshooting 197

Update Manager Client Interface Remains Visible in the vSphere Web Client After Uninstalling

Update Manager Server 197

Connection Loss with Update Manager Server or vCenter Server in a Single vCenter Server

System 198

Gather Update Manager Log Bundles 199

Gather Update Manager and vCenter Server Log Bundles 199

Log Bundle Is Not Generated 200

Host Extension Remediation or Staging Fails Due to Missing Prerequisites 200

No Baseline Updates Available 201

All Updates in Compliance Reports Are Displayed as Not Applicable 201

All Updates in Compliance Reports Are Unknown 202

VMware Tools Upgrade Fails if VMware Tools Is Not Installed 202

ESXi Host Scanning Fails 202

ESXi Host Upgrade Fails 203

The Update Manager Repository Cannot Be Deleted 203

Incompatible Compliance State 204

Updates Are in Conflict or Conflicting New Module State 205

Updates Are in Missing Package State 206

Updates Are in Not Installable State 206

Updates Are in Unsupported Upgrade State 207

13

Database Views 208

VUMV_VERSION 208

VUMV_UPDATES 209

VUMV_HOST_UPGRADES 209

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 7

VUMV_PATCHES 210

VUMV_BASELINES 210

VUMV_BASELINE_GROUPS 210

VUMV_BASELINE_GROUP_MEMBERS 211

VUMV_PRODUCTS 211

VUMV_BASELINE_ENTITY 211

VUMV_UPDATE_PATCHES 212

VUMV_UPDATE_PRODUCT 212

VUMV_ENTITY_SCAN_HISTORY 212

VUMV_ENTITY_REMEDIATION_HIST 213

VUMV_UPDATE_PRODUCT_DETAILS 213

VUMV_BASELINE_UPDATE_DETAILS 213

VUMV_ENTITY_SCAN_RESULTS 214

VUMV_VMTOOLS_SCAN_RESULTS 214

VUMV_VMHW_SCAN_RESULTS 215

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 8

About Installing and Administering
VMware vSphere Update Manager

Installing and Administering VMware vSphere Update Manager provides information about installing,

configuring, and using VMware® vSphere Update Manager to scan and remediate the objects in your

vSphere environment. It also describes the tasks that you can perform to update your vSphere inventory

objects and make them compliant against attached baselines and baseline groups.

For scanning and remediation, Update Manager works with the following ESXi versions:

n

For VMware Tools and virtual machine hardware upgrade operations, Update Manager works with

6.0, ESXi 6.5, and ESXi 6.7.

n

For ESXi host patching operations, Update Manager works with ESXi 6.0, ESXi 6.5, and ESXi 6.7.

n

For ESXi host upgrade operations, Update Manager works withESXi 6.0, ESXi 6.5, and their

respective Update releases.

Intended Audience

This information is intended for anyone who wants to install, upgrade, migrate, or use Update Manager.

The information is written for experienced Windows or Linux system administrators who are familiar with

virtual machine technology and data center operations.

vSphere Client and vSphere Web Client

Instructions in this guide reflect the vSphere Client (an HTML5-based GUI). You can also use the

instructions to perform the tasks by using the vSphere Web Client (a Flex-based GUI).

Tasks for which the workflow differs significantly between the vSphere Client and the vSphere Web Client

have duplicate procedures that provide steps according to the respective client interface. The procedures

that relate to the vSphere Web Client, contain vSphere Web Client in the title.

VMware, Inc.

9

Understanding Update Manager 1

Update Manager enables centralized, automated patch and version management for VMware vSphere

and offers support for VMware ESXi hosts, and virtual machines.

With Update Manager, you can perform the following tasks:

n

Upgrade and patch ESXi hosts.

n

Install and update third-party software on hosts.

n

Upgrade virtual machine hardware and VMware Tools.

Update Manager requires network connectivity with VMware vCenter Server. Each installation of

Update Manager must be associated (registered) with a single vCenter Server instance.

The Update Manager module consists of a server component and of a client component.

You can use Update Manager with either vCenter Server that runs on Windows or with the

vCenter Server Appliance.

If you want to use Update Manager with vCenter Server, you have to perform Update Manager

installation on a Windows machine. You can install the Update Manager server component either on the

same Windows server where the vCenter Server is installed or on a separate machine. To install

Update Manager, you must have Windows administrator credentials for the computer on which you install

Update Manager.

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter

Single Sign-On domain, and you want to use Update Manager for each vCenter Server system, you must

install and register Update Manager instances with each vCenter Server system. You can use an

Update Manager instance only with the vCenter Server system with which it is registered.

From vSphere 6.5 and later, it is no longer supported to register Update Manager to a

vCenter Server Appliance during the installation of the Update Manager server on a Windows machine.

The vCenter Server Appliance delivers Update Manager as a service. Update Manager is bundled in the

vCenter Server Appliance.

The Update Manager client component is a plug-in that runs on the vSphere Web Client (Flex) and the

vSphere Client (HTML5). The Update Manager client component is automatically enabled after

installation of the Update Manager server component on Windows, and after deployment of the

vCenter Server Appliance.

VMware, Inc.

10

However, if you are using Update Manager server that runs on Windows, you can see the

Update Manager client component only in the vSphere Web Client. If you are using Update Manager with

the vCenter Server Appliance, the Update Manager client component is available in both the

vSphere Web Client and the vSphere Client.

You can deploy Update Manager in a secured network without Internet access. In such a case, you can

use the VMware vSphere Update Manager Download Service (UMDS) to download update metadata and

update binaries.

This chapter includes the following topics:

n

Overview of the Update Manager Client Interfaces

n

About the Update Manager Process

Overview of the Update Manager Client Interfaces

The Update Manager server has a client interface for the vSphere Web Client and the vSphere Client.

The Update Manager client interfaces do not require any installation, and are automatically enabled in the

vSphere Web Client and the vSphere Client after you install the Update Manager server component on

Windows, or deploy the vCenter Server Appliance.

When you use an Update Manager server instance that runs on Windows, you can use Update Manager

only with the vSphere Web Client. The vSphere Client does not support using Update Manager server

that runs on Windows and is connected to a vCenter Server instance that also runs on Windows. To use

Update Manager capabilities with the vSphere Client, use a vCenter Server Appliance where

Update Manager runs as a service.

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter

Single Sign-On domain, and you have installed and registered more than one Update Manager instance,

you can configure the settings for each Update Manager instance. Configuration properties that you

modify are applied only to the Update Manager instance that you specify and are not propagated to the

other instances in the group. You can specify an Update Manager instance by selecting the name of the

vCenter Server system with which the Update Manager instance is registered from the navigation bar. In

vSphere 6.7, you can make configuration changes only by using the Update Manager client interface in

the vSphere Web Client.

For a vCenter Server system that is connected to other vCenter Server systems by a common vCenter

Single Sign-On domain, you can also manage baselines and baseline groups as well as scan and

remediate only the inventory objects managed by the vCenter Server system with which Update Manager

is registered.

The Update Manager client interface have two main views, administration view and compliance view.

n

Update Manager Client Interface in the vSphere Client

In the vSphere Client, the Update Manager client interface appears under tab Updates. The

Updates tab is a first-level tab and is last in the row of vSphere Client first-level tabs, following the

Summary, the Monitor, the Configure, the Permissions, and so on, tabs.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 11

n

Update Manager Client Interface in the vSphere Web Client

In the vSphere Web Client, the Update Manager client interface appears as tab Update Manager.

The Update Manager tab is a first-level tab and is last in the row of first-level tabs, following the

Summary, the Monitor, the Configure, the Permissions, and so on, tabs.

Update Manager Client Interface in the vSphere Client

In the vSphere Client, the Update Manager client interface appears under tab Updates. The Updates tab

is a first-level tab and is last in the row of vSphere Client first-level tabs, following the Summary, the

Monitor, the Configure, the Permissions, and so on, tabs.

The Update Manager home view in vSphere Client corresponds to the Update Manager administration

view in the vSphere Web Client. To access the Update Manager home view in vSphere Client, navigate to

Home > Update manager. Another way to navigate to the Update Manager home view is to click Update

Manager Home, while you are in the Update Manager compliance view.

In the Update Manager home view, you have the following top-level tabs: Home, Monitor, Baselines,

Updates, ESXi Images, and Settings.

In the Update Manager home view, you can do the following tasks:

n

See statistics about non-compliant hosts and clusters and attached baselines in your vSphere

environment.

n

Review and check notifications.

n

Create and manage baselines and baseline groups.

n

Review the patch repository and upload patches.

n

Import ESXi images.

n

Configure the Update Manager settings.

To access the Update Manager compliance view in the vSphere Client, selected an inventory object such

as a data center, a cluster, or a host and click the Updates tab.

In the Update Manager compliance view, you can do the following tasks:

n

Check compliance and scan results for hosts and clusters.

n

Attach and detach baselines and baseline groups to hosts and clusters.

n

Generate a pre-check remediation report that lists recommended actions to ensure successful

remediation.

n

Scan a selected inventory object.

n

Stage patches or extensions to hosts.

n

Upgrade VMware Tools and the hardware version of virtual machines.

n

Remediate hosts against patch, extension, and upgrade baselines.

n

Remediate hosts that are part of a vSAN cluster against system-managed baselines.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 12

n

Upgrade the firmware of hosts in a vSAN cluster.

Update Manager Client Interface in the vSphere Web Client

In the vSphere Web Client, the Update Manager client interface appears as tab Update Manager. The

Update Manager tab is a first-level tab and is last in the row of first-level tabs, following the Summary,

the Monitor, the Configure, the Permissions, and so on, tabs.

To see the Update Manager client interface in the vSphere Web Client, you must have the View

Compliance Status privilege.

To access the Update Manager administration view in the vSphere Web Client, click the

vSphere Web Client Home menu, and click Update Manager. From the Objects tab, click the IP Address

of the Update Manager instance you want to administer. Another way to navigate to the Update Manager

administration view is to click Go to Admin View while you are in the Update Manager compliance view.

In the Update Manager administration view in the vSphere Web Client, you have the following top-level

tabs: Getting Started, Monitor, and Manage.

Under the Monitor tab, you can perform the following tasks:

n

View Update Manager events.

n

Review and check notifications.

Under the Manage tab, you can perform the following tasks:

n

Configure the Update Manager settings.

n

Create and manage baselines and baseline groups.

n

Review the patch repository.

n

Import ESXi images.

To access the Update Manager compliance view in the vSphere Web Client, selected an inventory object

such as a data center, a cluster, a host, a VM, a vApp, and click the Update Manager tab.

In the Update Manager compliance view, you can do the following tasks:

n

View compliance and scan results for each selected inventory object.

n

Attach and detach baselines and baseline groups from a selected inventory object.

n

Scan a selected inventory object.

n

Stage patches or extensions to hosts.

n

Remediate virtual machines against predefined VM Tools and virtual machine hardware baselines.

n

Remediate hosts against patch, extension, and upgrade baselines.

n

Remediate hosts that are part of a vSAN cluster against system-managed baselines.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 13

About the Update Manager Process

Upgrading vSphere objects and applying patches or extensions with Update Manager is a multistage

process in which procedures must be performed in a particular order. Following the suggested process

helps ensure a smooth update with a minimum of system downtime.

The Update Manager process begins by downloading information (metadata) about a set of patches and

extensions. One or more of these patches or extensions are aggregated to form a baseline. You can add

multiple baselines to a baseline group. A baseline group is a composite object that consists of a set of

nonconflicting baselines. You can use baseline groups to combine different types of baselines, and scan

and remediate an inventory object against all of them as a whole. If a baseline group contains both

upgrade and patch or extension baselines, the upgrade runs first.

A collection of virtual machines and ESXi hosts or individual inventory objects can be scanned for

compliance with a baseline or a baseline group and later remediated. You can initiate these processes

manually or through scheduled tasks.

n

Configuring the Update Manager Download Source

You can configure the Update Manager server to download patches and extensions either from the

Internet or from a shared repository. You can also import patches and extensions manually from a

ZIP file.

n

Downloading Updates and Related Metadata

Downloading host patches, extensions, and related metadata is a predefined automatic process that

you can modify. By default, at regular configurable intervals, Update Manager contacts VMware or

third-party sources to gather the latest information (metadata) about available upgrades, patches, or

extensions.

n

Importing ESXi Images

You can upgrade the hosts in your environment to ESXi 6.7 by using host upgrade baselines. To

create a host upgrade baseline, you must first upload at least one ESXi 6.7 .iso image to the

Update Manager repository.

n

Creating Baselines and Baseline Groups

Baselines contain a collection of one or more patches, extensions, service packs, bug fixes, or

upgrades, and can be classified as patch, extension, or upgrade baselines. Baseline groups are

assembled from existing baselines.

n

Attaching Baselines and Baseline Groups to vSphere Objects

To use baselines and baseline groups, you must attach them to selected inventory objects such as

container objects, virtual machines, or hosts.

n

Scanning Selected vSphere Objects

Scanning is the process in which attributes of a set of hosts or virtual machines are evaluated

against all patches, extensions, and upgrades from an attached baseline or baseline group,

depending on the type of scan you select.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 14

n

Reviewing Scan Results

Update Manager scans vSphere objects to determine how they comply with baselines and baseline

groups that you attach. You can filter scan results by text search, group selection, baseline selection,

and compliance status selection.

n

Staging Patches and Extensions to Hosts

You can stage patches and extensions before remediation to ensure that the patches and

extensions are downloaded to the host. Staging patches and extensions is an optional step that can

reduce the time during which hosts are in maintenance mode.

n

Remediating Selected vSphere Objects

Remediation is the process in which Update Manager applies patches, extensions, and upgrades to

ESXi hosts and virtual machines after a scan is complete.

Configuring the Update Manager Download Source

You can configure the Update Manager server to download patches and extensions either from the

Internet or from a shared repository. You can also import patches and extensions manually from a ZIP file.

Configuring the Update Manager download source is an optional step.

If your deployment system is connected to the Internet, you can use the default settings and links for

downloading upgrades, patches, and extensions to the Update Manager repository. You can also add

URL addresses to download third-party patches and extensions. Third-party patches and extensions are

applicable only to hosts that are running ESXi 6.0 and later.

If your deployment system is not connected to the Internet, you can use a shared repository after

downloading the upgrades, patches, and extensions by using Update Manager Download Service

(UMDS).

For more information about UMDS, see Chapter 6 Installing, Setting Up, and Using Update Manager

Download Service.

With Update Manager, you can import both VMware and third-party patches or extensions manually from

a ZIP file, also called an offline bundle. Import of offline bundles is supported only for hosts that are

running ESXi 6.0 and later. You download the offline bundle ZIP files from the Internet or copy them from

a media drive, and save them on a local or a shared network drive. You can import the patches or

extensions to the Update Manager patch repository later. You can download offline bundles from the

VMware Web site or from the Web sites of third-party vendors.

Note You can use offline bundles for host patching operations only. You cannot use third-party offline

bundles or offline bundles that you generated from custom VIB sets for host upgrade from ESXi 6.0 and

ESXi 6.5 to ESXi 6.7.

For detailed descriptions of the procedures, see Configuring the Update Manager Download Sources.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 15

Downloading Updates and Related Metadata

Downloading host patches, extensions, and related metadata is a predefined automatic process that you

can modify. By default, at regular configurable intervals, Update Manager contacts VMware or third-party

sources to gather the latest information (metadata) about available upgrades, patches, or extensions.

VMware provides information about patches for ESXi hosts.

Update Manager downloads the following types of information:

n

Metadata about all ESXi 6.x patches regardless of whether you have hosts of such versions in your

environment.

n

Metadata about ESXi 6.x patches as well as about extensions from third-party vendor URL

addresses.

n

Notifications, alerts, and patch recalls for ESXi 6.x hosts.

Downloading information about all updates is a relatively low-cost operation in terms of disk space and

network bandwidth. The availability of regularly updated metadata lets you add scanning tasks on the

hosts at any time.

Update Manager supports the recall of patches for hosts that are running ESXi 6.0 or later. A patch is

recalled if the released patch has problems or potential issues. After you scan the hosts in your

environment, Update Manager alerts you if the recalled patch has been installed on a certain host.

Recalled patches cannot be installed on hosts with Update Manager. Update Manager also deletes all the

recalled patches from the Update Manager patch repository. After a patch fixing the problem is released,

Update Manager downloads the new patch to its patch repository. If you have already installed the

problematic patch, Update Manager notifies you that a fix was released and prompts you to apply the new

patch.

If Update Manager cannot download upgrades, patches, or extensions—for example, if it is deployed on

an internal network segment that does not have Internet access—you must use UMDS to download and

store the data on the machine on which UMDS is installed. The Update Manager server can use the

upgrades, patches, and extensions that UMDS downloaded after you export them.

For more information about UMDS, see Chapter 6 Installing, Setting Up, and Using Update Manager

Download Service.

You can configure Update Manager to use an Internet proxy to download upgrades, patches, extensions,

and related metadata.

You can change the time intervals at which Update Manager downloads updates or checks for

notifications. For detailed descriptions of the procedures, see Configure Checking for Updates in the

vSphere Web Client and Configure Notifications Checks in the vSphere Web Client.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 16

Types of Software Updates and Related Terms

Update Manager downloads software updates and metadata from Internet depots or UMDS-created

shared repositories. You can import offline bundles and host upgrade images from a local storage device

into the local Update Manager repository.

Bulletin A grouping of one or more VIBs. Bulletins are defined within metadata.

Depot A logical grouping of VIBs and associated metadata that is published

online.

Host upgrade image An ESXi image that you can import in the Update Manager repository and

use for upgrading ESXi 6.0 or ESXi 6.5 hosts to ESXi 6.7.

Extension A bulletin that defines a group of VIBs for adding an optional component to

an ESXi host. An extension is usually provided by a third party that is also

responsible for patches or updates to the extension.

Metadata Extra data that defines dependency information, textual descriptions,

system requirements, and bulletins.

Offline bundle ZIP An archive that encapsulates VIBs and corresponding metadata in a self-

contained package that is useful for offline patching. You cannot use third-

party offline bundles or offline bundles that you generated from custom VIB

sets for host upgrade from ESXi 6.0 or ESXi 6.5 to ESXi 6.7.

Patch A bulletin that groups one or more VIBs together to address a particular

issue or enhancement.

Roll-up A collection of patches that is grouped for ease of download and

deployment.

VIB A VIB is a single software package.

Importing ESXi Images

You can upgrade the hosts in your environment to ESXi 6.7 by using host upgrade baselines. To create a

host upgrade baseline, you must first upload at least one ESXi 6.7 .iso image to the Update Manager

repository.

With Update Manager 6.7 you can upgrade hosts that are running ESXi 6.0 or ESXi 6.5 to ESXi 6.7. Host

upgrades to ESXi 5.x, ESXi 6.0 or ESXi 6.5 are not supported.

Before uploading ESXi images, obtain the image files from the VMware Web site or another source. You

can create custom ESXi images that contain third-party VIBs by using vSphere ESXi Image Builder. For

more information, see Customizing Installations with vSphere ESXi Image Builder.

You can upload and manage ESXi images from the ESXi Images tab of the Update Manager

Administration view.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 17

ESXi images that you import are kept in the Update Manager repository. You can include ESXi images in

host upgrade baselines. To delete an ESXi image from the Update Manager repository, first you must

delete the upgrade baseline that contains it. After you delete the baseline, you can delete the image from

the ESXi Images tab.

For more information about importing ESXi images and creating host upgrade baselines, see Create a

Host Upgrade Baseline in the vSphere Web Client.

Creating Baselines and Baseline Groups

Baselines contain a collection of one or more patches, extensions, service packs, bug fixes, or upgrades,

and can be classified as patch, extension, or upgrade baselines. Baseline groups are assembled from

existing baselines.

Host baseline groups can contain a single upgrade baseline, and various patch and extension baselines.

Virtual machine baseline groups can contain up to two upgrade baselines: one VMware Tools upgrade

baseline, and one virtual machine hardware upgrade baseline.

When you scan hosts and virtual machines, you evaluate them against baselines and baseline groups to

determine their level of compliance.

Update Manager includes two predefined patch baselines and two predefined upgrade baselines. You

cannot edit or delete the predefined virtual machine baselines. You can use the predefined baselines, or

create patch, extension, and upgrade baselines that meet your criteria. Baselines you create, and

predefined baselines, can be combined in baseline groups. For more information about creating and

managing baselines and baseline groups, see Chapter 7 Working with Baselines and Baseline Groups.

Baseline Types

Update Manager supports different types of baselines that you can use when scanning and remediating

objects in your inventory.

Update Manager provides upgrade, patch, and extension baselines.

Upgrade Baselines

Baseline Description

Host Upgrade

Baseline

Defines to which version to upgrade the hosts in your environment. With Update Manager 6.7, you can

upgrade ESXi hosts from version 6.0 and 6.5 to ESXi 6.7.

Virtual Machine

Upgrade Baseline

Defines to which version to upgrade virtual hardware or VMware Tools. With Update Manager 6.7 you

can upgrade to hardware version vmx-14 and to the latest VMware Tools version on hosts that are

running ESXi 6.7.

Patch Baselines

Patch baselines define a number of patches that must be applied to a given host. Patch baselines can be

either dynamic or fixed.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 18

Baseline Description

Dynamic Patch

Baseline

The contents of a dynamic baseline are based on available patches that meet the specified criteria. As

the set of available patches changes, dynamic baselines are updated as well. You can explicitly include

or exclude any patches.

Fixed Patch Baseline You manually specify which patches to include in the fixed patch baseline from the total set of patches

available in the Update Manager repository.

Extension Baselines

Baseline Description

Extension

Baseline

Contains extensions (additional software such as third-party device drivers) that must be applied to a given

host. Extensions are installed on hosts that do not have such software installed on them, and patched on hosts

that already have the software installed. All third-party software for ESXi hosts is classified as a host extension,

although host extensions are not restricted to just third-party software.

Update Manager Default Baselines

Update Manager includes default baselines that you can use to scan any virtual machine or host to

determine whether the hosts in your environment are updated with the latest patches, or whether the

virtual machines are upgraded to the latest version.

Critical Host Patches

(Predefined)

Checks ESXi hosts for compliance with all critical patches.

Non-Critical Host

Patches (Predefined)

Checks ESXi hosts for compliance with all optional patches.

VMware Tools Upgrade

to Match Host

(Predefined)

Checks virtual machines for compliance with the latest VMware Tools

version on the host. Update Manager supports upgrading of VMware Tools

for virtual machines on hosts that are running ESXi 6.0.x and later.

VM Hardware Upgrade

to Match Host

(Predefined)

Checks the virtual hardware of a virtual machine for compliance with the

latest version supported by the host. Update Manager supports upgrading

to virtual hardware version vmx-14 on hosts that are running ESXi 6.7.

Baseline Groups

Baseline groups can contain patch, extension, and upgrade baselines. The baselines that you add to a

baseline group must be non-conflicting.

A baseline group is limited to a combination of patches, extensions, and upgrades. The following are valid

combinations of baselines that can make up a baseline group:

n

Multiple host patch and extension baselines.

n

One upgrade baseline, multiple patch and extension baselines.

For example, one ESXi upgrade baseline and multiple ESXi patch or extension baselines.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 19

n

Multiple upgrade baselines, but only one upgrade baseline per upgrade type (like VMware Tools,

virtual machine hardware, or host).

For example, VMware Tools Upgrade to Match Host baseline and VM Hardware Upgrade to Match

Host baseline.

Attaching Baselines and Baseline Groups to vSphere Objects

To use baselines and baseline groups, you must attach them to selected inventory objects such as

container objects, virtual machines, or hosts.

Although you can attach baselines and baseline groups to individual objects, a more efficient method is to

attach them to container objects, such as folders, vApps, clusters, and data centers. Individual vSphere

objects inherit baselines attached to the parent container object. Removing an object from a container

removes the inherited baselines from the object.

For a detailed description of the procedure, see Attach Baselines and Baseline Groups to Objects in the

vSphere Web Client.

Scanning Selected vSphere Objects

Scanning is the process in which attributes of a set of hosts or virtual machines are evaluated against all

patches, extensions, and upgrades from an attached baseline or baseline group, depending on the type

of scan you select.

You can scan a host installation to determine whether the latest patches or extensions are applied, or you

can scan a virtual machine to determine whether it is up to date with the latest virtual hardware or

VMware Tools version.

Update Manager supports the following types of scan:

Host patch scan You can perform patch scans on ESXi 6.0 and later.

Host extensions scan You can scan ESXi 6.0 and later for extensions (additional software

modules).

Host upgrade scan You can scan ESXi 6.0 and ESXi 6.5 for upgrading to ESXi 6.5.

VMware Tools scan You can scan virtual machines running Windows or Linux for the latest

VMware Tools version. You can perform VMware Tools scans on online or

offline virtual machines and templates. You must power on the virtual

machine at least once before performing a VMware Tools scan.

Virtual machine

hardware upgrade scan

You can scan virtual machines running Windows or Linux for the latest

virtual hardware supported on the host. You can perform hardware-upgrade

scans on online or offline virtual machines and templates.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 20

You can use VMware Studio 2.0 and later to automate the creation of ready-to-deploy vApps with pre-

populated application software and operating systems. VMware Studio adds a network agent to the guest

so that vApps bootstrap with minimal effort. Configuration parameters specified for vApps appear as OVF

properties in the vCenter Server deployment wizard. For more information about VMware Studio, see the

VMware SDK and API documentation for VMware Studio. For more information about vApp, you can also

check the VMware blog site. You can download VMware Studio from the VMware website.

You can initiate scans on container objects, such as data centers, clusters, or folders, to scan all the ESXi

hosts or virtual machines in that container object.

You can configure Update Manager to scan virtual machines and ESXi hosts against baselines and

baseline groups by manually initiating or scheduling scans to generate compliance information. Schedule

scan tasks at a data center or vCenter Server system level to make sure that scans are up to date.

For manual and scheduled scanning procedures, see Chapter 8 Scanning vSphere Objects and Viewing

Scan Results.

Reviewing Scan Results

Update Manager scans vSphere objects to determine how they comply with baselines and baseline

groups that you attach. You can filter scan results by text search, group selection, baseline selection, and

compliance status selection.

When you select a container object, you view the overall compliance status of the container against the

attached baselines as a group. You also see the individual compliance statuses of the objects in the

selected container against all baselines. If you select an individual baseline attached to the container

object, you see the compliance status of the container against the selected baseline.

If you select an individual virtual machine, appliance, or host, you see the overall compliance status of the

selected object against all attached baselines and the number of updates. If you select an individual

baseline attached to this object, you see the number of updates grouped by the compliance status for that

baseline.

The compliance information is displayed on the Update Manager tab. For more information about viewing

compliance information, see Viewing Scan Results and Compliance States for vSphere Objects.

Staging Patches and Extensions to Hosts

You can stage patches and extensions before remediation to ensure that the patches and extensions are

downloaded to the host. Staging patches and extensions is an optional step that can reduce the time

during which hosts are in maintenance mode.

Staging patches and extensions to hosts that are running ESXi 5.0 or later lets you download the patches

and extensions from the Update Manager server to the ESXi hosts without applying the patches or

extensions immediately. Staging patches and extensions speeds up the remediation process because the

patches and extensions are already available locally on the hosts.

Important Update Manager can stage patches to PXE booted ESXi hosts.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 21

For more information about staging patches, see Stage Patches and Extensions to ESXi Hosts in the

vSphere Web Client.

Remediating Selected vSphere Objects

Remediation is the process in which Update Manager applies patches, extensions, and upgrades to ESXi

hosts and virtual machines after a scan is complete.

Remediation makes the selected vSphere objects compliant with patch, extension, and upgrade

baselines.

As with scanning, you can remediate single hosts or virtual machines. You can also initiate remediation

on a folder, a cluster, or a data center level.

Update Manager supports remediation for the following inventory objects:

n

Powered on, suspended, or powered off virtual machines and templates for VMware Tools and virtual

machine hardware upgrade.

n

ESXi hosts for patch, extension, and upgrade remediation.

You can remediate the objects in your vSphere inventory by using either manual remediation or

scheduled remediation. For more information about manual and scheduled remediation, see Chapter 9

Remediating vSphere Objects.

Remediating Hosts

Update Manager 6.7 supports upgrade from ESXi 6.0.x and ESXi 6.5.x to ESXi 6.7.

Important If you enable the setting from the ESX Host/Cluster Settings page of the Configuration tab,

or from the Remediate wizard, you can patch PXE booted ESXi hosts.

After you upload ESXi images, upgrades for ESXi hosts are managed through baselines and baseline

groups.

Typically, if the update requires it, hosts are put into maintenance mode before remediation. Virtual

machines cannot run when a host is in maintenance mode. To ensure a consistent user experience,

vCenter Server migrates the virtual machines to other hosts within a cluster before the host is put in

maintenance mode. vCenter Server can migrate the virtual machines if the cluster is configured for

vMotion and if VMware Distributed Resource Scheduler (DRS) and VMware Enhanced vMotion

Compatibility (EVC) are enabled. EVC is not a prerequisite for vMotion. EVC guarantees that the CPUs of

the hosts are compatible. For other containers or individual hosts that are not in a cluster, migration with

vMotion cannot be performed.

Important After you have upgraded your host to ESXi 6.7, you cannot roll back to your version ESXi

6.0.x or ESXi 6.5.x software. Back up your host configuration before performing an upgrade. If the

upgrade fails, you can reinstall the ESXi 6.0.x or ESXi 6.5.x software that you upgraded from, and restore

your host configuration. For more information about backing up and restoring your ESXi configuration,

see vSphere Upgrade.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 22

Remediation of ESXi 6.0 and 6.5 hosts to their respective ESXi update releases is a patching process,

while the remediation of ESXi hosts from version 6.0 or 6.5 to 6.7 is an upgrade process.

Remediating Virtual Machines

You can upgrade VMware Tools, and the virtual hardware of virtual machines to a later version. Upgrades

for virtual machines are managed through the Update Manager default virtual machine upgrade

baselines.

Orchestrated Upgrades

With Update Manager, you can perform orchestrated upgrades of hosts and virtual machines. With

orchestrated upgrades, you can upgrade hosts and virtual machines in your vSphere inventory by using

baseline groups.

You can perform an orchestrated upgrade of hosts by using a baseline group that contains a single host

upgrade baseline and multiple patch or extension baselines. Update Manager first upgrades the hosts

and then applies the patch or extension baselines.

You can perform an orchestrated upgrade of virtual machines by using a virtual machine baseline group

that contains the following baselines:

n

VM Hardware Upgrade to Match Host

n

VMware Tools Upgrade to Match Host

You can use orchestrated upgrades to upgrade the virtual hardware and VMware Tools of virtual

machines in the inventory at the same time. The VMware Tools upgrade baseline runs first, followed by

the virtual machine hardware upgrade baseline.

Orchestrated upgrades can be performed at a cluster, folder, or a data center level.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 23

Installing, Upgrading, and
Uninstalling Update Manager on

a Windows Operating System 2

You can install Update Manager server on a Windows virtual or physical machine and connect it to a

vCenter Server instance that also runs on Windows. You can later uninstall the Update Manager server. If

you are running Update Manager server of an earlier version, you can upgrade it to version 6.7.

n

System Requirements

To run and use the Update Manager server, you must ensure that your environment satisfies certain

conditions. You also must ensure that the vCenter Server and Update Manager are of compatible

versions.

n

Preparing the Update Manager Database

The Update Manager server and Update Manager Download Service (UMDS) that you install on

Windows require a database to store and organize server data. Update Manager supports Oracle,

Microsoft SQL Server databases.

n

Installing Update Manager on Windows

The Update Manager server is a 64-bit application. You can install the Update Manager server for

Windows only on 64-bit Windows machines.

n

Upgrading Update Manager that Runs on Windows

You can upgrade to Update Manager 6.7 only from Update Manager versions 6.0 or 6.5 that are

installed on a 64-bit Windows operating system.

n

Uninstalling Update Manager that Runs on Windows

Update Manager has a relatively small impact on computing resources such as disk space. Unless

you are certain that you want to remove Update Manager, leave an existing installation in place.

n

Best Practices and Recommendations for Update Manager Environment

You can install Update Manager on the server on which vCenter Server runs or on a different server.

System Requirements

To run and use the Update Manager server, you must ensure that your environment satisfies certain

conditions. You also must ensure that the vCenter Server and Update Manager are of compatible

versions.

VMware, Inc.

24

Before you install Update Manager on Windows, you must set up an Oracle or Microsoft SQL Server

database. If your deployment is relatively small and contains up to 5 hosts and 50 virtual machines, you

can use the bundled Microsoft SQL Server 2012 Express database, which you can select to install from

the Update Manager installation wizard.

You can install Update Manager on a physical server or on a virtual machine. You can install the

Update Manager server component on the same Windows machine as vCenter Server or on a different

machine. After you install the Update Manager server component, to use Update Manager, the

Update Manager client is automatically enabled on the vSphere Web Client.

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter

Single Sign-On domain, you can install and register Update Manager instances with each vCenter Server

system.

Update Manager Hardware Requirements

You can run Update Manager on any system that meets the minimum hardware requirements.

Minimum hardware requirements for Update Manager vary depending on how Update Manager is

deployed. If the database is installed on the same machine as Update Manager, requirements for

memory size and processor speed are higher. To ensure acceptable performance, verify that your system

meets the minimum hardware requirements.

Table 2‑1. Minimum Hardware Requirements

Hardware Requirements

Processor Intel or AMD x86 processor with two or more logical cores, each with a speed of 2GHz

Network 10/100 Mbps

For best performance, use a Gigabit connection between Update Manager and the ESXi hosts

Memory 2GB RAM if Update Manager and vCenter Server are on different machines

8GB RAM if Update Manager and vCenter Server are on the same machine

Update Manager uses a SQL Server or Oracle database. You should use a dedicated database for

Update Manager, not a database shared with vCenter Server, and should back up the database

periodically. Best practice is to have the database on the same computer as Update Manager or on a

computer in the local network.

Depending on the size of your deployment, Update Manager requires a minimum amount of free space

per month for database usage. For more information about space requirements, see the VMware

vSphere Update Manager Sizing Estimator.

Supported Windows Operating Systems and Database Formats

Update Manager works with specific databases and operating systems.

The Update Manager server requires a 64-bit Windows system.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 25

To see a list of the supported Windows operating systems on which you can install the Update Manager

server and the UMDS, see Supported host operating systems for VMware vCenter Server installation.

The supported Windows operating systems for vCenter Server installation listed in the article also apply

for installation of the respective versions of the Update Manager server and the UMDS.

Note Make sure the Windows system on which you are installing the Update Manager server is not an

Active Directory domain controller.

The Update Manager server that you install on Windows requires a SQL Server or an Oracle database.

Update Manager can handle small-scale environments using the bundled in the installer SQL Server

2012 Express database. For environments with more than 5 hosts and 50 virtual machines, create either

an Oracle or a SQL Server database for Update Manager. For large-scale environments, set up the

Update Manager database on a different computer than the Update Manager server and the

vCenter Server database.

To see a list of database formats that are compatible with the Update Manager server and the UMDS,

select the Solution/Database Interoperability option from the VMware Product Interoperability Matrixes

at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

Update Manager Compatibility with vCenter Server ,
vCenter Server Appliance , vSphere Web Client , and
vSphere Client

Update Manager 6.7 is compatible only with vCenter Server 6.7 and its components.

An Update Manager server that runs on Windows is only compatible with the vCenter Server that runs on

Windows and the vSphere Web Client.

The vCenter Server Appliance is packed with the Update Manager server, and after deployment runs

Update Manager as a service. The vCenter Server Appliance supports Update Manager client interfaces

in both the vSphere Client and the vSphere Web Client.

There are differences in the Update Manager user interface between the vSphere Client and the

vSphere Web Client. For example, in the vSphere Client you are unable to change Update Manager

configuration settings, or change default remediation options in the remediation wizard, or remediate

VMs. For such operations, use the vSphere Web Client.

Required Database Privileges

The set of database privileges needed for the Update Manager installation and upgrade differs from the

set of privileges needed for the Update Manager administration.

Before installing or upgrading Update Manager, you must grant adequate privileges to the database user.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 26

Table 2‑2. Database Privileges Needed for Installation or Upgrade of Update Manager

Database Privileges

Oracle Either assign the DBA role, or grant the following set of privileges to the Update Manager Oracle database

user.

n

connect

n

execute on dbms_lock

n

create view

n

create procedure

n

create table

n

create sequence

n

create any sequence

n

create any table

n

create type

n

unlimited tablespace

Microsoft SQL

Server

Make sure that the database user has either a sysadmin server role or the db_owner fixed database role

on the Update Manager database and the MSDB database. Although the db_owner role is required for the

upgrade, SQL jobs are not created as part of the Update Manager installation or upgrade.

To run Update Manager, you must grant a set of minimum privileges to the database user.

Table 2‑3. Database Privileges Needed for Using Update Manager

Database Privileges

Oracle The minimum required privileges of the Oracle database user are the following:

n

create session

n

create any table

n

drop any table

Microsoft SQL

Server

The database user must have either a sysadmin server role or the db_owner fixed database role on the

Update Manager database and the MSDB database.

Preparing the Update Manager Database

The Update Manager server and Update Manager Download Service (UMDS) that you install on

Windows require a database to store and organize server data. Update Manager supports Oracle,

Microsoft SQL Server databases.

Before installing the Update Manager server on a Windows machine, you must create a database

instance and configure it to ensure that all Update Manager database tables can be created in it. You can

install and configure the Microsoft SQL Server 2012 Express database that is embedded with

Update Manager. Microsoft SQL Server 2012 Express is recommended for small deployments of up to

5 hosts and 50 virtual machines.

Update Manager 6.7 server is a 64-bit application, and you can install it only on 64-bit machines.

Update Manager requires a 64-bit DSN.

To use Microsoft SQL Server and Oracle databases, you must configure a 64-bit system DSN and test it

with ODBC.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 27

The Update Manager database you use can be the same as the vCenter Server database. You can also

use a separate type of database, or you can use existing database clusters. For optimal results in a large-

scale environment, use a dedicated Update Manager database that runs on a different machine than the

vCenter Server system database.

The Update Manager server requires administrative credentials to connect to the database. If the

database user name and password change after you install the Update Manager server or UMDS on

Windows, you can reconfigure Update Manager and UMDS without the need to reinstall them. See the

Reconfiguring VMware vSphere Update Manager documentation.

Before you begin the database setup, review the supported databases. If you create an ODBC

connection to a database server that is not supported, a DSN for the unsupported database might be

displayed in the drop-down menu of the Update Manager installation wizard. For more information about

the supported database patches, see the Solution/Database Interoperability option from the VMware

Product Interoperability Matrixes at

http://www.vmware.com/resources/compatibility/sim/interop_matrix.php. If you do not prepare your

database correctly, the Update Manager installer might display error or warning messages.

Create a 64-Bit DSN

The Update Manager 6.7 system must have a 64-bit DSN. This requirement applies to all supported

databases.

Procedure

1 From the Windows Start menu, select Control Panel > Administrative Tools > Data Sources

(ODBC).

2 Create a system DSN.

If you have a Microsoft SQL database, create the system DSN by using SQL Native Client version 10

or 11.

3 Test the connectivity.

The system now has a DSN that is compatible with Update Manager. When the Update Manager installer

prompts you for a DSN, select the 64-bit DSN.

About the Bundled Microsoft SQL Server 2012 Express Database
Package

The Microsoft SQL Server 2012 Express database package is installed and configured when you select

Microsoft SQL Server 2012 Express as your database during the Update Manager installation or upgrade.

No additional configuration is required.

Maintaining Your Update Manager Database

After your Update Manager database instance and Update Manager server are installed and operational,

perform standard database maintenance processes.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 28

Maintaining your Update Manager database involves several tasks:

n

Monitoring the growth of the log file and compacting the database log file, as needed. See the

documentation for the database type that you are using.

n

Scheduling regular backups of the database.

n

Backing up the database before any Update Manager upgrade.

See your database documentation for information about backing up your database.

Configure a Microsoft SQL Server Database Connection

When you install Update Manager, you can establish an ODBC connection with a SQL Server database.

If you use SQL Server for Update Manager, do not use the master database.

See your Microsoft SQL ODBC documentation for specific instructions on configuring the SQL Server

ODBC connection.

Procedure

1 Create a SQL Server database by using SQL Server Management Studio on SQL Server.

The Update Manager installer creates all tables, procedures, and user-defined functions (UDF) within

the default schema of the database user that you use for Update Manager. This default schema does

not necessarily have to be dbo schema.

2 Create a SQL Server database user with database operator (DBO) rights.

Make sure that the database user has either a sysadmin server role or the db_owner fixed database

role on the Update Manager database and the MSDB database.

The db_owner role on the MSDB database is required for installation and upgrade only.

Create a New Data Source (ODBC)

To prepare a Microsoft SQL Server database to work with Update Manager, you have to create a data

source (ODBC).

Procedure

1 On your Update Manager server system, select Control Panel > Administrative Tools > Data

Sources (ODBC).

2 Click the System DSN tab.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 29

3 Create or modify an ODBC system data source.

Option Action

Create an ODBC system data source a Click Add.

b For Microsoft SQL Server 2008, Microsoft SQL Server 2008 R2 Express,

Microsoft SQL Server 2012, or Microsoft SQL Server 2014 select SQL Native

Client, and click Finish.

Modify an existing ODBC system data

source

Double-click the ODBC system data source that you want to modify.

To see a detailed list of all Microsoft SQL Server database versions that are compatible with the

Update Manager server and the UMDS, select the Solution/Database Interoperability option from

the VMware Product Interoperability Matrixes at

http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

4 In the Microsoft SQL Server DSN Configuration window, enter the necessary information and click

Next.

a Type an ODBC DSN in the Name text field.

For example, type VUM.

b (Optional) Type an ODBC DSN description in the Description text field.

c Select the SQL Server name from the Server drop-down menu.

Type the SQL Server machine name in the text field if you cannot find it in the drop-down menu.

5 Configure the SQL Server authentication, and click Next.

n

If you are using a local SQL Server, you can select Integrated Windows NT authentication.

n

If you are using a remote SQL Server, you must use the SQL Server authentication method.

If you use the SQL Server authentication method, in the Update Manager installation wizard supply

the same user name, password, and ODBC DSN that you used to configure the ODBC.

Important Update Manager does not support Windows authentication of the database when the

database is located on a different machine because of local system account issues. Make sure that if

the Update Manager database is on a remote machine, the database, and the system DSN use SQL

Server authentication.

6 Select a database from the Change the default database to drop-down menu, specify the ANSI

settings, and click Next.

7 Specify the language and translation settings, where to save the log files, and click Finish.

What to do next

To test the data source, in the ODBC Microsoft SQL Server Setup window, click Test Data Source, and

click OK. Ensure that SQL Agent is running on your database server by double-clicking the SQL Server

icon in the system tray.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 30

Identify the SQL Server Authentication Type

You can identify whether your SQL Server is using Windows NT or SQL Server authentication.

Procedure

1 Open SQL Server Enterprise Manager.

2 Click the Properties tab.

3 Check the connection type.

Configure an Oracle Database

To use an Oracle database for Update Manager, you must first set up the database.

Procedure

1 Download Oracle 11g or Oracle 12c from the Oracle Web site, install it, and create a database (for

example, VUM).

Make sure that the TNS Listener is up and running, and test the database service to be sure it is

working.

2 Download Oracle ODBC from the Oracle Web site.

3 Install the corresponding Oracle ODBC driver through the Oracle Universal Installer.

4 Increase the number of open cursors for the database.

Add the entry open_cursors = 300 to the ORACLE_BASE\ADMIN\VUM\pfile\init.ora file.

In this example, ORACLE_BASE is the root of the Oracle directory tree.

Configure an Oracle Connection to Work Locally

You can configure an Oracle connection to work locally with Update Manager.

Prerequisites

Verify that the ODBC data source that you use is a 64-bit system DSN. See Create a 64-Bit DSN.

Procedure

1 Create a tablespace specifically for Update Manager by using the following SQL statement:

CREATE TABLESPACE "VUM" DATAFILE 'ORACLE_BASE\ORADATA\VUM\VUM.dat' SIZE 1000M AUTOEXTEND ON NEXT

500K;

In this example, ORACLE_BASE is the root of the Oracle directory tree.

2 Create a user, such as vumAdmin, for accessing this tablespace through ODBC.

CREATE USER vumAdmin IDENTIFIED BY vumadmin DEFAULT TABLESPACE “vum”;

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 31

3 Either grant the dba permission to the user, or grant the following specific permissions to the user.

grant connect to vumAdmin

grant resource to vumAdmin

grant create any job to vumAdmin

grant create view to vumAdmin

grant create any sequence to vumAdmin

grant create any table to vumAdmin

grant lock any table to vumAdmin

grant create procedure to vumAdmin

grant create type to vumAdmin

grant execute on dbms_lock to vumAdmin

grant unlimited tablespace to vumAdmin

# To ensure space limitation is not an issue

4 Create an ODBC connection to the database.

See the following example settings:

Data Source Name: VUM

TNS Service Name: VUM

User ID: vumAdmin

Configure an Oracle Database to Work Remotely

You can configure your Oracle database to work with Update Manager remotely.

Prerequisites

n

Verify that the ODBC data source that you use is a 64-bit system DSN. See Create a 64-Bit DSN.

n

Set up a database as described in Configure an Oracle Database.

Procedure

1 Install the Oracle client on the Update Manager server machine.

2 Use the Net Configuration Assistant tool to add the entry to connect to the managed host.

VUM =

(DESCRIPTION =

(ADDRESS_LIST =

(ADDRESS=(PROTOCOL=TCP)(HOST=host_address)(PORT=1521))

)

(CONNECT_DATA =(SERVICE_NAME = VUM)

)

)

In this example, host_address is the managed host to which the client needs to connect.

3 (Optional) Edit the tnsnames.ora file located in ORACLE_HOME\network\admin\, as appropriate.

Here, ORACLE_HOME is located under C:\ORACLE_BASE, and it contains subdirectories for Oracle

software executable and network files.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 32

4 Create an ODBC connection to the database.

These are example settings.

Data Source Name: VUM

TNS Service Name: VUM

User Id: vumAdmin

Installing Update Manager on Windows

The Update Manager server is a 64-bit application. You can install the Update Manager server for

Windows only on 64-bit Windows machines.

You can install the Update Manager server component either on the same machine where the

vCenter Server is installed or on a separate machine. For optimal performance, especially in large-scale

environments, install the Update Manager server component on a different Windows machine.

The Update Manager 6.7 installer for Windows generates a 2048-bit key and self-signed certificate. To

replace the self-signed SSL certificate after installation, you can use the Update Manager Utility.

You can install vCenter Server and the Update Manager server in a heterogeneous network environment,

where one of the machines is configured to use IPv6 and the other is configured to use IPv4.

To run and use Update Manager, you must use a local system account for the machine on which

Update Manager is installed.

During installation, you cannot connect an Update Manager server that is installed on a Windows server

to a vCenter Server Appliance. The vCenter Server Appliance facilitates Update Manager server as a

service.

After you install the Update Manager server component, the Update Manager client interface is

automatically enabled on the vSphere Web Client.

In the vSphere Web Client the Update Manager client interface appears as tab Update Manager. The

Update Manager tab is a first level tab and is last in the row of first level tabs, following the Summary,

the Monitor, the Configure, the Permissions, and so on tabs.

When you use an Update Manager server instance that runs on Windows, you can use Update Manager

only with the vSphere Web Client. The vSphere Client does not support using Update Manager server

that runs on Windows and is connected to a vCenter Server instance that also runs on Windows. To use

Update Manager capabilities with the vSphere Client, use a vCenter Server Appliance where

Update Manager runs as a service.

VMware uses designated ports for communication. The Update Manager server connects to

vCenter Server, ESXi hosts, and the vSphere Web Client on designated ports. If a firewall exists between

any of these elements and Windows firewall service is in use, the installer opens the ports during the

installation. For custom firewalls, you must manually open the required ports.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 33

You can run Update Manager in deployments that you protect using SRM. Use caution before connecting

the Update Manager server to a vCenter Server instance to which the SRM server is connected.

Connecting the Update Manager server to the same vCenter Server instance as SRM might cause

problems when you upgrade SRM or vSphere, and when you perform daily tasks. Check the compatibility

and interoperability of Update Manager with SRM before you install the Update Manager server.

Prerequisites for Installing the Update Manager Server on
Windows

Before you install the Update Manager server, review the installation prerequisites.

Update Manager Database Requirements

Update Manager requires an Oracle or SQL Server database. Update Manager can handle small-scale

environments using the bundled Microsoft SQL Server 2012 Express. For environments with more than 5

hosts and 50 virtual machines, you must create either an Oracle or SQL Server database.

To see a list of database formats that are compatible with the Update Manager server and the UMDS,

select the Solution/Database Interoperability option from the VMware Product Interoperability Matrixes

at http://www.vmware.com/resources/compatibility/sim/interop_matrix.php.

For large-scale environments, set up the database on a machine different than the machines on which the

Update Manager server is installed and the vCenter Server database is located. For more information

about setting up the Update Manager database, see Preparing the Update Manager Database.

n

Create a database and 64-bit DSN, unless you are using the bundled Microsoft SQL Server 2012

Express.

n

Make sure that if the Update Manager database is located on a remote machine, the database and

the system DSN use SQL Server authentication.

Update Manager does not support Windows authentication of the database when the database is

located on a different machine because of local system account problems.

n

If you plan to use the bundled Microsoft SQL Server 2012 Express database, make sure that you

install Microsoft Windows Installer version 4.5 (MSI 4.5) on your system.

n

Make sure that the database privileges meet the requirements listed in Required Database Privileges.

n

Create the 64-bit ODBC connection to a supported database server version by using a supported

database client version.

If you create an ODBC connection to a database server that is of an unsupported version, and your

database client is of a supported version, a DSN for the unsupported database might be displayed in

the drop-down menu of the Update Manager installation wizard.

vCenter Server Installation

n

Install vCenter Server.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 34

If prompted, you must restart the machine on which vCenter Server is installed. Otherwise, you might

not be able to register Update Manager with vCenter Server, and the Update Manager installation

might fail.

For more information about installing vCenter Server, see vSphere Installation and Setup.

n

Gather the following networking information for the vCenter Server system.

n

User name and password for the vCenter Server system.

During the Update Manager installation process, you must register the Update Manager server

with the vCenter Server system. To register Update Manager with vCenter Server, you must

provide the credentials of the vCenter Server user that has the Register extension privilege. For

more information about managing users, groups, roles, and permissions, see vSphere Security.

n

Port numbers. In most cases, the default Web service port 80 is used.

n

IP address.

If the IP address of the vCenter Server system or Update Manager changes, you can re-register

the Update Manager server with the vCenter Server system. For more information about

configuring the Update Manager server after installation, see Reconfiguring VMware vSphere

Update Manager.

Update Manager System Requirements

n

Make sure that your system meets the requirements specified in System Requirements.

Important You can install the Update Manager 6.7 server component only on a 64-bit machine.

Make sure the Windows system on which you are installing the Update Manager server is not an

Active Directory domain controller.

n

Log in as a local Administrator or a domain user that is member of the Administrators group.

n

Update Manager installation requires installation of the Microsoft .NET framework 4.7. Consider the

following before proceeding with the installation.

n

Installing Microsoft .NET framework 4.7 is not supported on Microsoft Windows Server 2008

Service Pack 2 64-bit.

n

Installing Microsoft .NET framework 4.7 might require you to install some additional Windows

updates. Relevant links to the Windows updates are provided during the Microsoft .NET

framework 4.7.

n

Installing Microsoft .NET framework 4.7 might require you to reboot your host operating system.

n

If you plan to install Update Manager server on the same Windows machine where

vCenter Server runs (typical installation), the vCenter Server service might temporarily disconnect

if the a reboot is invoked on the system by the .NET Microsoft .NET framework 4.7 installation.

n

After installing or upgrading the Microsoft .NET framework 4.7, follow the prompts of the

Update Manager server or the UMDS installation wizards.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 35

n

Check the compatibility and interoperability of the vCenter Server server with VMware Site Recovery

Manager®. Use caution when connecting the Update Manager server to a vCenter Server instance to

which the Site Recovery Manager server is also connected. Connecting the Update Manager server

to the same vCenter Server instance as Site Recovery Manager might cause problems when you

upgrade the Site Recovery Manager or the vCenter Server, or when you perform daily operations.

Obtain the Update Manager Installer

You install the Update Manager server for Windows from the vCenter Server installer for Windows.

Update Manager for Windows runs only on a 64-bit Windows operating system.

Prerequisites

Create a My VMware account at https://my.vmware.com/web/vmware/.

Procedure

1 Download the vCenter Server installer from the VMware website at

https://my.vmware.com/web/vmware/downloads.

vCenter Server is part of VMware vCloud Suite and of VMware vSphere, listed under Datacenter &

Cloud Infrastructure.

a Under Datacenter & Cloud Infrastructure, select VMware vCloud Suite or VMware vSphere,

and click Download Product.

b From the Select Version drop-down menu, select the version you want.

c Locate VMware vCenter Server on the page, and select Go to Downloads.

d Download the ISO file of the VMware vCenter Server <product version> and Modules for

Windows.

2 Confirm that the md5sum is correct.

See the VMware website topic Using MD5 Checksums at

http://www.vmware.com/download/md5.html.

3 Mount the ISO image to the Windows virtual machine or physical server on which you want to install

the Update Manager server or the UMDS.

Install the Update Manager Server

The Update Manager installation requires a connection with a single vCenter Server instance. You can

install Update Manager on the same computer on which vCenter Server is installed or on a different

computer.

When you use an Update Manager server instance that runs on Windows, you can use Update Manager

only with the vSphere Web Client. The vSphere Client does not support using Update Manager server

that runs on Windows and is connected to a vCenter Server instance that also runs on Windows. To use

Update Manager capabilities with the vSphere Client, use a vCenter Server Appliance where

Update Manager runs as a service.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 36

Prerequisites

n

See installation prerequisites in Prerequisites for Installing the Update Manager Server on Windows.

n

Check the compatibility and interoperability of the vCenter Server server with VMware Site Recovery

Manager®. Use caution when connecting the Update Manager server to a vCenter Server instance to

which the Site Recovery Manager server is also connected. Connecting the Update Manager server

to the same vCenter Server instance as Site Recovery Manager might cause problems when you

upgrade the Site Recovery Manager or the vCenter Server, or when you perform daily operations.

n

Update Manager installation requires installation of the Microsoft .NET framework 4.7. Consider the

following before proceeding with the installation.

n

Installing Microsoft .NET framework 4.7 is not supported on Microsoft Windows Server 2008

Service Pack 2 64-bit.

n

Installing Microsoft .NET framework 4.7 might require you to install some additional Windows

updates. Relevant links to the Windows updates are provided during the Microsoft .NET

framework 4.7.

n

Installing Microsoft .NET framework 4.7 might require you to reboot your host operating system.

n

If you plan to install Update Manager server on the same Windows machine where

vCenter Server runs (typical installation), the vCenter Server service might temporarily disconnect

if the a reboot is invoked on the system by the .NET Microsoft .NET framework 4.7 installation.

n

After installing or upgrading the Microsoft .NET framework 4.7, follow the prompts of the

Update Manager server or the UMDS installation wizards.

Procedure

1 Mount the ISO image of the vCenter Server installer to the Windows virtual machine or physical

server on which you want to install the Update Manager server.

2 In the mounted directory, double-click the autorun.exe file of the VMware vCenter Installer, and

select vSphere Update Manager > Server.

3 (Optional) Select the option to Use Microsoft SQL Server 2012 Express as the embedded

database, and click Install.

Note Skip this step only if you plan to use another supported Oracle or SQL Server database.

If the Microsoft SQL Server 2012 Express is not present on your system from previous

Update Manager installations, the installation wizard for the Microsoft SQL Server 2012 Express

opens.

4 Select the option to install the Microsoft .NET framework 4.7.

Note If you do not select to install Microsoft .NET framework 4.7, the Update Manager server

installation will fail with an error message.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 37

5 On the VMware vCenter Installer, click Install.

The VMware vCenter Installer wizard remains open, and a language selection dialog box opens.

6 Select the language for the vSphere Update Manager installer, and click OK.

7 Depending on the database selection you made in the VMware vCenter Installer, perform one of the

following steps:

n

If you selected to use embedded Microsoft SQL Server 2012, wait for the installation process of

the Microsoft .NET framework 4.7 and the Microsoft SQL Server 2012 to complete, and from the

VMware vCenter Installer, click Install again.

The VMware vSphere Update Manager installer opens.

n

If you are using another supported database and did not select to use the embedded Microsoft

SQL Server 2012, the VMware vSphere Update Manager installer opens, and you can proceed

with next steps.

8 Review the Welcome page and click Next.

9 Read and accept the license agreement, and click Next.

10 Review the support information, select whether to download updates from the default download

sources immediately after installation, and click Next.

If you deselect Download updates from default sources immediately after installation,

Update Manager downloads updates once daily according to the default download schedule or

immediately after you click the Download Now button on the Download Settings page. You can

modify the default download schedule after the installation is complete.

11 Type the vCenter Server IP address or name, HTTP port, and the administrative account that the

Update Manager server will use to connect to the vCenter Server system, and click Next.

You can not provide an IP address to a vCenter Server Appliance. Update Manager server is fully

integrated with the vCenter Server Appliance, and the vCenter Server Appliance runs

Update Manager as a service.

The default administrative user account is administrator@vsphere.local.

12 (Optional) Select the database, and click Next.

If you selected to use the embedded Microsoft SQL Server 2012 Express database, the installation

wizard skips this page.

a Use an existing supported database, by selecting your database from the list of DSNs. If the DSN

does not use Windows NT authentication, enter the user name and password for the DSN and

click Next.

Important The DSN must be a 64-bit DSN.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 38

13 (Optional) Select the database options.

n

If the system DSN you specify points to an existing Update Manager database with the current

schema, you can either retain your existing database or replace it with an empty one.

n

If the system DSN you specify points to an existing Update Manager database with a different

schema, on the Database Upgrade page, select Yes, I want to upgrade my Update Manager

database and I have taken a backup of the existing Update Manager database, and click

Next.

14 From the drop-down menu, select the IP address or the host name of your Update Manager instance.

If the computer on which you install Update Manager has one NIC, the Update Manager installer

automatically detects the IP address. If the computer has multiple NICs, you must select the correct

IP address or use a DNS name. The DNS name must be resolved from all hosts that this

Update Manager instance will manage.

15 Specify the Update Manager port settings, select whether you want to configure the proxy settings,

and click Next.

Note Use caution when you specify the Update Manager port settings, as you cannot modify them

after installation.

For the SOAP port, you have no limitations to the range of ports used, unless there are conflicts.

For the Server port, you can use the following range: 80, 9000-9100. Update Manager automatically

opens ESXi firewall ports in this range to allow outbound HTTP traffic to the patch store.

16 (Optional) Provide information about the proxy server, the port, and whether the proxy should be

authenticated, and click Next.

17 Select the Update Manager installation and patch download directories, and click Next.

If you do not want to use the default locations, you can click Change to browse to a different

directory.

18 (Optional) In the warning message about the disk free space, click OK.

This message appears when you try to install Update Manager on a computer that has less than 120

GB free space.

19 Click Install to begin the Update Manager server installation.

20 Click Finish to close the Update Manager installation wizard.

The Update Manager server component is installed. The Update Manager client interface is automatically

enabled in the vSphere Web Client.

Note When you use an Update Manager server instance that runs on Windows, you can use

Update Manager only with the vSphere Web Client. If you use the vSphere Client to connect to the

vCenter Server instance to which the Update Manager server that runs on Windows is registered, you do

not see any Update Manager interface.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 39

Using the Update Manager Client Interface with Update Manager
Server that Runs on Windows

The Update Manager client interface do not require any installation, and is automatically enabled in the

vSphere Web Client after you install the Update Manager server component on Windows.

When you use an Update Manager server instance that runs on Windows, you can use Update Manager

only with the vSphere Web Client. The vSphere Client does not support using Update Manager server

that runs on Windows and is connected to a vCenter Server instance that also runs on Windows. To use

Update Manager capabilities with the vSphere Client, use a vCenter Server Appliance where

Update Manager runs as a service.

With the Update Manager client interface in the vSphere Web Client, you can perform the full set of

operations that Update Manager offers. You can create and manage baselines, attach and detach

baselines to hosts and VMs, scan for compliance, perform upgrade operations on the hosts and update

operations the virtual machines in your environment, manage the Update Manager configuration settings.

Verify that you have the View Compliance Status privilege, otherwise you cannot see and use the

Update Manager client interface in the vSphere Web Client.

In the vSphere Web Client the Update Manager client interface appears as tab Update Manager. The

Update Manager tab is a first level tab and is last in the row of first level tabs, following the Summary,

the Monitor, the Configure, the Permissions, and so on tabs.

For more information, see Overview of the Update Manager Client Interfaces.

Upgrading Update Manager that Runs on Windows

You can upgrade to Update Manager 6.7 only from Update Manager versions 6.0 or 6.5 that are installed

on a 64-bit Windows operating system.

If you are switching from using a vCenter Server system of version 6.0 or version 6.5 that runs on

Windows to a vCenter Server Appliance 6.7, this is a migration process. For detailed information on

Update Manager migration process, read Chapter 4 Migrating Update Manager from Windows to the

vCenter Server Appliance, or see the Migration chapter in vSphere Upgrade documentation.

If you are running Update Manager of a version earlier than 5.5, or Update Manager that runs on a 32-bit

platform, you cannot perform a direct upgrade to Update Manager 6.7. You must use the data migration

tool that is provided with Update Manager 5.0 installation media to upgrade your Update Manager system

to Update Manager 5.0 running on a 64-bit operating system, and then perform an upgrade from version

5.0 or version 5.1 to version 5.5 before upgrading to version 6.7. For detailed information how to use the

data migration tool, see the Installing and Administering VMware vSphere Update Manager

documentation for Update Manager 5.0.

When you upgrade Update Manager, you cannot change the installation path and patch download

location. To change these parameters, you must install a new version of Update Manager rather than

upgrade.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 40

Previous versions of Update Manager use a 512-bit key and self-signed certificate and these are not

replaced during upgrade. If you require a more secure 2048-bit key, you can either perform a new

installation of Update Manager 6.7, or use the Update Manager Utility to replace the existing certificate.

For more information about how to use the Update Manager Utility, see the Reconfiguring VMware

vSphere Update Manager documentation.

Scheduled tasks for virtual machine patch scan and remediation are retained during the upgrade. After

the upgrade, you can edit and remove scheduled scan tasks that exist from previous releases. You can

remove existing scheduled remediation tasks but you cannot edit them.

You must upgrade the Update Manager database during the Update Manager upgrade. You can select

whether to keep your existing data in the database or to replace it during the upgrade.

The Java Components (JRE) required by Update Manager are installed or upgraded silently on the

system when you install or upgrade Update Manager. You can upgrade the Java Components separately

from an Update Manager upgrade procedure to a version of the Java Components that is released

asynchronously from the Update Manager releases.

Upgrade the Update Manager Server

To upgrade an instance of Update Manager that is installed on a 64-bit machine, you must first upgrade

vCenter Server to a compatible version.

The Update Manager 6.7 release allows upgrades from Update Manager 6.0 or later.

Prerequisites

n

Grant the database user the required set of privileges. For more information, see Preparing the

Update Manager Database.

n

Stop the Update Manager service and back up the Update Manager database. The installer upgrades

the database schema, making the database irreversibly incompatible with previous Update Manager

versions.

n

If you are upgrading Update Manager instance that uses Oracle database, Create a 64-Bit DSN. If

you are upgrading Update Manager instance that uses Microsoft SQL database, the creation of 64-bit

DSN is managed by the installer.

n

See information about Update Manager Compatibility with vCenter Server, vCenter Server Appliance,

vSphere Web Client, and vSphere Client.

Procedure

1 Upgrade vCenter Server to a compatible version.

Note The vCenter Server installation wizard warns you that Update Manager is not compatible when

vCenter Server is upgraded.

If prompted, you must restart the machine that is running vCenter Server. Otherwise, you might not

be able to upgrade Update Manager.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 41

2 In the software installer directory, double-click the autorun.exe file and select vSphere Update

Manager > Server.

If you cannot run autorun.exe, browse to the UpdateManager folder and run VMware-

UpdateManager.exe.

3 Select a language for the installer and click OK.

4 In the upgrade warning message, click OK.

5 Review the Welcome page and click Next.

6 Read and accept the license agreement, and click Next.

7 Review the support information, select whether to download updates from the default download

sources immediately after installation, and click Next.

If you deselect Download updates from default sources immediately after installation,

Update Manager downloads updates once daily according to the default download schedule or

immediately after you click Download Now on the Download Settings page. You can modify the

default download schedule after the installation is complete.

8 Type the vCenter Server system credentials and click Next.

To keep the Update Manager registration with the original vCenter Server system valid, keep the

vCenter Server system IP address and enter the credentials from the original installation.

9 Type the database password for the Update Manager database and click Next.

The database password is required only if the DSN does not use Windows NT authentication.

10 On the Database Upgrade page, select Yes, I want to upgrade my Update Manager database and

I have taken a backup of the existing Update Manager database, and click Next.

11 (Optional) On the Database re-initialization warning page, select to keep your existing remote

database if it is already upgraded to the latest schema.

If you replace your existing database with an empty one, you lose all of your existing data.

12 Specify the Update Manager port settings, select whether you want to configure the proxy settings,

and click Next.

Configure the proxy settings if the computer on which Update Manager is installed has access to the

Internet.

13 (Optional) Provide information about the proxy server and port, specify whether the proxy should be

authenticated, and click Next.

14 Click Install to begin the upgrade.

15 Click Finish.

You upgraded the Update Manager server.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 42

Upgrade the Update Manager Java Components

The required Update Manager Java Components (JRE) are installed or upgraded silently when you install

or upgrade Update Manager. By using a vCenter Server Java components patch, you can also upgrade

Update Manager Java Components separately from Update Manager installer.

By using the separate installer, you can upgrade JRE to a version that is released asynchronously from

Update Manager releases. If an earlier version of JRE is present on the system, this procedure upgrades

it.

When Update Manager runs on the same system as the vCenter Server, if an earlier version of

vCenter Server tc Server is present on that system, this procedure also upgrades the vCenter Server tc

Server component.

During the patch process, the Update Manager undergoes a downtime as the vCenter Server Java

Components patch restarts the Update Manager service.

Prerequisites

n

Download the vCenter Server Java Components patch from VMware downloads page at

https://my.vmware.com/web/vmware/downloads. The name format is VMware-VIMPatch-6.7.0-

build_number-YYYYMMDD.iso.

n

Stop any running Update Manager operations, such as scanning, staging, or remediation.

Procedure

1 On the system where Update Manager is installed, mount the ISO of the vCenter Server Java

Components patch.

2 In Windows Explorer, double-click the file ISO_mount_directory/autorun.exe.

A vCenter Server Java Components Update wizard opens.

3 Click Patch All.

If the Java components on the Update Manager system are up to date, a status message that

confirms that is displayed.

If the Java components on the Update Manager system are not up to date, they are silently upgraded.

When clicking the Patch All button, if vCenter Server, vCenter Single Sign-On, vCenter Inventory

Service, or vSphere Web Client are also installed on the system where Update Manager is installed,

the Java components for all thesevCenter Server components are also silently upgraded.

The Java components are upgraded on the Update Manager system.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 43

Uninstalling Update Manager that Runs on Windows

Update Manager has a relatively small impact on computing resources such as disk space. Unless you

are certain that you want to remove Update Manager, leave an existing installation in place.

When you uninstall the Update Manager server, the Update Manager client interface is automatically

removed from the vSphere Web Client.

Uninstall the Update Manager Server that Runs on Windows

You can uninstall the Update Manager server component.

Procedure

1 From the Windows Start menu, select Settings > Control Panel > Add or Remove Programs.

2 Select VMware vSphere Update Manager and click Remove.

The Update Manager server component is uninstalled from your system. All downloaded metadata and

binaries, as well as log data remain on the machine where Update Manager server was installed.

The Update Manager client interface is automatically removed from the vSphere Web Client.

Best Practices and Recommendations for
Update Manager Environment

You can install Update Manager on the server on which vCenter Server runs or on a different server.

The Update Manager server and client plug-ins must be the same version. Update Manager and

vCenter Server, and the vSphere Web Client must be of a compatible version. For more information about

compatibility, see Update Manager Compatibility with vCenter Server, vCenter Server Appliance, vSphere

Web Client, and vSphere Client.

Update Managerr has two deployment models:

Internet-connected

model

The Update Manager server is connected to the VMware patch repository,

and third-party patch repositories (for ESXi 6.x hosts). Update Manager

works with vCenter Server to scan and remediate the virtual machines,

hosts, and templates.

Air-gap model Update Manager has no connection to the Internet and cannot download

patch metadata. In this model, you can use UMDS to download and store

patch metadata and patch binaries in a shared repository. To scan and

remediate inventory objects, you must configure the Update Manager

server to use a shared repository of UMDS data as a patch datastore. For

more information about using UMDS, see Chapter 6 Installing, Setting Up,

and Using Update Manager Download Service.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 44

Outside of DRS clusters, you might not be able to remediate the host running the Update Manager or

vCenter Server virtual machines by using the same vCenter Server instance, because the virtual

machines cannot be suspended or shut down during remediation. You can remediate such a host by

using separate vCenter Server and Update Manager instances on another host. Inside DRS clusters, if

you start a remediation task on the host running the vCenter Server or Update Manager virtual machines,

DRS attempts to migrate the virtual machines to another host, so that the remediation succeeds. If DRS

cannot migrate the virtual machine running Update Manager or vCenter Server, the remediation fails.

Remediation also fails if you have selected the option to power off or suspend the virtual machines before

remediation.

Update Manager Deployment Models and Their Usage

You can use the different Update Manager deployment models in different cases, depending on the size

of your system.

You can use one of several common host-deployment models for Update Manager server:

All-in-one model vCenter Server and Update Manager server are installed on one host and

their database instances are on the same host. This model is most reliable

when your system is relatively small.

Medium deployment

model

vCenter Server and Update Manager server are installed on one host and

their database instances are on two separate hosts. This model is

recommended for medium deployments, with more than 300 virtual

machines or 30 hosts.

Large deployment

model

vCenter Server and Update Manager server run on different hosts, each

with its dedicated database server. This model is recommended for large

deployments when the datacenters contain more than 1,000 virtual

machines or 100 hosts.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 45

Update Manager in the

vCenter Server Appliance 3

You can use the Update Manager 6.7 as a service of the vCenter Server Appliance 6.7. The

Update Manager server and client components are part of the vCenter Server Appliance.

When you deploy the vCenter Server Appliance, the VMware vSphere Update Manager Extension

service starts automatically.

Attempts to connect Update Manager server during installation on a Windows operating system to a

vCenter Server Appliance fail with an error. Beginning with vSphere 6.5 an later releases, registering a

Update Manager server instance that runs on Windows to a vCenter Server Appliance is not supported.

The Update Manager extension for the vCenter Server Appliance uses a PostgreSQL database that is

bundled with the Appliance. Although the Update Manager and the vCenter Server Appliance share the

same PostgreSQL database server, they have separate database instances. If you must reset the

Update Manager database, the vCenter Server Appliance database remains intact.

After deploying the vCenter Server Appliance, the Update Manager user interfaces are automatically

enabled in both the vSphere Client and the vSphere Web Client. However, there are some differences in

the available Update Manager functionality in the two vSphere clients. For more information, see

Overview of the Update Manager Client Interfaces.

Unlike the Update Manager instance that runs on Windows, with the Update Manager instance that runs

in the vCenter Server Appliance you can make certain configurations changes directly from the

vSphere Web Client. You can change the values for Download patches on service start, Log Level, SOAP

Port, Web Server Port, and Web SSL Port. You can access these settings from System Configuration >

Services, under vSphere Web Client Administration. After you change these settings, restart the VMware

vSphere Update Manager service for the changes to take effect.

For Update Manager that runs in the vCenter Server Appliance the only configuration you cannot change

from the vSphere Web Client is the certificate that Update Manager uses to authenticate to

vCenter Server. You can change the certificate by using the Update Manager Utility.

The Update Manager Utility is also bundled with the vCenter Server Appliance. You can access the

Update Manager Utility from the Bash Shell of the vCenter Server Appliance.

This chapter includes the following topics:

n

Using the Update Manager Client Interfaces with Update Manager Service that Runs in the vCenter

Server Appliance

n

Start, Stop, or Restart Update Manager Service in the vCenter Server Appliance

VMware, Inc.

46

Using the Update Manager Client Interfaces with
Update Manager Service that Runs in the
vCenter Server Appliance

The Update Manager client interface do not require any installation, and is automatically enabled in both

the vSphere Web Client and the vSphere Client after you deploy the vCenter Server Appliance.

With the Update Manager client interface in the vSphere Web Client, you can perform the full set of

operations that Update Manager offers. You can create and manage baselines, attach and detach

baselines to hosts and VMs, scan for compliance, perform upgrade operations on the hosts and update

operations the virtual machines in your environment, manage the Update Manager configuration settings.

With the Update Manager client interface for the vSphere Client, you can perform a limited set of

Update Manager operations. You can create, attach and detach baselines, monitor host and cluster

compliance, remediate hosts and clusters. With vSphere Client 6.7 you cannot change Update Manager

configuration settings, remediate VMs, or change the default options for the remediation process in the

remediation wizard. For any of the limited functionality, you must use the vSphere Web Client.

For more information, see Overview of the Update Manager Client Interfaces.

Start, Stop, or Restart Update Manager Service in the
vCenter Server Appliance

If you make configuration changes to Update Manager settings, you might need restart the

Update Manager service in the vCenter Server Appliance.

Note Starting with vSphere 6.5, all vCenter Server services and some Platform Services Controller

services run as child processes of the VMware Service Lifecycle Manager service.

Prerequisites

Verify that the user you use to log in to the vCenter Server instance is a member of the

SystemConfiguration.Administrators group in the vCenter Single Sign-On domain.

Procedure

1 Log in to the vCenter Server by using the vSphere Web Client.

2 On the vSphere Web Client Home page, click System Configuration.

3 Under System Configuration, click Services.

4 From the Services list, select the VMware vSphere Update Manager service.

5 From the Actions menu, select an operation name.

n

Restart

n

Start

n

Stop

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 47

Migrating Update Manager from
Windows to the

vCenter Server Appliance 4

For vSphere 6.0 and earlier releases, 64-bit Windows operating systems are the only supported host

operating systems for Update Manager. In vSphere 6.5, Update Manager is provided as an optional

service in the vCenter Server Appliance 6.5. VMware provides supported paths for migrating

Update Manager from a Windows operating system to a vCenter Server Appliance 6.5.

You can migrate Update Manager in the following vCenter Server deployments:

Table 4‑1. Supported Migration Paths for Update Manager That Runs on Windows to a
vCenter Server Appliance

Source Configuration Target Configuration

vCenter Server and Update Manager run on the same

Windows machine

vCenter Server Appliance 6.7 with embedded Update Manager

vCenter Server and Update Manager run on different Windows

machines

vCenter Server Appliance 6.7 with embedded Update Manager

Update Manager run on a Windows machine and is connected

to a vCenter Server Appliance

vCenter Server Appliance 6.7 with embedded Update Manager

You can use a GUI method or a CLI method to upgrade or migrate your vCenter Server deployment that

uses external Update Manager instance. If you use the GUI method, you need to perform manual steps

on the Update Manager Windows system. If you use the CLI method, you need to add configuration

parameters about Update Manager in your JSON template.

For detailed information about the GUI method or the CLI upgrade or migration configuration parameters,

see the vSphere Upgrade documentation.

Important Verify that the Update Manager source machine does not run additional extensions that are

connected to other vCenter Server systems, which are not part of your migration.

Before the migration, Update Manager might use any of the supported Microsoft SQL Server, or Oracle,

or the Embedded database solution. After the migration to the vCenter Server Appliance,

Update Manager starts to use the PostgreSQL Database.

After the migration, you can shut down the Update Manager machine. You might need to keep the

Update Manager machine for roll back purposes to the earlier version before the migration.

VMware, Inc.

48

This chapter includes the following topics:

n

Download and Run VMware Migration Assistant on the Source Update Manager Machine

n

Roll Back a Migration of vCenter Server Appliance with Update Manager

Download and Run VMware Migration Assistant on the
Source Update Manager Machine

Before running a migration from vCenter Server that runs on Windows, or upgrading

vCenter Server Appliance that use an external Update Manager, you must download and run the

VMware Migration Assistant on the source Windows physical server or the Windows virtual machine

where Update Manager runs. The VMware Migration Assistant facilitates the migration of the

Update Manager server and database to the vCenter Server Appliance 6.5.

Alternatively, if you plan to perform the CLI method for upgrading your vCenter Server Appliance or

migrating your vCenter Server that runs on Windows, you can skip this procedure, and add the

source.vum section section and run.migration.assistant subsection to your JSON template.

For information about the CLI upgrade or migration configuration parameters, see the vSphere Upgrade

documentation.

Caution It is important to run the VMware Migration Assistant on the source Update Manager machine

before migrating other of the vCenter Server components.

Prerequisites

n

Download the vCenter Server Appliance Installer. For more information, see the vCenter Server

Installation and Setup documentation.

n

Log in to the source Update Manager machine as an administrator.

Procedure

1 From the vCenter Server Appliance installer package, copy the migration-assistant folder to the

source Update Manager machine.

2 From the migration-assistant directory, double-click VMware-Migration-Assistant.exe, and

provide the vCenter Single Sign-On administrator password.

Note Leave the Migration Assistant window open during the migration process. Closing the

Migration Assistant causes the migration process to stop.

The VMware Migration Assistant runs pre-upgrade checks and prompts you to resolve any errors it

finds before starting the upgrade.

When the pre-checks are finished and any errors are addressed, your source Update Manager system is

ready for the migration to the vCenter Server Appliance.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 49

What to do next

Use VMware Migration Assistant to migrate vCenter Server and all its components to

vCenter Server Appliance 6.5.

Roll Back a Migration of vCenter Server Appliance with
Update Manager

You can roll back a vCenter Server Appliance with Update Manager after a migration.

Rolling back to the vCenter Server version before the upgrade or migration requires to shut down the new

appliance and revert to the source appliance or vCenter Server on Windows.

Prerequisites

n

You must have access to the source vCenter Server Appliance.

n

You must have access to the Update Manager source machine on Windows.

Procedure

1 Power off the newly upgraded or migrated vCenter Server Appliance.

2 Power on the vCenter Server Appliance that Update Manager was connected to before the migration.

3 Start the Windows source machine where Update Manager ran before the migration, and rejoin it to

the Active Directory domain.

n

If the source machine was attached to an Active Directory domain and migration failed before

network migration, you do not need to perform any additional steps.

n

If the source machine was attached to an Active Directory domain and the migration failed after

network migration, log in with the local administrator after the machine powers up and rejoin the

machine to the Active Directory domain.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 50

Configuring Update Manager 5

Update Manager uses the default configuration properties unless you have modified them during the

installation process. You can modify the settings in both the vSphere Web Client and vSphere Client.

You can configure and modify the Update Manager settings only if you have the privileges to configure

the Update Manager settings and service. The permission must be assigned to the vCenter Server

system with which Update Manager is registered. For more information about managing users, groups,

roles, and permissions, see the vCenter Server and Host Management documentation. For a list of the

Update Manager privileges and their descriptions, see Update Manager Privileges.

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter

Single Sign-On domain, and multiple vCenter Server instances use Update Manager, you can configure

the settings for each Update Manager instance. The configuration properties that you modify are applied

only to the Update Manager instance that you specify, and are not propagated to the other instances in

the domain.

To change a certain Update Manager setting in the vSphere Web Client, select Home > Update Manager

and from the list of objects, select the name of the vCenter Server system with which the

Update Manager server is registered. The Update Manager settings are available on the Manage tab.

To change a certain Update Manager setting in the vSphere Client, select Home > Update Manager and

clck the Settings tab.

This chapter includes the following topics:

n

Update Manager Network Connectivity Settings

n

Change the Update Manager Network Settings

n

Change the Update Manager Network Settings in the vSphere Web Client

n

Configuring the Update Manager Download Sources

n

Configure the Update Manager Proxy Settings

n

Configure the Update Manager Proxy Settings in the vSphere Web Client

n

Configure Checking for Updates

n

Configure Checking for Updates in the vSphere Web Client

n

Configuring and Viewing Notifications

n

Configuring Host and Cluster Settings

VMware, Inc.

51

n

Take Snapshots Before Remediation

n

Take Snapshots Before Remediation in the vSphere Web Client

n

Configure Smart Rebooting in the vSphere Web Client

n

Configure the Update Manager Patch Repository Location

n

Run the VMware vSphere Update Manager Update Download Task

n

Update Manager Privileges

Update Manager Network Connectivity Settings

You can configure port, IP, and DNS settings during the installation of Update Manager. Those settings do

not depend on your deployment model.

Default Network Ports

You can configure the network port settings during installation or change them later to avoid conflicts with

other applications installed on the same physical machine.

Table 5‑1. Update Manager Default Network Ports

TCP Port Number Description

80 The port used by Update Manager to connect to vCenter Server.

9084 The port used by ESXi hosts to access host patch downloads over

HTTP.

902 The port used by Update Manager to push host upgrade files.

8084 The port used by Update Manager Client plug-in to connect to the

Update Manager SOAP server.

9087 The HTTPS port used by Update Manager Client plug-in to upload

host upgrade files.

IP Address and DNS Name

The Update Manager network settings include the IP address or DNS name that the update utility on

hosts uses to retrieve the patch metadata and binaries from the Update Manager server through HTTP.

You can configure the IP address during installation or you can change it later.

Important To avoid any potential DNS resolution problems, use an IP address whenever possible. If you

must use a DNS name instead of an IP address, ensure that the DNS name you specify can be resolved

by all hosts managed by Update Manager and by vCenter Server.

Update Manager supports Internet Protocol version 6 (IPv6) environments for scanning and remediating

hosts running ESXi 6.0 and later. Update Manager does not support IPv6 for scanning and remediating

virtual machines.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 52

vCenter Server, Update Manager, and your ESXi hosts might exist in a heterogeneous IPv6 and IPv4

network environment. In such an environment, if you use IP addresses and no dual-stack IPv4 or IPv6

DNS servers exist, the ESXi hosts that are configured to use only IPv4 address cannot access the IPv6

network resources. The hosts configured to use only IPv6 cannot access the IPv4 network resources.

You can install Update Manager on a physical machine on which both IPv4 and IPv6 are enabled. During

host operations such as scanning, staging, and remediation, Update Manager provides the address of its

patch store location to the ESXi hosts. If Update Manager is configured to use an IP address, it provides

an IP address of either the IPv4 or IPv6 type, and can be accessed only by some of the hosts. For

example, if Update Manager provides an IPv4 address, the hosts that use only an IPv6 address cannot

access the Update Manager patch store. In such a case, consider the following configuration.

Table 5‑2. Update Manager Configuration

Host IP Version Action

IPv4 Configure Update Manager to use either an IPv4 address or a

host name. Using a host name lets all hosts rely on the DNS

server to resolve to an IPv4 address.

IPv6 Configure Update Manager to use either an IPv6 address or a

host name. Using a host name lets hosts rely on the DNS

server to resolve to an IPv6 address.

IPv4 and IPv6 Configure Update Manager to use either IPv4 or IPv6.

Change the Update Manager Network Settings

Network ports are configured during installation. After installation, you can only edit whether to use an IP

address or host name for the Update Manager patch store.

Prerequisites

n

Cancel all remediation or scanning tasks or wait until they finish.

n

Verify that Update Manager has access to https://www.vmware.com.

n

Verify that outbond ports 80 and 443 are open.

Procedure

1 Use the vSphere Client to log in to a vCenter Server Appliance.

Note In vSphere 6.7 and later, using the Update Manager functionality in the vSphere Client is only

supported for Update Manager that runs in the vCenter Server Appliance.

2 Navigate to Menu > Update Manager.

3 Click the Settings tab.

4 Select Administration Settings > Network Connectivity.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 53

5 Click Edit and select an IP address or a host name for the patch store.

Important Use an IP address whenever possible to avoid any potential DNS resolution problems. If

you must use a DNS name instead of an IP address, ensure that the DNS name you specify can be

resolved from vCenter Server and the hosts that are managed by Update Manager.

Note You can only edit the IP address or host name for the patch store. The ports are defined during

installation.

You can change the ports from the vCenter Server system configuration. For more information, see

"Edit the Settings of Services" in the vCenter Server and Host Management documentation.

Option Description

SOAP port Update Manager client uses this port to communicate with the Update Manager server.

Server port (range: 80,

9000–9100)

Listening port for the Web server that provides access to the patch depot for ESXi hosts.

IP address or host name for

the patch store

The IP address or name of the host where patches are downloaded and stored.

6 Click Save.

What to do next

Restart the Update Manager service for network changes to take effect.

Change the Update Manager Network Settings in the
vSphere Web Client

Network ports are configured during installation. After installation, you can only edit whether to use an IP

address or host name for the Update Manager patch store.

Prerequisites

n

Cancel all remediation or scanning tasks or wait until they finish.

n

Verify that Update Manager has access to https://www.vmware.com.

n

Verify that outbond ports 80 and 443 are open.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Manage tab.

4 Click Settings, and select Network Connectivity.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 54

5 See information about the network connectivity settings for Update Manager.

Option Description

SOAP port Update Manager client uses this port to communicate with

the Update Manager server.

Server port (range: 80, 9000–9100) Listening port for the Web server that provides access to the

patch depot for ESXi hosts.

IP address or host name for the patch store The IP address or name of the host where patches are

downloaded and stored.

Note You can only edit the IP address or host name for the patch store. The ports are defined during

installation.

If you are using Update Manager that runs in the vCenter Server Appliance, you can change the ports

from the vCenter Server system configuration. For more information, see "Edit the Settings of

Services" in the vCenter Server and Host Management documentation.

6 Click Edit, and select an IP address or host name for the patch store.

Important Use an IP address whenever possible to avoid any potential DNS resolution problems. If

you must use a DNS name instead of an IP address, ensure that the DNS name you specify can be

resolved from vCenter Server, and the hosts that are managed by Update Manager.

7 Click OK.

What to do next

Restart the Update Manager service for network changes to take effect.

Configuring the Update Manager Download Sources

You can configure the Update Manager server to download patches and extensions for ESXi hosts either

from the Internet or from a shared repository of UMDS data. You can also import patches and extensions

for ESXi hosts manually from a ZIP file.

If your deployment system is connected to the Internet, you can use the default settings and links for

downloading upgrades, patches, and extensions to the Update Manager repository. You can also add

URL addresses to download third-party patches and extensions. Third-party patches and extensions are

applicable only to hosts that are running ESXi 6.0 and later.

Downloading host patches from the VMware website is a secure process.

n

Patches are cryptographically signed with the VMware private keys. Before you try to install a patch

on a host, the host verifies the signature. This signature enforces the end-to-end protection of the

patch itself, and can also address any concerns about patch download.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 55

n

Update Manager downloads patch metadata and patch binaries over SSL connections.

Update Manager downloads the patch metadata and patch binaries only after verifying both the

validity of the SSL certificates and the common name in the certificates. The common name in the

certificates must match the names of the servers from which Update Manager downloads the

patches.

If your deployment system is not connected to the Internet, you can use a shared repository after

downloading the upgrades, patches, and extensions by using Update Manager Download Service

(UMDS).

For more information about UMDS, see Chapter 6 Installing, Setting Up, and Using Update Manager

Download Service.

Changing the download source from a shared repository to the Internet, and the reverse, is a change in

the Update Manager configuration. The two options are mutually exclusive. You cannot download updates

from the Internet and a shared repository at the same time. To download new data, you must run the

VMware vSphere Update Manager Download task.

If the VMware vSphere Update Manager Update Download task runs when you apply the new

configuration settings, the task continues to use the old settings until it finishes. The next time the task to

download updates starts, it uses the new settings.

With Update Manager, you can import both VMware and third-party patches or extensions manually from

a ZIP file, also called an offline bundle. Import of offline bundles is supported only for hosts that are

running ESXi 6.0 and later. You download the offline bundle ZIP files from the Internet or copy them from

a media drive, and save them on a local or a shared network drive. You can import the patches or

extensions to the Update Manager patch repository later. You can download offline bundles from the

VMware Web site or from the Web sites of third-party vendors.

Note You can use offline bundles for host patching operations only. You cannot use third-party offline

bundles or offline bundles that you generated from custom VIB sets for host upgrade from ESXi 6.0 and

ESXi 6.5 to ESXi 6.7.

Offline bundles contain one metadata.zip file, one or more VIB files, and, optionally, two .xml files:

index.xml and vendor-index.xml.

When you import an offline bundle to the Update Manager patch repository, Update Manager extracts the

bundle and checks whether the metadata.zip file has already been imported. If the metadata.zip file

has never been imported, Update Manager performs sanity testing and imports the files successfully.

After you confirm the import, Update Manager saves the files to the Update Manager database and

copies the metadata.zip file, the VIBs, and the .xml files, if available, to the Update Manager patch

repository.

n

Use the Internet as a Download Source

If your deployment system is connected to the Internet, you can directly download ESXi patches and

extensions.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 56

n

Use the Internet as a Download Source in the vSphere Web Client

If your deployment system is connected to the Internet, you can directly download ESXi patches and

extensions.

n

Add a New Download Source

If you use the Internet as a download source for updates, you can add a third-party URL address to

download patches and extensions for hosts that are running ESXi 6.0 and later.

n

Add a New Download Source in the vSphere Web Client

If you use the Internet as a download source for updates, you can add a third-party URL address to

download patches and extensions for hosts that are running ESXi 6.0 and later.

n

Use a Shared Repository as a Download Source

You can configure Update Manager to use a shared repository as a source for downloading ESXi

patches, extensions, and notifications.

n

Use a Shared Repository as a Download Source in the vSphere Web Client

You can configure Update Manager to use a shared repository as a source for downloading ESXi

patches, extensions, and notifications.

n

Import Patches Manually

Instead of using a shared repository or the Internet as a download source for patches and

extensions, you can import patches and extensions manually by using an offline bundle.

n

Import Patches Manually in the vSphere Web Client

Instead of using a shared repository or the Internet as a download source for patches and

extensions, you can import patches and extensions manually by using an offline bundle.

Use the Internet as a Download Source

If your deployment system is connected to the Internet, you can directly download ESXi patches and

extensions.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

Procedure

1 Use the vSphere Client to log in to a vCenter Server Appliance.

Note In vSphere 6.7 and later, using the Update Manager functionality in the vSphere Client is only

supported for Update Manager that runs in the vCenter Server Appliance.

2 Navigate to Menu > Update Manager.

3 Click the Settings tab.

4 Select Administration Settings > Patch Setup.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 57

5 Click Change Download Source.

The Change Download Source Type dialog box opens.

6 Select the option Download patches directly from the Internet.

7 Click Save.

8 (Optional) Select an item from the Download Source list and click Enable or Disable depending on

whether you want to download updates from that source.

You can choose to download host patches and extensions. You cannot edit the download source

location of the default ESXi patches and extensions. You can only enable or disable downloading.

9 (Optional) Add a third-party download source for hosts that run ESXi 6.0 and later.

What to do next

To download all updates immediately, select Administration Settings > Patch Downloads and click

Download Now.

Use the Internet as a Download Source in the vSphere Web Client

If your deployment system is connected to the Internet, you can directly download ESXi patches and

extensions.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Manage tab.

4 Click Settings, and select Download Setings.

5 In the Download Sources pane, click Edit.

An Edit Download Sources dialog box opens.

6 Select the option Use direct connection to Internet.

7 Select a download source from the list, and click Enable or Disable depending on whether you want

to download updates from that source.

You can choose to download host patches and extensions. You cannot edit the download source

location of the default ESXi patches and extensions. You can only enable or disable downloading.

8 (Optional) Add an extra third-party download source for hosts that are running ESXi 6.0 and later.

9 Click OK to close the Edit Download Sources dialog box.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 58

10 In the Download Sources pane, click Download Now to run the Download patch definitions task.

All notifications and updates are downloaded immediately even if the Enable scheduled download

check box is selected in Manage > Notification Check Schedule or Manage > Download

Schedule, respectively.

Add a New Download Source

If you use the Internet as a download source for updates, you can add a third-party URL address to

download patches and extensions for hosts that are running ESXi 6.0 and later.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

Procedure

1 Use the vSphere Client to log in to a vCenter Server Appliance.

Note In vSphere 6.7 and later, using the Update Manager functionality in the vSphere Client is only

supported for Update Manager that runs in the vCenter Server Appliance.

2 Navigate to Menu > Update Manager.

3 Click the Settings tab.

4 Select Administration Settings > Patch Setup.

5 Click New.

The New Download Source dialog box opens.

6 Enter the URL address of the new download source.

Update Manager supports both HTTP and HTTPS URL addresses. Use HTTPS URL addresses to

download data securely. The URL addresses that you add must be complete and contain the

index.xml file, which lists the vendor and the vendor index.

7 (Optional) Type a short description for the URL.

8 Click Save.

9 (Optional) Configure the proxy settings from the Proxy Settings pane.

The proxy settings for Update Manager are also applicable to third-party URL addresses.

The location is added to the list of Internet download sources.

What to do next

To download all updates immediately, select Administration Settings > Patch Downloads and click

Download Now.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 59

Add a New Download Source in the vSphere Web Client

If you use the Internet as a download source for updates, you can add a third-party URL address to

download patches and extensions for hosts that are running ESXi 6.0 and later.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Manage tab.

4 Click Settings, and select Download Setings.

5 In the Download Sources pane, click Edit.

An Edit Download Sources dialog box opens.

6 Select the option Use direct connection to Internet.

7 Click Add.

An Add Download Source dialog box opens.

8 Enter a URL to a new download source.

Update Manager supports both HTTP and HTTPS URL addresses. Use HTTPS URL addresses, so

that the data is downloaded securely. The URL addresses that you add must be complete and

contain the index.xml file, which lists the vendor and the vendor index.

Note The proxy settings for Update Manager are applicable to third-party URL addresses too. You

can configure the proxy settings from the Proxy Settings pane.

9 Type a short description for the URL, and click OK.

The vSphere Web Client performs validation of the URL.

10 Click OK to close the Edit Download Sources dialog box.

11 In the Download Sources pane, click Download Now to run the Download patch definitions task.

All notifications and updates are downloaded immediately even if the Enable scheduled download

check box is selected in Manage > Notification Check Schedule or Manage > Download

Schedule, respectively.

The location is added to the list of Internet download sources.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 60

Use a Shared Repository as a Download Source

You can configure Update Manager to use a shared repository as a source for downloading ESXi

patches, extensions, and notifications.

Prerequisites

n

Create a shared repository using UMDS, and host the repository on a Web server or a local disk. The

UMDS version must be compatible with your Update Manager installation. For more information

about compatibility, see Compatibility Between UMDS and the Update Manager Server. You can find

the detailed procedure about exporting the upgrades, patch binaries, patch metadata, and

notifications in Export the Downloaded Data.

n

Required privileges: VMware vSphere Update Manager.Configure.

Procedure

1 Use the vSphere Client to log in to a vCenter Server Appliance.

Note In vSphere 6.7 and later, using the Update Manager functionality in the vSphere Client is only

supported for Update Manager that runs in the vCenter Server Appliance.

2 Navigate to Menu > Update Manager.

3 Click the Settings tab.

4 Select Administration Settings > Patch Setup.

5 Click Change Download Source.

The Change Download Source Type dialog box opens.

6 Select the option Download patches from a UMDS shared repository.

7 Enter the path or the URL to the shared repository.

For example, C:\repository_path\, https://repository_path/, or

http://repository_path/.

In these examples, repository_path is the path to the folder with the exported downloaded upgrades,

patches, extensions, and notifications. In an environment where the Update Manager server does not

have direct access to the Internet, but is connected to a physical machine that has access to the

Internet, the folder can be on a Web server.

You can specify an HTTP or HTTPS address, or a location on the disk where Update Manager is

installed. HTTPS addresses are supported without any authentication.

Important You cannot use folders on a network drive as a shared repository. Update Manager does

not download updates from folders on a network share either in the Microsoft Windows Uniform

Naming Convention form (such as \\Computer_Name_or_Computer_IP\Shared), or on a mapped

network drive (for example, Z:\).

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 61

8 Click Save.

The vSphere Client validates the URL.

Important If the updates in the folder that you specify are downloaded with a UMDS version that is

not compatible with the Update Manager version that you use, the validation fails and you receive an

error message.

You must make sure that the validation is successful. If the validation fails, Update Manager reports a

reason for the failure. You can use the path to the shared repository only when the validation is

successful.

The shared repository is used as a source for downloading upgrades, patches, and notifications.

Example: Using a Folder or a Server as a Shared Repository

You can use a folder or a Web server as a shared repository.

n

When you use a folder as a shared repository, repository_path is the top-level directory that stores

the patches and notifications exported from UMDS.

For example, use UMDS to export the patches and notifications to the F:\ drive, which is a drive

mapped to a plugged-in USB device on a physical machine where UMDS is installed. Then, plug in

the USB device to the physical machine where the Update Manager is installed. The device is

mapped as E:\ and the folder to configure as a shared repository in the Update Manager is E:\.

n

When you use a Web server as a shared repository, repository_path is the top-level directory on the

Web server that stores the patches exported from UMDS.

For example, export the patches and notifications from UMDS to C:\docroot\exportdata. If the

folder is configured on a Web server and is accessible from other physical machines at the URL

https://umds_host_name/exportdata, the URL to configure as a shared repository in

Update Manager is https://umds_host_name/exportdata.

What to do next

To download all updates immediately, select Administration Settings > Patch Downloads and click

Download Now.

Use a Shared Repository as a Download Source in the
vSphere Web Client

You can configure Update Manager to use a shared repository as a source for downloading ESXi

patches, extensions, and notifications.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 62

Prerequisites

n

Create a shared repository using UMDS, and host it on a Web server or a local disk. The UMDS

version you use must be of a version compatible with your Update Manager installation. For more

information about the compatibility, see Compatibility Between UMDS and the Update Manager

Server. You can find the detailed procedure about exporting the upgrades, patch binaries, patch

metadata, and notifications in Export the Downloaded Data.

n

Required privileges: VMware vSphere Update Manager.Configure.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Manage tab.

4 Click Settings, and select Download Setings.

5 In the Download Sources pane, click Edit.

An Edit Download Sources dialog box opens.

6 Select the option Use a shared repository.

7 Enter the path or the URL to the shared repository.

For example, C:\repository_path\, https://repository_path/, or

http://repository_path/

In these examples, repository_path is the path to the folder to which you have exported the

downloaded upgrades, patches, extensions, and notifications. In an environment where the

Update Manager server does not have direct access to the Internet, but is connected to a machine

that has Internet access, the folder can be on a Web server.

You can specify an HTTP or HTTPS address, or a location on the disk on which Update Manager is

installed. HTTPS addresses are supported without any authentication.

Important You cannot use folders located on a network drive as a shared repository.

Update Manager does not download updates from folders on a network share either in the Microsoft

Windows Uniform Naming Convention form (such as \\Computer_Name_or_Computer_IP\Shared),

or on a mapped network drive (for example, Z:\).

8 Click OK to close the Edit Download Sources dialog.

The vSphere Web Client performs validation of the URL.

Important If the updates in the folder you specify are downloaded with a UMDS version that is not

compatible with the Update Manager version you use, the validation fails and you receive an error

message.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 63

You must make sure that the validation is successful. If the validation fails, Update Manager reports a

reason for the failure. You can use the path to the shared repository only when the validation is

successful.

9 In the Download Sources pane, click Download Now to run the Download patch definitions task.

All notifications and updates are downloaded immediately even if the Enable scheduled download

check box is selected in Manage > Notification Check Schedule or Manage > Download

Schedule, respectively.

The shared repository is used as a source for downloading upgrades, patches, and notifications.

Example: Using a Folder or a Server as a Shared Repository

You can use a folder or a Web server as a shared repository.

n

When you use a folder as a shared repository, repository_path is the top-level directory where

patches and notifications exported from UMDS are stored.

For example, export the patches and notifications using UMDS to F:\ drive, which is a drive mapped

to a plugged-in USB device on the machine on which UMDS is installed. Then, plug in the USB

device to the machine on which Update Manager is installed. On this machine the device is mapped

as E:\. The folder to configure as a shared repository in the Update Manager is E:\.

n

When you use a Web server as a shared repository, repository_path is the top-level directory on the

Web server where the patches exported from UMDS are stored.

For example, export the patches and notifications from UMDS to C:\docroot\exportdata. If the

folder is configured on a Web server and is accessible from other machines at the URL

https://umds_host_name/exportdata, the URL to configure as a shared repository in

Update Manager is https://umds_host_name/exportdata.

Import Patches Manually

Instead of using a shared repository or the Internet as a download source for patches and extensions,

you can import patches and extensions manually by using an offline bundle.

You can import offline bundles only for hosts that run ESXi 6.0 and later.

Prerequisites

n

The patches and extensions you import must be in ZIP format.

n

Required privileges: VMware vSphere Update Manager.Upload File.Upload File.

Procedure

1 Use the vSphere Client to log in to a vCenter Server Appliance.

Note In vSphere 6.7 and later, using the Update Manager functionality in the vSphere Client is only

supported for Update Manager that runs in the vCenter Server Appliance.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 64

2 Navigate to Menu > Update Manager.

3 Click the Settings tab.

4 Select Administration Settings > Patch Downloads.

5 In thePatch Downloads pane, click Upload From File.

The Import Patches dialog box opens.

6 Click Browse and select a .zip file or enter the URL for the patches that you want to import.

If the upload fails, check whether the structure of the .zip file is correct and whether the

Update Manager network settings are set up correctly.

Local patches are imported immediately.

The Upload offline patches task appears in the Recent Tasks pane.

7 (Optional) To import the patches from the URL, click Import.

You imported the patches into the Update Manager patch repository. You can view the imported patches

on the Update Manager Updates tab.

Import Patches Manually in the vSphere Web Client

Instead of using a shared repository or the Internet as a download source for patches and extensions,

you can import patches and extensions manually by using an offline bundle.

You can import offline bundles only for hosts that are running ESXi 6.0 or later.

Prerequisites

n

The patches and extensions you import must be in ZIP format.

n

Required privileges: VMware vSphere Update Manager.Upload File.Upload File.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Manage tab.

4 Click Settings, and select Download Setings.

5 In the Download Sources pane, click Import Patches.

The Import Patches wizard opens.

6 On the Import Patches page, browse and select the .zip file containing the patches you want to

import.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 65

7 Click Upload file and wait until the file upload completes successfully.

In case of upload failure, check whether the structure of the .zip file is correct, or whether the

Update Manager network settings are set up correctly.

8 On the Ready to complete page, review the patches that you have selected to import into the

repository.

9 Click Finish.

You imported the patches into the Update Manager patch repository. You can view the imported patches

on the Update Manager Patch Repository tab.

Configure the Update Manager Proxy Settings

You can configure Update Manager to download updates from the Internet through a proxy server.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

Procedure

1 Use the vSphere Client to log in to a vCenter Server Appliance.

Note In vSphere 6.7 and later, using the Update Manager functionality in the vSphere Client is only

supported for Update Manager that runs in the vCenter Server Appliance.

2 Navigate to Menu > Update Manager.

3 Click the Settings tab.

4 Select Administration Settings > Patch Setup.

5 In the Proxy Settings pane, click the Edit button.

6 Select the Use proxy check box and enter the proxy server address and port.

7 If the proxy requires authentication, select the Proxy requires authentication check box and provide

a user name and password.

8 (Optional) Click Test Connection to verify that you can connect to the Internet through the proxy.

9 Click Save.

You configured Update Manager to use a proxy server to download upgrades, patches, extensions, and

related metadata from the Internet.

Configure the Update Manager Proxy Settings in the
vSphere Web Client

You can configure Update Manager to download updates from the Internet using a proxy server.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 66

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Manage tab.

4 Click Settings, and select Download Setings.

5 In the Proxy Settings pane, click Edit.

6 Select Use proxy, and change the proxy information.

7 If the proxy requires authentication, select Proxy requires authentication, and provide a user name

and password.

8 (Optional) Click Test Connection to test that you can connect to the Internet through the proxy.

9 Click OK.

You configured Update Manager to use an Internet proxy to download upgrades, patches, extensions,

and related metadata.

Configure Checking for Updates

Update Manager checks for host patches and extensions at regular intervals. The default schedule

settings ensure frequent checks, but you can change the schedule if your environment requires more or

less frequent checks.

If you need the latest host patches and extensions, you might want to reduce the time interval between

checks for updates. Similarly, if you are not concerned about the latest updates, if you want to reduce

network traffic, or if you cannot access the update servers, you might want to increase the time interval

between the checks for updates.

By default, downloading update metadata and binaries is enabled and the respective task is called

VMware vSphere Update Manager Update Download task. You can change/modify the configuration of

the task.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

To download update data, the machine on which Update Manager is installed must have Internet access.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 67

Procedure

1 Use the vSphere Client to log in to a vCenter Server Appliance.

Note In vSphere 6.7 and later, using the Update Manager functionality in the vSphere Client is only

supported for Update Manager that runs in the vCenter Server Appliance.

2 Navigate to Menu > Update Manager.

3 Click the Settings tab.

4 Select Administration Settings > Patch Downloads.

5 In the Automatic Download Settings pane, click the Edit button.

The Edit Settings for Automatic Patch Downloads dialog box appears. The Download patches

check box is selected by default. If you deselect the check box, the automatic task that checks for

notifications is disabled.

6 Configure the download task settings.

a Select the Download patches check box.

b (Optional) Enter a new task name.

Additional details about the task can be entered in the Description text box.

c To receive notification emails after the task finishes, enter one or more emails.

You must configure mail settings for the vSphere Client to be able to use this option. For more

information, see the vCenter Server and Host Management documentation.

d Click Save.

The task runs according to the time you specified.

What to do next

To download all updates immediately, select Administration Settings > Patch Downloads and click

Download Now.

Configure Checking for Updates in the
vSphere Web Client

Update Manager checks for host patches, and extensions at regular intervals. Generally, the default

schedule settings are sufficient, but you can change the schedule if your environment requires more or

less frequent checks.

In some cases you might want to decrease the duration between checks for updates. If you are not

concerned about the latest updates and want to reduce network traffic, or if you cannot access the update

servers, you can increase the duration between checks for updates.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 68

By default the task to download update metadata and binaries is enabled and is called

VMware vSphere Update Manager Update Download task. By modifying this task, you can configure

checking for updates.You can modify the VMware vSphere Update Manager Check Notification task in

one of the following ways:

n

The Configure tab of the Update Manager Administration view.

n

In the vSphere Web Client, navigate to Monitor tab, select the Tasks & Events tab, and select

Scheduled Tasks.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

To download update data, the machine on which Update Manager is installed must have Internet access.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Manage tab.

4 Click Settings, and select Download Schedule.

5 Click Edit.

The Edit Download Schedule wizard opens.

6 Select Enable scheduled task check box, and click Next.

If you deselect the check box, the scheduled task that checks for notifications is disabled. However,

you can still force a check and download notifications by clicking the Download Now button in

Download Settings pane.

7 Specify a task name and, optionally, a description, or keep the defaults.

8 Click Change to specify the time when notification checks run, and click OK.

The Configure Scheduler dialog box opens.

Option Description

Run this action now Runs the notification check immediately.

Schedule this option to run later Runs the notification check at the time that you schedule for the task.

Setup a recurring schedule for this

action

Runs the notification check recurrently at the frequency, interval, and start time

that you schedule for the task.

9 (Optional) Specify one or more email addresses where notifications about patch recalls or email alerts

are sent, and click Next.

You must configure mail settings for the vSphere Web Client system to enable this option. For more

information, see vCenter Server and Host Management.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 69

10 Review the Ready to Complete page, and click Finish.

The task runs according to the time you specified.

Configuring and Viewing Notifications

At regular time intervals, Update Manager contacts VMware and downloads notifications about patch

recalls, new fixes, and alerts.

When patches with issues or potential issues are released, the patch metadata is updated, and

Update Manager marks the patches as recalled. If you try to install a recalled patch, Update Manager

notifies you that the patch is recalled and does not install it on the host. Update Manager notifies you if a

recalled patch is already installed on certain hosts. Update Manager also deletes all the recalled patches

from the patch repository.

When a patch fixing an issue is released, Update Manager downloads the new patch and prompts you to

install it to fix the issues that the recalled patch might cause. If you have already installed a recalled

patch, Update Manager alerts you that the patch is recalled and that you must install the fix that is

available.

Update Manager supports patch recalls for the offline bundles that you have imported. Patches from an

imported offline bundle are recalled when you import a new offline bundle. The metadata.zip file

contains information about the patches that must be recalled. Update Manager removes the recalled

patches from the patch repository and after you import a bundle that contains fixes, Update Manager

notifies you about the fixes and sends email notifications if you have enabled them.

If you use a shared repository as a source for downloading patches and notifications, Update Manager

downloads recall notifications from the shared repository to the Update Manager patch repository, but it

does not send recall email alerts. For more information about using a shared repository, see Use a

Shared Repository as a Download Source orUse a Shared Repository as a Download Source in the

vSphere Web Client.

Note After a download of patch recall notifications, Update Manager flags recalled patches but their

compliance state does not refresh automatically. You must perform a scan to view the updated

compliance state of patches affected by the recall.

Configure Notifications Checks

By default, Update Manager checks regularly for notifications about patch recalls, patch fixes, and alerts.

You can modify this schedule.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

To configure notification checks, make sure that the machine on which Update Manager is installed has

Internet access.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 70

Procedure

1 Use the vSphere Client to log in to a vCenter Server Appliance.

Note In vSphere 6.7 and later, using the Update Manager functionality in the vSphere Client is only

supported for Update Manager that runs in the vCenter Server Appliance.

2 Navigate to Menu > Update Manager.

3 Click the Settings tab.

4 Select Administration Settings > Recall Notifications.

5 Click Edit.

The Edit Settings for Automatic Notification Checks dialog box appears. The Check notification

check box is selected by default. If you deselect the check box, the automatic task that checks for

notifications is disabled.

6 Configure the automatic notification checks.

a Select the Check notification check box.

b Select the start date and the frequency for the download task.

c (Optional) Enter a new task name.

Additional details about the task can be entered in the Description text box.

d To receive notification emails after the task finishes, enter one or more emails.

You must configure mail settings for the vSphere Client to be able to use this option. For more

information, see the vCenter Server and Host Management documentation.

e Click Save.

7 (Optional) Select Settings > Administration Settings > Recall Notifications and click Check

Notifications.

You immediately download all new notifications that are available on the VMware website. The

notifications are downloaded even if you have disabled the automatic notifications checks.

The task runs according to the time you specified.

Configure Notifications Checks in the vSphere Web Client

By default Update Manager checks for notifications about patch recalls, patch fixes, and alerts at certain

time intervals. You can modify this schedule.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

To configure notification checks, make sure that the machine on which Update Manager is installed has

Internet access.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 71

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Manage tab.

4 Click Settings, and select Notification Check Schedule.

5 Click Edit.

The Edit Notifications Check Schedule wizard opens.

6 Select Enable scheduled task check box, and click Next.

If you deselect the check box, the scheduled task that checks for notifications is disabled. However,

you can still force a check and download notifications by clicking the Download Now button in

Download Settings pane.

7 Specify a task name and, optionally, a description, or keep the defaults.

8 Click Change to specify the time when notification checks run, and click OK.

The Configure Scheduler dialog box opens.

Option Description

Run this action now Runs the notification check immediately.

Schedule this option to run later Runs the notification check at the time that you schedule for the task.

Setup a recurring schedule for this

action

Runs the notification check recurrently at the frequency, interval, and start time

that you schedule for the task.

9 (Optional) Specify one or more email addresses where notifications about patch recalls or email alerts

are sent, and click Next.

You must configure mail settings for the vSphere Web Client system to enable this option. For more

information, see vCenter Server and Host Management.

10 Review the Ready to Complete page, and click Finish.

The task runs according to the time you specified.

View Notifications and Run the Notification Checks Task Manually

The notifications that Update Manager downloads are displayed on the Notifications tab in the

Update Manager Home.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 72

Procedure

1 Use the vSphere Client to log in to a vCenter Server Appliance.

Note In vSphere 6.7 and later, using the Update Manager functionality in the vSphere Client is only

supported for Update Manager that runs in the vCenter Server Appliance.

2 Navigate to Menu > Update Manager.

3 Click the Monitor tab.

4 Click the Notifications button.

5 To view notification details, double-click a notification.

6 Select Settings > Administration Settings > Recall Notifications and click Check Notifications.

You immediately download all new notifications that are available on the VMware website. The

notifications are downloaded even if you have disabled the automatic notifications checks.

View Notifications and Run the Notification Checks Task Manually
in the vSphere Web Client

Notifications that Update Manager downloads are displayed on the Notifications tab of the

Update Manager Administration view.

Prerequisites

Connect the vSphere Web Client to a vCenter Server system with which Update Manager is registered,

and on the Home page, click Update Manager icon.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Monitor tab.

4 Click the Notifications tab.

5 To view the notification details, double-click a notification.

6 To check for notifications immediately, click Check Notifications on the upper right of the

notifications list.

You immediately download all new notifications that are available on the VMware website. The

notifications are downloaded even if the Enable scheduled download check box is not selected in

Manage > Settings > Notification Check Schedule.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 73

Types of Update Manager Notifications

Update Manager downloads all notifications that are available on the VMware Web site. Some

notifications can trigger an alarm. By using the Alarm Definitions wizard, you can configure automated

actions to be taken when an alarm is triggered.

Notifications appear in the Notifications tab that is located under the Monitor tab in the Update Manager

Admin View.

Information

notifications

Information notifications do not trigger an alarm. Clicking an information

notification opens the Notification Details window.

Warning notifications Warning notifications trigger an alarm, which appears in the

vSphere Web Client Alarms pane. Warning notifications are typically fixes

for patch recalls. Clicking a warning notification opens the Patch Recall

Details window.

Alert notifications Alert notifications trigger an alarm, which appears in the

vSphere Web Client Alarms pane. Alert notifications are typically patch

recalls. Clicking an alert notification opens the Patch Recall Details window.

Configuring Host and Cluster Settings

There are several host and cluster settings that you can use to organize the Update Manager behavior

during host patch and host upgrade operations.

Host and Cluster Settings

When you update vSphere objects in a cluster with vSphere Distributed Resource Scheduler (DRS),

vSphere High Availability (HA), and vSphere Fault Tolerance (FT) enabled, you can temporarily disable

vSphere Distributed Power Management (DPM), HA admission control, and FT for the entire cluster.

When the update completes, Update Manager restores these features.

Updates might require the host to enter maintenance mode during remediation. Virtual machines cannot

run when a host is in maintenance mode. To ensure availability, vCenter Server can migrate virtual

machines to other ESXi hosts within the cluster before the host is put into maintenance mode.

vCenter Server migrates the virtual machines if the cluster is configured for vSphere vMotion, and if DRS

is enabled.

Еnable Enhanced vMotion Compatibility (EVC) to help ensure vSphere vMotion compatibility between the

hosts in the cluster. EVC ensures that all hosts in a cluster present the same CPU feature set to virtual

machines, even if the actual CPUs on the hosts differ. Use of EVC prevents migrations with

vSphere vMotion from failing because of incompatible CPUs. You can enable EVC only in a cluster where

host CPUs meet the compatibility requirements. For more information about EVC and the requirements

that the hosts in an EVC cluster must meet, see vCenter Server and Host Management.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 74

If a host has no running virtual machines, DPM might put the host in standby mode and interrupt an

Update Manager operation. To make sure that scanning and staging complete successfully,

Update Manager disables DPM during these operations. To ensure a successful remediation, have

Update Manager disable DPM and HA admission control before the remediation operation. After the

operation completes, Update Manager restores DPM and HA admission control. Update Manager

disables HA admission control before staging and remediation but not before scanning.

If DPM has already put hosts in standby mode, Update Manager powers on the hosts before scanning,

staging, and remediation. After the scanning, staging, or remediation is complete, Update Manager turns

on DPM and HA admission control and lets DPM put hosts into standby mode, if needed.

Update Manager does not remediate powered off hosts.

If hosts are put into standby mode and DPM is manually disabled for a reason, Update Manager does not

remediate or power on the hosts.

Within a cluster, temporarily disable HA admission control to let vSphere vMotion to proceed. This action

prevents downtime of the machines on the hosts that you remediate. After the remediation of the entire

cluster, Update Manager restores HA admission control settings.

If FT is turned on for any of the virtual machines on hosts within a cluster, temporarily turn off FT before

performing any Update Manager operations on the cluster. If FT is turned on for any of the virtual

machines on a host, Update Manager does not remediate that host. Remediate all hosts in a cluster with

the same updates, so that FT can be reenabled after the remediation. A primary virtual machine and a

secondary virtual machine cannot reside on hosts of different ESXi version and patch levels.

Host and Cluster Settings with Eect on vSAN Clusters

As you remediate hosts that are part of a vSAN cluster, be aware of the following behavior:

n

The host remediation process might take an extensive amount of time to complete.

n

By design, only one host from a vSAN cluster can be in a maintenance mode at any time.

n

Update Manager remediates hosts that are part of a vSAN cluster sequentially even if you set the

option to remediate the hosts in parallel.

n

If a host is a member of a vSAN cluster, and any virtual machine on the host uses a VM storage

policy with a setting for "Number of failures to tolerate=0", the host might experience unusual delays

when entering maintenance mode. The delay occurs because vSAN has to migrate the virtual

machine data from one disk to another in the vSAN datastore cluster. Delays might take up to hours.

You can work around this by setting the "Number of failures to tolerate=1" for the VM storage policy,

which results in creating two copies of the virtual machine files in the vSAN datastore.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 75

Quick Boot Setting for Optimizing Host Patch and Host Upgrade
Operations

Quick Boot of an ESXi host is a setting that lets Update Manager optimize the remediation time of hosts

that undergo patch and upgrade operations. A patch or upgrade operation does not affect the hardware of

a host. If the Quick Boot feature is enabled, Update Manager skips the hardware reboot (the BIOS or

UEFI firmware reboot). As a result, the time an ESXi host spends in Maintenance Mode shortens and the

risk of failures during remediation is minimized.

Configure Host Settings

ESXi host updates might require that the host enters maintenance mode before the updates are applied.

Update Manager puts ESXi hosts in maintenance mode before applying these updates. You can

configure how Update Manager responds if the host fails to enter maintenance mode.

You cannot use vMotion to migrate virtual machines that run on individual hosts or on hosts that are not in

a cluster. If vCenter Server cannot migrate the virtual machines to another host, you can configure how

Update Manager responds.

Hosts that are in a vSAN cluster can enter maintenance mode only one at a time. This is a peculiarity of

the vSAN cluster.

If a host is a member of a vSAN cluster, and any virtual machine on the host uses a VM storage policy

with a setting for "Number of failures to tolerate=0", the host might experience unusual delays when

entering maintenance mode. The delay occurs because vSAN has to migrate the virtual machine data

from one disk to another in the vSAN datastore cluster. Delays might take up to hours. You can work

around this by setting the "Number of failures to tolerate=1" for the VM storage policy, which results in

creating two copies of the virtual machine files in the vSAN datastore.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

Procedure

1 Use the vSphere Client to log in to a vCenter Server Appliance.

Note In vSphere 6.7 and later, using the Update Manager functionality in the vSphere Client is only

supported for Update Manager that runs in the vCenter Server Appliance.

2 Navigate to Menu > Update Manager.

3 Click the Settings tab.

4 Select Remediation Settings > Hosts.

5 Click Edit.

The Edit Settings for Host Remediation dialog box opens.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 76

6 Select an option from the drop-down menu to determine the change of the power state of the virtual

machines that run on the host to be remediated.

Option Description

Power Off virtual machines Powers off all virtual machines before remediation.

Suspend virtual machines Suspends all running virtual machines before remediation.

Do Not Change VM Power State Leaves virtual machines in their current power state. This is the default setting.

7 (Optional) Select the Retry entering maintenance mode in case of failure check box, and specify

the retry delay, and the number of retries.

If a host fails to enter maintenance mode before remediation, Update Manager waits for the retry

delay period and retries putting the host into maintenance mode as many times as you indicate in the

Number of retries text box.

8 (Optional) Select Allow installation of additional software on PXE booted ESXi hosts check box.

Selecting this option enables installation of software for solutions on PXE booted ESXi hosts in the

vSphere inventory that you manage with this Update Manager instance.

9 (Optional) Select the Migrate powered off and suspended virtual machines to other hosts in the

cluster, if a host must enter maintenance mode check box.

Update Manager migrates the suspended and powered off virtual machines from hosts that must

enter maintenance mode to other hosts in the cluster. You can select to power off or suspend virtual

machines before remediation in the Maintenance Mode Settings pane.

10 Click Save.

These settings become the default failure response settings. You can specify different settings when you

configure individual remediation tasks.

System Requirements for Using Quick Boot During Remediation

The Quick Boot of ESXi hosts is an option that allows Update Manager to reduce the time a host

remediation takes by skipping the physical reboot of the host.

Using Quick Boot is supported with a limited set of hardware platforms, drivers, and is not supported on

ESXi hosts that use TPM or passthru devices. For more information about a host compatibility to Quick

Boot option, see the following KB Article: https://kb.vmware.com/s/article/52477.

Configure Using Quick Boot During Host Remediation in the
vSphere Web Client

Configure Update Manager to reduce the remediation time during host patch or host upgrade operations.

Prerequisites

n

Required privileges: VMware vSphere Update Manager.Configure

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 77

n

Verify your ESXi hosts environment is compatible with Quick Boot. See System Requirements for

Using Quick Boot During Remediation.

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Manage tab.

4 Click Settings, and select Host/Cluster Settings.

5 Click Edit.

The Edit Host/Cluster Settings dialog box opens.

6 Select Enable Quick Boot check box to allow Update Manager to reduce the host reboot time during

remediation.

7 Click OK.

These settings become the default failure response settings. You can specify different settings when you

configure individual remediation tasks.

Configure Host Maintenance Mode Settings in the
vSphere Web Client

ESXi host updates might require that the host enters maintenance mode before they can be applied.

Update Manager puts the ESXi hosts in maintenance mode before applying these updates. You can

configure how Update Manager responds if the host fails to enter maintenance mode.

For hosts in a container different from a cluster or for individual hosts, migration of the virtual machines

with vMotion cannot be performed. If vCenter Server cannot migrate the virtual machines to another host,

you can configure how Update Manager responds.

Hosts that are part of a vSAN cluster can enter maintenance mode only one at a time. This is a specificity

of the vSAN clusters.

If a host is a member of a vSAN cluster, and any virtual machine on the host uses a VM storage policy

with a setting for "Number of failures to tolerate=0", the host might experience unusual delays when

entering maintenance mode. The delay occurs because vSAN has to migrate the virtual machine data

from one disk to another in the vSAN datastore cluster. Delays might take up to hours. You can work

around this by setting the "Number of failures to tolerate=1" for the VM storage policy, which results in

creating two copies of the virtual machine files in the vSAN datastore.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 78

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Manage tab.

4 Click Settings, and select Host/Cluster Settings.

5 Click Edit.

The Edit Host/Cluster Settings dialog box opens.

6 Under Host Settings, select an option from the VM Power state drop-down menu to determine the

change of the power state of the virtual machines that run on the host to be remediated.

The option that you select determines how the power state changes for the virtual machines that run

on the host when the host enters maintenance mode before remediation.

Option Description

Power Off virtual machines Powers off all virtual machines before remediation.

Suspend virtual machines Suspends all running virtual machines before remediation.

Do Not Change VM Power State Leaves virtual machines in their current power state. This is the default setting.

7 (Optional) Select Retry entering maintenance mode in case of failure, and specify the retry delay,

and the number of retries.

If a host fails to enter maintenance mode before remediation, Update Manager waits for the retry

delay period and retries putting the host into maintenance mode as many times as you indicate in

Number of retries.

8 (Optional) Select Temporarily disable any removable media devices that might prevent a host

from entering maintenance mode.

Update Manager does not remediate hosts on which virtual machines have connected CD/DVD or

floppy drives. All removable media drives that are connected to the virtual machines on a host might

prevent the host from entering maintenance mode and interrupt remediation.

After remediation, Update Manager reconnects the removable media devices if they are still available.

9 Click OK.

These settings become the default failure response settings. You can specify different settings when you

configure individual remediation tasks.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 79

Configure Cluster Settings in the vSphere Web Client

For ESXi hosts in a cluster, the remediation process can run either in a sequence or in parallel. Certain

features might cause remediation failure. If you have VMware DPM, HA admission control, or Fault

Tolerance enabled, you should temporarily disable these features to make sure that the remediation is

successful.

Note Remediating hosts in parallel can improve performance significantly by reducing the time required

for cluster remediation. Update Manager remediates hosts in parallel without disrupting the cluster

resource constraints set by DRS. Avoid remediating hosts in parallel if the hosts are part of a vSAN

cluster. Due to the specifics of the vSAN cluster, a host cannot enter maintenance mode while other hosts

in the cluster are currently in maintenance mode.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Manage tab.

4 Click Settings, and select Host/Cluster Settings.

5 Click Edit.

The Edit Host/Cluster Settings dialog box opens.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 80

6 Under Cluster Settings, select the check boxes for options that you want to disable or enable.

Option Description

Distributed Power Management (DPM) VMware DPM monitors the resource use of the running virtual machines in the

cluster. If sufficient excess capacity exists, VMware DPM recommends moving

virtual machines to other hosts in the cluster and placing the original host into

standby mode to conserve power. If the capacity is insufficient, VMware DPM

might recommend returning standby hosts to a powered-on state.

If you do not choose to disable DPM, Update Manager skips the cluster on which

VMware DPM is enabled. If you choose to temporarily disable VMware DPM,

Update Manager disables DPM on the cluster, remediates the hosts in the cluster,

and re-enables VMware DPM after remediation is complete.

High Availability (HA) admission

control

Admission control is a policy used by VMware HA to ensure failover capacity

within a cluster. If HA admission control is enabled during remediation, the virtual

machines within a cluster might not migrate with vMotion.

If you do not choose to disable HA admission control, Update Manager skips the

cluster on which HA admission control is enabled. If you choose to temporarily

disable HA admission control, Update Manager disables HA admission control,

remediates the cluster, and re-enables HA admission control after remediation is

complete.

Fault Tolerance (FT) FT provides continuous availability for virtual machines by automatically creating

and maintaining a secondary virtual machine that is identical to the primary virtual

machine. If you do not choose to turn off FT for the virtual machines on a host,

Update Manager does not remediate that host.

Enable parallel remediation for hosts in

cluster

Update Manager can remediate hosts in clusters in a parallel manner. Update

Manager continuously evaluates the maximum number of hosts it can remediate

in parallel without disrupting DRS settings. If you do not select the option,

Update Manager remediates the hosts in a cluster sequentially.

By design only one host from a vSAN cluster can be in a maintenance mode at

any time. Update Manager remediates hosts that are part of a vSAN cluster

sequentially even if you select the option to remediate them in parallel.

Migrate powered off and suspended

virtual machines to other hosts in the

cluster, if a host must enter

maintenance mode

Update Manager migrates the suspended and powered off virtual machines from

hosts that must enter maintenance mode to other hosts in the cluster. You can

select to power off or suspend virtual machines before remediation in the

Maintenance Mode Settings pane.

7 Click OK.

These settings become the default failure response settings. You can specify different settings when you

configure individual remediation tasks.

Enable Remediation of PXE Booted ESXi Hosts in the
vSphere Web Client

You can configure Update Manager to let other software initiate remediation of PXE booted ESXi hosts.

The remediation installs patches and software modules on the hosts, but typically the host updates are

lost after a reboot.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 81

The global setting in the Update Manager Configuration tab enables solutions such as ESX Agent

Manager or Cisco Nexus 1000V to initiate remediation of PXE booted ESXi hosts. In contrast, the Enable

patch remediation of powered on PXE booted ESXi hosts setting in the Remediate wizard enables

Update Manager to patch PXE booted hosts.

To retain updates on stateless hosts after a reboot, use a PXE boot image that contains the updates. You

can update the PXE boot image before applying the updates with Update Manager, so that the updates

are not lost because of a reboot. Update Manager itself does not reboot the hosts because it does not

install updates requiring a reboot on PXE booted ESXi hosts.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Manage tab.

4 Click Settings, and select Host/Cluster Settings.

5 Click Edit.

The Edit Host/Cluster Settings dialog box opens.

6 Under Host Settings, select Allow installation of additional software on PXE booted ESXi hosts.

Selecting this option enables installation of software for solutions on PXE booted ESXi hosts in the

vSphere inventory that you manage with this Update Manager instance.

7 Click OK.

Take Snapshots Before Remediation

By default, Update Manager is configured to take snapshots of virtual machines before applying updates

to the VMs. If the remediation fails, you can use the snapshot to return the virtual machine to its state

before the remediation.

Update Manager does not take snapshots of fault tolerant virtual machines and virtual machines of virtual

machine hardware version 3. If you decide to take snapshots of such virtual machines, the remediation

might fail.

You can choose to keep snapshots for an indefinite or fixed period of time. Use the following guidelines

when managing snapshots.

n

Keeping snapshots indefinitely might consume a large amount of disk space and degrade virtual

machine performance.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 82

n

Keeping no snapshots saves space, ensures best virtual machine performance, and might reduce the

time needed to complete remediation. However, keeping no snapshots limits the availability of a

rollback.

n

Keeping snapshots for a set period of time uses less disk space and offers a backup for a short time.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

Procedure

1 Use the vSphere Client to log in to a vCenter Server Appliance.

Note In vSphere 6.7 and later, using the Update Manager functionality in the vSphere Client is only

supported for Update Manager that runs in the vCenter Server Appliance.

2 Navigate to Menu > Update Manager.

3 Click the Settings tab.

4 Select Remediation Settings > VMs.

5 Click Edit.

The Edit Default Settings for VM Rollback dialog box opens.

6 Configure the settings for VM Rollback.

a To enable or disable taking of snapshots of virtual machines before remediating them, select or

deselect the Take snapshot of VMs check box.

The option to take snapshots is selected by default.

b Configure snapshots.

n

Keep snapshots indefinitely.

n

Keep snapshots for a fixed period.

7 Click Save.

These settings become the default rollback option settings for virtual machines. You can specify different

settings when you configure individual remediation tasks.

Take Snapshots Before Remediation in the
vSphere Web Client

By default, Update Manager is configured to take snapshots of virtual machines before applying updates.

If the remediation fails, you can use the snapshot to return the virtual machine to the state before the

remediation.

Update Manager does not take snapshots of fault tolerant virtual machines and virtual machines that are

running virtual machine hardware version 3. If you decide to take snapshots of such virtual machines, the

remediation might fail.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 83

You can choose to keep snapshots indefinitely or for a fixed period. Use the following guidelines when

managing snapshots:

n

Keeping snapshots indefinitely might consume a large amount of disk space and degrade virtual

machine performance.

n

Keeping no snapshots saves space, ensures best virtual machine performance, and might reduce the

amount of time it takes to complete remediation, but limits the availability of a rollback.

n

Keeping snapshots for a set period uses less disk space and offers a backup for a short time.

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Manage tab.

4 Click Settings, and select VM Settings.

5 Click Edit.

The Edit VM Settings dialog box opens.

6 To enable or disable taking of snapshots of virtual machines before remediating them, select the Take

a snapshot of the virtual machines before remediation to enable rollback check box.

The option to take snapshots is selected by default.

7 Configure snapshots to be kept indefinitely or for a fixed period.

8 Click Apply.

These settings become the default rollback option settings for virtual machines. You can specify different

settings when you configure individual remediation tasks.

Configure Smart Rebooting in the vSphere Web Client

Smart rebooting selectively restarts the virtual machines in the vApp to maintain startup dependencies.

You can enable and disable smart rebooting of virtual machines in a vApp after remediation.

A vApp is a prebuilt software solution, consisting of one or more virtual machines and applications, which

are potentially operated, maintained, monitored, and updated as a unit.

Smart rebooting is enabled by default. If you disable smart rebooting, the virtual machines are restarted

according to their individual remediation requirements, disregarding existing startup dependencies.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 84

Prerequisites

Required privileges: VMware vSphere Update Manager.Configure

Procedure

1 In the Home view of the vSphere Web Client, select the Update Manager icon.

2 From the Objects tab, select an Update Manager instance.

The Objects tab also displays all the vCenter Server system to which an Update Manager instance is

connected.

3 Click the Manage tab.

4 Click Settings, and click vApp Settings.

5 Click Edit.

The vApp Settings dialog box opens.

6 Click the Enable smart reboot after remediation check box to enable or disable smart rebooting.

Configure the Update Manager Patch Repository Location

When you install Update Manager, you can select the location for storing the downloaded patches and

upgrade binaries. To change the location after installation, you must manually edit the vci-

integrity.xml file.

Procedure

1 Log in as an administrator to the machine on where Update Manager server runs.

2 Stop the Update Manager service.

a Right-click My Computer and click Manage.

b In the left pane, expand Services and Applications, and click Services.

c In the right pane, right-click VMware vSphere Update Manager Service and click Stop.

3 Navigate to the Update Manager installation directory and locate the vci-integrity.xml file.

The default location is C:\Program Files (x86)\VMware\Infrastructure\Update Manager.

4 (Optional) In case you want to revert to the previous configuration, create a backup copy of this file.

5 Edit the file by changing the following items:

<patchStore>your_new_location</patchStore>

The default patch download location is

C:\Documents and Settings\All Users\Application Data\VMware\VMware Update Manage

r\Data\.

The directory path must end with \.

6 Save the file in UTF-8 format, replacing the existing file.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 85

7 Copy the contents from the old patch store directory to the new folder.

8 Start the Update Manager service by right-clicking VMware vSphere Update Manager Service in

the Computer Management window and selecting Start.

Run the VMware vSphere Update Manager Update
Download Task

If you change the patch download source settings, you must run the VMware vSphere Update Manager

Update Download task to download any new patches, extensions, and notifications.

Procedure

1 In the vSphere Web Client, select an inventory object, and select the Monitor tab.

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter

Single Sign-On domain, specify the Update Manager instance to configure.

2 Click the Task & Events tab, and select Scheduled Tasks.

3 Right-click the VMware vSphere Update Manager Update Download task, and select Run.

You can see the running task listed in the Recent Tasks pane.

Update Manager Privileges

To configure Update Manager settings, to manage baselines, patches, and upgrades, you must have the

proper privileges. You can assign Update Manager privileges to different roles from the

vSphere Web Client and the vSphere Client.

Update Manager privileges cover distinct functionalities.

Table 5‑3. Update Manager Privileges

Privilege Group Privilege Description

Configure Configure Service Configure the Update Manager service and

the scheduled patch download task.

Manage Baseline Attach Baseline Attach baselines and baseline groups to

objects in the vSphere inventory.

Manage Baseline Create, edit, or delete baseline and baseline

groups.

Manage Patches and Upgrades Remediate to Apply Patches,

Extensions, and Upgrades

Remediate virtual machines and hosts to apply

patches, extensions, or upgrades. In addition,

this privilege allows you to view compliance

status.

Scan for Applicable Patches,

Extensions, and Upgrades

Scan virtual machines and hosts to search for

applicable patches, extensions, or upgrades.

Stage Patches and Extensions Stage patches or extensions to hosts. In

addition, this privilege allows you to view

compliance status of the hosts.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 86

Table 5‑3. Update Manager Privileges (Continued)

Privilege Group Privilege Description

View Compliance Status View baseline compliance information for an

object in the vSphere inventory.

Upload File Upload File Upload upgrade images and offline patch

bundles.

For more information about managing users, groups, roles, and permissions, see vCenter Server and

Host Management.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 87

Installing, Setting Up, and Using
Update Manager Download

Service 6

VMware vSphere Update Manager Download Service (UMDS) is an optional module of Update Manager.

UMDS downloads patch metadata, patch binaries, and notifications that would not otherwise be available

to the Update Manager server.

For security reasons and deployment restrictions, vSphere, including Update Manager, might be installed

in a secured network that is disconnected from other local networks and the Internet. Update Manager

requires access to patch information to function properly. If you are using such an environment, you can

install UMDS on a computer that has Internet access to download upgrades, patch binaries, and patch

metadata, and then export the downloads to a portable media drive so that they become accessible to the

Update Manager server.

In a deployment where the machine on which Update Manager is installed has no Internet access, but is

connected to a server that has Internet access, you can automate the export process and transfer files

from UMDS to the Update Manager server by using a Web server on the machine on which UMDS is

installed.

UMDS 6.7 supports patch recalls and notifications. A patch is recalled if the released patch has problems

or potential issues. After you download patch data and notifications with UMDS, and export the

downloads so that they become available to the Update Manager server, Update Manager deletes the

recalled patches and displays the notifications on the Update Manager Notifications tab. For more

information about patch recalls and notifications, see Configuring and Viewing Notifications.

With Update Manager release 6.7, the UMDS is available for installation on Windows and Linux-based

operating systems. The machine on which you install UMDS must have Internet access.

For UMDS that runs on Windows, only Administrator or users that are part of the Administrators group

can download patches. Administrator access is not a requirement for downloading patches with UMDS

that runs on Linux.

This chapter includes the following topics:

n

Compatibility Between UMDS and the Update Manager Server

n

Installing UMDS on a Windows Operating System

n

Installing and Upgrading UMDS on a Linux-Based Operating System

n

Setting Up and Using UMDS

VMware, Inc.

88

Compatibility Between UMDS and the Update Manager
Server

UMDS must be of the same version as the Update Manager server.

For example, Update Manager 6.7 is compatible and can work only with UMDS 6.7. If you are using

Update Manager server of 6.7 Update release version, UMDS must be of the same 6.7 Update release

version.

Installing UMDS on a Windows Operating System

You can install and use UMDS to download patch binaries, patch metadata, and notifications if

Update Manager does not have access to the Internet. The machine on which you install UMDS must

have Internet access.

Note You cannot upgrade UMDS 6.0 or UMDS 6.5 to UMDS 6.7. You can perform a fresh installation of

UMDS 6.7 according to all system requirements, and use an existing patch store from UMDS 6.0 or

UMDS 6.5. You can install UMDS only on 64-bit machines.

Installing UMDS 6.7 in an Environment With Update Manager 6.7
Instances Only

In the UMDS 6.7 installation wizard for Windows, you can select the patch store to be an existing

download directory from an earlier UMDS 6.0 or UMDS 6.5 installation and reuse the applicable

downloaded updates in UMDS 6.7. You must uninstall existing UMDS 6.0 or UMDS 6.5 instances before

reusing the patch store. Once you associate an existing download directory with UMDS 6.7, you cannot

use it with earlier UMDS versions.

If you install UMDS with an existing download directory, make sure that you perform at least one

download by using UMDS 6.7 before you export updates.

Installing UMDS 6.7 in an Environment With Both Update Manager

6.0 and Update Manager 6.7 Instances

You must not install UMDS 6.7 with an existing UMDS 6.5 download directory if your environment

contains both Update Manager 6.5 and Update Manager 6.7 instances. In such a case, you need a

UMDS 6.5 and a UMDS 6.7 installation on two separate machines, so that you can export updates for the

respective Update Manager versions.

Regardless of the version, you must not install the UMDS on the same machine as the Update Manager

server.

Install UMDS on a Windows Operating System

Install UMDS if the machine on which Update Manager is installed does not have access to the Internet.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 89

Prerequisites

n

Verify that the machine on which you install UMDS has Internet access, so that UMDS can download

upgrades, patch metadata, and patch binaries.

n

Uninstall any 6.5 or earlier instance of UMDS if it is installed on the machine. If such a version of

UMDS is already installed, the installation wizard displays an error message and the installation

cannot proceed.

n

UMDS and Update Manager must be installed on different machines.

n

To ensure optimal performance, install UMDS on a system with requirements same as the ones for

the Update Manager server listed in System Requirements.

n

Update Manager installation requires installation of the Microsoft .NET framework 4.7. Consider the

following before proceeding with the installation.

n

Installing Microsoft .NET framework 4.7 is not supported on Microsoft Windows Server 2008

Service Pack 2 64-bit.

n

Installing Microsoft .NET framework 4.7 might require you to install some additional Windows

updates. Relevant links to the Windows updates are provided during the Microsoft .NET

framework 4.7.

n

Installing Microsoft .NET framework 4.7 might require you to reboot your host operating system.

n

If you plan to install Update Manager server on the same Windows machine where

vCenter Server runs (typical installation), the vCenter Server service might temporarily disconnect

if the a reboot is invoked on the system by the .NET Microsoft .NET framework 4.7 installation.

n

After installing or upgrading the Microsoft .NET framework 4.7, follow the prompts of the

Update Manager server or the UMDS installation wizards.

Procedure

1 Mount the ISO image of the vCenter Server installer to the Windows virtual machine or physical

server on which you want to install the vSphere Update Manager Download Service (UMDS).

2 In the mounted directory, double-click the autorun.exe file of the VMware vCenter Installer, and

select vSphere Update Manager > Download Service.

3 Select the option to install the Microsoft .NET framework 4.7.

Note If you do not select to install Microsoft .NET framework 4.7, the Update Manager Download

Service installation will fail with an error message.

4 On the VMware vCenter Installer, click Install.

The VMware vCenter Installer wizard remains open, and a language selection dialog box opens.

5 Select the language for the vSphere Update Manager Download Service installer, and click OK.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 90

6 (Optional) If the wizard prompts you, install the required items such as Windows Installer 4.5.

This step is required only if Windows Installer 4.5 is not present on your machine and you must

perform it the first time you install a vSphere 5.x product. After the system restarts, the installer starts

again.

7 Review the Welcome page and click Next.

8 Read and accept the license agreement, and click Next.

9 Accept the terms in the license agreement and click Next.

10 Enter the Update Manager Download Service proxy settings and click Next.

11 Select the Update Manager Download Service installation and patch download directories and click

Next.

If you do not want to use the default locations, you can click Change to browse to a different

directory. You can select the patch store to be an existing download directory from a previous UMDS

6.0 or UMDS 6.5 installation and reuse the applicable downloaded updates in UMDS 6.7. After you

associate an existing download directory with UMDS 6.7, you cannot use it with earlier UMDS

versions.

12 (Optional) In the warning message about the disk free space, click OK.

13 Click Install to begin the installation.

14 Click OK in the Warning message notifying you that .NET Framework 4.7 is not installed.

The UMDS installer installs the prerequisite before the actual product installation.

15 Click Finish.

UMDS is installed.

Installing and Upgrading UMDS on a Linux-Based
Operating System

In vSphere 6.7 release, the UMDS 6.7 is bundled with the vCenter Server Appliance 6.7. You can use the

UMDS bundle from the vCenter Server Appliance to install UMDS 6.7 on a separate Linux-based system.

UMDS is a 64-bit application and requires a 64-bit Linux-based system.

You cannot upgrade UMDS that runs on a Linux-based operating system. You can uninstall the current

version of UMDS, perform a fresh installation of UMDS according to all system requirements, and use the

existing patch store from the UMDS that you uninstalled.

Supported Linux-Based Operating Systems for Installing UMDS

The Update Manager Download Service (UMDS) can run on a limited number of Linux-based operating

systems.

n

Ubuntu 14.0.4

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 91

n

Ubuntu 18.04

n

Red Hat Enterprise Linux 7.4

n

Red Hat Enterprise Linux 7.5

Install UMDS on a Linux OS

If the vCenter Server Appliance 6.7 in which Update Manager runs does not have access to the Internet,

you can install UMDS on a Linux-based operating system to download patch binaries and metadata.

Prerequisites

n

Verify you have administrative privileges on the Linux machine where you install the UMDS.

n

Mount the ISO file of the vCenter Server Appliance 6.7 to the Linux machine.

Procedure

1 In the Linux machine, open the Command Shell.

2 From the vCenter Server Appliance ISO that you mounted to the Linux machine, copy the VMware-

UMDS-6.7.0.-build_number.tar.gz file to the Linux machine.

3 Unarchive the VMware-UMDS-6.7.0.-build_number.tar.gz file, and navigate to the newly

extracted directory /vmware-umds-distrib.

For example, if you unarchived the VMware-UMDS-6.7.0.-build_number.tar.gz file, to a directory

you created with the name umds, your navigation path is /umds/vmware-umds-distrib.

4 Run the file UMDS installation script.

The script has the following filename: vmware-install.pl.

5 Read and accept the EULA.

6 Select a directory where to install the UMDS.

7 Enter the UMDS proxy settings.

You can also change proxy configuration after you install UMDS by using the following command:

vmware-umds -S --proxy <proxyAddress:port>

8 Select a directory where to store the patches.

Important The patch store directory must be different from the UMDS installation directory.

UMDS is installed.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 92

Uninstall UMDS from a Linux OS

To use the latest version of the Update Manager Download Service (UMDS) on your Linux-based system,

first you must uninstall the current version of UMDS. No direct upgrade path is available to a later version

of UMDS, which runs on a Linux-based system.

Prerequisites

n

Verify you have administrative privileges on the Linux machine where UMDS runs.

Procedure

1 In the Linux machine, open the Command Shell.

2 Navigate to the UMDS installation directory, and locate the file vmware-uninstall-umds.pl.

3 Run the following command:

./vmware-uninstall-umds.pl

4 To confirm that you want to uninstall UMDS from the system, enter Yes.

The UMDS uninstallation procedure starts.

5 (Optional) Remove PostgreSQL Database from you Linux machine.

For information about uninstalling PostgreSQL Database, go to the official PostgreSQL

documentation.

UMDS is uninstalled from the Linux system.

What to do next

You can upgrade your Linux OS, and install a later compatible version of UMDS.

Setting Up and Using UMDS

You can set up UMDS to download patches and notifications for ESXi hosts. You can also set up UMDS

to download ESXi 6.0, ESXi 6.5, and ESXi 6.7 patch binaries, patch metadata, and notifications from

third-party portals.

For UMDS that runs on Windows, only Administrator or users that are part of the Administrators group

can download patches. Administrator access is not a requirement for downloading patches with UMDS

that runs on Linux.

After you download the upgrades, patch binaries, patch metadata, and notifications, you can export the

data to a Web server or a portable media drive and set up Update Manager to use a folder on the Web

server or the media drive (mounted as a local disk) as a shared repository.

You can also set up UMDS to download ESXi 6.0, ESXi 6.5, and ESXi 6.7 patches and notifications from

third-party portals.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 93

To use UMDS, the machine on which you install it must have Internet access. After you download the

data you want, you can copy it to a local Web server or a portable storage device, such as a CD or USB

flash drive.

The best practice is to create a script to download the patches manually and set it up as a Windows

Scheduled Task that downloads the upgrades and patches automatically.

Set Up the Data to Download with UMDS

By default UMDS downloads patch binaries, patch metadata, and notifications for hosts. You can specify

which patch binaries and patch metadata to download with UMDS.

Procedure

1 Log in to the machine where UMDS is installed, and open a Command Prompt window.

2 Navigate to the directory where UMDS is installed.

n

The default location in 64-bit Windows is C:\Program Files

(x86)\VMware\Infrastructure\Update Manager.

n

The default location in 64-bit Linux is /usr/local/vmware-umds.

3 Specify the updates to download.

n

To set up a download of all ESXi host updates run the following command:

vmware-umds -S --enable-host

n

To disable the download of host updates, run the following command:

vmware-umds -S --disable-host

What to do next

Download the selected data.

Change the UMDS Patch Repository Location

UMDS downloads upgrades, patch binaries, patch metadata, and notifications to a folder that you can

specify during the UMDS installation.

The default folder to which UMDS downloads patch binaries and patch metadata on a Windows machine

is C:\Documents and Settings\All Users\Application Data\VMware\VMware Update

Manager\Data.

The default folder to which UMDS downloads patch binaries and patch metadata on a Linux machine

is /var/lib/vmware-umds .

You can change the folder in which UMDS downloads data after you install UMDS.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 94

If you have already downloaded any host updates, make sure that you copy all the files and folders from

the old location to the new patch store location. The folder in which UMDS downloads patch binaries and

patch metadata must be located on the machine on which UMDS is installed.

Procedure

1 Log in as an administrator to the machine where UMDS is installed, and open a Command Prompt

window.

2 Navigate to the directory where UMDS is installed.

n

The default location in 64-bit Windows is C:\Program Files

(x86)\VMware\Infrastructure\Update Manager.

n

The default location in 64-bit Linux is /usr/local/vmware-umds.

3 Change the patch repository directory by running the command:

vmware-umds -S --patch-store your_new_patchstore_folder

In this example, your_new_patchstore_folder is the path to the new folder in which you want to

download the patch binaries and patch metadata.

You successfully changed the directory in which UMDS stores patch data.

What to do next

Download data using UMDS.

Configure URL Addresses for Hosts

You can configure UMDS to connect to the websites of third-party vendors to download ESXi 6.0, ESXi

6.5, and ESXi 6.7 host patches and notifications.

Procedure

1 Log in to the machine where UMDS runs, and open a Command Prompt window.

2 Navigate to the directory where UMDS is installed.

n

The default location in 64-bit Windows is C:\Program Files

(x86)\VMware\Infrastructure\Update Manager.

n

The default location in 64-bit Linux is /usr/local/vmware-umds.

3 Configure UMDS to download data from the new URL address.

u

To add a new URL address for downloading patches and notifications for ESXi 6.0, ESXi 6.5, or

ESXi 6.7 hosts, run the following command:

vmware-umds -S --add-url https://host_URL/index.xml --url-type HOST

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 95

4 (Optional) Remove a URL address, so that UMDS does not download data from it anymore.

Downloaded data is retained and can be exported.

n

If you are using UMDS on a Windows machine, use the following command:

vmware-umds.exe -S --remove-url https://URL_to_remove/index.xml

n

If you are using UMDS on a Linux machine, use the following command:

vmware-umds -S --remove-url https://URL_to_remove/index.xml

You configured UMDS to download host patches and notifications from specific URL addresses.

What to do next

Download the patches and notifications by using UMDS.

Download the Specified Data Using UMDS

After you set up UMDS, you can download upgrades, patches and notifications to the machine on which

UMDS is installed.

Prerequisites

n

If you are using UMDS on Windows, log in as an Administrator, or a user that belongs to the

Administrators group. Administrator level access is not a requirement for downloading data with

UMDS that runs on Linux.

Procedure

1 Log in to the machine where UMDS is installed, and open a Command Prompt window.

2 Navigate to the directory where UMDS is installed.

n

The default location in 64-bit Windows is C:\Program Files

(x86)\VMware\Infrastructure\Update Manager.

n

The default location in 64-bit Linux is /usr/local/vmware-umds.

3 Download the selected updates.

vmware-umds -D

This command downloads all the upgrades, patches and notifications from the configured sources for

the first time. Subsequently, it downloads all new patches and notifications released after the previous

UMDS download.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 96

4 (Optional) If you have already downloaded upgrades, patches, and notifications and want to

download them again, you can include the start and end times to restrict the data to download.

The command to re-download patches and notifications deletes the existing data from the patch store

(if present) and re-downloads it.

To re-download the upgrades, patches and notifications that were downloaded in November 2010, for

example, run the following command:

vmware-umds -R --start-time 2010-11-01T00:00:00 --end-time 2010-11-30T23:59:59

The data previously downloaded for the specified period is deleted and downloaded again.

What to do next

Export the downloaded upgrades, patches, and notifications.

Export the Downloaded Data

You can export downloaded upgrades, patches, and notifications to a specific location that serves as a

shared repository for Update Manager. You can configure Update Manager to use the shared repository

as a patch download source. The shared repository can also be hosted on a Web server.

Prerequisites

n

If you are using UMDS on Windows, log in as an Administrator, or a user that belongs to the

Administrators group. Administrator level access is not a requirement for exporting the downloaded

data with UMDS that runs on Linux.

n

If you installed UMDS with an existing download directory, make sure that you perform at least one

download by using UMDS 6.7 before you export updates.

Procedure

1 Log in to the machine where UMDS is installed and open a Command Prompt window.

2 Navigate to the directory where UMDS is installed.

n

The default location in 64-bit Windows is C:\Program Files

(x86)\VMware\Infrastructure\Update Manager.

n

The default location in 64-bit Linux is /usr/local/vmware-umds.

3 Specify the export parameters and export the data.

vmware-umds -E --export-store repository_path

In the command, you must specify the full path of the export directory.

If you are working in a deployment in which the Update Manager server is installed on a machine

connected to the machine on which UMDS is installed, repository_path can be the path to the folder

on the Web server that serves as a shared repository.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 97

If the Update Manager server is installed on a machine in an isolated and secure environment,

repository_path can be the path to a portable media drive. Export the downloads to the portable

media drive to physically transfer the patches to the machine on which Update Manager is installed.

The data you downloaded by using UMDS is exported to the path you specify. Make sure that all files

are exported. You can periodically perform export from UMDS and populate the shared repository so

that Update Manager can use the new patch binaries and patch metadata.

4 (Optional) You can export the ESXi patches that you downloaded during a specified time window.

For example, to export the patches downloaded in November 2010, run the following command:

vmware-umds -E --export-store repository-path --start-time 2010-11-01T00:00:00 --end-time

2010-11-30T23:59:59

What to do next

Configure Update Manager to use a shared repository as a patch download source. For more information,

see Use a Shared Repository as a Download Source in the vSphere Web Client.

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 98

Working with Baselines and

Baseline Groups 7

Update Manager baselines are hosts baselines and virtual machine baselines. To upgrade objects in your

vSphere inventory, you can use predefines baselines, system-managed baselines, or custom baselines

that you create.

When you scan hosts and virtual machines you evaluate them against baselines and baseline groups to

determine their level of compliance.

In the vSphere Web Client, the baselines and baseline groups are displayed on the Host Baselines and

VMs Baselines tabs of the Update Manager Admin view.

Depending on the purpose for which you want to use them, host baselines can contain a collection of one

or more patches, extensions, or upgrades. Therefore host baselines are upgrade, extension, or patch

baselines. To update or upgrade your hosts you can use the Update Manager default baselines, or

custom baselines that you create.

The VMs baselines are predefined. You cannot create custom VMs baselines.

The default baselines are the predefined and system managed baselines.

System Managed Baselines

The Update Manager displays system managed baselines that are generated by vSAN. These baselines

appear by default when you use vSAN clusters with ESXi hosts of version 6.0 Update 2 and later in your

vSphere inventory. If your vSphere environment does not contain any vSAN clusters, no system managed

baselines are created.

The system managed baselines automatically update their content periodically, which requires Update

Manager to have constant access to the Internet. The vSAN system baselines are typically refreshed

every 24 hours.

You can use the system managed baselines to upgrade your vSAN clusters to recommended critical

patches, drivers, updates or latest supported ESXi host version for vSAN.

Predefined Baselines

Predefined baselines cannot be edited or deleted, you can only attach or detach them to the respective

inventory objects.

VMware, Inc.

99

Under the Host Baselines tab in Update Manager Admin view, you can see the following predefined

baselines:

Critical Host Patches

(Predefined)

Checks ESXi hosts for compliance with all critical patches.

Non-Critical Host

Patches (Predefined)

Checks ESXi hosts for compliance with all optional patches.

Under the VMs Baselines tab in Update Manager Admin view, you can see the following predefined

baselines:

VMware Tools Upgrade

to Match Host

(Predefined)

Checks virtual machines for compliance with the latest VMware Tools

version on the host. Update Manager supports upgrading of VMware Tools

for virtual machines on hosts that are running ESXi 6.0.x and later.

VM Hardware Upgrade

to Match Host

(Predefined)

Checks the virtual hardware of a virtual machine for compliance with the

latest version supported by the host. Update Manager supports upgrading

to virtual hardware version vmx-14 on hosts that are running ESXi 6.7.

Custom Baselines

Custom baselines are the baselines you create.

If your vCenter Server system is connected to other vCenter Server systems by a common vCenter

Single Sign-On domain and you have an Update Manager instance for each vCenter Server system in the

group, the baselines and baseline groups you create and manage are applicable only to inventory objects

managed by the vCenter Server system with which the selected Update Manager instance is registered.

You can use an Update Manager instance only with a vCenter Server system with which the instance is

registered.

Baseline Groups

Baseline groups are assembled from existing baselines. A baseline group might contain one upgrade

baseline, and one or more patch and extension baselines, or might contain a combination of multiple

patch and extension baselines.

To create, edit, or delete baselines and baseline groups, you must have the Manage Baseline privilege.

To attach baselines and baseline groups, you must have the Attach Baseline privilege. Privileges must

be assigned on the vCenter Server system with which Update Manager is registered. For more

information about managing users, groups, roles, and permissions, see vCenter Server and Host

Management. For a list of Update Manager privileges and their descriptions, see Update Manager

Privileges.

This chapter includes the following topics:

n

Creating and Managing Baselines

n

Creating and Managing Baseline Groups

vSphere Update Manager Installation and Administration Guide

VMware, Inc. 100