Home > Blogs > VMware vSphere Blog

Quickest Way to Patch an ESX/ESXi Using the Command-line

By William Lam, Sr. Technical Marketing Engineer

As you know, when it comes to automating patch management for your vSphere infrastructure, we highly recommend leveraging our vSphere Update Manager (VUM) which is part of the vSphere vCenter Suite to help simplify the update process. Though not all environments have the luxury of running vCenter Server to manage their ESX(i) hosts. An example of this could be 1-2 hosts running at a ROBO (remote office/branch office) site or single test/dev host in a home or office lab where VUM is not available.

However, it is still possible to patch/upgrade your ESX(i) host using the command-line without the need of VUM, but you will have to manually identify the patch dependencies and ensure host compliance.

Depending on the version of ESX or ESXi you are running, you may have several options that could include local and/or remote command-line utilities that are available in following four forms:

  • ESX Service Console
    • esxupdate – Local utility found on classic ESX hosts to manage/install patches
  • ESXi Shell
    • ESXCLI – Local utility found on ESXi 5.0 hosts that can be used manage/install patches
  • vCLI (Windows/Linux or use vMA)
    • vihostupdate35 – Remote utility to manage/install patches for ESXi 3.5
    • vihostupdate – Remote utility to manage/install patches for ESX(i) 4.0 & 4.1
    • ESXCLI – Remote utility to manage/install patches for ESXi 5.0 (patch capability introduced in vSphere 5 for ESXi 5.0 hosts only)
  • PowerCLI(Windows)
    • InstallVMHostPatch – Remote utility using PowerCLI to manage/install patches for ESX(i) 4.0 and 4.1

Note: If you are using vSphere Hypervisor (Free ESXi), you will not be able to leverage any of the the remote CLI’s but you can still use the local CLI.

Here is a table summarizing all available command-line options based on the version of ESX(i) you are running:

Hypervisor Version Local Command vCLI Remote Command PowerCLI Remote Command
ESX 3.5 esxupdate −−bundle=<zip> update N/A N/A
ESXi 3.5 N/A vihostupdate35
−−bundle=<zip> −−install
ESX 4.0 esxupdate −−bundle=<zip> update vihostupdate <<bundle=<zip> −−install Install-VMHostPatch
ESXi 4.0 N/A vihostupdate −−bundle=<zip> −−install Install-VMHostPatch
ESX 4.1 esxupdate −−bundle=<zip> update vihostupdate −−bundle=<zip> −−install Install-VMHostPatch
ESXi 4.1 N/A vihostupdate −−bundle=<zip> −−install Install-VMHostPatch
ESXi 5.0 esxcli software vib update −−depot=/vmfs/volumes/[datastore]/<zip> esxcli software vib update −−depot=/vmfs/volumes/[datastore]/<zip> Install-VMHostPatch
Or Get-ESXCLI with the local command referenced in this table.

Note: When you download patches from VMware, there is an associated VMware KB article and it provides a link to the patch management documentation. You should always refer to that for more details and information for different methods of applying a patch.

Here is an example of using esxupdate on a classic ESX host. The patch bundle needs to be uploaded to ESX host using scp or winSCP and then specifying the full path on the command-line:

$ esxupdate −−bundle=ESX400-200907001.zip update

Here is an example of using the remote vihostupdate utility for an ESXi host, you will need to specify the ESXi host using the −−server parameter and −−username/−−password for remote authenication. You may choose to leave off −−password and you will be prompted to enter your credentials. The patch bundle does not need to be uploaded to ESXi host, it can reside on the system that is running the vihostupdate command. During the execution, the patch bundle will automatically be transfered to the host:

$ vihostupdate −−server [ESXI-FQDN] −−username [USERNAME] −−bundle=ESXi410-201011001.zip −−install

Here is an example of using the local esxcli utility for an ESXi 5.0 host. The patch bundle needs to be uploaded to ESXi host using scp or winSCP and then specifying the full path on the command-line:

$ esxcli software vib update −−depot=/vmfs/volumes/datastore1/ESXi500-201112001.zip

Here is an example of using the remote esxcli utility for an ESXi 5 host, you will need to specify the ESXi host using the −−server parameter and −−username/−−password for remote authenication. You may choose to leave off −−password and you will be prompted to enter your credentials. The patch bundle needs to be uploaded to ESXi host using scp/winSCP or vCLI’s vifs utility and then specifying the full path on the command-line:

$ vifs −−server [ESXI-FQDN] −−username [USERNAME] -p ESXi500-201112001.zip “[datastore1] ESXi500-201112001.zip”
$ esxcli −−server [ESXI-FQDN] −−username [USERNAME] software vib update −−depot=/vmfs/volumes/datastore1/ESXi500-201112001.zip

Note: In ESXi 5, −−depot only supports local server path or remote URL. The latter is to help centralize the location of your patches and help reduce manual transfer. This is why you need to transfer the patch to host if you do not have a patch depot.

Here is an example of using Install-VMHostPatch utility for an ESXi host:

Get-VMHost ESXI-FQDN | Set-VMHost -State Maintenance
$DS = Get-VMHost ESXI-FQDN | Get-Datastore datastore1
Copy-DatastoreItem C:\tmp\ESXi500-201112001\ $DS.DatastoreBrowserPath -Recurse
Get-VMHost ESX-FQDN | Install-VMHostPatch -Hostpath “/vmfs/volumes/datastore1/ESXi500-201112001/metadata.zip”

Note: The Install-VMHostPatch cmdlet does have a -LocalPath parameter for you to specify a local path to the patch. For larger files it is recommended you use the Copy-Datastore cmdlet to upload the file to a datastore on the host and then the -HostPath parameter as can be seen in the example above.

As you can see over the releases, we have had several methods of patching a host using the command-line both locally/remotely and it may not always be intuitive. When we converged to only ESXi with the release of vSphere 5.0, you will see that patching from the command-line has also converged to a single command-line utility using ESXCLI and a common patch format called a VIB. ESXCLI was first introduced in vSphere 4.0 and it had some limited capabilities. With vSphere 5.0, it has been significantly enhanced and now supports patching as one of it’s many capabilities. The syntax and expected output is exactly the same if you execute ESXCLI locally or remotely on an ESXi host with the exception of the remote authentication that is required for a remote execution. This should provide for a better user experience and consistency going forward.

An alternative method to patching from the command-line if you do not have VUM is using VMware Go, which is an online service (SaaS) provided by VMware. VMware Go can help manage your ESXi host but it also provides a patching capability similar to that of VUM.

Get notification of new blog postings and more by following lamw on Twitter:  @lamw

47 thoughts on “Quickest Way to Patch an ESX/ESXi Using the Command-line

    1. Pankaj

      Hello William,
      I read this article but this article seems not useful..!!
      I am having ESXi 5.0.0 and I want to install WIndows Server 2012 for testing purpose. As per VMWARE KB (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2006859) we must install the Update. I installed vCLI Package for windows and installed it. I tried all possible options and its keep saying the command not supported in 5.0.

      Please suggest if I am doing any mistake or I am @ wrong location.


  1. Pingback: Patching your ESXi 5 Host – Without vCenter - It's in the Cloud!

  2. John Bond

    This seems to be off now for the current release of ESXi 5.0.1. The command as typed would get an error: “Error: Invalid option -depot” The command line should have a double dash and not a single dash to be syntactically correct. But the bad news is that that still will not work because the new command is looking for the file index.html and not the .vib file. So there is a small disconnect in this procedure and the contents of the .ZIP files current format/contents Should I extract the zip file and use the –vibnme=XXX argument instead of the depot arugument?

    1. William LamWilliam Lam Post author

      Hi John Bond,

      Actually I do have “double dash” but for whatever reason, the formatting is showing it as “single dash”. What patch are you trying to install? You should not need to extract anything, but make sure that what you have is in fact a VIB … there are some 3rd party drivers such as tg3 which contains both the VIB and offline bundle and you need to provide the VIB as input

      1. Jeremy


        The double dashes (--) converging into an en dash (–) is a feature of WordPress.

        To fix it, you must edit your post to surround the code examples in <code> tags. WordPress knows not to convert dashes within code tags.


  3. Pingback: Manually Patching VMware ESXi 5 with vCLI esxcli | FireDaemon

  4. Cas V

    According to your article you can’t use any of the remote CLIs to patch vSphere Hypervisor (Free ESXi) but you can still use the local CLI. However your table shows no local command for patching ESXi 3.5, 4.0 and 4.1. Does that mean there is no supported method for patching vSphere Hypervisor (Free ESXi) 3.5, 4.0 or 4.1?

    1. William LamWilliam Lam Post author

      The article primarily focused on using the CLI, but if you are using vSphere Hypervisor (3.5, 4.0 & 4.1), you can still patch by using VMware Infrastructure Update Windows Utility

    2. Bob Dingman

      “If you are using vSphere Hypervisor (Free ESXi), you will not be able to leverage any of the the remote CLI’s but you can still use the local CLI.”

      In fact, I believe this comment is incorrect. I have several times used vihostupdate via the (remote) vShpere CLI client 4.1 to patch ESXi 4.1. I would add that it seems like a more mature patching methodology than the (local, at least) esxcli approach in ESXi 5.x. I’m not sure if William’s note above refers to a technical or licensing limitation.

  5. Jesus

    I am unable to get into the hidden console on ESXi 5.1.0 by typing “unsupported”. Tried many times and nothing ever happens. I need to access it to update ESXi 5.1 as it does not detect my server’s 2nd nic (Fujitsu Primergy TX100 S3P) for some reason.
    I also tried my root password, but nothing. Does anyone know at all how the heck to get into my ESXi 5.1 hidden console? Can’t do anything until I access it! sigh…

  6. Ronny

    Hi William,

    thanks for this great overview!
    Do you know if it’s also possible to execute (local or remote) the remediation of staged VUM patches?

      1. JohnW

        I have a one host environment at the moment. My vCenter is running VUM and is a VM. If I schedule the updates to run and power off the vCenter/VUM vm, will the schedule execute? I was not sure if the schedule is sent to the host or if it was fired off from VUM itself at the specified time.


  7. The Drew

    Could they make it any harder to patch the free ESXi? They want you to use vSphere client, it controls just about everything, but they couldn’t build update / patching into the vSphere Client? Who’s brilliant idea? It’s not like clustering or vMotion. This is a sloppy marketing descision.

  8. Andreas

    What is the best way to identify the patch dependencies and ensure host compliance? Can this be done on the command line of the host?

  9. Tony

    New job with ESX 3.5, 4.1, 5.0 Mostly the free versions a couple of v centers spread accross multiple locations. None of the hosts were patched after install. I have been searching for patches and patch processes for this mess. Any help (magical link) ? Since they were installed at different times they are at different patch levels even using the vm patch page to get what is needed fails for the 3.5 build i have.

    1. William LamWilliam Lam Post author

      Hi Tony,

      You can find all patches here http://www.vmware.com/go/downloadpatches which I assume you already looked. Each patch set has a KB that provides links to the documentation on how to apply the patch. If you’re working with classic ESX, you’ll most likely be using the old esxupdate command which is found within the Service Console as noted in the table.

      1. Tony

        Thanks for the quick reply. The link tells me no results found for 3.5 build 110268. I did find 1 time at least 15 patches that looked like they would apply to this, but cant find it again not sure if it was for this build or for another one. Is there a rollup patch/update that would get me close enough to at least get a result from the link you provided. Thinking that at least one update may be cumulative. One of my concerns is that i would miss a patch and create a problem without knowing it.

  10. William LamWilliam Lam Post author

    That page will provide you with all the patches released for the version of ESX or ESXi. If you’re just trying to bring your system up to date, you can take a look at one of the major patch set U1, U2, etc. (an example for ESX 3.5 is ESX350-Update05a UPDATE). You can see it rolls-up quite a bit but even after that, there are still patches after it if you want to be on the latest/greatest. If the hosts are being managed by vCenter Server, then I would recommend using VUM (Update Manager) and that’ll help you find all the dependency if you want to patch to the latest.

  11. Tony

    i have vmware infrastructure client ver 2.5.0 no plugins installed and when i try to install vcenter server they all reference 4.0 or higher. for this 3.5 server i am lucky in that it is not in use currently it needs to get back into the 3 server farm it was in before the (raid 0) (now raid 1) that was the OS drive had a drive failure i would like to take this small window to get it fully patched and get a good process for the update before the other 2 hosts get rebuilt they are also raid 0. While typing this i found a dell optimized 3.5 update 5 iso will be rebuilding it with that still would like to get VUM if possible.

  12. Ferry


    this doesn’t work on recent HP servers (on which the default vmware ISO doesn’t install either – need the HP version). That is, the patches get installed, machine reboots, NICs are gone. Apparently removes the custom drivers from the image…

    (esxcli software vib install -d -d )

    Works fine on ESXi systems without custom/async drivers.

    1. Ferry

      Heh, didn’t like my formatting it should read:
      esxcli software vib install -d /path/to/patch1.zip -d /path/to/patch2.zip

      with brackets around the path – probably stripped because of html.

    2. Ferry

      Using 5.1 btw.

      esxcli software vib update -d /path/to/patch.zip

      works fine.

      esxcli software vib install -d /path/to/patch.zip

      Kills the custom vib’s apparently.

      1. William LamWilliam Lam Post author

        I have updated the article to use the “update” option in case you are using default offline bundle from VMware which may or may not include drivers for your system.

  13. core10

    William- Great Summary. For those of us with vCenter Server (and update manager) running as a vm on one of our hosts, I suppose we would need to use update manager for staged patching. (ESXi V5.1)

    UpdateManager would put the patches in the standard location.
    We would use vSphere Client to put the host in maintenance mode, then use one of the commands in the table to manually remediate (load the patches). Then vSphere Client to reboot.

    Any tricks or recommendations? Don’t have shared storage so can’t easily move vCenter Server. Besides, once the vCenterServer is moved and gets a different IP address, one must repoint the vmhosts to the new IP address

  14. William LamWilliam Lam Post author

    If you do not have shared storage, then you would stage the patches to all other ESXi hosts but for the one that’s hosting vCenter Server, you will need to manually upgrade. You will need to download the patch and upload it to datastore since the stage files by VUM would not be in the same format that ESXCLI expects them to be (I believe they’re decompressed from the main .zip file). Once you have patched the host running vCenter Server/VUM, then you can use that to patch the rest of infrastructure.

    1. core10

      William– I used a VUM/vCenterServer to update its own host, just now. Remediation progressed to 100%, then VUM waited for maintenance mode and a reboot. I shutdown the vm that runs vCenter Server using vSphere Client and rebooted the host using vSphere Client.

      These updates required a reboot, not maintenance mode installation (as stated under impact in VUM).
      Any reason why I can’t do this going forward, and only manually install the updates that impact states require maintenance mode?

      1. William LamWilliam Lam Post author

        If you were able to do the above and the ESXi host was upgraded successfully after the reboot, then yes you can use this method. Upgrades of ESXi will always require a reboot.

  15. David Kirchmer


    The table in your post shows N/A in the ESXi 4.1 Local Command column/row.

    On our ESXi 4.1 system the esxupdate command is found in the /sbin folder and works as expected.

    ~ # esxupdate query
    —-Bulletin ID—– —–Installed—– ————–Summary—————
    ESXi410-201101224-UG 2011-10-11T04:56:54 vxge: net driver for VMware ESXi
    ESXi410-201101223-UG 2011-10-11T04:56:54 3w-9xxx: scsi driver for VMware ESXi
    ESXi410-201301402-BG 2013-04-16T17:46:42 Updates VMware tools
    ESXi410-201301401-SG 2013-04-16T17:46:42 Updates Firmware

    Is this something that was added back to this version or is my system not normal?



    1. William LamWilliam Lam Post author

      Hi David,

      Though the command is available, I don’t believe it’s supported. It’s recommended that you use the remote CLI to perform the upgrade.

  16. Pingback: VCAP5-DCD Objective 3.6 – Determine Datacenter Management Options for a vSphere 5 Physical Design - VirtuallyHyper

  17. Pingback: VMWare Tools Ereignis-ID: 1000 | Dreadnik

  18. John Woodall

    Recently ran the HP-flavored ESXi 5.1 upgrade against 5.0 and we must downgrade the VIBs.

    When attempting to run the command against the .zip file, I get errors.

    ~ # esxcli software vib install -d /vmfs/volumes/50007f82-fbabe078-a3b5-2c768a

    -sh: /sbin/esxcli: line 7:
    Copyright 2008-2011 VMware, Inc. All rights reserved.
    -- VMware Confidential

    This module is the esxcli cmd module
    : not found
    -sh: /sbin/esxcli: line 8: __author__: not found
    -sh: /sbin/esxcli: line 10: import: not found
    -sh: /sbin/esxcli: line 15: syntax error: unexpected "("

    When I run update instead of install:

    esxcli software vib update -d hp-esxi5.0uX-bundle-1.3-12.zip
    Could not download from depot at zip:/var/log/vmware/hp-esxi5.0uX-bundle-1.3-12.zip?index.xml, skipping (('zip:/var/log/vmware/hp-esxi5.0uX-bundle-1.3-12.zip?index.xml', '', "Error extracting index.xml from /var/log/vmware/hp-esxi5.0uX-bundle-1.3-12.zip: [Errno 2] No such file or directory: '/var/log/vmware/hp-esxi5.0uX-bundle-1.3-12.zip'"))
    url = zip:/var/log/vmware/hp-esxi5.0uX-bundle-1.3-12.zip?index.xml
    Please refer to the log file for more details.

  19. Richard

    Hi, I´m trying to install a Mellanox Infiniband driver for “Mellanox MHQH29-XTC”.´The driver downloaded is: MLNX-OFED-ESX- but although the infiniband card is shown in ESXi Console, it appears to be disconnected. I don´t know if I need some other hw/sw, firmware … Please, could you tell me what am I doing wrong?


  20. Pingback: ESXi Patch « DiGiBoY

  21. Thor

    I found this article helpful.
    Having maintained ESXi 4.1 using esxcli, I now needed to patch another (new) host on 5.5 and found the terms and association confusing.

    For example why “VIB update” for both patch files that end in zip and vib – anyway thanks again, used it as a template an my updates work.

    Now to look for how to list applied patches.

  22. Pavan

    HI William,

    Quick query is there anyway we can automate the process of downloading the patches from VMware via Powercli.




Leave a Reply

Your email address will not be published. Required fields are marked *