Understanding ESXi Patches – Manually Adding Patches to Update Manager

Kyle Gleed, Sr. Technical Product Manager, VMware

In my previous post I went over the steps to manually download ESXi host patches.  In this post I will go over the steps to manually add the downloaded patches into Update Manager.  Normally, Update Manager is configured to automatically download patches as they become available, but if your security policy doesn’t allow Update Manager to access the Internet, you will need to manually download and add the patches.  Let’s go over the steps to do this.

I’m going to assume that you have Update Manager installed and registered and that you’ve downloaded the ESXi patches as I discussed in my previous blog.  For information on how to install and configure Update Manager, refer to the Update Manager guide.

Begin by logging onto the vSphere client.  From the vSphere client home screen click on the “Update Manager” icon.  From the Update Manager Administration window select the “Patch Repository” tab.  Upload the ESXi patches by selecting the “Import Patches” link in the top right corner. 


This will launch the “Import Patches” pop-up.  Click the Browse button to browse to the location where you saved the patch archive (.zip) and then click Next.  Note that you do not need to extract the contents of the .zip archive; Update Manager understands the format of the .zip archive and will extract the contents as it imports the patches.  If the import fails, verify the checksum of the .zip archive to make sure the file didn’t get corrupted during the download.
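
The checksum check mentioned above can be scripted before you import the archive. The following is an added example, not part of the original post or VMware tooling; it assumes the download page lists an MD5, SHA-1 or SHA-256 hex digest for the .zip, and the function names are hypothetical.

```python
import hashlib
import zipfile

# Digest length in hex characters -> hashlib algorithm name (assumed set).
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(path, algo, chunk_size=1024 * 1024):
    """Hash the file in chunks so a large patch bundle is not loaded into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_patch_bundle(path, published_checksum):
    """Return (ok, detail) for a downloaded patch .zip.

    The algorithm is inferred from the length of the published hex string.
    """
    expected = published_checksum.strip().lower().replace(" ", "")
    algo = _ALGO_BY_HEX_LEN.get(len(expected))
    if algo is None or any(c not in "0123456789abcdef" for c in expected):
        return False, "published checksum is not an MD5/SHA-1/SHA-256 hex string"
    actual = file_digest(path, algo)
    if actual != expected:
        return False, f"{algo} mismatch: expected {expected}, got {actual}"
    # Checksum matches; also confirm the archive is readable without
    # extracting it, since the .zip is imported as-is.
    try:
        with zipfile.ZipFile(path) as zf:
            bad = zf.testzip()
    except zipfile.BadZipFile as exc:
        return False, f"not a readable zip archive: {exc}"
    if bad is not None:
        return False, f"CRC error in archive member {bad}"
    return True, f"{algo} matches and archive is intact"


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: verify_bundle.py <patch.zip> <published-checksum>")
    ok, detail = verify_patch_bundle(sys.argv[1], sys.argv[2])
    print(detail)
    sys.exit(0 if ok else 1)
```

A mismatch means the file should be downloaded again rather than imported.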


That’s it.  As you can see, manually adding ESXi patches to Update Manager is very easy to do.  With the patches loaded into Update Manager, the next step is to create a baseline group that you can use to remediate your hosts.  I’ll go ahead and give you a quick overview on how to do this, but be sure to refer to the Update Manager guide for more information.

To create a baseline, go to the Update Manager home screen and select the “Baselines and Groups” tab, then from the “Baseline” section on the left click the “Create” link.


The “New Baseline” wizard will start and walk you through the steps to create a new baseline.  Give the baseline a name and select “Host Patch” as the baseline type.  I recommend giving the baseline a name that coincides with the patch name used by VMware as it will make it easier to track things over time:


The next step is to set the baseline as either “Fixed” or “Dynamic”.  For this example I will make the baseline Fixed.


Next you will select the patches to include in the baseline.  Select each patch and then click the down arrow to add it to the baseline.


The last step is to review the baseline to make sure it has all the patches you want and then click Finish. 

The patch baseline will now be shown under the list of Baselines. 


With the baseline created the last step is to attach the baseline to your hosts and to apply the patch.  To do this you need to go to the Update Manager “Compliance” view.  There are a couple ways to get there but what I typically do is go to the Host and Cluster view, select the host and then choose the Update Manager tab on the far right.


Click the “Attach…” link and from inside the pop-up select the patch-update baseline you just created and click attach.

With the baseline attached you can now apply the patches to your host by simply clicking the Remediate button.  Note that Update Manager works best if DRS is enabled in fully automated mode, as that will allow the VMs to be migrated off the host as part of the remediation.  If you are not running DRS in fully automated mode, you will need to manually migrate or shut down the VMs prior to the remediation.

Follow me on twitter @VMwareESXi