Nazaudy, a spark in your curious mind

Install critical patches on ESXi 6.0

In your vSphere environment, it is compulsory to install the critical patches for ESXi 6.0 that VMware releases on a regular basis; I have seen cases where all hosts were on purple screens just because the Network Manager refused to install security updates for the ESXi, leading to the inevitable. Don't let yourself be caught out: always stay just a little bit behind with regard to updates, not at the front line (do not install updates the very same day they come out!) and not too far behind either.

Okay, needless to say, prior to installing any patches or upgrades on your vSphere environment, you need to have "Update Manager" configured.

VMware Update Manager

At the moment "Update Manager" only works with Microsoft Windows, so you should have installed it on a Windows box. In this article I'm not covering the installation of Update Manager, etc.; that is quite easy :)

Once you have it installed, open the add-on in vCenter and do as follows:

  1. Visit the "Manage" tab
  2. Visit the "Host Baselines" tab
  3. Click on the green "+" sign to add a new baseline

Call it "Host Patches", select "Host Patch" and click on "Next".

ESXi host patch

 

Use a "Dynamic" baseline, so that you don't have to update it every time new patches become available.

Dynamic patch options

For the following sections, I would only choose:

  • Patch Vendor? = VMware
  • Product? = The ESXi running on your hosts, in this example 6.0.0
  • Severity? = Critical
  • Category? = Leave as any

Note that at the end of your selection a number of patches will already have been selected; in the example below the number is "26".

Install critical patches

Don't select anything on the next two screens, which cover the "EXCLUDE" and "INCLUDE" selection of additional patches, and when you're ready to complete, just click on "Finish".

Before clicking on "Remediate" there are two things that you need to do:

  1. Ensure the relevant host you want to patch is in maintenance mode
  2. Visit the cluster and untick the option "Host Monitoring"

Turn on vSphere HA

To remediate the hosts, now click on the "Go to compliance view" section.

ESXi go to compliance view to Install critical patches on ESXi 6.0

Then click on "Remediate" and choose the Host Remediation with the Patch Baselines; before doing so, ensure that no VMs are running on the selected host and that you have put the host in "maintenance mode".

Patch baselines

Ensure you disable DPM, FT and HA, even if you don't have the license for them; the "yellow exclamation mark" clearly warns you about this.

Disable DPM

Job done. Once the upgrade is finished, go and check the "Configuration" page of the host and verify that it has a new build number, which reflects that the patches have been successfully installed.

 VMware ESXi 6 build numbers
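The two checks to make before "Remediate" and the build-number verification afterwards can also be read from PowerCLI. This is an added example, not part of the original article; it assumes VMware PowerCLI with an active `Connect-VIServer` session, and the function name `Test-PatchReadiness` and the host name `esx01.example.local` are hypothetical.

```powershell
# Added example, not from the original article. Requires VMware PowerCLI and an
# active Connect-VIServer session. Function and host names are hypothetical.
function Test-PatchReadiness {
    param([Parameter(Mandatory)][string]$HostName)

    $vmhost  = Get-VMHost -Name $HostName -ErrorAction Stop
    $cluster = Get-Cluster -VMHost $vmhost -ErrorAction SilentlyContinue

    # Prerequisite 1: the host is in maintenance mode.
    $inMaintenance = $vmhost.ConnectionState -eq 'Maintenance'

    # No running VMs may be left on the host being remediated.
    $running = @(Get-VM -Location $vmhost |
                 Where-Object { $_.PowerState -eq 'PoweredOn' })

    # Prerequisite 2: "Host Monitoring" is unticked on the cluster.
    # A standalone host has no cluster, so there is nothing to untick.
    $monitoringOff = $true
    $dpmEnabled    = $false
    if ($cluster) {
        $cfg = $cluster.ExtensionData.ConfigurationEx
        $monitoringOff = (-not $cfg.DasConfig.Enabled) -or
                         ($cfg.DasConfig.HostMonitoring -eq 'disabled')
        $dpmEnabled    = [bool]$cfg.DpmConfigInfo.Enabled
    }

    [pscustomobject]@{
        Host              = $vmhost.Name
        Version           = $vmhost.Version
        Build             = $vmhost.Build      # compare before and after
        InMaintenanceMode = $inMaintenance
        PoweredOnVMs      = $running.Count
        HostMonitoringOff = $monitoringOff
        DpmEnabled        = $dpmEnabled
        ReadyToRemediate  = $inMaintenance -and ($running.Count -eq 0) -and $monitoringOff
    }
}

# Run once before clicking "Remediate" and once after the host is back:
$before = Test-PatchReadiness -HostName 'esx01.example.local'
# ... remediate from Update Manager ...
$after  = Test-PatchReadiness -HostName 'esx01.example.local'
if ($after.Build -eq $before.Build) {
    Write-Warning "Build unchanged ($($after.Build)): check the remediation task."
}
```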

 


 

London, 10 February 2018

 
