You configure vSphere Update Manager to apply updates on the management components of the SDDC according to the objectives of this design.

UMDS Virtual Machine Specification

You allocate resources to and configure the virtual machines for UMDS according to the following specification:

Table 1. vSphere Update Manager Download Service (UMDS) Virtual Machine Specifications



vSphere Update Manager Download Service

vSphere 6.5

Number of CPUs



2 GB

Disk Space

120 GB

Operating System

Ubuntu 14.04 LTS

ESXi Host and Cluster Settings

When you perform updates by using the vSphere Update Manager, the update operation affects certain cluster and host base settings. You customize these settings according to your business requirements and use cases.

Table 2. Host and Cluster Settings That Are Affected by vSphere Update Manager



Maintenance mode

During remediation, updates might require the host to enter maintenance mode. Virtual machines cannot run when a host is in maintenance mode. For availability during a host update, virtual machines are migrated to other ESXi hosts within a cluster before the host enters maintenance mode. However, putting a host in maintenance mode during update might cause issues with the availability of the cluster.


When using vSAN, consider the following factors when you update hosts by using vSphere Update Manager:

  • Host remediation might take a significant amount of time to complete because, by design, only one host from a vSAN cluster can be in maintenance mode at any one time.

  • vSphere Update Manager remediates hosts that are a part of a vSAN cluster sequentially, even if you set the option to remediate the hosts in parallel.

  • If the number of failures to tolerate is set to 0 for the vSAN cluster, the host might experience delays when entering maintenance mode. The delay occurs because vSAN copies data between the storage devices in the cluster.

    To avoid delays, set a vSAN policy where the number of failures to tolerate is 1. The number of failures to tolerate is 1 by default.

You can control the update operation by using a set of host and cluster settings in vSphere Update Manager.

Table 3. Host and Cluster Settings for Updates



Host settings

  • VM Power state when entering maintenance mode. You can configure vSphere Update Manager to power off or suspend virtual machines, or to not control them, during remediation. This option applies only if vSphere vMotion is not available for a host.

  • Retry maintenance mode in case of failure. If a host fails to enter maintenance mode before remediation, vSphere Update Manager waits for a retry delay period and retries putting the host into maintenance mode as many times as you indicate, using the configured parameter settings.

  • Allow installation of additional software on PXE-booted hosts. This option is limited to software packages that do not require a host reboot after installation.

Cluster settings

  • Disable vSphere Distributed Power Management (DPM), vSphere High Availability (HA) Admission Control, and Fault Tolerance (FT).

  • Enable parallel remediation of hosts. vSphere Update Manager can remediate multiple hosts.


    Parallel remediation is not supported if you use vSAN.

  • Migrate powered-off or suspended virtual machines. vSphere Update Manager migrates the suspended and powered-off virtual machines from hosts that must enter maintenance mode to other hosts in the cluster. The migration is launched on virtual machines that do not prevent the host from entering maintenance mode.

Virtual Machine and Virtual Appliance Update Settings

vSphere Update Manager supports remediation of virtual machines and appliances. You can control the virtual machine and appliance updates by using the following settings:

Table 4. vSphere Update Manager Settings for Remediation of Virtual Machines and Appliances



Take snapshots before virtual machine remediation

Test before you commit the changes.

Define the window in which a snapshot persists for a remediated virtual machine

Automatically clean up virtual machine snapshots that are taken before remediation.

Enable smart rebooting for VMware vSphere vApps remediation

Start virtual machines after remediation to maintain start-up dependencies, even if some of the virtual machines are not remediated.

ESXi Image Configuration

You can store full images that you can use to upgrade ESXi hosts. You cannot download such images from the patch repositories and must upload them by using vSphere Update Manager. Import into the repository the ESXi builds that are available in the environment.

By using Image Builder, add the NSX software packages esx-vdpi, esx-vsip and esx-vxlan into the ESXi upgrade image so that you can use the hosts being upgraded in a software-defined networking setup.
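One way to carry out the Image Builder step above in PowerCLI. This is an added example, not part of the original design: the depot paths, base profile name, vendor string and output path are placeholders, and the refusal of CommunitySupported VIBs is an extra check assumed here.

```powershell
# Added example. All paths and names below are placeholders, not values from the design.
$esxiDepot   = 'C:\depots\<esxi-offline-bundle>.zip'   # placeholder: ESXi offline bundle
$nsxDepot    = 'C:\depots\<nsx-vib-bundle>.zip'        # placeholder: NSX for vSphere VIB bundle
$baseProfile = '<base-image-profile-name>'             # placeholder: profile inside the ESXi bundle
$isoPath     = 'C:\images\<esxi-with-nsx>.iso'         # placeholder: output image
$nsxVibs     = 'esx-vdpi', 'esx-vsip', 'esx-vxlan'     # package names given in this design

# Load both depots into the Image Builder session.
Add-EsxSoftwareDepot -DepotUrl $esxiDepot, $nsxDepot | Out-Null

# Clone the base profile so the original image definition stays unmodified.
$base = Get-EsxImageProfile -Name $baseProfile
if (-not $base) { throw "Image profile '$baseProfile' not found in the loaded depots" }
$custom = New-EsxImageProfile -CloneProfile $base -Name "$($base.Name)-nsx" -Vendor 'Example-Org'

foreach ($name in $nsxVibs) {
    $vib = Get-EsxSoftwarePackage -Name $name -Newest
    if (-not $vib) { throw "VIB '$name' not found in the loaded depots" }

    # Assumed policy: never place community-level (unsigned) VIBs in a management-host image.
    if ("$($vib.AcceptanceLevel)" -eq 'CommunitySupported') {
        throw "VIB '$name' has acceptance level CommunitySupported; refusing to add it"
    }
    $custom = Add-EsxSoftwarePackage -ImageProfile $custom -SoftwarePackage $vib
}

# Confirm every NSX package is in the profile before exporting.
$missing = $nsxVibs | Where-Object { $_ -notin $custom.VibList.Name }
if ($missing) { throw "Profile is missing: $($missing -join ', ')" }

# Record what went into the image, for later comparison against the hosts.
$custom.VibList | Where-Object { $_.Name -in $nsxVibs } |
    Select-Object Name, Version, Vendor, AcceptanceLevel | Format-Table -AutoSize

# Export the ISO that is then uploaded to the vSphere Update Manager repository.
Export-EsxImageProfile -ImageProfile $custom -ExportToIso -FilePath $isoPath
```

The printed VIB list gives you a record of the exact NSX package versions in the image, which is useful when NSX for vSphere updates later require a new ESXi image.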

Baselines and Groups

vSphere Update Manager baselines and baseline groups are collections of patches that can be assigned to a cluster or host entity in the environment. Depending on the business requirements, the default baselines might not be allowed until patches are tested or verified on development or pre-production hosts. Baselines can be confirmed so that the tested patches are applied to hosts and only updated when appropriate.

Two types of baselines exist:

  • Dynamic baselines that can change as items are added to the repository.

  • Fixed baselines that remain the same.

vSphere Update Manager contains the following default baselines. Each of these baselines is configured for dynamic selection of new items.

Critical host patches

Upgrades hosts with a collection of critical patches that are high priority as defined by VMware.

Non-critical host patches

Upgrades hosts with patches that are not classified as critical.

VMware Tools Upgrade to Match Host

Upgrades the VMware Tools version to match the host version.

VM Hardware Upgrade to Match Host

Upgrades the virtual machine hardware version to match the host version.

VA Upgrade to Latest

Upgrades a virtual appliance to the latest version available.

vSphere Update Manager Logical Design Decisions

This design applies the following decisions on the logical design of vSphere Update Manager and update policy:

Table 5. vSphere Update Manager Logical Design Decisions

Design ID

Design Decision

Design Justification

Design Implication


Use the default patch repositories by VMware.

No additional sources required.



Set the VM power state to Do Not Power Off.

Ensures highest uptime of management components and compute workload virtual machines.

Manual intervention will be required if migration fails.


Enable parallel remediation of hosts assuming that there are enough resources available to support update of multiple hosts at the same time.

Remediation of host patches can occur more quickly.

More resources unavailable at the same time during remediation.


Enable migration of powered-off virtual machines and templates.

Ensures that templates stored on all management hosts are accessible.

Increases the amount of time to start remediation for templates to be migrated.


Use the default critical and non-critical patch baselines for the Consolidated cluster.

No customized baselines required.

All patches are added to the baselines as soon as they are released.


Use the default schedule of a once-per-day check and patch download.

No change required for this engagement.



Remediate hosts, virtual machines, and virtual appliances once a month or per business guidelines.

Ensures up-to-date hosts, virtual machines, and virtual appliances.

Schedule must be aligned to the business policies.


Use Image Builder to add NSX for vSphere software packages to the ESXi upgrade image.

  • Ensures that the ESXi hosts are ready for software-defined networking immediately after the upgrade.

  • Allows for parallel remediation of ESXi hosts.

  • Additional NSX remediation is not required.

  • You must enable the Image Builder service.

  • NSX for vSphere updates might require new ESXi image updates.


Configure an HTTP Web server on each UMDS service that the connected vSphere Update Manager servers must use to download the patches from.

Without a Web service running, vSphere Update Manager is unable to download patches automatically from UMDS. The alternative is to copy media from one place to another manually.

You must be familiar with a third-party Web server such as Nginx or Apache.