You can use Update Manager to apply third-party software patches to the ESXi hosts in your vSphere inventory.
This workflow describes the overall process to apply third-party patches to the hosts in your vSphere inventory. You can apply patches to hosts at the folder, cluster or datacenter level. You can also apply patches to a single host. This workflow describes the process to apply patches to multiple hosts in a container object.
Make the third-party software patches available to the Update Manager server.
Download the third-party patches from the Internet to make them available to the Update Manager server.
If the machine on which the Update Manager server is installed has access to the Internet, you must either configure Update Manager to download patch binaries and patch metadata from third-party Web sites, or you must manually download the third-party patches and import them into the Update Manager patch repository as an offline bundle.
By default, Update Manager contacts VMware at regular configurable intervals to gather information about the latest available patches. You can add third-party URLs to download third-party patches that are applicable to the ESXi 5.x and ESXi 6.0 hosts in your inventory. You can configure the Update Manager download source from the Configuration tab of the Update Manager Administration view. For a detailed procedure about configuring Update Manager to use third-party download URL addresses as patch download sources, see Add a New Download Source.
You can import offline bundles in the Update Manager repository from the Configuration tab of the Update Manager Administration view. For a detailed procedure about importing offline bundles, see Import Patches Manually.
Use UMDS to download third-party patches and make the patches available to the Update Manager server.
If the machine on which the Update Manager server is installed is not connected to the Internet, you can use UMDS to download the third-party patches. For more information about configuring UMDS to download third-party patches, see Configure URL Addresses for Hosts and Virtual Appliances.
The patch metadata and patch binaries that you download using UMDS must be associated with the Update Manager server so that Update Manager can patch the hosts in your vSphere environment. For more information about associating the UMDS depot with the Update Manager server, see Associating the UMDS Patchstore Depot with the Update Manager Server.
Configure the Update Manager host and cluster settings.
Some updates might require that the host enters maintenance mode during remediation. You should configure the Update Manager response when a host cannot enter maintenance mode. If you want to apply updates at a cluster level, you should configure the cluster settings as well. You can configure the Update Manager settings from the Configuration tab of the Update Manager Administration view. For more information and the detailed procedure about configuring host and cluster settings by using Update Manager, see Configuring Host and Cluster Settings.
Create fixed or dynamic patch baselines containing the third-party software patches that you downloaded to the Update Manager repository.
You can create patch baselines from the Baselines and Groups tab of the Update Manager Administration view. For more information about creating fixed patch baselines, see Create a Fixed Patch Baseline. For detailed instructions about creating a dynamic patch baseline, see Create a Dynamic Patch Baseline.
Attach the patch baselines to a container object containing the hosts that you want to scan or remediate.
The container object can be a folder, cluster, or datacenter. You can attach baselines and baseline groups to objects from the Update Manager Compliance view. For more information about attaching baselines and baseline groups to vSphere objects, see Attach Baselines and Baseline Groups to Objects.
Scan the container object.
After you attach baselines to the selected container object, you must scan it to view the compliance state of the hosts in the container. You can scan selected objects manually to start the scanning immediately. For detailed instructions on how to scan your hosts manually, see Manually Initiate a Scan of ESXi Hosts.
You can also scan the hosts in the container object at a time convenient for you by scheduling a scan task. For more information and detailed instructions about scheduling a scan, see Schedule a Scan.
Review the scan results displayed in the Update Manager Client Compliance view.
For a detailed procedure about viewing scan results and for more information about compliance states, see Viewing Scan Results and Compliance States for vSphere Objects.
Remediate the container object.
Remediate the hosts that are in Non-Compliant state to make them compliant with the attached baselines. For more information about remediating hosts against patch or extension baselines, see Remediate Hosts Against Patch or Extension Baselines.
After remediation is completed, the compliance state of the hosts against the attached baseline is updated to Compliant.