An Update Manager baseline is a grouping of multiple bulletins. A baseline group is a collection of non-conflicting baselines.
Depending on their target inventory object, the Update Manager baselines are two types: host baselines and virtual machine baselines. Depending on how they are created and managed, you can use predefined baselines, system-managed baselines, or custom baselines.
When you scan hosts and virtual machines, you evaluate them against baselines and baseline groups to determine their level of compliance.
In the vSphere Client, the baselines and baseline groups are displayed on the Baselines tab of the Update Manager home view.
Depending on the purpose for which you want to use them, host baselines can contain a collection of one or more patches, extensions, or upgrades. Therefore host baselines are upgrade, extension, or patch baselines. To update or upgrade your hosts you can use the Update Manager default baselines, or the custom baselines that you create.
Virtual machine baselines are predefined. You cannot create custom virtual machine baselines.
The default baselines are the predefined and system managed baselines.
System Managed Baselines
The Update Manager displays system managed baselines that are generated by vSAN. These baselines appear by default when you use vSAN clusters with ESXi hosts of version 6.0 Update 2 and later in your vSphere inventory. If your vSphere environment does not contain any vSAN clusters, no system managed baselines are created.
The system managed baselines automatically update their content periodically, which requires Update Manager to have constant access to the Internet. The vSAN system baselines are typically refreshed every 24 hours.
You use system managed baselines to upgrade your vSAN clusters to recommended critical patches, drivers, updates or the latest supported ESXi host version for vSAN.
System managed baselines cannot be edited or deleted. You do not attach system managed baselines to inventory objects in your vSphere environment. You can create a baseline group of multiple system managed baselines, but you cannot add any other type of baseline to that group. Similarly, you cannot add a system managed baseline to a baseline group that contains upgrade, patch, and extension baselines.
Predefined Baselines
Predefined baselines cannot be edited or deleted, you can only attach or detach them to the respective inventory objects.
On the Baselines tab in Update Manager home view, you can see the following predefined baselines:
- Critical Host Patches (Predefined)
- Checks ESXi hosts for compliance with all critical patches.
- Non-Critical Host Patches (Predefined)
- Checks ESXi hosts for compliance with all optional patches.
- VMware Tools Upgrade to Match Host (Predefined)
- Checks virtual machines for compliance with the latest VMware Tools version on the host. Update Manager supports upgrading of VMware Tools for virtual machines on hosts that are running ESXi 6.0.x and later.
- VM Hardware Upgrade to Match Host (Predefined)
- Checks the virtual hardware of a virtual machine for compliance with the latest version supported by the host. Update Manager supports upgrading to virtual hardware version vmx-15 on hosts that are running ESXi 6.7.
Custom Baselines
Custom baselines are the baselines that you create.
If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain and you have an Update Manager instance for each vCenter Server system in the group, the baselines and baseline groups that you create and manage are applicable only to the inventory objects managed by the vCenter Server system where the selected Update Manager instance runs.
Baseline Groups
You create a baseline group by assembling existing baselines. A baseline group might contain one upgrade baseline and one or more patch and extension baselines, or it might contain a combination of multiple patch and extension baselines.
To create, edit, or delete baselines and baseline groups, you must have the Manage Baseline privilege. To attach baselines and baseline groups to target inventory objects, you must have the Attach Baseline privilege. The privileges must be assigned on the vCenter Server system where Update Manager runs. For more information about managing users, groups, roles, and permissions, see the vCenter Server and Host Management documentation. For a list of all Update Manager privileges and their descriptions, see Update Manager Privileges.