Update Manager scans objects to determine how they comply with the attached baselines and baseline groups. You can review compliance by examining results for a single virtual machine, template, or ESXi host, as well as for a group of virtual machines or hosts.

Supported groups of virtual machines or ESXi hosts include virtual infrastructure container objects such as folders, vApps, clusters, and datacenters.

Baselines and baseline groups interact with virtual machines, templates, and hosts in the following ways:

  • Objects must have an attached baseline or baseline group to be examined for compliance information.
  • Compliance with baselines and baseline groups is assessed at the time of viewing, so a brief pause might occur while information is gathered to make sure that all information is current.
  • Compliance status is displayed based on privileges. Users with the privilege to view a container, but not all the contents of the container, are shown the aggregate compliance of all objects in the container. If a user does not have permission to view an object, its contents, or a particular virtual machine, the results of those scans are not displayed. To view the compliance status, the user must also have the privilege to view compliance status for an object in the inventory. Users who have privileges to remediate against patches, extensions, and upgrades and to stage patches and extensions on a particular inventory object can view the compliance status of the same object even if they do not have the view compliance privilege. For more information about the Update Manager privileges, see Update Manager Privileges. For more information about managing users, groups, roles, and permissions, see vCenter Server and Host Management.

In the vSphere infrastructure hierarchy, the baselines and baseline groups you attach to container objects are also attached to the child objects. Consequently, the computed compliance state is also inherited. For example, a baseline or baseline group attached to a folder is inherited by all objects in the folder (including subfolders), but the status of inherited baselines or baseline groups propagates upwards, from the contained objects to the folder. Consider a folder that contains two objects, A and B. If you attach a baseline (baseline 1) to the folder, both A and B inherit baseline 1. If the baseline state is non-compliant for A and compliant for B, the overall state of baseline 1 against the folder is non-compliant. If you attach another baseline (baseline 2) to B, and baseline 2 is incompatible with B, the overall status of the folder is incompatible.
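The folder example above can be modelled in a few lines of Python. This is an added illustration, not Update Manager code: the `Node` class, the function names, and the severity order (incompatible over non-compliant over compliant, inferred from the example) are assumptions.

```python
from dataclasses import dataclass, field

# Assumed severity order, inferred from the folder example above:
# incompatible outranks non-compliant, which outranks compliant.
SEVERITY = {"compliant": 0, "non-compliant": 1, "incompatible": 2}


@dataclass
class Node:
    name: str
    attached: set = field(default_factory=set)    # baselines attached directly
    children: list = field(default_factory=list)  # empty for a VM or host
    scan: dict = field(default_factory=dict)      # baseline -> state, leaves only


def worst(states):
    """Return the most severe state, or None when nothing was examined."""
    states = [s for s in states if s is not None]
    return max(states, key=SEVERITY.__getitem__) if states else None


def baseline_status(node, baseline, inherited=False):
    """State of one baseline against node, rolled up from its descendants."""
    applies = inherited or baseline in node.attached
    if node.children:
        return worst(baseline_status(c, baseline, applies) for c in node.children)
    if not applies:
        return None  # no attached or inherited baseline: not examined
    if baseline not in node.scan:
        raise ValueError(f"{node.name} has no scan result for {baseline}")
    return node.scan[baseline]


def overall_status(node, inherited=frozenset()):
    """Overall state of node across every baseline that applies beneath it."""
    effective = inherited | node.attached
    if node.children:
        return worst(overall_status(c, effective) for c in node.children)
    return worst(baseline_status(node, b, True) for b in effective)


# Constructed inventory matching the example: baseline 1 on the folder,
# baseline 2 attached only to B.
a = Node("A", scan={"baseline 1": "non-compliant"})
b = Node("B", attached={"baseline 2"},
         scan={"baseline 1": "compliant", "baseline 2": "incompatible"})
folder = Node("folder", attached={"baseline 1"}, children=[a, b])

if __name__ == "__main__":
    print(baseline_status(folder, "baseline 1"))  # non-compliant
    print(overall_status(folder))                 # incompatible
```

When auditing patch posture from a container view, a single incompatible or non-compliant child determines the container's displayed state, so drill down to the child objects to find which one is responsible.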

Note: After a download of patch recall notifications, Update Manager flags recalled patches but their compliance state does not refresh automatically. You must perform a scan to view the updated compliance state of patches affected by the recall.