You use baselines and baseline groups to update the ESXi hosts in your vSphere inventory. vSphere Lifecycle Manager baselines are of three types: predefined baselines, recommendation baselines, and custom baselines, which you create. Depending on their content, baselines can be patch, extension, or upgrade baselines.
When you initiate a compliance check for an ESXi host, you evaluate it against baselines and baseline groups to determine its level of compliance with those baselines or baseline groups.
If your vCenter Server system is connected to other vCenter Server systems by a common vCenter Single Sign-On domain, the baselines and baseline groups that you create and manage are applicable only to the inventory objects managed by the vCenter Server system where the selected vSphere Lifecycle Manager instance runs.
In the vSphere Client, the baselines and baseline groups are displayed on the Baselines tab of the vSphere Lifecycle Manager home view.
Predefined, Recommendation, and Custom Baselines
- Predefined baselines
Predefined baselines cannot be edited or deleted. You can only attach them to or detach them from inventory objects. On the Baselines tab in the vSphere Lifecycle Manager home view, you can see the following predefined baselines.
- Host Security Patches
The Host Security Patches baseline checks ESXi hosts for compliance with all security patches.
- Critical Host Patches
The Critical Host Patches baseline checks ESXi hosts for compliance with all critical patches.
- Non-Critical Host Patches
The Non-Critical Host Patches baseline checks ESXi hosts for compliance with all optional patches.
The Host Security Patches and Critical Host Patches predefined baselines are attached by default to the vCenter Server instance where vSphere Lifecycle Manager runs.
- Recommendation Baselines
Recommendation baselines are predefined baselines that vSAN generates.
You use recommendation baselines to update your vSAN clusters with recommended critical patches, drivers, updates, or the latest supported ESXi host version for vSAN.
These baselines appear by default when you use vSAN clusters with ESXi hosts of version 6.0 Update 2 and later in your vSphere inventory. If your vSphere environment does not contain any vSAN clusters, no recommendation baselines are created.
Recommendation baselines update their content periodically, which requires vSphere Lifecycle Manager to have constant access to the Internet. The vSAN recommendation baselines are typically refreshed every 24 hours.
Recommendation baselines cannot be edited or deleted. You do not attach recommendation baselines to inventory objects in your vSphere environment. You can create a baseline group by combining multiple recommendation baselines, but you cannot add any other type of baseline to that group. Similarly, you cannot add a recommendation baseline to a baseline group that contains upgrade, patch, and extension baselines.
You create a baseline group by assembling existing and non-conflicting baselines. Baseline groups allow you to scan and remediate objects against multiple baselines at the same time.
The following are valid combinations of baselines that can make up a baseline group:
- Multiple host patch and extension baselines.
- One upgrade baseline and multiple patch and extension baselines.
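The composition rules above can be checked before a group is created, for example in a change-review script. The following is an added example, not VMware code: the function names, the kind labels and every baseline name other than the two predefined ones are assumptions made for illustration.

```python
from collections import Counter

CONTENT_KINDS = {"patch", "extension", "upgrade"}
RECOMMENDATION = "recommendation"

def check_baseline_group(members):
    """Return rule violations for a proposed group of (name, kind) tuples."""
    # Conflicts between individual bulletins are not checked here.
    members = list(members)
    counts = Counter(kind for _, kind in members)
    problems = []

    unknown = sorted(n for n, k in members if k not in CONTENT_KINDS | {RECOMMENDATION})
    if unknown:
        problems.append("unknown baseline kind: " + ", ".join(unknown))

    # Recommendation baselines may only be grouped with each other.
    if counts[RECOMMENDATION] and any(counts[k] for k in CONTENT_KINDS):
        mixed = sorted(n for n, k in members if k == RECOMMENDATION)
        problems.append("recommendation baseline mixed with other types: " + ", ".join(mixed))

    # The valid combinations allow one upgrade baseline per group.
    if counts["upgrade"] > 1:
        extra = sorted(n for n, k in members if k == "upgrade")
        problems.append("more than one upgrade baseline: " + ", ".join(extra))
    return problems

# Constructed sample groups; only the two predefined baseline names come
# from the page, every other name is made up for illustration.
SAMPLE_GROUPS = {
    "patches-only": [("Host Security Patches", "patch"),
                     ("Critical Host Patches", "patch")],
    "upgrade-plus": [("sample-esxi-upgrade", "upgrade"),
                     ("Host Security Patches", "patch"),
                     ("sample-nic-driver", "extension")],
    "two-upgrades": [("sample-esxi-upgrade", "upgrade"),
                     ("sample-esxi-upgrade-b", "upgrade")],
    "vsan-mixed": [("sample-vsan-recommendation", "recommendation"),
                   ("Critical Host Patches", "patch")],
}

def audit(groups):
    """Map each invalid group name to its list of violations."""
    results = {name: check_baseline_group(m) for name, m in groups.items()}
    return {name: p for name, p in results.items() if p}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_GROUPS).items():
        print(name, "->", "; ".join(problems))
```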
To create, edit, or delete baselines and baseline groups, you must have the Manage Baseline privilege. To attach baselines and baseline groups to target inventory objects, you must have the Attach Baseline privilege. The privileges must be assigned on the vCenter Server system where vSphere Lifecycle Manager runs.
For more information about managing users, groups, roles, and permissions, see the vSphere Security documentation.
For a list of all vSphere Lifecycle Manager privileges and their descriptions, see vSphere Lifecycle Manager Privileges For Using Baselines.
Creating Baselines in vSphere 7.0 and Later Releases
In vSphere 7.0 and later releases, the official VMware online depot hosts certified partner content in addition to VMware content, so a broader set of OEM bulletins is available in the vSphere Lifecycle Manager depot. As a result, in the Create Baseline and Edit Baseline wizards, you also see a broader set of OEM bulletins. Some of these bulletins might have dependencies that must be pulled into the baselines that you create, so that the remediation against those baselines is successful. Always consult the KB article for an individual bulletin before you include it in a baseline. The KB article contains information about the bulletin deployment specifics and required dependencies. You must include in the baseline only bulletins that are compatible with the hardware on which the host is running. Otherwise, remediation might fail.
Starting with vSphere 7.0, some changes are also introduced in the way VMware content is packaged. As a result, at patch and update releases, you might see additional bulletins on the patch selection page of the Create Baseline and Edit Baseline wizards. Those bulletins are usually of the Enhancement or BugFix category. When you include those bulletins in a baseline, you might need to also include base ESXi bulletins in that baseline. To ensure successful application of VMware patches and updates, always include the appropriate roll-up bulletin in your baselines. Otherwise, remediation might fail.