It isn’t exactly a secret that Microsoft publishes lots and lots of updates for its products. Typically, Windows virtual machines are configured to point to an update server (such as a Windows Server Update Services, or WSUS, server) so that they are able to download updates as they become available. But what about your Hyper-V hosts and other infrastructure components? Although these servers can (and should) also be pointed to a WSUS server, it is also possible to link a WSUS server directly to System Center Virtual Machine Manager. By doing so, it becomes possible to establish update compliance baselines and to perform compliance audits that compare infrastructure servers against those baselines to make sure that the servers are in compliance.
Linking a WSUS server to Virtual Machine Manager
To add a WSUS server to System Center Virtual Machine Manager, open the Virtual Machine Manager console and then select the Fabric workspace. Now, go to the Home tab, and click the Add Resources icon, found on the taskbar. Upon doing so, you will be presented with a list of several different types of resources that you can add. Choose the Update Server option, as shown in the screenshot below.
At this point, Virtual Machine Manager will display the Add Windows Server Update Services Server dialog box. This dialog box prompts you for a few basic pieces of information. As you would probably expect, you will need to specify the fully qualified domain name of your WSUS server as well as the TCP/IP port number that it is configured to use, as shown below.
Incidentally, the port number associated with WSUS can vary considerably. The default port number depends on the version of Windows Server that is hosting WSUS, and on whether or not the WSUS server is configured for SSL communications. For WSUS servers running on Windows Server 2008 R2 and earlier, use port 80, unless SSL is being used, in which case you should use port 443. For WSUS servers running on Windows Server 2012 and above, use 8531 for SSL communications, or 8530 for non-SSL communications. If your WSUS server is set up to use SSL, then be sure to select the Use Secure Sockets Layer (SSL) checkbox shown in the previous screenshot.
The last step in the process is to enter a set of administrative credentials for the WSUS server. You can opt to use a Virtual Machine Manager RunAs account instead, but if you decide to do that, then you will need to manually grant the account administrative privileges to the WSUS server.
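The same registration can be scripted from the VMM PowerShell module. The following is an added example, not code from the original article; it covers only the case of WSUS on Windows Server 2012 or later with SSL enabled, and the server name is a hypothetical placeholder.

```powershell
# Added example: register a WSUS server with VMM over SSL.
# Assumes the VMM console (and its PowerShell module) is installed locally.
Import-Module VirtualMachineManager

$WsusFqdn = 'wsus01.contoso.example'   # hypothetical WSUS server FQDN
$Port     = 8531                       # SSL port for WSUS on Windows Server 2012 and above

# Confirm the SSL port is reachable before handing the endpoint to VMM,
# so a firewall or binding problem is not mistaken for a credential problem.
$check = Test-NetConnection -ComputerName $WsusFqdn -Port $Port
if (-not $check.TcpTestSucceeded) {
    throw "Cannot reach $WsusFqdn on TCP port $Port; check the WSUS site binding and firewall."
}

# Prompt for an account with administrative rights on the WSUS server.
# A VMM RunAs account (Get-SCRunAsAccount) can be passed instead, provided it
# has been granted administrative privileges on the WSUS server.
$Credential = Get-Credential -Message 'WSUS administrator account'

# -UseSSLConnection is the scripted equivalent of the SSL checkbox in the dialog.
Add-SCUpdateServer -ComputerName $WsusFqdn -TCPPort $Port `
                   -Credential $Credential -UseSSLConnection

# Show the update server as VMM now sees it.
Get-SCUpdateServer -ComputerName $WsusFqdn
```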
One of the main reasons for associating a WSUS server with Virtual Machine Manager is that doing so allows you to create compliance baselines that define the updates that are required for various types of resources. You can then perform compliance scans to ensure that resources are in compliance with your baselines.
To create a compliance baseline, go to the Library workspace. From there, click on the Create option on the taskbar, and then choose the Baseline option. This will cause Virtual Machine Manager to launch the Update Baseline Wizard.
The wizard’s initial screen requires you to enter a name for the baseline that you are creating. It’s a good idea to use a name that reflects the purpose of the baseline. For example, you might call it Update Baseline for Hyper-V 2016 Hosts. Keep in mind that you can establish baselines for a variety of VMM roles including things like library servers, management servers, and more.
Click Next, and you will be taken to the wizard’s Updates screen. You will need to use this screen to specify the updates that you want to include in the baseline. For example, if you wanted to select all of the critical updates for inclusion in the baseline, then you would click Add, and then filter the selection to include critical updates. Now, just select the updates that you want to include (it is possible to select more than one update at a time), and click Add.
Click Next and you will be taken to the assignment scope screen. The assignment scope determines what the baseline will apply to. Typically, an assignment scope applies to host groups, but you can choose from a variety of resource types. After making your selection, click Next to go to the wizard’s Summary screen. Take a moment to make sure that the summary information is accurate, and then click Finish to create the new baseline.
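The wizard steps above can also be performed with the VMM cmdlets. This is an added example rather than part of the original article; the host group name is an assumption, and the update property names used in the filter should be confirmed against your VMM version.

```powershell
# Added example: build a baseline of critical updates and scope it to a host group.
Import-Module VirtualMachineManager

$BaselineName  = 'Update Baseline for Hyper-V 2016 Hosts'  # name suggested in the article
$HostGroupName = 'All Hosts'                               # assumption: target host group

# Select critical updates that have not been superseded.
# UpdateClassification and IsSuperseded are assumed property names;
# verify them with: Get-SCUpdate | Get-Member
$updates = Get-SCUpdate | Where-Object {
    $_.UpdateClassification -eq 'Critical Updates' -and -not $_.IsSuperseded
}
if (-not $updates) {
    throw 'No matching updates found; synchronize the update server and retry.'
}

# Create the empty baseline, then attach the updates and the assignment scope.
$baseline = New-SCBaseline -Name $BaselineName `
                           -Description 'Critical updates required on Hyper-V hosts'
$scope    = Get-SCVMHostGroup -Name $HostGroupName

Set-SCBaseline -Baseline $baseline -AddAssignmentScope $scope -AddUpdates $updates

# Report what was created, for the change record.
'{0}: {1} update(s) assigned to "{2}"' -f $BaselineName, @($updates).Count, $HostGroupName
```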
Scanning for compliance
Now that you have created a baseline, performing a compliance scan is easy. Go back to the Fabric workspace, select the computers that you want to scan, and then click the Scan icon, found in the toolbar.
It can take a while for a compliance scan to complete, but when the process finishes you can click on the server for which you want to view compliance information, and then look at the summary information shown at the bottom of the console. When you select a Hyper-V host for instance, the Virtual Machine Manager console displays a Compliance section (among other status information) at the bottom of the screen. Here you can see the compliance status, the operational status, and the date and time of the most recent scan.
If you have a server that is found to be out of compliance, you can perform automatic remediation, which will apply missing updates to the server. Generally speaking, the process involves selecting the server (within the Fabric workspace), going to the Home tab, and clicking the Remediate icon on the toolbar. From there, the rest of the process varies depending on the type of server (or cluster) you are remediating. The process should be relatively straightforward, but if you need help, you can find documentation at Microsoft's website.
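Scanning and remediation can be driven from PowerShell as well, which makes it practical to audit a whole host group on a schedule. This is an added example, not the article's own code; the host group name is an assumption, and remediation stays off unless `$Remediate` is set explicitly because it installs updates on the hosts.

```powershell
# Added example: scan every host in a group, report compliance,
# and optionally remediate the hosts that are out of compliance.
Import-Module VirtualMachineManager

$HostGroupName = 'All Hosts'   # assumption: host group to audit
$Remediate     = $false        # report only; set to $true inside a maintenance window

$group = Get-SCVMHostGroup -Name $HostGroupName

$report = foreach ($vmHost in Get-SCVMHost -VMHostGroup $group) {
    $computer = Get-SCVMMManagedComputer -ComputerName $vmHost.Name

    # Without -RunAsynchronously the scan job completes before the status is read.
    Start-SCComplianceScan -VMMManagedComputer $computer | Out-Null
    $status = Get-SCComplianceStatus -VMMManagedComputer $computer

    if ($Remediate -and $status.OverallComplianceState -ne 'Compliant') {
        # Remediate against each baseline assigned to this computer.
        foreach ($entry in $status.BaselineLevelComplianceStatus) {
            Start-SCUpdateRemediation -VMMManagedComputer $computer `
                                      -Baseline $entry.Baseline | Out-Null
        }
    }

    # Record the state observed by the scan (before any remediation).
    [pscustomobject]@{
        Host        = $vmHost.Name
        StateAtScan = $status.OverallComplianceState
    }
}

$report | Sort-Object StateAtScan | Format-Table -AutoSize
```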