Use baselines to ensure patch compliance for Hyper-V virtual machines

Although it is undeniably important for an organization to maintain its virtual machines, it is equally important to maintain the underlying hosting infrastructure. This means (among other things) making sure that Hyper-V hosts, VMM servers, and other infrastructure servers are running a consistent set of patches. A while back I wrote an article explaining how to attach a WSUS server to VMM, and in that article, I briefly touched on the subject of creating a compliance baseline. In this article, I want to revisit the topic and show you exactly what is involved in establishing a patch compliance baseline for your Hyper-V hosts.

Deploy a WSUS server

The first step in the patch compliance process is to deploy a WSUS server, and then attach it to System Center Virtual Machine Manager. If you don’t know how to do this, then be sure to check out the article mentioned above. It will walk you through the process.

Once VMM has been configured to recognize the WSUS server, it will automatically create two sample patch compliance baselines – one for security updates and one for critical updates. You can find these sample baselines by going to the Library workspace and then expanding the Update Catalog and Baselines container and selecting the Update Baselines object, as shown below.

As I explained in my article on attaching a WSUS server to VMM, you can create your own baseline by right-clicking on the Update Baselines object and choosing the Create Baseline command from the shortcut menu. For the purposes of this article, however, let’s instead use one of the sample baselines.

If you look back at the screenshot above, you will notice that the console lists the number of updates and the number of assignments for each baseline. Right now the number of assignments is listed as 0 because the baselines have not been applied to any infrastructure resources.

To apply a baseline, right-click on the baseline, and choose the Properties command from the shortcut menu. This will open the baseline’s properties sheet. The properties sheet’s General tab lists the baseline’s name and description, and the Updates tab lists the updates that make up the baseline. As you can see in the next figure, you can use the Add and Remove buttons to make adjustments to the baseline on an as-needed basis.

Baseline assignments are made through the properties sheet’s Assignment Scope tab. As you can see in the next figure, the baseline can be applied to a host group, an individual Hyper-V host, or to various types of infrastructure servers. This underscores the fact that these baselines are not used to update virtual machines, but rather their underlying infrastructure.


After you make your selection, you will see the Assignments column update to reflect the number of assignments that you have made. If you look at the screenshot below, for example, you can see that one assignment exists for the Critical Updates sample baseline.

Performing a compliance check

So now that we have established a baseline, let’s use it to check to see if a particular Hyper-V host is compliant with the baseline settings. To do so, go to the Fabric workspace, and then click on the host group within which the host resides. In my case, the host that I want to check is in the All Hosts group. Selecting the host group will reveal the hosts within that group. You can see what this looks like in the figure below.

With the desired Hyper-V host selected, go to the Home tab at the top of the screen, and click on the Compliance button found on the toolbar. This will change the host’s operational status to Pending Compliance Scan, as shown in the next figure.


Now, click the Scan button, which you can see in the toolbar in the figure above. This will change the host’s operational status to Scanning. It may take several minutes for the scan to complete. As you can see in the next figure, this particular Hyper-V host is compliant with the baseline that has been assigned to it.


If the Hyper-V host were found to be out of compliance with the baseline, the Compliance Status column would display the words Non Compliant. If that were to happen, you can bring the host into a compliant state by clicking on the Remediate button.

The remediation option causes the Hyper-V host to be put into maintenance mode. Assuming that the host is a part of a cluster, the VMs running on the host will be live migrated to another host. At that point, updates are installed onto the host and the host is rebooted. VMM will then perform an additional compliance check and will either install any remaining updates or bring the Hyper-V host back out of maintenance mode.
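The same assign, scan, check and remediate sequence can be scripted from the VMM PowerShell module, which is useful when you have more than a handful of hosts to keep in line. This is an added example, not part of the original article: the VMM server and host names are placeholders, the baseline name is the one VMM gives its sample critical-updates baseline, and the OverallComplianceState property name is an assumption to confirm against Get-Help and Format-List in your VMM version.

```powershell
# Added example (not from the original article). Assumes the VMM console and its
# PowerShell module are installed and that the server and host names below are
# replaced with your own. Confirm cmdlet switches with Get-Help for your VMM version.
Import-Module VirtualMachineManager

$vmm      = Get-SCVMMServer -ComputerName "VMM01"   # placeholder VMM server name
$hostName = "HYPERV01"                              # placeholder Hyper-V host name
$baseline = Get-SCBaseline -VMMServer $vmm -Name "Sample Baseline for Critical Updates"

$vmHost  = Get-SCVMHost -VMMServer $vmm -ComputerName $hostName
$managed = Get-SCVMMManagedComputer -VMMServer $vmm -ComputerName $hostName

# 1. Assignment Scope: assign the sample baseline to this one host. Pass a host
#    group from Get-SCVMHostGroup instead to cover every host in the group.
Set-SCBaseline -Baseline $baseline -AddAssignmentScope $vmHost | Out-Null

# 2. Scan: equivalent to clicking Compliance and then Scan in the Fabric
#    workspace. The call returns when the scan finishes, which can take minutes.
Start-SCComplianceScan -VMMManagedComputer $managed -Baseline $baseline | Out-Null

# 3. Read the result. OverallComplianceState is assumed to read Compliant or
#    NonCompliant; pipe the object to Format-List if your version names it differently.
$status = Get-SCComplianceStatus -VMMManagedComputer $managed
Write-Host ("{0}: {1}" -f $hostName, $status.OverallComplianceState)

# 4. Remediate only when the host is out of compliance. -EnableMaintenanceMode
#    puts the host into maintenance mode and -UseLiveMigration moves clustered
#    VMs off it first, matching what the Remediate button does; VMM then installs
#    the updates, reboots the host and rescans it.
if ($status.OverallComplianceState -eq "NonCompliant") {
    Start-SCUpdateRemediation -VMMManagedComputer $managed -Baseline $baseline `
        -EnableMaintenanceMode -UseLiveMigration | Out-Null
    $status = Get-SCComplianceStatus -VMMManagedComputer $managed
    Write-Host ("{0} after remediation: {1}" -f $hostName, $status.OverallComplianceState)
}
```

Run it from a VMM administrator session; remediation reboots the host, so schedule it in a maintenance window even when live migration keeps the VMs available.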

Infrastructure servers

If you need to perform a compliance scan on an infrastructure server, then the procedure for doing so is slightly different. Rather than clicking on a host within the host group, you would select a container such as the Update Servers container or the VMM Server container, as shown in the next figure.

Revisit patch compliance baselines regularly

Using VMM makes it easy to assess whether your Hyper-V hosts and supporting infrastructure servers are in a compliant state, and to take corrective action if necessary. In a real-world environment, however, it will be necessary to revisit the compliance baselines on a regular basis, so that new patches can be added to the baseline.
