The easiest way to manage ESXi host patches is with Update Manager, and for most of us this simply entails letting Update Manager automatically download patches as they become available and then scheduling a time to remediate the hosts. However, there are situations where Update Manager may not be allowed access to the Internet in order to automatically download patches. In addition, there are some who, for whatever reason, either cannot or choose not to use Update Manager. For these folks patching is still very easy, although a little bit more involved.

Probably the easiest way to get a list of available patches is from VMware’s online patch portal. From the patch portal you simply select the architecture (ESX or ESXi), specify your version, and then click the search button. The screen shot below shows my query to get all the ESXi 5.0 patches.


The search will return a list showing all the available ESXi 5.0 patches.  For each patch you will see the name, size, and download information on the left and a list of all the updates included in the patch on the right.  Note that for each fix there is also a link to a related KB article where you can get more information about a specific fix or update.


To download the patch simply select it by clicking in the checkbox next to the patch name and click the “Download Now” button.  You can download a single patch or multiple patches.   Each patch will be saved as a separate .zip file.  Once you’ve downloaded the patches you have a few options on how to install them.  Again, probably the easiest way to install patches is using Update Manager, but you can also use the ESXCLI command or PowerCLI.

Patches are cumulative. VMware typically releases patch bundles every 3 months. A new patch bulletin will include all the updates/fixes from any earlier bulletins.


Install Patches Using Update Manager

Begin by logging onto the vSphere client.  From the vSphere client home screen click on the “Update Manager” icon.  From the Update Manager Administration window select the “Patch Repository” tab.  Upload the ESXi patches by selecting the “Import Patches” link in the top right corner.


This will launch the “Import Patches” pop-up.  Click the Browse button to browse to the location where you saved the patch archive (.zip) and then click next.  Note that you do not need to extract the contents of the .zip archive; Update Manager understands the format of the .zip archive and will extract the contents as it imports the patches.  If the import fails, verify the checksum of the .zip archive to make sure the file didn’t get corrupted during the download.
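
An added example (not from the original post) of the checksum verification mentioned above, in Python: it compares a downloaded archive with the checksum published for it and, on a mismatch, distinguishes transfer damage from a different file. The function names, status strings and sample archives are constructed for illustration, and it assumes you have the checksum value published alongside the download; the hash algorithm is inferred from the length of that value.

```python
import hashlib
import os
import tempfile
import zipfile

# Hex digest length -> algorithm, so a published MD5, SHA-1 or SHA-256 value works as-is.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a large bundle is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def zip_is_intact(path):
    """True if the archive opens and every member passes its CRC check."""
    try:
        with zipfile.ZipFile(path) as zf:
            return zf.testzip() is None
    except Exception:  # any open/read/decompress failure means the archive is damaged
        return False

def check_bundle(path, published_hex):
    """Classify one downloaded archive against its published checksum."""
    published_hex = published_hex.strip().lower()
    algo = ALGO_BY_HEX_LEN.get(len(published_hex))
    if algo is None or not set(published_hex) <= set("0123456789abcdef"):
        return "unknown-checksum-format"
    if not os.path.isfile(path):
        return "missing"
    if file_digest(path, algo) == published_hex:
        return "ok"
    # Mismatch: a broken zip suggests transfer damage, an intact one a different file.
    return "mismatch-intact-zip" if zip_is_intact(path) else "mismatch-corrupt-zip"

def demo():  # constructed sample: a good archive, a truncated copy, a different archive
    d = tempfile.mkdtemp()
    good, cut, other = (os.path.join(d, n) for n in ("good.zip", "cut.zip", "other.zip"))
    for path, text in ((good, "constructed sample data " * 200), (other, "different")):
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("payload.txt", text)
    with open(good, "rb") as src, open(cut, "wb") as dst:
        dst.write(src.read()[:100])  # simulate an interrupted download
    published = file_digest(good, "sha1")  # stands in for the vendor-published value
    return {os.path.basename(p): check_bundle(p, published) for p in (good, cut, other)}

if __name__ == "__main__":
    print(demo())
```

Only an archive that returns "ok" should be imported; either mismatch result means downloading the patch again before retrying the import.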


That’s it. As you can see, manually adding ESXi patches to Update Manager is very easy to do. With the patches loaded into Update Manager, the next step is to create a baseline group that you can use to remediate your hosts. I’ll go ahead and give you a quick overview on how to do this, but be sure to refer to the Update Manager guide for more information.

To create a baseline, go to the Update Manager home screen and select the “Baselines and Groups” tab, then from the “Baseline” section on the left click the “Create” link:


The “New Baseline” wizard will start and walk you through the steps to create a new baseline.  Give the baseline a name and select “Host Patch” as the baseline type.  I recommend giving the baseline a name that coincides with the patch name used by VMware as it will make it easier to track things over time:


The next step is to set the baseline as either “Fixed” or “Dynamic”. For this example I will make the baseline Fixed.


Next you will select the patches to include in the baseline.  Select each patch and then click the down arrow to add it to the baseline.


The last step is to review the baseline to make sure it has all the patches you want and then click Finish.

The patch baseline will now be shown under the list of Baselines.


With the baseline created the last step is to attach the baseline to your hosts and to apply the patch.  To do this you need to go to the Update Manager “Compliance” view.  There are a couple ways to get there but what I typically do is go to the Host and Cluster view, select the host and then choose the Update Manager tab on the far right.


Click the “Attach…” link and from inside the pop-up select the patch-update baseline you just created and click attach.

With the baseline attached you can now apply the patches to your host by simply clicking the remediate button. Note that Update Manager works best if DRS is enabled in fully automated mode, as that will allow the VMs to be migrated off the host as part of the remediation. If you are not running DRS in fully automated mode you will need to manually migrate or shut down the VMs prior to the remediation.

Source: VMware Blogs