Deploying Patches to Virtual Machines and to Virtual Machine Templates

The method for initiating a patch deployment is the same regardless of whether you are deploying to a physical machine, an online virtual machine, an offline virtual machine, or a virtual machine template. What happens after you initiate the deployment, however, differs slightly for virtual machines and for virtual machine templates.

Note: For deployments to virtual machines that are hosted on a server, it is recommended that you use the Virtual Machine Standard deployment template. Also, in all cases, the virtual network must remain connected during deployment.

Immediate Patch Deployments

Note: Also applies to Install at next reboot patch deployments performed on offline hosted virtual machines.

When you perform an immediate deployment to a physical machine, an online workstation virtual machine, or an offline workstation virtual machine, the files required for the deployment are copied to the target machine immediately and the deployment is scheduled to occur immediately using the scheduler on the target machine. The online/offline status of these machine types is determined at the time you initiate the deployment. The actual patch installation is performed on the target machines and the console is not actively involved in the patch installation.

When you perform an immediate deployment to a virtual machine that is hosted on a server, the entire deployment process occurs on the Shavlik Protect console machine.  The console determines the online/offline status of the hosted virtual machines and the console service is actively involved during the patch installation. This allows the console service to modify the state of the hosted virtual machines during the deployment.

The following table summarizes what happens at the time you perform an immediate deployment based on where the virtual machines are defined within the machine group.

 

| Machine Group Tab Used to Define the Virtual Machine | Target Machine is Online | Target Machine is Offline |
| --- | --- | --- |
| Machine Name, Domain Name, IP Address/Range, Organizational Unit | Push files and initiate deployment immediately. | Fail |
| Workstation Virtual Machines | Fail | Push files and schedule on target; deployment will occur the next time the virtual machine is brought online. |
| Hosted Virtual Machines | Push files and initiate deployment immediately. The process is the same as a physical machine except that snapshots will be taken as directed by the deployment template. | *See steps below. VMware tools must be installed on the virtual machine in order for the deployment to be successful. |

 

*During deployment to an offline hosted virtual machine or an offline virtual machine template, the following steps occur:

  1. [Conditional: Templates Only] Convert the virtual machine template to an offline virtual machine.

  2. (Optional) Take a snapshot if the deployment template is configured to take a pre-deployment snapshot.

  3. (Optional) Delete old snapshots if one of the snapshot thresholds defined on the patch deployment template is exceeded.

  4. Copy the patches to the offline virtual machine.

  5. Reconfigure the following on the offline virtual machine:

  6. Power on the virtual machine.

  7. Install the patches.

  8. Power down the virtual machine.

  9. Reset the machine configuration to its original network connection and Sysprep settings.

  10. (Optional) Take a snapshot if the deployment template is configured to take a post-deployment snapshot.

  11. (Optional) Delete old snapshots if one of the snapshot thresholds defined on the patch deployment template is exceeded.

  12. [Conditional: Templates Only] Convert the offline virtual machine back to a virtual machine template.

Scheduled Patch Deployments

Note: Also applies to Install at next reboot patch deployments performed on online hosted virtual machines and offline workstation virtual machines.

When you schedule a deployment to a physical machine, an online workstation virtual machine, or an offline workstation virtual machine, the files required for the deployment are copied to the target machine immediately and the deployment is scheduled using the scheduler on the target machine. The online/offline status of these machine types is determined at the time you schedule the deployment. The actual patch installation is performed on the target machines and the console is not actively involved at the time the patches are installed.

When you schedule a deployment to a virtual machine that is hosted on a server, the entire deployment process is scheduled to occur on the Shavlik Protect console machine using the scheduler on the console. The online/offline status of the hosted virtual machines is determined at the scheduled time, and the console is actively involved at the time the patches are installed. This allows the console to modify the state of the hosted virtual machines during the deployment.

The following table summarizes what happens at the time you schedule a deployment based on where the virtual machines are defined within the machine group.

 

| Machine Group Tab Used to Define the Virtual Machine | Target Machine is Online When Scheduled | Target Machine is Offline When Scheduled |
| --- | --- | --- |
| Machine Name, Domain Name, IP Address/Range, Organizational Unit | Push files to the target and schedule the deployment on the target. The deployment will occur the next time both of the following are true: the machine is online, and the scheduled time has passed. | Fail |
| Workstation Virtual Machines | Fail | Push files to the target and schedule the deployment on the target. The deployment will occur the next time both of the following are true: the machine is online, and the scheduled time has passed. |
| Hosted Virtual Machines | Schedule the deployment on the console. At the scheduled time (or, for Install at next reboot deployments, when the machine is restarted), treat as an immediate deployment. See Hosted Virtual Machines in the previous table. | Same as when online. |

 

If the scheduled deployment contains a mix of hosted virtual machines and other types of machines, the machines are separated into two groups. The deployment of the hosted virtual machines is scheduled to occur on the console at the scheduled time. For all machines other than hosted virtual machines, the files are copied to the target machines immediately and the deployment is scheduled to occur using the scheduler on the target machine.

Power State and Credential Requirements for a Successful Deployment

Note: Keep in mind that, from Shavlik Protect's point of view, the definition of a successful deployment depends on where the virtual machine is located. A successful deployment to a hosted virtual machine means the machine is fully patched, while a successful deployment to a workstation-based virtual machine means the patches have been pushed to the offline virtual machine.

An offline virtual machine (workstation-based or hosted on a server) is a file or set of files. Scanning or deploying to an offline virtual machine requires permissions to the file system where the files reside. An online virtual machine is almost indistinguishable from a physical machine. Deploying patches to an online virtual machine requires credentials for an administrator account on the virtual machine operating system.

Because of these differences between online and offline virtual machines, you may need to provide two sets of credentials – one for when the virtual machine is in the online state and one for when it is in the offline state.  

For workstation virtual machines, if you wish to scan and/or deploy to the virtual machine in either its online or offline state, you should add the virtual machine to the machine group twice:

For hosted virtual machines, you only need to specify the machine once, on the Hosted Virtual Machines tab. Separate credentials, however, are still required to access the machine in either the online or offline state. The browse credentials you enter when connecting to the VMware server are used when the machine is in the offline state. You should enter online credentials for each hosted virtual machine using the Set Admin Credentials option in the bottom pane of the machine group editor.

The following table summarizes the credentials used for various machine types.

 

| Machine Type | Machine State | Machine Group Tab Used to Define the Virtual Machine | Credentials Required |
| --- | --- | --- | --- |
| Physical Machine | Online | Machine Name, Domain Name, IP Address/Range, Org Unit | Machine or machine group credentials |
| Workstation VM | Online | Machine Name, Domain Name, IP Address/Range, Org Unit | Machine or machine group credentials |
| Workstation VM | Offline | Workstation Virtual Machines | Machine or machine group credentials |
| Hosted VM | Online | Hosted Virtual Machines | Machine or machine group credentials |
| Hosted VM | Offline | Hosted Virtual Machines | Browse credentials (the creds used to log on to the VM server) |

Note: Integrated credentials will not work for deployments to offline virtual machines.

If you specify both online and offline credentials for virtual machines, you will be able to scan and deploy to those virtual machines whether they are online or offline.
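
The tab, power state and credential rules above can be combined into a pre-deployment check that predicts where each machine will be handled and what will block it. The following Python is an added example, not Shavlik Protect code: the Target record, its field names, and the preflight and plan functions are hypothetical. It assumes integrated credentials are acceptable for online machines (the page only rules them out offline) and, for scheduled hosted deployments, checks both credential sets because the power state is read at the scheduled time.

```python
from dataclasses import dataclass

NAMED, WORKSTATION, HOSTED = "named", "workstation", "hosted"  # machine group tabs

@dataclass
class Target:  # hypothetical inventory record, not a Shavlik Protect object
    name: str
    tab: str                     # tab the machine is defined on
    online: bool                 # power state when the check runs
    machine_creds: str = "none"  # "explicit", "integrated" or "none"
    browse_creds: str = "none"   # same values; the VM server logon
    vmware_tools: bool = True

def preflight(t, scheduled=False):
    """Return (who drives the install, blocking problems) for one target."""
    problems = []
    if t.tab == HOSTED:
        # Scheduled hosted jobs read the power state at run time: check both.
        states = (True, False) if scheduled else (t.online,)
        if True in states and t.machine_creds == "none":
            problems.append("online: no machine or machine group credentials")
        if False in states:
            if t.browse_creds != "explicit":
                problems.append("offline: explicit browse credentials required")
            if not t.vmware_tools:
                problems.append("offline: VMware Tools not installed")
        return "console", problems
    # Named tabs reach only online machines, the Workstation tab only offline.
    if t.online != (t.tab == NAMED):
        return "fail", [f"{t.tab} tab cannot deploy in this power state"]
    if t.online and t.machine_creds == "none":
        problems.append("online: no machine or machine group credentials")
    if not t.online and t.machine_creds != "explicit":
        problems.append("offline: explicit machine credentials required")
    # Offline workstation VMs report success once files are pushed, not patched.
    return ("target" if t.online else "target-pushed-only"), problems

def plan(targets, scheduled=False):
    groups = {"console": [], "target": [], "target-pushed-only": [], "fail": []}
    for t in targets:  # split a mixed deployment: console-run vs target-run
        driver, problems = preflight(t, scheduled)
        groups[driver].append((t.name, problems))
    return groups

SAMPLE = [  # constructed inventory
    Target("srv01", NAMED, True, machine_creds="explicit"),
    Target("lab-vm", WORKSTATION, False, machine_creds="integrated"),
    Target("lab-vm-online", WORKSTATION, True, machine_creds="explicit"),
    Target("esx-web", HOSTED, True, machine_creds="explicit"),
]
```

Machines that land in the target-pushed-only group are the ones to re-scan after they are next brought online, since a reported success there means only that the patches were pushed.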