Using VMM 2012 SP1 Baselines & Compliance To Orchestrate Patching Of Hyper-V Hosts

System Center 2012 Virtual Machine Manager SP1 includes the ability to manage the patching of your Hyper-V hosts (Windows Server 2012 or Windows Server 2008 R2) from the VMM console.

WSUS is used to synchronize the catalog and download updates from Microsoft.  You can use a dedicated WSUS installation (on your VMM server for small environments or dedicated VM otherwise) or you can use a shared WSUS install (such as with ConfigMgr).

Then you need to add the WSUS server to your fabric in VMM.  Go to Fabric, Update Server, and click Add Resources (Ribbon) > Update Server.  Step through the wizard to take control of your WSUS server from VMM.

What you’ll see won’t look too unusual if you’re used to WSUS administration.  In my lab, I only sync updates for Windows Server 2012 and Windows Server 2008 R2.


Here’s a gotcha: VMM does not sync the catalog automatically.  You synchronize by right-clicking on the Update Server and selecting the Synchronize action.  You can figure out the POSH to do this and set up a scheduled task.

Now you’re pulling down updates.  The next step is to figure out what updates need to be applied.  This requires one or more Baselines, which you’ll manage in Library > Update Catalog And Baselines > Update Baselines.  The role of a baseline is to list a set of updates that you expect to find on your hosts.  If they are not present then VMM can install them for you.

You can create a new Baseline from the Ribbon by clicking Create > Baseline.  You have to manually select the updates that you want to include in the baseline.  This is … not pleasant.  There may be a POSH way to do this – I’ve not looked into it.  You also set the scope of the fabric that you want to update.  This includes clusters, hosts, and parts of the VMM fabric too.


Now you’re going to check host/cluster compliance.  Go back to Fabric, navigate to the cluster or host, and select Compliance in the Ribbon.  Hit Scan on the Ribbon and wait – tip: do not scan a cluster and a cluster member at the same time or you’ll create a refresher job deadlock that renders the cluster unmanageable from VMM. 

The compliance of the hosts with the assigned baseline will be presented, as shown here.  You can right-click on the compliance properties to see what updates are missing.  You can create exemptions for updates on specific hosts if required.


To fix the compliance issue, select the cluster/host and hit Remediate in the Ribbon.  A new job will start.  This will put hosts into maintenance and use Live Migration to vacate cluster nodes of highly available VMs (keeping services online and operational without affecting SLAs).  Patching and reboots will happen.  As usual with Windows Updates, you may require several runs/reboots to get compliant.
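The sync/scan/report steps above can be scripted so that a scheduled task produces a missing-updates report without anyone clicking through the console.  This is an added example, not from the original post; it uses the VMM 2012 SP1 cmdlets (Get-SCUpdateServer, Start-SCUpdateServerSynchronization, Start-SCComplianceScan, Get-SCComplianceStatus), while the server name and the compliance-object property names (OverallComplianceState, BaselineComplianceStatus, UpdateComplianceStatus) are assumptions to check with Get-Member on your own VMM server.

```powershell
# Added example, not part of the original post.  Assumes the VMM 2012 SP1 console
# (and its PowerShell module) is installed where this runs.
Import-Module virtualmachinemanager
$vmm = Get-SCVMMServer -ComputerName "vmm01.contoso.lab"   # placeholder VMM server

# 1. Sync the WSUS catalog first; VMM does not do this on a schedule by itself.
$wsus = Get-SCUpdateServer
Start-SCUpdateServerSynchronization -UpdateServer $wsus | Out-Null

# 2. Scan hosts one at a time.  Scanning a cluster and one of its members at the
#    same time can deadlock the refresher jobs, so this loop never runs two scans
#    concurrently and never scans a cluster object alongside its nodes.
$report = @()
foreach ($vmHost in Get-SCVMHost) {
    $mc = Get-SCVMMManagedComputer -ComputerName $vmHost.Name
    Start-SCComplianceScan -VMMManagedComputer $mc | Out-Null
    $status = Get-SCComplianceStatus -VMMManagedComputer $mc

    # Property names below are assumed from the VMM compliance object model.
    foreach ($bl in $status.BaselineComplianceStatus) {
        $missing = $bl.UpdateComplianceStatus | Where-Object { $_.Status -ne "Compliant" }
        foreach ($u in $missing) {
            $report += [pscustomobject]@{
                Host     = $vmHost.Name
                Baseline = $bl.Baseline.Name
                Update   = $u.Update.Title
                Status   = $u.Status
            }
        }
    }
}

# 3. Write the report for the fabric team; remediation stays a deliberate action
#    (Start-SCUpdateRemediation -VMMManagedComputer $mc) rather than an automatic one.
$stamp = Get-Date -Format "yyyyMMdd-HHmm"
$report | Export-Csv -NoTypeInformation -Path "C:\Reports\vmm-compliance-$stamp.csv"
$report | Group-Object Host | Select-Object Name, Count | Format-Table -AutoSize
```

Register the script as a scheduled task running under an account that holds the VMM administrator role, and review the CSV rather than letting the task remediate on its own.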


Note that you do not need to configure the usual Windows Update GPOs or registry values to use this feature; the patch deployment is an action of the VMM agent and operates independently of these settings.  In my lab, the hosts are configured via GPO to download patches from another WSUS server with manual patching install.  I still can use VMM to do baseline compliance scanning and remediation.

What do I think of this feature?  In my opinion, this is not a solution for regular patching.  The amount of required manual effort is not good; manual patching = no patching.  Conficker has proven this.  I’m sure POSH wizards can automate all of this but it’ll be fragile.  I would much rather use Windows Server 2012 Failover Clustering.

However, I still see uses for this VMM solution:

  • Compliance Scanning: Maybe TeamA manages WSUS for the entire network.  TeamB might manage the fabric and use Baselines and Compliance to verify that their fabric is up to date.  The remediation has nothing to do with the system and settings that are used by TeamA.
  • Some organizations, e.g. pharma, need complete control over change.  The manual nature of patch selection, compliance, and remediation may suit their challenging needs.
  • WS2012 has CAU to automate the orchestration of patching on clustered hosts.  Windows Server 2008 R2 does not have this feature.  Some wizards might figure out how to do this using System Center 2012 Orchestrator SP1 (here’s an Opalis [pre-Orchestrator] link), but others might choose to do the patching via VMM.

I think I would try to restrict my usage of this VMM feature purely to compliance operations, maybe done once per year or quarter.  CAU is a superior and easier to manage feature, and leverages existing investments in patching that span the entire network including the cloud, data centre and client devices.
