{"id":14239,"date":"2013-03-07T13:33:00","date_gmt":"2013-03-07T13:33:00","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=14239"},"modified":"2013-03-07T13:33:00","modified_gmt":"2013-03-07T13:33:00","slug":"using-vmm-2012-sp1-baselines-compliance-to-orchestrate-patching-of-hyper-v-hosts","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=14239","title":{"rendered":"Using VMM 2012 SP1 Baselines & Compliance To Orchestrate Patching Of Hyper-V Hosts"},"content":{"rendered":"

System Center 2012 Virtual Machine Manager SP1 includes the ability to manage the patching of your Hyper-V hosts (Windows Server 2012 or Windows Server 2008 R2) from the VMM console.<\/p>\n

WSUS is used to synchronize the catalog and download updates from Microsoft.  You can use a dedicated WSUS installation<\/a> (on your VMM server for small environments or dedicated VM otherwise) or you can use a shared WSUS install<\/a> (such as with ConfigMgr).<\/p>\n

Then you need to add the WSUS server to your fabric in VMM.  Go to Fabric, Update Server, and click Add Resources (Ribbon) > Update Server.  Step through the wizard to take control of your WSUS server from VMM.<\/p>\n

What you\u2019ll see won\u2019t look too unusual if you\u2019re used to WSUS administration.  In my lab, I only sync updates for Windows Server 2012 and Windows Server 2008 R2.<\/p>\n

\"image\"<\/a><\/p>\n

Here\u2019s a gotchya: VMM does not sync the catalog automatically.  You synchronize by right-licking on the Update Server, and selecting the Synchronize action.  You can figure out the POSH to do this and set up a scheduled task.<\/p>\n

Now you\u2019re pulling down updates.  The next step is to figure out what updates need to be applied.  This requires one or more Baselines, which you\u2019ll manage in Library > Update Catalog And Baselines > Update Baselines.  The role of a baseline is to list a set of updates that you expect to find on your hosts.  If they are not present then VMM can install them for you.<\/p>\n

You can create a new Baseline from the Ribbon by clicking Create > Baseline.  You have to manually select the updates that you want to include in the baseline.  This is \u2026 not pleasant.  There may be a POSH way to do this \u2013 I\u2019ve not looked into it.  You also set the scope of the fabric that you want to update too.  This includes clusters, hosts, and parts of the VMM fabric too.<\/p>\n

\"image\"<\/a><\/p>\n

Now you\u2019re going to check host\/cluster compliance.  Go back to Fabric, navigate to the cluster or host, and select Compliance in the Ribbon.  Hit Scan on the Ribbon and wait \u2013 tip: do not scan a cluster and a cluster member at the same time or you\u2019ll create a refresher job deadlock that renders the cluster unmanageable from VMM.  <\/p>\n

The compliance of the hosts with the assigned baseline will be presented, as shown here.  You can right lick on the compliance properties to see what updates are missing.  You can create exemptions for updates on specific hosts if required.<\/p>\n

\"image\"<\/a><\/p>\n

To fix the compliance issue, select the cluster\/host and hit Remediate in the Ribbon.  A new job will start.  This will put hosts into maintenance and use Live Migration to vacate cluster nodes of highly available VMs (keeping services online and operational without affecting SLAs).  Patching and reboots will happen.  As usual with Windows Updates, you may require several runs\/reboots to get compliant.<\/p>\n

\"image\"<\/a><\/p>\n

Note that you do not need to configure the usual Windows Update GPOs or registry values to use this feature; the patch deployment is an action of the VMM agent and operates independently of these settings.  In my lab, the hosts are configured via GPO to download patches from another WSUS server with manual patching install.  I still can use VMM to do baseline compliance scanning and remediation.<\/p>\n

What do I think of this feature?  In my opinion, this is not a solution for regular patching.  The amount of required manual effort is not good; manual patching = no patching.  Conficker has proven this.  I\u2019m sure POSH wizards can automate all of this<\/a> but it\u2019ll be fragile. I would much rather prefer to use Windows Server 2012 Failover Clustering.<\/p>\n

However, I still see uses for this VMM solution:<\/p>\n