In a vSphere environment, VMware states that vSphere Update Manager (VUM) is the preferred method of upgrading and patching vSphere. Fortunately for PowerShell users, PowerCLI supports performing the functions of VUM.

Using VUM to upgrade ESXi hosts in a GUI is a relatively straightforward process, which Jim Jones shows on 4sysops here. Using PowerCLI, I will show you how to update a single ESXi host and an entire cluster. Please note I am using PowerShell v5.1, PowerCLI v6.3, and vSphere v6 in these examples.

Update Manager baselines

VUM uses baselines, which are a group of patches that you can "attach" to a template, virtual machine (VM), ESXi host, cluster, data center, folder, or virtual application (vApp). After attaching a baseline to one of these entities, you can scan to see if it is in compliance, meaning whether it is missing any patches that apply to it in the baseline. Below you can see how to retrieve compliance information about a host with the Get-Compliance cmdlet.

C:\> $Baseline = Get-Baseline -Name 'Critical Host Patches (Predefined)'
C:\> Get-Compliance -Entity VMHost-1 -Baseline $Baseline
Entity                         Baseline                            Status
------                         --------                            ------
VMHost-1                       Critical Host Patches (Predefined)  Compliant

In this article, I will be using the "Critical Host Patches" baseline exclusively. This built-in baseline includes any critical patches for your ESXi hosts.

If you run the Get-Baseline cmdlet for the critical baseline in PowerCLI, you can see that it is dynamic. This means new critical patches are added to this baseline as they are released and downloaded. I have added important updates to this baseline as well. It is a good practice to have VUM download any new patches each day and notify you via email.

Output of Get Baseline

Patch a single ESXi host

This is the usual process I go through when patching ESXi hosts:

  • Update Manager alerts me via email that it has downloaded new patches.
  • I take one or more ESXi hosts, scan, stage, patch, and ensure the patch does not break any functionality.
  • I then run Update-Entity to deploy the patch to my hosts.

Here I will go through the process of installing patches on just one ESXi host with PowerCLI. The cmdlets used for this are all part of the PowerCLI PowerShell module.

First, I will connect to vCenter.

C:\> Connect-VIServer vcenter
Name                           Port  User
----                           ----  ----
vcenter                        443   DOMAIN\Dan

Next, I will put the ESXi host VMHost-1 into maintenance mode with the Set-VMHost command. Notice I specify -State Maintenance. Putting the host in maintenance mode automatically triggers a vMotion of all VMs the host is running to other hosts in the cluster.

C:\> Set-VMHost -VMHost VMHost-1 -State Maintenance

Now I will place the critical host baseline into the $Baseline variable for use in future commands.

C:\> $Baseline = Get-Baseline -Name 'Critical Host Patches (Predefined)'

I ensure the baseline is attached to VMHost-1 with the Add-EntityBaseline command.

C:\> Add-EntityBaseline -Entity VMHost-1 -Baseline $Baseline

To test whether the host is in compliance, I will run Test-Compliance against VMHost-1, followed by Get-Compliance. As you can see, VMHost-1 is "NotCompliant" and needs to be patched.

C:\> Test-Compliance -Entity VMHost-1
C:\> Get-Compliance -Entity VMHost-1 -Baseline $Baseline
Entity                         Baseline                            Status
------                         --------                            ------
VMHost-1                       Critical Host Patches (Predefined)  NotCompliant

To stage the patches to the host, I run Copy-Patch, which will simply copy the patches to the host for installation.

C:\> Copy-Patch -Entity VMHost-1

Finally, it is time to install the patches. Running Update-Entity with the baseline and host specified begins the installation. Notice I use -RunAsync. This means the command returns me to the console immediately instead of waiting for the process to complete. I use this mainly because PowerCLI usually throws a "time out" error when waiting for the remediation to complete.

C:\> Update-Entity -Baseline $baseline -Entity VMHost-1 -RunAsync -Confirm:$False
Name                           State      % Complete Start Time   Finish Time
----                           -----      ---------- ----------   -----------
Remediate entity               Running             0 03:51:04 PM
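
The steps above combined into one function, as an added example that is not part of the original article. The function name Invoke-HostPatch is hypothetical; it assumes an existing Connect-VIServer session and that Wait-Task can follow the remediation task to completion. Unlike the walkthrough, it scans before entering maintenance mode so a compliant host is not evacuated, and it rescans after remediation before returning the host to service.

```powershell
# Added example: hypothetical helper, assumes Connect-VIServer has already been run.
function Invoke-HostPatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [string] $BaselineName = 'Critical Host Patches (Predefined)'
    )
    $ErrorActionPreference = 'Stop'   # any failed step aborts the run

    $vmHost   = Get-VMHost -Name $HostName
    $baseline = Get-Baseline -Name $BaselineName

    # Attach the baseline and scan first, so an already compliant host is left alone.
    Add-EntityBaseline -Entity $vmHost -Baseline $baseline | Out-Null
    Test-Compliance -Entity $vmHost | Out-Null
    $before = (Get-Compliance -Entity $vmHost -Baseline $baseline).Status
    if ($before -eq 'Compliant') { return $before }

    # Evacuate the host, then stage the patches.
    Set-VMHost -VMHost $vmHost -State Maintenance | Out-Null
    Copy-Patch -Entity $vmHost -Baseline $baseline | Out-Null

    # Start remediation asynchronously and wait on the returned task object
    # (assumption: Wait-Task does not hit the same time-out as a synchronous call).
    $task = Update-Entity -Baseline $baseline -Entity $vmHost -RunAsync -Confirm:$false
    Wait-Task -Task $task | Out-Null

    # Rescan: a finished task is not proof that the patches were applied.
    Test-Compliance -Entity $vmHost | Out-Null
    $after = (Get-Compliance -Entity $vmHost -Baseline $baseline).Status
    if ($after -ne 'Compliant') {
        throw "$HostName is still $after after remediation; left in maintenance mode."
    }

    # Only a host that verified as compliant goes back into service.
    Set-VMHost -VMHost $vmHost -State Connected | Out-Null
    return $after
}

# Usage: Invoke-HostPatch -HostName 'VMHost-1'
```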

Patch all ESXi hosts in a cluster

One of the great features of Update Manager is the capability to upgrade or patch an entire data center or cluster with one command. With Update-Entity I can automatically begin the process of patching or upgrading all the hosts in a cluster with the option of performing remediation in parallel. While performing remediation in parallel, vCenter will automatically calculate how many hosts it can remediate concurrently and load balance VMs using Distributed Resource Scheduler (DRS) on the hosts it is not remediating.

The process of patching a cluster is almost identical to performing a patch on an ESXi host. The main difference is that I am specifying the cluster in the -Entity parameter as well as some additional parameters in the Update-Entity command.

In this example I remediate "TestCluster" against the critical host baseline.

C:\> Connect-VIServer -Server vcenter
Name                           Port  User
----                           ----  ----
vcenter                        443   DOMAIN\Dan

C:\> $Cluster = Get-Cluster -Name 'TestCluster'
C:\> $Baseline = Get-Baseline -Name 'Critical Host Patches (Predefined)'
C:\> Add-EntityBaseline -Entity $Cluster -Baseline $Baseline
C:\> Test-Compliance -Entity $Cluster
C:\> Get-Compliance -Entity $Cluster -Baseline $Baseline
Entity                         Baseline                            Status
------                         --------                            ------
VMHost-1                       Critical Host Patches (Predefined)  NotCompliant
VmHost-2                       Critical Host Patches (Predefined)  NotCompliant
C:\> Copy-Patch -Entity $Cluster -Baseline $Baseline

As you can see, the ESXi hosts VMHost-1 and VMHost-2 are not compliant and can be patched. Now I can run Update-Entity, specifying that distributed power management, high availability, and fault tolerance be disabled, which VMware recommends. I also specify in the command to perform remediation in parallel with -ClusterEnableParallelRemediation:$true.

C:\> Update-Entity -Entity $Cluster -Baseline $Baseline -ClusterDisableDistributedPowerManagement:$true -ClusterDisableHighAvailability:$true -ClusterDisableFaultTolerance:$true -ClusterEnableParallelRemediation:$true -RunAsync -Confirm:$False

Name                           State      % Complete Start Time   Finish Time
----                           -----      ---------- ----------   -----------
Remediate entity               Running             0 09:37:37 AM
  1. Will 5 years ago

    This post is a huge help, thanks!

  2. Rishabh 3 years ago

    In patching all ESXi hosts in a cluster, how do we put the hosts into maintenance mode? Does it go into maintenance mode itself?

    • Shane 2 years ago

      Yes it does, so long as you do not have anything preventing the VMs from vMotioning.

  3. Pete Foret 2 years ago

    I would suggest you run a script to detach any CDRom and unmount any VMware Tools install.

  4. Pete Foret 2 years ago

    Question about disabling alarms. So we are on the same page I am talking about when you right-click a host and left-click disable alarms. 


    I can't find a script that will allow me to disable the alarm and then enable the alarm on a per-host basis. Do you by chance have anything?

    • Rainer 11 months ago
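      #disable alarm
      $alarmMgr = Get-View AlarmManager
      get-vmhost -Location cluster1,cluster2 | foreach-object{
          # loop body is missing on the page; assumed completion using AlarmManager.EnableAlarmActions(entity, enabled)
          $alarmMgr.EnableAlarmActions($_.ExtensionData.MoRef, $false)
      }
      #reenable alarm
      $alarmMgr = Get-View AlarmManager
      get-vmhost -Location cluster1,cluster2 | Where-Object {$_.ConnectionState -eq "Connected"}|foreach-object{
          $alarmMgr.EnableAlarmActions($_.ExtensionData.MoRef, $true)
      }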

  5. Pete Foret 2 years ago

    Another question:


    How would you combine baselines? For example, Critical Host Patches (Predefined) and Non-Critical Host Patches (Predefined)

    • Matt 2 years ago

      Add them with commas

      $Baseline = Get-Baseline -Name "Baseline Name 1", "Baseline Name 2"

      Great post, thanks.

  6. Firasath 1 year ago

    For the command;

    #Update-Entity -Baseline $baseline -Entity VMHost-1 -RunAsync -Confirm:$False

    It's not allowed to run it on multiple hosts. Not sure about the Cluster, but I tried to choose a few Hosts to run this command, and the operation wasn't allowed.

  7. Firasath 1 year ago

    To exit Maintenance mode on ESXi Hosts;

    Set-VMHost -VMhost VMHost-1 -State Connected
