Notes About Virtual Machine Templates

General Notes

  • For information on using virtual machine templates in patch scans, asset scans, and patch deployments, see Roadmap of Tasks.
  • The type of virtual machine template (server template, workstation template, etc.) does not matter; all types are supported by Security Controls.
  • Only virtual machine templates that are hosted on a VMware server are supported by Security Controls. The templates are added to a machine group using the Hosted Virtual Machines tab. Virtual machine templates that reside on individual workstations are not supported.
  • A unique icon is used to identify virtual machine templates. You will see this icon when adding a template to a machine group and when viewing scan results in Scan View and in Machine View.
  • As with anything that involves components on a network, errors can occur if connections go bad, if servers are shut down, if a template is modified while being accessed by Security Controls, etc. In general, the templates should not be touched at any time during the scanning or patch deployment process.
  • When you initiate a patch or an asset scan of a virtual machine template, Security Controls will scan the template in its current state and will report the results the same way it does for virtual machines and physical machines.
  • During a scan, a template will be accessed using the VMware server credentials. Any individual credentials supplied for the template are ignored.
  • You should supply online credentials for any virtual machine template that will be included in a patch deployment process. During the patch deployment process the template is converted to a virtual machine and powered on; Security Controls needs the supplied credentials in order to access the online virtual machine.
  • When scanning or deploying to an offline virtual machine template, TCP Port 902 must be available in order for the virtual disk to be mounted.

Patch Deployments

  • When deploying patches to a virtual machine template, the following VMware server permissions are required in order to manage snapshots and to perform the deployment:
    • VirtualMachine.State.CreateSnapshot
    • VirtualMachine.State.RemoveSnapshot
    • VirtualMachine.Provisioning.MarkAsTemplate
    • VirtualMachine.Provisioning.MarkAsVM
  • When you initiate a patch deployment to a virtual machine template, Security Controls will do the following:
  1. Convert the virtual machine template to an offline virtual machine.
  2. (Optional) Take a snapshot if the patch deployment template is configured to take a pre-deployment snapshot.
  3. (Optional) Delete old snapshots if one of the snapshot thresholds defined on the patch deployment template is exceeded.
  4. Push the patches to the offline virtual machine.
  5. Reconfigure the following on the offline virtual machine:
    • Disable the network adaptor's Connect at power on option. This is done so that the machine is isolated from the network when the patch process is run.
    • If Sysprep is scheduled to run, disable it so it will not automatically configure the machine's operating system when the machine is first powered on.
  6. Power on the virtual machine.
  7. Install the patches.
  8. Power down the virtual machine.
  9. Reset the machine configuration to its original network connection and Sysprep settings.
  10. (Optional) Take a snapshot if the patch deployment template is configured to take a post-deployment snapshot.
  11. (Optional) Delete old snapshots if one of the snapshot thresholds defined on the patch deployment template is exceeded.
  12. Convert the offline virtual machine back to a virtual machine template.
  • The patch deployment template you use must not specify the use of a distribution server. The offline virtual machine will be disconnected from the network and unable to download the patches from the distribution server.
  • The patch deployment template you use should not specify a pre-deploy reboot (the program will be unable to initiate the reboot because the machine will be offline) and it should always perform a post-deploy reboot (this is a "best practice" when deploying patches). For deployments to virtual machine templates it is recommended you use the Virtual Machine Standard deployment template.
  • During a patch deployment, a virtual machine template that may normally be available only to an administrator will become visible to other users. This is because during the patch deployment process the template is temporarily converted to a virtual machine and powered on.
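The following PowerCLI pre-flight check is an added example, not part of Security Controls or this page; it verifies the four VMware privileges listed above on the role used by the deployment account, confirms TCP port 902 is reachable on the host that holds the template, and records the adapter's Connect at power on state so you can confirm it is restored after step 9. The vCenter name, role name and template name are placeholders you must replace.

```powershell
# Added pre-flight check for template scans/deployments (example code, not Security Controls' own).
# Assumes VMware PowerCLI is installed; run it from the Security Controls console machine,
# since that is the machine that must reach port 902.
Import-Module VMware.PowerCLI -ErrorAction Stop

$vCenter      = 'vcenter.example.internal'    # placeholder
$roleName     = 'SecurityControls-Patching'   # placeholder: role granted to the deployment account
$templateName = 'win2019-base-template'       # placeholder

Connect-VIServer -Server $vCenter | Out-Null

# 1. Privileges the deployment process needs (the four listed on this page). Checking the
#    role for exactly these, and nothing more, keeps the service account at least privilege.
$required = @(
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RemoveSnapshot',
    'VirtualMachine.Provisioning.MarkAsTemplate',
    'VirtualMachine.Provisioning.MarkAsVM'
)
$granted = (Get-VIPrivilege -Role (Get-VIRole -Name $roleName)).Id
$missing = $required | Where-Object { $granted -notcontains $_ }
if ($missing) {
    Write-Warning ("Role '{0}' is missing: {1}" -f $roleName, ($missing -join ', '))
} else {
    Write-Host "Role '$roleName' has all four required privileges."
}

# 2. TCP 902 on the ESXi host holding the template: required to mount the virtual disk
#    of an offline template for scanning and deployment.
$template = Get-Template -Name $templateName
$hostName = (Get-View -Id $template.ExtensionData.Runtime.Host).Name
if (Test-NetConnection -ComputerName $hostName -Port 902 -InformationLevel Quiet) {
    Write-Host "TCP 902 reachable on $hostName."
} else {
    Write-Warning "TCP 902 is NOT reachable on $hostName; offline disk mount will fail."
}

# 3. Record the template's 'Connect at power on' setting before deployment. Security Controls
#    disables it during the deployment and resets it in step 9; compare this output afterwards.
Get-NetworkAdapter -Template $template |
    Select-Object Name, @{ n = 'StartConnected'; e = { $_.ConnectionState.StartConnected } }

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Run the adapter query again after the deployment completes; any adapter whose StartConnected value changed indicates the reset in step 9 did not take effect.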