Deploying Patches to Virtual Machines and to Virtual Machine Templates
The method for initiating a patch deployment is the same regardless of whether you are deploying to a physical machine, an online virtual machine, an offline virtual machine, or a virtual machine template. It's what happens after you initiate the deployment, however, that is slightly different for virtual machines and for virtual machine templates.
For deployments to virtual machines that are hosted on a server, it is recommended that you use the Virtual Machine Standard deployment template. In all cases, the virtual network must remain connected for the duration of the deployment.
Immediate Deployments
This section also applies to Install at next reboot patch deployments performed on offline hosted virtual machines.
When you perform an immediate deployment to a physical machine, an online workstation virtual machine, or an offline workstation virtual machine, the files required for the deployment are copied to the target machine immediately and the deployment is scheduled to occur immediately using the scheduler on the target machine. The patch installation is performed on the target machine itself; the console is not actively involved. If the machine is in a different power state from when it was last scanned, the deployment will fail.
When you perform an immediate deployment to a virtual machine that is hosted on a server, the entire deployment process occurs on the Security Controls console machine. The console determines the online/offline status of the hosted virtual machines and the console service is actively involved during the patch installation. This allows the console service to modify the state of the hosted virtual machines during the deployment.
The following table summarizes what happens at the time you perform an immediate deployment, based on the machine group tab used to define the virtual machines.

Machine Group Tab Used to Define the Virtual Machine | Target Machine is Online | Target Machine is Offline
---|---|---
Machine Name, Domain Name, | Push files and initiate deployment immediately. | Fail
Workstation Virtual Machines | Fail | Push files and schedule on target; the deployment will occur the next time the virtual machine is brought online.
Hosted Virtual Machines | Push files and initiate deployment immediately. The process is the same as for a physical machine except that snapshots will be taken and deleted as directed by the deployment template. | *See steps below. VMware Tools must be installed on the virtual machine in order for the deployment to be successful.
If you are operating in an NTLM- or SPN-restricted environment and you specify FQDN as your connection method, progress messages will not be displayed when deploying patches to offline hosted virtual machines.
*During deployment to an offline hosted virtual machine or an offline virtual machine template, the following steps occur:
- [Conditional: Templates Only] Convert the virtual machine template to an offline virtual machine.
- (Optional) Take a snapshot if the deployment template is configured to take a pre-deployment snapshot.
- (Optional) Delete old snapshots if one of the snapshot thresholds defined on the patch deployment template is exceeded.
- Copy the patches to the offline virtual machine.
- Reconfigure the following on the offline virtual machine:
  - Disable the network adapter's Connect at power on option. This isolates the machine from the network while the patch process runs.
  - Disable Sysprep so it will not automatically configure the machine's operating system when the machine is first powered on.
- Power on the virtual machine.
- Install the patches.
- Power down the virtual machine.
- Reset the machine configuration to its original network connection and Sysprep settings.
- (Optional) Take a snapshot if the deployment template is configured to take a post-deployment snapshot.
- (Optional) Delete old snapshots if one of the snapshot thresholds defined on the patch deployment template is exceeded.
- [Conditional: Templates Only] Convert the offline virtual machine back to a virtual machine template.
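The sequence above, written out as a VMware PowerCLI script, is an added illustration and is not Security Controls code or its internal method. It assumes PowerCLI is installed and Connect-VIServer has already been run; the VM or template name, the patch file path, the guest-side install command and the snapshot threshold are placeholders. It differs from the product's procedure in two places: the patch payload is transferred through VMware Tools after power-on rather than copied into the powered-off disk, and Sysprep suppression is not shown because the mechanism is product-specific. The part worth studying is the try/finally: the adapters are disconnected before the unpatched guest boots, and the original Connect at power on settings are restored even if the install step fails.

```powershell
# Added example, not Security Controls code. Assumes an existing PowerCLI session.
param(
    [Parameter(Mandatory)] [string] $Name,          # VM or template name (placeholder)
    [switch] $IsTemplate,                           # set when $Name is a template
    [string] $PatchFile = 'C:\Staging\patches.msp', # local patch payload (placeholder path)
    [int]    $MaxSnapshots = 3,                     # snapshot-count threshold (assumed value)
    [switch] $PreSnapshot,
    [switch] $PostSnapshot
)

# Delete the oldest snapshots once the count threshold is exceeded
function Remove-OldSnapshots {
    param($VM, [int] $Max)
    $snaps  = @(Get-Snapshot -VM $VM | Sort-Object Created)
    $excess = $snaps.Count - $Max
    if ($excess -gt 0) {
        $snaps | Select-Object -First $excess | Remove-Snapshot -Confirm:$false
    }
}

$guestCred = Get-Credential -Message 'Guest administrator credential'

# [Templates only] convert the template to an offline VM so it can be powered on
$vm = if ($IsTemplate) { Set-Template -Template (Get-Template -Name $Name) -ToVM } else { Get-VM -Name $Name }

# Preconditions from the table: the VM must be offline and must have VMware Tools
if ($vm.PowerState -ne 'PoweredOff') { throw "$Name is not powered off; this path is for offline VMs only" }
if ($vm.ExtensionData.Guest.ToolsStatus -eq 'toolsNotInstalled') { throw "VMware Tools is not installed on $Name" }

if ($PreSnapshot) { New-Snapshot -VM $vm -Name "pre-patch $(Get-Date -Format s)" | Out-Null }
Remove-OldSnapshots -VM $vm -Max $MaxSnapshots

# Remember each adapter's 'Connect at power on' setting so it can be restored exactly
$original = @{}
foreach ($nic in Get-NetworkAdapter -VM $vm) {
    $original[$nic.Name] = $nic.ConnectionState.StartConnected
}

try {
    # Isolate the guest: no adapter may connect while the unpatched OS is running.
    # (Sysprep suppression is product-specific and is not shown here.)
    Get-NetworkAdapter -VM $vm | Set-NetworkAdapter -StartConnected:$false -Confirm:$false | Out-Null

    Start-VM -VM $vm | Out-Null
    Wait-Tools -VM $vm -TimeoutSeconds 600 | Out-Null

    # Both calls go through VMware Tools, so they work with the adapters disconnected
    Copy-VMGuestFile -Source $PatchFile -Destination 'C:\Patches\' -VM $vm `
        -LocalToGuest -GuestCredential $guestCred -Force
    $run = Invoke-VMScript -VM $vm -GuestCredential $guestCred -ScriptType Bat `
        -ScriptText 'msiexec /p C:\Patches\patches.msp /qn /norestart'   # placeholder command
    if ($run.ExitCode -ne 0) { Write-Warning "Installer exited with code $($run.ExitCode)" }
}
finally {
    # Runs even if a step above threw: power down, then restore the original settings
    $vm = Get-VM -Name $vm.Name
    if ($vm.PowerState -eq 'PoweredOn') {
        Stop-VMGuest -VM $vm -Confirm:$false | Out-Null
        $deadline = (Get-Date).AddMinutes(10)
        while ((Get-VM -Name $vm.Name).PowerState -eq 'PoweredOn' -and (Get-Date) -lt $deadline) {
            Start-Sleep -Seconds 5
        }
        if ((Get-VM -Name $vm.Name).PowerState -eq 'PoweredOn') { Stop-VM -VM $vm -Confirm:$false | Out-Null }
    }
    foreach ($nic in Get-NetworkAdapter -VM $vm) {
        Set-NetworkAdapter -NetworkAdapter $nic -StartConnected:($original[$nic.Name]) -Confirm:$false | Out-Null
    }
}

$vm = Get-VM -Name $vm.Name
if ($PostSnapshot) { New-Snapshot -VM $vm -Name "post-patch $(Get-Date -Format s)" | Out-Null }
Remove-OldSnapshots -VM $vm -Max $MaxSnapshots

# [Templates only] convert the patched VM back into a template
if ($IsTemplate) { Set-VM -VM $vm -ToTemplate -Confirm:$false | Out-Null }
```

Run it as `.\Patch-OfflineVM.ps1 -Name 'win2019-gold' -IsTemplate -PreSnapshot -PostSnapshot` (names are placeholders). The preconditions at the top mirror the table's failure cases: a VM that is not powered off, or that lacks VMware Tools, is rejected before any snapshot or reconfiguration is made.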
Scheduled Deployments
This section also applies to Install at next reboot patch deployments performed on online hosted virtual machines and offline workstation virtual machines.
When you schedule a deployment to a physical machine, an online workstation virtual machine, or an offline workstation virtual machine, the files required for the deployment are copied to the target machine immediately and the deployment is scheduled using the scheduler on the target machine. The patch installation is performed on the target machine itself; the console is not actively involved. At the time of the actual deployment, if the machine is in a different power state from when it was last scanned, the deployment will fail.
When you schedule a deployment to a virtual machine that is hosted on a server, the entire deployment process is scheduled to occur on the Security Controls console machine using the scheduler on the console. The online/offline status of the hosted virtual machines is determined at the scheduled time, and the console is actively involved at the time the patches are installed. This allows the console to modify the state of the hosted virtual machines during the deployment.
The following table summarizes what happens at the time you schedule a deployment, based on the machine group tab used to define the virtual machines.

Machine Group Tab Used to Define the Virtual Machine | Target Machine is Online When Scheduled | Target Machine is Offline When Scheduled
---|---|---
Machine Name, Domain Name, | Push files to the target and schedule the deployment on the target. The deployment will occur the next time both of the following are true: | Fail
Workstation Virtual Machines | Fail | Push files to the target and schedule the deployment on the target. The deployment will occur the next time both of the following are true:
Hosted Virtual Machines | Schedule the deployment on the console. At the scheduled time (or, for Install at next reboot deployments, when the machine is restarted), treat as an immediate deployment. See Hosted Virtual Machines in the previous table. | Same as when online; the online/offline status is determined at the scheduled time.
If the scheduled deployment contains a mix of hosted virtual machines and other types of machines, the machines are separated into two groups. The deployment of the hosted virtual machines is scheduled to occur on the console at the scheduled time. For all machines other than hosted virtual machines, the files are copied to the target machines immediately and the deployment is scheduled to occur using the scheduler on the target machine.
Keep in mind that, from the point of view of Security Controls, the definition of a successful deployment depends on where the virtual machine is located. A successful deployment to a hosted virtual machine means the machine is fully patched, while a successful deployment to a workstation-based virtual machine means only that the patches have been pushed to the offline virtual machine.
When performing the deployment, the program will attempt to authenticate to the target machine using the credentials defined in the Manage Machine Properties dialog. If the credential is invalid the deployment will fail. For workstation-based virtual machines, if the power state of the machine has changed since the scan, the deployment will fail.
For more information, see Power State and Credential Requirements for VMs.