Notes About Virtual Machines

Requirements

  • Dual boot systems (for example, a virtual machine with two partitions, each containing a different operating system) are not supported.
  • When scanning offline virtual machines that are supported by VMware, please keep in mind the following:
    • You cannot mount encrypted virtual disks.
    • You cannot mount a virtual disk if any of its .vmdk files are compressed or have read-only permissions.
    • You cannot mount a virtual disk that is currently being used by a running or suspended virtual machine.
    • Linked clones and compressed images are not supported.

General Notes

  • Only the current state of the virtual machine will be scanned and patched. Snapshots of virtual machines are not scanned or patched.
  • A virtual machine is counted only once against the total number of license seats available, even if it is scanned both in online (powered on) mode and offline (powered off) mode.
  • In machine groups and in scan results, special icons distinguish an offline virtual machine from a physical machine or an online virtual machine, and from a virtual machine template.
  • Avoid using network drive letters when defining offline virtual machines in a machine group. The recommended practice is to instead specify the Uniform Naming Convention (UNC) path. This comes into play when performing a scheduled scan on an offline virtual machine. Network drive mappings are session-specific, so it is very possible that a specified mapping will no longer exist when the scheduled scan process is run.
  • Within a machine group, the Scan only filters do not apply to offline virtual machines or to virtual machine templates.
  • It is possible for two offline virtual machines to have the same domain and computer name. This will be the case if you clone a virtual machine and do not change either the computer name or domain on one or both machines. In this situation, of the two duplicate virtual machines, only the last one scanned will be visible in Machine View. The machines displayed in Machine View are keyed on domain and computer name and duplicates are not allowed.
  • Virtual machines that are offline (powered off) will be mounted before they are scanned. Virtual machines that are online (powered on) do not need to be mounted as they are treated no differently than a physical machine.
  • When performing a patch scan or an asset scan, a virtual machine that was added to a machine group as an offline virtual machine but that is online at the time of a scan will be scanned if it is hosted on an ESX server and if the proper credentials are available in order to access that machine. Online virtual machines that are hosted on workstations will fail to mount and will not be scanned.
  • When performing a patch scan, all of the configured download sources in your vSphere Lifecycle Manager are honored.
  • Upgrades of minor versions, such as from 7.0.1 to 7.0.2, are supported.
  • When scanning or deploying to an offline virtual machine, TCP Port 902 must be available in order for the virtual disk to be mounted.
  • When scanning multiple offline virtual machines that are hosted on one workstation, it is possible to reach the connection limit for that workstation. If the connection limit is reached an error will occur and the scans will fail. The maximum number of simultaneous connections supported varies for each Windows OS.
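
The UNC-path recommendation and the TCP port 902 requirement above can both be checked before a scheduled scan is created. The following PowerShell is an added example, not code from the Security Controls documentation or product; it assumes it runs on the console machine, and the drive letter, path and host name in the usage lines are constructed placeholders.

```powershell
# Added example; not part of the Security Controls documentation. Two pre-flight
# checks for an offline virtual machine entry before it is scanned on a schedule:
# translate a session-specific drive letter into the UNC path the documentation
# recommends, and confirm TCP port 902 on the hosting machine is reachable.
# The path and host name in the usage section are constructed placeholders.

function Convert-MappedDriveToUnc {
    param([Parameter(Mandatory)][string]$Path)

    # Paths that do not begin with a drive letter (already UNC) pass through unchanged.
    if ($Path -notmatch '^(?<drive>[A-Za-z]):(?<rest>\\.*)?$') { return $Path }
    $drive = $Matches['drive'].ToUpper() + ':'
    $rest  = [string]$Matches['rest']

    # Win32_MappedLogicalDisk lists only the network mappings visible to the
    # current logon session, which is exactly why a scheduled scan running under
    # a different session cannot rely on them.
    $mapped = Get-CimInstance -ClassName Win32_MappedLogicalDisk |
        Where-Object { $_.DeviceID -eq $drive }

    if (-not $mapped) {
        # A local drive letter has no share behind it; return it as-is.
        return $Path
    }
    # ProviderName is the share root, for example \\fileserver\vms.
    return $mapped.ProviderName.TrimEnd('\') + $rest
}

function Test-VmdkMountPort {
    param(
        [Parameter(Mandatory)][string]$HostName,  # ESX server or workstation hosting the .vmdk
        [int]$Port = 902                          # port the virtual disk mount requires
    )
    $probe = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host      = $HostName
        Port      = $Port
        Reachable = [bool]$probe.TcpTestSucceeded
    }
}

# Usage with constructed values:
$vmxPath = Convert-MappedDriveToUnc -Path 'Z:\vms\web01\web01.vmx'
"Path to store in the machine group: $vmxPath"
Test-VmdkMountPort -HostName 'esx01.example.test' | Format-Table -AutoSize
```

Run the script in the same session that created the mapping; the translated path is the value to enter in the machine group, and a Reachable value of False on port 902 means the mount will fail regardless of credentials.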

Patch Deployments

  • When deploying patches to an offline virtual machine that is hosted on a server, the virtual machine will be powered on, the patches installed, and the virtual machine powered down. See Deploying Patches to Virtual Machines for more details.
  • When deploying patches to an offline virtual machine that is hosted on a server, VMware tools must be installed on the virtual machine.
  • When deploying patches to an offline virtual machine that is hosted on a server, the following VMware server permissions are required in order to manage snapshots and to change the power state of the machine during the deployment process:
    • VirtualMachine.State.CreateSnapshot
    • VirtualMachine.State.RemoveSnapshot
    • VirtualMachine.Interact.PowerOn
    • VirtualMachine.Interact.PowerOff
    • VirtualMachine.Interact.DeviceConnection (to disable/enable the network card)
  • For offline virtual machines, patching products installed on virtual disks with the disk mode set to either Independent – Persistent or Independent – Nonpersistent is not supported. If a virtual machine has both dependent and independent disks, you can still install patches for products that are installed on the dependent disks.
  • When deploying patches to an offline virtual machine that resides on a workstation, the new deployment job will overwrite any older deployment jobs that have not yet been performed. For this reason you should deploy all desired patches in a single deployment.
  • Example: You deploy Patch A to a workstation-based offline virtual machine. The virtual machine is still offline a month later when you deploy Patches B and C. Because the first deployment job was never executed it gets overwritten and only Patches B and C are now scheduled for deployment. To avoid this you simply include Patch A along with Patches B and C in the second deployment job.

    One way to manage this is to use a patch group to define the patches you want deployed to your workstation-based offline virtual machines. When new patches are identified you simply add them to the list of patches in the patch group. This is particularly useful when specifying a patch group within a patch scan template and then choosing to automatically deploy missing patches on the Run Operation dialog. See Creating a New Patch Scan Template and Automatically Deploying Patches for more details about these options.
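
The five VMware server permissions listed above can be verified, and a role holding exactly that set created, before the deployment credential is configured. The following PowerShell is an added example, not code from the Security Controls documentation or product; it assumes VMware PowerCLI (Get-VIRole, Get-VIPrivilege, New-VIRole) is installed and a Connect-VIServer session already exists, and the role name used is a constructed placeholder. Reporting privileges beyond the required set is an added least-privilege consideration, not something the documentation requires.

```powershell
# Added example; not part of the Security Controls documentation. Checks that the
# vCenter/ESXi role assigned to the credential Security Controls uses for offline
# deployments holds the five privileges listed above and nothing beyond them, and
# can create a least-privilege role when none exists. Assumes VMware PowerCLI is
# installed and Connect-VIServer has already been run; the role name used below is
# a constructed placeholder.

$RequiredPrivileges = @(
    'VirtualMachine.State.CreateSnapshot'
    'VirtualMachine.State.RemoveSnapshot'
    'VirtualMachine.Interact.PowerOn'
    'VirtualMachine.Interact.PowerOff'
    'VirtualMachine.Interact.DeviceConnection'
)

# Every vSphere role carries these three system privileges implicitly; they are
# not a sign of over-privilege.
$ImplicitPrivileges = @('System.Anonymous', 'System.Read', 'System.View')

function Test-DeploymentRole {
    param([Parameter(Mandatory)][string]$RoleName)

    $role    = Get-VIRole -Name $RoleName -ErrorAction Stop
    $granted = @($role.PrivilegeList)

    $missing = @($RequiredPrivileges | Where-Object { $granted -notcontains $_ })
    # Anything beyond the required set widens what a compromised console
    # credential could do on the host, so report it for trimming.
    $extra = @($granted | Where-Object {
        $RequiredPrivileges -notcontains $_ -and $ImplicitPrivileges -notcontains $_
    })

    [pscustomobject]@{
        Role    = $RoleName
        Missing = $missing
        Extra   = $extra
        Ready   = ($missing.Count -eq 0)
    }
}

function New-DeploymentRole {
    param([Parameter(Mandatory)][string]$RoleName)
    # Resolve the privilege IDs to objects, then create a role with exactly that set.
    $privs = Get-VIPrivilege -Id $RequiredPrivileges
    New-VIRole -Name $RoleName -Privilege $privs
}

# Usage with a constructed role name:
$report = Test-DeploymentRole -RoleName 'SecurityControls-OfflinePatching'
$report | Format-List
if (-not $report.Ready) { "Missing: $($report.Missing -join ', ')" }
```

Assign the resulting role to the deployment account on the virtual machines (or folder) it patches rather than at the vCenter root, so the snapshot and power-state rights are scoped to the machines Security Controls actually manages.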

Agents

  • Security Controls Agent operations are not supported on offline virtual machines.
  • If you install Security Controls Agent on an online virtual machine and then later scan the virtual machine while it is in an offline state, Security Controls may report the wrong agent status for that image. For example, it may show that the agent is not installed, or it may let you attempt to uninstall the agent. This occurs because Security Controls Agent operations are not supported on offline virtual machines. The correct status will be reported once the virtual machine is brought back online and rescanned by Security Controls.