Virtual Machine Manager (VMM) can manage Microsoft updates and the compliance of fabric servers such as Hyper-V hosts, VMM servers, PXE servers, Library servers and so on. For that, VMM must be connected to a WSUS server. When VMM is connected to a WSUS server, the updates are visible in the VMM console and can be added to an update baseline. Once the baseline is created, it can be applied to the fabric servers.
VMM can be connected to an upstream or a downstream WSUS server but not to a WSUS replica. Moreover, if you have System Center Configuration Manager (SCCM) already connected to a WSUS server, you can use the same one with VMM.
For example, in my lab, I have a server that hosts SCCM and WSUS. This server is called VMCMG01. So I will connect my VMM to VMCMG01 to manage fabric server updates from Virtual Machine Manager.
Add an Update server to VMM
First of all, add a RunAs account to the local Administrators group on the WSUS server:
Next, open the VMM console and navigate to the fabric. Right click on Update Server and select Add Update Server.
Specify the WSUS server hostname, the TCP port of WSUS (by default: HTTP: 8530, HTTPS: 8531) and the RunAs account. Don’t forget to tick the checkbox if you use SSL to communicate with WSUS.
Once you have clicked on Add, a job is launched to add the Update Server.
Once it is finished, you should have an Update Server in responding state.
Create and assign a baseline
Now that Virtual Machine Manager is connected to a WSUS server, the update catalog should contain updates. To open the update catalog, navigate to the library, then Update Catalog and Baselines.
By default, no baseline is assigned to fabric servers. So I will create a baseline that will contain only security updates. So I right click on Update Baselines and I select new baseline.
First specify a name and a description of the baseline.
On the Updates screen, click on Add to add updates to the baseline.
At the top of the window you can specify a filter to display only updates you want. So I type Security and I select all updates. Then I click on Add.
Once the updates are added to the baseline, you can click on next.
Next select on which fabric servers you want to apply the baseline. Because I have created this baseline for Hyper-V, I select all host groups.
To finish, click on … Finish.
At the end, my baseline is assigned to one host group (the top level host group) and contains 177 updates.
Check the compliance
Now open the fabric tab and navigate to your host groups. Right click on a Hyper-V host. You should see Scan, Remediate and Compliance Properties:
- Scan: checks the compliance status to verify whether all updates are installed;
- Remediate: installs the updates needed to be compliant with the baseline;
- Compliance Properties: opens a view to verify the compliance status against the baseline.
Below is the Compliance Properties window for the hyperv01 Hyper-V host. Because no compliance scan has been run on this Hyper-V host, the compliance status is unknown.
So I run a compliance scan on HyperV01 by clicking on Scan.
When the compliance scan is finished, I come back to the compliance properties and I can see that my HyperV01 is compliant.
You can have an overview on the compliance status of the fabric servers by selecting the Compliance view as below:
My HyperV02 is non-compliant, so I decide to run a remediation. I right click on the Hyper-V host and I select Remediate. In the update remediation window I select my baseline and I just click on Remediate. The same remediation can be started from PowerShell:
# Look up the managed computer and the baseline to remediate against
$managedComputer = Get-SCVMMManagedComputer -ComputerName "hyperv02.home.net"
$baseline = Get-SCBaseline -Name "HomeCloud Security Baseline"
# Start the remediation as a background VMM job
Start-SCUpdateRemediation -VMMManagedComputer $managedComputer -Baseline $baseline -RunAsynchronously
And after some time, my HyperV02 is compliant.
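The scan, check and remediate steps above can also be chained in one script. This is an added example, not part of the original post: it assumes it runs in the VMM command shell, that the compliance status object exposes an OverallComplianceState property with the value NonCompliant, and that hyperv01 shares the home.net suffix shown for hyperv02.

```powershell
# Added example: scan each host against the baseline and remediate only
# the hosts that the scan reports as non-compliant.
$baselineName = "HomeCloud Security Baseline"                 # name from the article
$hostNames    = "hyperv01.home.net", "hyperv02.home.net"      # hyperv01 FQDN is assumed

$baseline = Get-SCBaseline -Name $baselineName
if (-not $baseline) {
    throw "Baseline '$baselineName' was not found on this VMM server."
}

$report = foreach ($name in $hostNames) {
    $computer = Get-SCVMMManagedComputer -ComputerName $name
    if (-not $computer) {
        Write-Warning "$name is not a VMM managed computer, skipping."
        continue
    }

    # Run the scan synchronously so the status read below is current.
    Start-SCComplianceScan -VMMManagedComputer $computer -Baseline $baseline | Out-Null
    $before = (Get-SCComplianceStatus -VMMManagedComputer $computer).OverallComplianceState
    $after  = $before

    if ("$before" -eq "NonCompliant") {
        # Synchronous remediation, followed by a fresh scan to confirm the result.
        Start-SCUpdateRemediation -VMMManagedComputer $computer -Baseline $baseline | Out-Null
        Start-SCComplianceScan -VMMManagedComputer $computer -Baseline $baseline | Out-Null
        $after = (Get-SCComplianceStatus -VMMManagedComputer $computer).OverallComplianceState
    }

    [pscustomobject]@{
        Host       = $name
        BeforeScan = "$before"
        AfterFix   = "$after"
        Remediated = ("$before" -eq "NonCompliant")
    }
}

# Hosts still listed as NonCompliant in AfterFix need a manual look at the VMM job log.
$report | Format-Table -AutoSize
```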