Virtual Machine Template Patching Requirements & Informational Document

Version 2

    Most of the following information can also be found within Protect under Help > Contents > Quick Start Information > How to Manage Your Virtual Machines > Notes About Virtual Machine Templates.

     

    • Only virtual machine templates that are hosted on a VMware server are supported by Shavlik Protect. The templates are added to a machine group using the Hosted Virtual Machines tab. Virtual machine templates that reside on individual workstations are not supported.
    • A unique icon is used to identify virtual machine templates. You will see this icon when adding a template to a machine group and when viewing scan results in Scan View and in Machine View. The icon can be seen below:

      [Image: virtual machine template icon (VMTEMPLATE.jpg)]
    • During a scan, a template will be accessed using the VMware server credentials. Any individual credentials supplied for the template are ignored.
    • When you initiate a patch or an asset scan of a virtual machine template, Shavlik Protect will scan the template in its current state and will report the results the same way it does for virtual machines and physical machines.
    • You should supply online (individual) credentials for any virtual machine template that will be included in a patch deployment process. During the patch deployment process the template is converted to a virtual machine and powered on, and Shavlik Protect will need the supplied credentials in order to access the online virtual machine.
    • When deploying patches to a virtual machine template, the following VMware server permissions are required in order to manage snapshots and to perform the deployment: 
      • VirtualMachine.State.CreateSnapshot

      • VirtualMachine.State.RemoveSnapshot

      • VirtualMachine.Provisioning.MarkAsTemplate

      • VirtualMachine.Provisioning.MarkAsVM

    • When you initiate a patch deployment to a virtual machine template, Shavlik Protect will do the following: 

    1. Convert the virtual machine template to an offline virtual machine.

    2. (Optional) Take a snapshot if the patch deployment template is configured to take a pre-deployment snapshot.

    3. (Optional) Delete old snapshots if one of the snapshot thresholds defined on the patch deployment template is exceeded.

    4. Push the patches to the offline virtual machine.

    5. Reconfigure the following on the offline virtual machine:

      • Disable the network adaptor's Connect at power on option. This is done so that the machine is isolated from the network when the patch process is run.

      • If Sysprep is scheduled to run, disable it so it will not automatically configure the machine's operating system when the machine is first powered on.

    6. Power on the virtual machine.

    7. Install the patches.

    8. Power down the virtual machine.

    9. Reset the machine configuration to its original network connection and Sysprep settings.

    10. (Optional) Take a snapshot if the patch deployment template is configured to take a post-deployment snapshot.

    11. (Optional) Delete old snapshots if one of the snapshot thresholds defined on the patch deployment template is exceeded.

    12. Convert the offline virtual machine back to a virtual machine template.

    • The patch deployment template you use must not specify the use of a distribution server. The offline virtual machine will be disconnected from the network and unable to download the patches from the distribution server.
    • The patch deployment template you use must not specify the use of an Office media path. The offline virtual machine will be disconnected from the network and unable to access the location of the original Office installation media.
    • The patch deployment template you use should not specify a pre-deploy reboot (the program will be unable to initiate the reboot because the machine will be offline) and it should always perform a post-deploy reboot (this is a "best practice" when deploying patches). For deployments to virtual machine templates it is recommended you use the Virtual Machine Standard deployment template.
    • During a patch deployment, a virtual machine template that may normally be available only to an administrator will become visible to other users. This is because during the patch deployment process the template is temporarily converted to a virtual machine and powered on.
    • As with anything that involves components on a network, errors can occur if connections go bad, if servers are shut down, if a template is modified while being accessed by Shavlik Protect, etc. In general, the templates should not be touched at any time during the scanning or patch deployment process.
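
The twelve-step sequence above keeps the machine off the network while it is powered on and returns it to a template at the end. The following added example (not Shavlik Protect code) replays a recorded run and flags any step order that breaks those conditions, including runs interrupted partway through; the step labels and sample runs are constructed for illustration.

```python
# Step labels are hypothetical names for the twelve steps listed above; they are
# not Shavlik Protect or vCenter event identifiers. Sample runs are constructed.
GOOD_RUN = ["convert_to_vm", "snapshot", "delete_snapshots", "push_patches",
            "disable_nic_connect", "disable_sysprep", "power_on",
            "install_patches", "power_off", "restore_config", "snapshot",
            "delete_snapshots", "convert_to_template"]
# Constructed failure: powered on without isolating the NIC, then interrupted.
BAD_RUN = ["convert_to_vm", "push_patches", "power_on", "install_patches"]


def audit_run(steps):
    """Replay one deployment's steps and return a list of violations."""
    is_template, powered_on, nic_connects = True, False, True
    findings = []
    for n, step in enumerate(steps, 1):
        if step == "convert_to_vm":
            is_template = False
        elif is_template:
            findings.append(f"step {n}: {step} while the machine is a template")
        elif step == "disable_nic_connect":
            nic_connects = False
        elif step == "power_on":
            if nic_connects:
                findings.append(f"step {n}: powered on with Connect at power on enabled")
            powered_on = True
        elif step == "install_patches" and not powered_on:
            findings.append(f"step {n}: install attempted while powered off")
        elif step == "power_off":
            powered_on = False
        elif step == "restore_config":
            if powered_on:
                findings.append(f"step {n}: network setting restored while powered on")
            nic_connects = True
        elif step == "convert_to_template":
            if powered_on:
                findings.append(f"step {n}: converted to template while powered on")
            is_template = True
    # End-state checks catch runs that were interrupted partway through.
    if powered_on:
        findings.append("end: virtual machine left powered on")
    if not nic_connects:
        findings.append("end: Connect at power on was not restored")
    if not is_template:
        findings.append("end: template left converted to a virtual machine")
    return findings


if __name__ == "__main__":
    for name, run in (("good", GOOD_RUN), ("bad", BAD_RUN)):
        print(name, audit_run(run) or "no violations")
```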