Q
Get started Bring yourself up to speed with our introductory content.

What are the best VM patch management guidelines?

Every IT pro knows that it's important to install critical patches to virtual machines in a timely manner, but what about the less serious updates?

Every virtual machine is based on software that includes the hypervisor, the guest operating system and the actual...

workload (application) running in each virtualized instance. As with any software, it can be important to apply patches and updates when security flaws are corrected, software bugs are fixed, performance or compatibility improvements become available or desirable new capabilities appear.

Generally, there is no set schedule for patching hosts or virtual machines, but there are some VM patch management guidelines. Software developers may try to release patches on a regular basis, though critical patches may be released at any time. The challenge for IT professionals is to recognize that a patch is available, then determine if the patch corrects a problem or adds value that will benefit the business. For example, if a software vendor releases an emergency patch to fix a glaring security flaw, a business will typically work to test and install the patch as soon as possible -- even tolerating a small amount of service disruption or downtime in order to complete the patch. By comparison, a patch that fixes spelling errors or changes tool tip layouts will most probably wait for a more convenient patch window.

However, all VM patch management should start with a review of software dependencies and a proof-of-concept test in a lab environment before the patch is rolled out to production systems. The goal is to ensure first that any supporting software required by the patch is also updated and see that the patch process is understood and working properly, then to verify that all related procedures continue to operate as expected. For example, if Hyper-V servers require a System Center Data Protection Manager update, it may be necessary to update Integration Components (drivers) to the latest-version before applying the DPM patch. Otherwise backups through DPM might be affected.

It's best to evaluate the patch and look for unforeseen consequences in a lab rather than risking extensive disruption of production platforms if the patch goes sideways. If a problem is actually identified in the lab, a business will have the option of further study and time to discover workarounds, or there may be an option to wait for a subsequent patch that will address the issue.

The actual patching process depends on the tools that are deployed, such as Windows Server Update Services (WSUS), VMware vSphere Update Manager, System Center Configuration Manager or third-party VM patch management tools like Shavlik Patch. But there is no substantial difference between patching virtualized and nonvirtualized systems. In addition, it is possible to use a mix of tools to patch different platforms. For example, WSUS can patch Windows servers, while Linux VMs can easily be patched manually from the Linux console.

This was last published in October 2014

Dig Deeper on Virtualization security and patch management

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

SearchVMware

SearchWindowsServer

SearchCloudComputing

SearchVirtualDesktop

SearchDataCenter

Close