VMware Cloud Community
BlackUnicorn
Contributor

Update manager shows ESXi host non-compliant if upgraded but not if ESXi image was installed from scratch

So, we upgraded hosts from Dell image of 5.5.0 to 5.5.0U1 using Update Manager to remediate. After upgrade, it shows non-compliant. Another host which had ESXi installed from scratch with the same ISO image (not through Update Manager) shows compliant. When I compare the VIB versions of the two hosts, I see the following differences.

| VIB | sesxm02 | sesxc08 |
|---|---|---|
| elxnet | 10.0.575.7-1OEM.550.0.0.1198611 | 10.0.783.13-1OEM.550.0.0.1331820 |
| lpfc | 10.0.575.8-1OEM.550.0.0.1198611 | 10.0.727.44-1OEM.550.0.0.1331820 |
| net-be2net | 3.2.0.0-1OEM.500.0.0.472560 | 4.6.100.0v-1vmw.550.0.0.1331820 |
| net-r8168 | 8.013.00-3vmw.510.0.0.799733 | Missing |
| net-r8169 | 6.011.00-2vmw.510.0.0.799733 | Missing |
| net-s2io | 2.1.4.13427-3vmw.510.0.0.799733 | Missing |
| net-sky2 | 1.20-2vmw.510.0.0.799733 | Missing |
| scsi-bfa | 3.2.1.0-1OEM.500.0.0.472560 | Missing |
| scsi-lpfc820 | Missing | 8.2.3.1-129vmw.550.0.0.1331820 |
| scsi-qla2xxx | 2.4.10-1OEM.500.0.0.472560 | 902.k1.1-9vmw.550.0.0.1331820 |
| scsi-qla2xxx | 934.5.20.0-1OEM.500.0.0.472560 | Missing |
| tools-light | 5.5.0-1.16.1746018 | 5.5.0-2.39.2143827 |
| vcloud-agent | Missing | 5.5.0-1280396 |

What can cause this?  What's the difference between upgrading vs install from scratch?  Is this expected behavior?
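
The side-by-side VIB comparison described in the opening post, as an added example that is not part of any post in the thread. It assumes each host's `esxcli software vib list` output has been saved as text; the sample rows are constructed from a few name/version pairs in the post, and the function names are hypothetical.

```python
import re

# Constructed samples in the column layout of `esxcli software vib list`.
# Name/version pairs come from the post; the other columns are placeholders.
HEADER = "Name  Version  Vendor  Acceptance Level  Install Date\n----  -------  ------  ----------------  ------------\n"
SESXM02 = HEADER + """\
elxnet       10.0.575.7-1OEM.550.0.0.1198611  VENDOR  VMwareCertified  2014-01-01
net-r8168    8.013.00-3vmw.510.0.0.799733     VENDOR  VMwareCertified  2014-01-01
tools-light  5.5.0-1.16.1746018               VENDOR  VMwareCertified  2014-01-01
"""
SESXC08 = HEADER + """\
elxnet        10.0.783.13-1OEM.550.0.0.1331820  VENDOR  VMwareCertified  2014-01-01
scsi-lpfc820  8.2.3.1-129vmw.550.0.0.1331820    VENDOR  VMwareCertified  2014-01-01
tools-light   5.5.0-2.39.2143827                VENDOR  VMwareCertified  2014-01-01
"""

def parse_vib_list(text):
    """Map VIB name -> version, skipping the header and separator rows."""
    vibs = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 2 or cols[0] == "Name" or set(cols[0]) == {"-"}:
            continue
        vibs[cols[0]] = cols[1]
    return vibs

def built_for(version):
    """ESXi release tag in a VIB version, e.g. '510' in 3vmw.510.0.0.799733."""
    m = re.search(r"(?:OEM|vmw)\.(\d{3})\.", version)
    return m.group(1) if m else None

def diff_vibs(a, b):
    """Rows of (name, status, version_a, version_b) for every mismatch."""
    rows = []
    for name in sorted(set(a) | set(b)):
        va, vb = a.get(name), b.get(name)
        if va != vb:
            status = "only_a" if vb is None else "only_b" if va is None else "version_differs"
            rows.append((name, status, va, vb))
    return rows

def older_release_vibs(vibs, release):
    """Names of VIBs tagged for an ESXi release older than `release`."""
    tagged = {n: built_for(v) for n, v in vibs.items()}
    return sorted(n for n, t in tagged.items() if t and int(t) < int(release))

if __name__ == "__main__":
    m02, c08 = parse_vib_list(SESXM02), parse_vib_list(SESXC08)
    for row in diff_vibs(m02, c08):
        print(*row, sep="\t")
    print("older than 550 on sesxm02:", older_release_vibs(m02, "550"))
```

Separating "present on one host only" from "version differs", and listing VIBs tagged for an earlier release, makes it easier to see which entries a compliance scan against the image baseline could be flagging.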

9 Replies
rcporto
Leadership

The new ESXi 5.5 Update 01 ISO you're using to remediate is the Dell customized ISO or the default VMware ISO ?

---

Richardson Porto
Senior Infrastructure Specialist
LinkedIn: http://linkedin.com/in/richardsonporto
BlackUnicorn
Contributor

Both the original and remediate image are Dell image.

5.5 is ESXi-5.501331820(A01)

5.5U1 is ESXi-5.5U1-1746018-A01

Both from Dell.

pparkerii
Contributor

I know this is an older post, but the issue is possibly the same with U2 -

I just went through the same issue with my 4 host servers reading as "Non-compliant" when I scanned & remediated via Update Manager. I didn't let it go because I wanted to know that everything was working as it should with regards to Update Manager - Because I had just upgraded vCenter and each of the hosts from 5.0 to 5.5 and then focused on ensuring Update Manager was all set up for the future updates.

Longer story shorter... after three techs and two weeks of waiting because I wanted the ESX 5.5.0 imported ISO to show as compliant on my hosts, I spoke to a third and final tech who made it more clear to me.... not sure if I just wanted it to be clear so I could finally just accept it and move on.... but, it worked for me :)

Hope this is your solution as well...

When you have Update Manager configured to download updates on a scheduled basis as I do, those updates appear in the "Patch Repository" tab within Update Manager's Admin view.

When you import a newly downloaded ISO (I tested both the Dell ISO & the VMware ISO with the same results), and attach to a host, it is compared to the updates within the "Patch Repository", causing the attached ISO baseline to show as non-compliant. The way the tech put it was to compare it to a Microsoft CD, as soon as it ships, there are updates to it (don't we all know that). The mounted ISO, when you've installed via CD and then import and attach as a host baseline, will show as non-compliant when you have newer patches downloaded by Update Manager. Simply because the ISO will always be out of date compared to the patch repository contents.

So, he showed me that after I imported the ISO, attached as a baseline to the host and ran a scan/remediation/Install/reboot - It showed as non-compliant because I had newer patches for that same ISO version in the patch repository - He said, do the scan/remediation/install/reboot on the ISO, then after the reboot, remove the baseline from the host and add the critical and non-critical patches (not ISO) to the host, then run the scan/remediation/reboot/install on the host and you will see the patches are all reporting as compliant.

Worked for me!  I used the ISO just for the simplicity of deploying the U2 update, then removed the baseline and now rely solely on the critical and non-critical to show proper compliance.

As a side note, my NetScaler broke after migrating it to a 5.5.0, 2143827 host - I migrated it back to the 5.5.0, 2068190 (U2 only) host and it works again - no solution currently.

BlackUnicorn
Contributor

If that was true, one of the hosts where we installed 5.5U1 from scratch (and not updated from lower version) should also show non-compliant but it shows compliant on the base image. This is also after the critical updates have been installed on top of the base image.

ldiaz
Contributor

Thank you. You saved me probably... 2 to three hours (being optimistic) with VMware support.

Thank you for the post

JustinEllison
Contributor

I'm having the exact same problem, and I don't buy support's answer here either.

I have 1 ISO.  If I "upgrade" via VUM, hosts come up upgraded, but non-compliant in VUM.  If I install fresh via booting the *EXACT* same ISO, it comes back up compliant.  I haven't installed a single patch after the ISO on any of these hosts.

ldiaz
Contributor

Follow these instructions from pparkerii's answer:

So, he showed me that after I imported the ISO, attached as a baseline to the host and ran a scan/remediation/Install/reboot - It showed as non-compliant because I had newer patches for that same ISO version in the patch repository - He said, do the scan/remediation/install/reboot on the ISO, then after the reboot, remove the baseline from the host and add the critical and non-critical patches (not ISO) to the host, then run the scan/remediation/reboot/install on the host and you will see the patches are all reporting as compliant.

JustinEllison
Contributor

I shouldn't have to remove the baseline, the whole point is that you apply the baseline and leave it there.  I didn't remove the baseline on the server that I installed from scratch, and it shows as compliant.

If your theory about the patches being the problem is correct, then I should be seeing the opposite -- the server installed from scratch would be non-compliant and the one I upgraded would be compliant.

LikeABrandit
Enthusiast

If you want to see why it's reporting as non-compliant, try checking esxupdate.log on the hosts.


Regardless, I'd recommend not mixing install methods on hosts from the same cluster when you have the option, i.e., either install them all, or upgrade them all, using the same method.
