Hi,
I want to check the patch compliance of ESXi (VSAN) hosts and use a simple command:
get-vmhost | Scan-Inventory -Verbose
get-vmhost | Get-Compliance -Detailed
Baseline Status Complian NotCompl UnknownP NotApplica
tPatches iantPatc aches blePatches
hes
-------- ------ -------- -------- -------- ----------
Critical Host... NotCo... 0 0 0 56
Non-Critical ... NotCo... 0 0 0 194
The output shows no missing patches but if I use this command 2 patches are missing:
(Get-Compliance -Entity hostname -Detailed).NotCompliantPatches
Name Product Release Date Severity Vendor Id
---- ------- ------------ -------- ---------
VMware ESXi 6.7 P... {embeddedEsx... 07.04.2020 0... Important ESXi670-202004001
Updates esx-base,... {embeddedEsx... 07.04.2020 0... Important ESXi670-202004301-BG
Regards
Mike
On your first command the Status seems to say 'NotCompliant'.
Can you expand that output?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Here is the output of one host. The patches are listed. The question is why the counter is 0?
CompliantPatches : {VMware ESXi 6.7 Complete Update 3, VMware ESXi 6.7 Patch Release, Updates esx-base, vsan, vsanhealth and
esx-update VIBs}
NotCompliantPatches : {}
UnknownPatches : {}
NotApplicablePatches : {Updates esx-base, Updates esx-base, Updates esx-base, Updates tools-light...}
StagedPatches : {}
ConflictPatches : {}
ObsoletedByHostPatches : {VMware ESXi 6.7 Patch Release, Updates esx-base, esx-update, vsan and vsanhealth VIBs, Updates lpfc VIB,
Updates brcmfcoe VIB...}
MissingPackagePatches : {}
IncompatibleHardwarePatches : {}
NotInstallablePatches : {}
NewModulePatches : {}
UnsupportedUpgradePatches : {}
ConflictingNewModulePatches : {}
InstalledRecalledPatches : {}
NotApplicableRecalledPatches : {}
InstalledPrerequisiteRecalledPatches : {}
NotInstalledPrerequisiteRecalledPatches : {}
NotInstalledRecalledPatches : {}
NewModuleRecalledPatches : {}
Entity : svsan01
Status : Compliant
Baseline : VMware.VumAutomation.Types.PatchBaselineImpl
CompliantPatches : {Updates esx-ui VIB, Updates nvme VIB, Updates lsi-mr3 VIB, Updates lsi-msgpt35 VIB...}
NotCompliantPatches : {VMware ESXi 6.7 Patch Release, Updates esx-base, esx-update, vsan and vsanhealth VIBs}
UnknownPatches : {}
NotApplicablePatches : {Updates esx-base, Updates tools-light, Updates misc-drivers, Updates scsi-bnx2i...}
StagedPatches : {}
ConflictPatches : {}
ObsoletedByHostPatches : {VMware ESXi 6.7 Patch Release, Updates esx-base, vsan, and vsanhealth VIBs, Updates cpu-microcode VIB,
Updates tools-light VIB...}
MissingPackagePatches : {}
IncompatibleHardwarePatches : {}
NotInstallablePatches : {}
NewModulePatches : {}
UnsupportedUpgradePatches : {}
ConflictingNewModulePatches : {}
InstalledRecalledPatches : {}
NotApplicableRecalledPatches : {}
InstalledPrerequisiteRecalledPatches : {}
NotInstalledPrerequisiteRecalledPatches : {}
NotInstalledRecalledPatches : {}
NewModuleRecalledPatches : {}
Entity : vsan01
Status : NotCompliant
Baseline : VMware.VumAutomation.Types.PatchBaselineImpl
CompliantPatches : {VMware ESXi 6.7 Complete Update 3, VMware ESXi 6.7 Patch Release}
NotCompliantPatches : {}
UnknownPatches : {}
NotApplicablePatches : {}
StagedPatches : {}
ConflictPatches : {}
ObsoletedByHostPatches : {}
MissingPackagePatches : {}
IncompatibleHardwarePatches : {}
NotInstallablePatches : {}
NewModulePatches : {}
UnsupportedUpgradePatches : {}
ConflictingNewModulePatches : {}
InstalledRecalledPatches : {}
NotApplicableRecalledPatches : {}
InstalledPrerequisiteRecalledPatches : {}
NotInstalledPrerequisiteRecalledPatches : {}
NotInstalledRecalledPatches : {}
NewModuleRecalledPatches : {}
Entity : svsan01
Status : Compliant
Baseline : VMware.VumAutomation.Types.PatchBaselineImpl
Are you sure you are looking at the same ESXi nodes?
In your first command it is not clear for which ESXi node that is.
There should be for every ESXi node a line for each baseline you attached.
In the latest detailed output I see only 1 host that requires patches, and 2 nodes with the same name.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Yes, that's correct. I ran the command only with one host to reduce the output length. The state of both hosts is equal.
This is interesting. I ran the first command and added the hostname and got a correct output:
get-vmhost svsan01 | Get-Compliance -Detailed
Entity Baseline Status Complian NotCompl UnknownP NotApplica
tPatches iantPatc aches blePatches
hes
------ -------- ------ -------- -------- -------- ----------
svsan01......... Critical Host... Compl... 3 0 0 65
svsan01......... Non-Critical ... NotCo... 22 2 0 230
svsan01......... VMware ESXi 6... Compl... 2 0 0 0
get-vmhost svsan02 | Get-Compliance -Detailed
Entity Baseline Status Complian NotCompl UnknownP NotApplica
tPatches iantPatc aches blePatches
hes
------ -------- ------ -------- -------- -------- ----------
svsan02......... Critical Host... Compl... 3 0 0 65
svsan02......... Non-Critical ... NotCo... 22 2 0 230
svsan02......... VMware ESXi 6... Compl... 2 0 0 0
get-vmhost | Get-Compliance -Detailed
Entity Baseline Status Complian NotCompl UnknownP NotApplica
tPatches iantPatc aches blePatches
hes
------ -------- ------ -------- -------- -------- ----------
svsan01......... Critical Host... Compl... 0 0 0 56
svsan01......... Non-Critical ... NotCo... 0 0 0 194
svsan01......... VMware ESXi 6... Compl... 0 0 0 0
svsan02......... Critical Host... Compl... 0 0 0 56
svsan02......... Non-Critical ... NotCo... 0 0 0 194
svsan02......... VMware ESXi 6... Compl... 0 0 0 0
That seems to be indeed a "feature" in that cmdlet.
Which PowerCLI version is that?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
I think this is the current version.
PS C:\code> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.18362.628
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.18362.628
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
PS C:\code> Get-InstalledModule -Name vmware.powercli | select Version
Version
-------
12.0.0.15947286
Correct, that is the latest version.
I would suggest opening an SR, this is a cmdlet issue.
And if GSS claims you need a Developer Support contract, point them to PowerCLI Support Breakdown (para 3 & 4)
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks a lot for your fast help. I will try to open the SR and will update the discussion when I have a result. In the meantime I will mark the question as solved.
Regards
Mike
Update:
I opened an SR but we were not able to reproduce the error again. After I ran the cmdlet, including the hostname, against all hosts, the command now works correctly.
I will add an update if I run into this strange issue again.
Regards
Mike
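An added example, not part of the original thread and not VMware's code: a cross-check that counts the patch collections on each compliance object directly instead of trusting the formatted count columns, and flags rows whose Status is NotCompliant while the derived count is 0. The function name Get-ComplianceSummary, the Suspect column and the sample rows (built from values shown in the thread, with placeholder baseline names) are assumptions made for illustration.

```powershell
function Get-ComplianceSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Compliance
    )
    process {
        # Count the collections themselves; drop $null so an unset property counts as 0.
        $compliant    = @($Compliance.CompliantPatches    | Where-Object { $_ }).Count
        $notCompliant = @($Compliance.NotCompliantPatches | Where-Object { $_ }).Count
        $status       = "$($Compliance.Status)"

        [pscustomobject]@{
            Entity       = "$($Compliance.Entity)"
            Baseline     = $Compliance.Baseline.Name
            Status       = $status
            Compliant    = $compliant
            NotCompliant = $notCompliant
            # A NotCompliant status with no non-compliant patches is the mismatch seen in the thread.
            Suspect      = ($status -eq 'NotCompliant' -and $notCompliant -eq 0)
        }
    }
}

# Constructed sample rows (hypothetical baseline names), so the function runs without vCenter.
$sample = @(
    [pscustomobject]@{
        Entity = 'svsan01'; Status = 'NotCompliant'
        Baseline = [pscustomobject]@{ Name = 'Baseline-A (constructed)' }
        CompliantPatches    = @('VMware ESXi 6.7 Complete Update 3')
        NotCompliantPatches = @('VMware ESXi 6.7 Patch Release',
                                'Updates esx-base, esx-update, vsan and vsanhealth VIBs')
    },
    [pscustomobject]@{
        Entity = 'svsan02'; Status = 'NotCompliant'
        Baseline = [pscustomobject]@{ Name = 'Baseline-A (constructed)' }
        CompliantPatches    = @()
        NotCompliantPatches = @()   # status and collection disagree
    }
)
$sample | Get-ComplianceSummary | Format-Table -AutoSize

# Against a live vCenter, query each host by itself, as in the per-host calls above:
# Get-VMHost | ForEach-Object { Get-Compliance -Entity $_ -Detailed } | Get-ComplianceSummary
```

With the constructed rows, svsan01 reports NotCompliant = 2 and Suspect = False, while svsan02 reports NotCompliant = 0 and Suspect = True.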