Highlighted
Contributor
Contributor

Different outputs in get-compliance

Jump to solution

Hi,

i want to check the patch compliance of ESXi (VSAN) hosts und use a simple command :

get-vmhost | Scan-Inventory -Verbose

get-vmhost | Get-Compliance -Detailed

Baseline         Status   Complian NotCompl UnknownP NotApplica

                          tPatches iantPatc aches    blePatches

                                   hes                        

--------         ------   -------- -------- -------- ----------    

Critical Host... NotCo... 0        0        0        56       

Non-Critical ... NotCo... 0        0        0        194 

The output shows no missing patches but if I use this command 2 patches are missing:

(Get-Compliance -Entity hostname -Detailed).NotCompliantPatches 

                                                                                            

Name                 Product         Release Date    Severity   Vendor Id                   

----                 -------         ------------    --------   ---------                   

VMware ESXi 6.7 P... {embeddedEsx... 07.04.2020 0... Important  ESXi670-202004001           

Updates esx-base,... {embeddedEsx... 07.04.2020 0... Important  ESXi670-202004301-BG        

   

Regards

Mike

0 Kudos
1 Solution

Accepted Solutions
Highlighted
User Moderator
User Moderator

Correct, that is the latest version.

I would suggest opening an SR, this is a cmdlet issue.

And if GSS claims you need a Developer Support contract, point them to PowerCLI Support Breakdown (para 3 & 4)


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

0 Kudos
9 Replies
Highlighted
User Moderator
User Moderator

On your first command the Status seems to say 'NotCompliant'.
Can you expand that output?

Get-VMHost | Get-Compliance -Detailed | Select-Object -Property *


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Highlighted
Contributor
Contributor

Here ist the output of one host. The patches are listed. The question is why the counter is 0 ?

CompliantPatches                        : {VMware ESXi 6.7 Complete Update 3, VMware ESXi 6.7 Patch Release, Updates esx-base, vsan, vsanhealth and

                                          esx-update VIBs}

NotCompliantPatches                     : {}

UnknownPatches                          : {}

NotApplicablePatches                    : {Updates esx-base, Updates esx-base, Updates esx-base, Updates tools-light...}

StagedPatches                           : {}

ConflictPatches                         : {}

ObsoletedByHostPatches                  : {VMware ESXi 6.7 Patch Release, Updates esx-base, esx-update, vsan and vsanhealth VIBs, Updates lpfc VIB,

                                          Updates brcmfcoe VIB...}

MissingPackagePatches                   : {}

IncompatibleHardwarePatches             : {}

NotInstallablePatches                   : {}

NewModulePatches                        : {}

UnsupportedUpgradePatches               : {}

ConflictingNewModulePatches             : {}

InstalledRecalledPatches                : {}

NotApplicableRecalledPatches            : {}

InstalledPrerequisiteRecalledPatches    : {}

NotInstalledPrerequisiteRecalledPatches : {}

NotInstalledRecalledPatches             : {}

NewModuleRecalledPatches                : {}

Entity                                  : svsan01

Status                                  : Compliant

Baseline                                : VMware.VumAutomation.Types.PatchBaselineImpl

CompliantPatches                        : {Updates esx-ui VIB, Updates nvme VIB, Updates lsi-mr3 VIB, Updates lsi-msgpt35 VIB...}

NotCompliantPatches                     : {VMware ESXi 6.7 Patch Release, Updates esx-base, esx-update, vsan and vsanhealth VIBs}

UnknownPatches                          : {}

NotApplicablePatches                    : {Updates esx-base, Updates tools-light, Updates misc-drivers, Updates scsi-bnx2i...}

StagedPatches                           : {}

ConflictPatches                         : {}

ObsoletedByHostPatches                  : {VMware ESXi 6.7 Patch Release, Updates esx-base, vsan, and vsanhealth VIBs, Updates cpu-microcode VIB,

                                          Updates tools-light VIB...}

MissingPackagePatches                   : {}

IncompatibleHardwarePatches             : {}

NotInstallablePatches                   : {}

NewModulePatches                        : {}

UnsupportedUpgradePatches               : {}

ConflictingNewModulePatches             : {}

InstalledRecalledPatches                : {}

NotApplicableRecalledPatches            : {}

InstalledPrerequisiteRecalledPatches    : {}

NotInstalledPrerequisiteRecalledPatches : {}

NotInstalledRecalledPatches             : {}

NewModuleRecalledPatches                : {}

Entity                                  : vsan01

Status                                  : NotCompliant

Baseline                                : VMware.VumAutomation.Types.PatchBaselineImpl

CompliantPatches                        : {VMware ESXi 6.7 Complete Update 3, VMware ESXi 6.7 Patch Release}

NotCompliantPatches                     : {}

UnknownPatches                          : {}

NotApplicablePatches                    : {}

StagedPatches                           : {}

ConflictPatches                         : {}

ObsoletedByHostPatches                  : {}

MissingPackagePatches                   : {}

IncompatibleHardwarePatches             : {}

NotInstallablePatches                   : {}

NewModulePatches                        : {}

UnsupportedUpgradePatches               : {}

ConflictingNewModulePatches             : {}

InstalledRecalledPatches                : {}

NotApplicableRecalledPatches            : {}

InstalledPrerequisiteRecalledPatches    : {}

NotInstalledPrerequisiteRecalledPatches : {}

NotInstalledRecalledPatches             : {}

NewModuleRecalledPatches                : {}

Entity                                  : svsan01

Status                                  : Compliant

Baseline                                : VMware.VumAutomation.Types.PatchBaselineImpl

0 Kudos
Highlighted
User Moderator
User Moderator

Are you sure you are looking at the same ESXi nodes?

In your first command it is not clear for which ESXi node that is.

There should be for every ESXi node a line for each baseline you attached.

In the latest detailed output I see only 1 host that requires patches, and 2 nodes with the same name.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Highlighted
Contributor
Contributor

Yes that's correct. I run the command only with one host zu reduce the output length. The state of both hosts is equal.

This is interesting. I run the first command and added the hostname and get a correct output:

get-vmhost svsan01 |  Get-Compliance -Detailed

Entity           Baseline         Status   Complian NotCompl UnknownP NotApplica

                                           tPatches iantPatc aches    blePatches

                                                    hes

------           --------         ------   -------- -------- -------- ----------

svsan01......... Critical Host... Compl... 3        0        0        65

svsan01......... Non-Critical ... NotCo... 22       2        0        230

svsan01......... VMware ESXi 6... Compl... 2        0        0        0

get-vmhost svsan02 |  Get-Compliance -Detailed

Entity           Baseline         Status   Complian NotCompl UnknownP NotApplica

                                           tPatches iantPatc aches    blePatches

                                                    hes

------           --------         ------   -------- -------- -------- ----------

svsan02......... Critical Host... Compl... 3        0        0        65

svsan02......... Non-Critical ... NotCo... 22       2        0        230

svsan02......... VMware ESXi 6... Compl... 2        0        0        0

get-vmhost |  Get-Compliance -Detailed                               

                                                                                 

Entity           Baseline         Status   Complian NotCompl UnknownP NotApplica 

                                           tPatches iantPatc aches    blePatches 

                                                    hes                          

------           --------         ------   -------- -------- -------- ---------- 

svsan01......... Critical Host... Compl... 0        0        0        56         

svsan01......... Non-Critical ... NotCo... 0        0        0        194        

svsan01......... VMware ESXi 6... Compl... 0        0        0        0          

svsan02......... Critical Host... Compl... 0        0        0        56         

svsan02......... Non-Critical ... NotCo... 0        0        0        194        

svsan02......... VMware ESXi 6... Compl... 0        0        0        0          

0 Kudos
Highlighted
User Moderator
User Moderator

That seems to be indeed a "feature" in that cmdlet.
Which PowerCLI version is that?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Highlighted
Contributor
Contributor

I think this is the actual version.

PS C:\code> $PSVersionTable

Name                           Value

----                           -----

PSVersion                      5.1.18362.628

PSEdition                      Desktop

PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}

BuildVersion                   10.0.18362.628

CLRVersion                     4.0.30319.42000

WSManStackVersion              3.0

PSRemotingProtocolVersion      2.3

SerializationVersion           1.1.0.1

PS C:\code> Get-InstalledModule -Name vmware.powercli | select Version

                      

Version               

-------               

12.0.0.15947286       

0 Kudos
Highlighted
User Moderator
User Moderator

Correct, that is the latest version.

I would suggest opening an SR, this is a cmdlet issue.

And if GSS claims you need a Developer Support contract, point them to PowerCLI Support Breakdown (para 3 & 4)


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

View solution in original post

0 Kudos
Highlighted
Contributor
Contributor

Thanks a lot for your fast help. I will try to open the SR and will update the discussion when I have a result. In the meantime I will mark the quest as solved.

Regards

Mike

0 Kudos
Highlighted
Contributor
Contributor

Update:

I opened an SR but we were not able to reproduce the error again. After I run the the cmdlet inclusive the hostname against all hosts the command now works correctly.

I will add an update if I run in this strange issue again.

Regards

Mike

0 Kudos