If you only have one single ESXi Hosts than with VUM you cant solve that chicken and egg problem. You have to apply the patches from commandline (apply a update zip or fetch downloads from vmware.com (similar to WSUS)) or when booting and performing an update/installation with the help of an ISO.
In such constellation VUM will only tell you if youre complient or whats missing but cant remidiate.
Regards,
Joerg
