VMware Cloud Community
alanrenouf
VMware Employee

Patch Compliance for a host

Ok, Loving the cmdlets for VUM, great job !

I am trying to get a list of the updates which apply to my host, I have done the following so far:

$VMHostObj = Get-VMHost testesx

$Baseline = Get-Baseline "ESXi Updates"

$Baseline | Attach-Baseline -Entity $VMHostObj

$VMHostObj | Scan-Inventory

Get-Compliance -Entity $VMHostObj

I would have thought the Get-Compliance object would contain a list of the patches which are missing from my host as per the below screenshot, but I can't seem to find them. Any ideas? Am I missing something?

!Patches.jpg!

Alan Renouf

Blog: http://virtu-al.net Twitter: http://twitter.com/alanrenouf Co-author of the PowerCLI Book: http://powerclibook.com

Accepted Solutions
bbambalova
VMware Employee

Hi Alan,

Thanks for the positive feedback!

You must use the -Detailed parameter. The returned detailed compliance status contains lists of patches for each of the compliance statuses. You can retrieve the missing patches this way:

$complianceStatus = Get-Compliance -Entity $VMHostObj -Detailed

$complianceStatus.NotCompliantPatches

The NotCompliantPatches contains a list of the patches with NotCompliant/Missing status.

Biliana

alanrenouf
VMware Employee

Brilliant, thanks, I missed that parameter. I haven't seen it done like that before on any of the PowerCLI cmdlets. Is that to speed things up unless the information is needed, kinda like retrieving the full object with Get-View?

Alan Renouf

bbambalova
VMware Employee

Yes, Alan, you are right. This is to speed things up. It is similar to the way Get-View provides the ability to specify the level of detail through the -Property parameter, but in the opposite direction. The default behavior of the Get-View cmdlet is to return a VIObject with its full details/properties, while Get-Compliance returns the smallest possible level of detail unless the -Detailed parameter is used.

Biliana

FrankLuciano
Contributor

Hi,

I'm trying to do the same as Alan but for VMs. I tried the same solution but it didn't work for me:

When I execute the second command:

$complianceStatus.NotCompliantPatches

it doesn't return anything, but if I use just the variable $complianceStatus it responds with all the detailed information.

Is there a reason why the command doesn't show just one field of the detailed information kept in the variable?

bbambalova
VMware Employee

Hi Frank,

All patches are grouped in properties (lists of patches) according to their compliance status. You can see these properties by running:

$complianceStatus | gm -MemberType property *patches

I suppose that the patches you are looking for are not with NotCompliant status, therefore the $complianceStatus.NotCompliantPatches list is empty. They should be represented in some of the other properties (patch lists). Could you check this?

One more thing, I presume that the $complianceStatus in your case is a single object. If it is an array you have to explore each element of the array. Each element represents an association between inventory item - baseline - patches included in the baseline, divided by their status.

Thanks,

Biliana

FrankLuciano
Contributor

Hi Biliana,

I saved the result of Get-Compliance -Entity $VMHostObj -Detailed into the variable $Test, then tried to return the values for each of the properties that I got from the command $complianceStatus | gm -MemberType property *patches, but none of them returned any data.

About what you said about $complianceStatus: I'm trying the command for a single VM, and the VM has the two default baselines for VMs attached:

Critical VM Patches

Non-Critical VM Patches

But when I run the Get-Compliance command, in Baseline what I got is:

VMware.VumAutomation.Types.UpgradeBaselineImpl, and

VMware.VumAutomation.Types.PatchBaselineImpl

Could this be related, or do I have to look somewhere else?

Thanks.

RvdNieuwendijk
Leadership

Frank,

you can get the not compliant patches with:

$VMHostObj = Get-VMHost YourHost.YourDomain.YourCountry
$ComplianceStatus = Get-Compliance -Entity $VMHostObj -Detailed
$ComplianceStatus | Select-Object -expandProperty NotCompliantPatches

You can get the values of the other VMware.VumAutomation.Types.Patch[] properties of $ComplianceStatus in the same way.

Robert

Blog: https://rvdnieuwendijk.com/ | Twitter: @rvdnieuwendijk | Author of: https://www.packtpub.com/virtualization-and-cloud/learning-powercli-second-edition
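
Added example, not part of any post in this thread: a PowerCLI function that combines the answers above by enumerating every *Patches list on each detailed compliance result, whether Get-Compliance returns a single object or an array. The function name Get-PatchStatusReport and the Name property on patch and baseline objects are assumptions; it also assumes a connected session and a baseline that is already attached and scanned.

```powershell
# Added example (not from the thread). Assumes Connect-VIServer has been run,
# the Update Manager cmdlets are loaded, and the entity has been scanned.
function Get-PatchStatusReport {
    param(
        [Parameter(Mandatory = $true)] $Entity   # host or VM object, e.g. from Get-VMHost
    )

    # @() forces an array, so one result and several results
    # (one per attached baseline) go through the same loop.
    $results = @(Get-Compliance -Entity $Entity -Detailed)

    foreach ($result in $results) {
        # Discover the per-status patch lists, using the same filter as
        # "gm -MemberType property *patches" from the thread.
        $patchLists = @($result | Get-Member -MemberType Property -Name '*Patches')

        if ($patchLists.Count -eq 0) {
            # Results without any *Patches property are skipped.
            Write-Verbose "No patch lists for baseline '$($result.Baseline.Name)'"
            continue
        }

        foreach ($list in $patchLists) {
            # Read each list by its discovered name; empty lists yield nothing.
            foreach ($patch in @($result.($list.Name))) {
                if ($null -eq $patch) { continue }
                New-Object PSObject -Property @{
                    Entity   = $Entity.Name
                    Baseline = $result.Baseline.Name               # assumed property
                    Status   = $list.Name -replace 'Patches$', ''  # e.g. NotCompliant
                    Patch    = $patch.Name                         # assumed property
                }
            }
        }
    }
}

# Usage (host name taken from the question):
# Get-PatchStatusReport -Entity (Get-VMHost testesx) |
#     Where-Object { $_.Status -eq 'NotCompliant' } |
#     Sort-Object Baseline, Patch
```

Running it with -Verbose shows which baseline results exposed no patch lists at all, which separates "nothing missing" from "nothing to list for this baseline".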