Upgrading VMware tools on ESXi hosts - using a baseline

A way to keep VMware tools up to date, without having to apply all patches to the hosts


In this guide I will show you how to create a baseline for VMware tools so that it can be deployed to the hosts in your cluster and, later, to the guest VMs.

VMware tools are akin to a driver pack for virtual devices and include network adapters, storage controllers, display drivers, audio and security offerings such as vTPM, to name but a few.

A word of note: VCSA and the ESXi hosts themselves should also be updated periodically to fix vulnerabilities and critical bugs.

Let's get started on applying updates to the VMware tools on our hosts. First, ensure you have an active sync with the VMware repositories and that an update has taken place recently. Head over to the burger menu (the 3 lines at the top left).

Select the Lifecycle Manager option, then at the top right check the last sync time. If it's not recent, or you want to refresh the updates list, click actions on the upper left side, then sync updates. Give it a few minutes for the new list of updates to populate.

Now that we're up to date on the lists, let's get a baseline configured. Select the baselines menu, then click new, baseline.

Let's give it a name and a description, and select the content type 'Patch'.

On the next page we can limit our criteria to make things easier. In my example, under 'vendor' I select VMware, and under 'severity' I leave this as any. Under 'product' I have selected embeddedEsx 7.0.* and embeddedEsx 8.0.* because these are the only versions of ESXi I have available; you could leave this as any if you wished. For 'category' I have selected bug fix. Now choose the 'matched' tab at the top. The number in brackets is how many patches have been found for your selection.

Because I am only interested in the latest build, I sort the column by name and tick the one(s) I want. Deselect any you do not wish to include in the updates. You should have something similar to below.

On the next page we can manually add additional patches (or we could have skipped the first part by simply removing the tick from 'automatically update this baseline with patches that match the following criteria'). I am not adding any further, so I move next. The final page is a summary of the patches to be included and, similarly, those excluded. NB: If the patch (in this case, the VMware tools) required a host reboot, it would say so under the 'impact' tab. If you can't see it, make some of your other columns smaller. If it is blank, there is no impact in applying these.

Now head back to the burger menu and select inventory. Choose your cluster (or your datacentre if you have more than one cluster, or an individual host), then choose the updates menu.

Under the updates tab are some sub-options: Baselines, Image, VMware tools and VM Hardware. The baselines are pre-defined or custom patch groups, like the one we just created. The Image option is for host upgrades, for example from ESXi 7.x to 8.x. You can include hardware drivers, vendor-specific drivers, firmware and so on, which helps keep all your hosts the same by using a base image. The VMware tools option lets you see at a glance which systems have the tools installed, which are out of date, and which are problematic. We'll use this one later. The VM hardware option is similar to the tools one but shows what VM hardware level the guest is at. Newer virtual hardware means newer CPU features and underlying hardware can be passed through to the guest, among other things. VMware tools need to be updated first before you proceed to the VM hardware levels.

Let's click on the VMware tools option, then click 'check status'. Give it a few minutes and it will check all VM guests to see if their tools are up to date. Note that 'guest managed' entries are typically Linux or other non-Windows OSes. Their tools are controlled by the OS itself, so this will not apply to them.

Pick one that is showing up to date and head over to that VM's summary page, where we can see the current version. In my case it is build 12320; if you click the (I) symbol you will see the version (12.1). The latest as of today is 12.1.5, build 12325. The specific release notes can be found here.

Now that we know what our currently installed version is, and the latest version we are updating to, let's apply the baseline to our hosts. Go back to the cluster, then updates, and select baselines. On the main baselines page you will see a quick overview of how many hosts you have and what ESXi versions they each run. Scroll down and select Attach, then baseline or baseline group. Select our newly created 'VMware tools' baseline and attach it. Scroll down and select this baseline, then scroll a little more and it will show your hosts. The status will say either unknown or non-compliant. Scroll back up to the top and select 'check compliance'. Give this a moment to run, then scroll down again and check the status. If it now says, or still says, non-compliant, we can apply this to our hosts to make them compliant.

To apply this baseline and distribute the new VMware tools versions to our hosts, select the baseline and click remediate. We will be given an overview of the actions and which hosts this will apply to. To deploy the tools, the hosts do not need to be in maintenance mode, nor will they need a reboot (unless the 'impact' column said otherwise earlier, when we created the baseline). Once you are happy to proceed, click remediate and wait a couple of minutes for this to take place. Once complete, you can rescan your hosts using check compliance as before, and the hosts should now say compliant. We can now move on to the VM guests. If you do not wish to apply this to all hosts, select a single host and run through the same process. Rinse and repeat until you are happy.

We can go back to our cluster, then updates, and select VMware tools. If we now 'check status', you'll find that those that were up to date now have upgrades available. We would update the tools as per our usual patching cycle in case they need a reboot. It will depend on the guest OS, the existing tools version and what the updated tools replace. I won't cover applying the tools to the guests here, but if a guide on this would be useful, let me know.
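For anyone who prefers to script the attach, compliance check, remediation and final tools status check, here is a PowerCLI sketch of the same flow. It is an added example, not part of the original walkthrough; it assumes VMware PowerCLI with the VMware.VumAutomation module is installed, and the vCenter and cluster names are placeholders.

```powershell
# Added example. Placeholders: adjust to your environment.
$vCenter      = 'vcsa.example.local'   # placeholder vCenter name
$clusterName  = 'Cluster01'            # placeholder cluster name
$baselineName = 'VMware tools'         # the baseline created in this guide

Connect-VIServer -Server $vCenter | Out-Null

$cluster  = Get-Cluster  -Name $clusterName  -ErrorAction Stop
$baseline = Get-Baseline -Name $baselineName -ErrorAction Stop
$vmHosts  = Get-VMHost -Location $cluster

# Attach the baseline to the cluster, then run the 'check compliance' scan.
Add-EntityBaseline -Entity $cluster -Baseline $baseline
Test-Compliance -Entity $cluster

# Collect per-host compliance for this baseline only.
function Get-HostCompliance {
    foreach ($h in $vmHosts) {
        Get-Compliance -Entity $h -Baseline $baseline
    }
}
$before = Get-HostCompliance
$before | Select-Object @{N='Host';E={$_.Entity.Name}}, Status | Format-Table -AutoSize

# Remediate only hosts reported as NotCompliant. -Confirm prompts for each
# host, so nothing is changed without an operator acknowledging it.
foreach ($item in ($before | Where-Object { $_.Status -eq 'NotCompliant' })) {
    Update-Entity -Entity $item.Entity -Baseline $baseline -Confirm:$true
}

# Re-scan and list any host that is still not compliant.
Test-Compliance -Entity $cluster
Get-HostCompliance | Where-Object { $_.Status -ne 'Compliant' } |
    Select-Object @{N='Host';E={$_.Entity.Name}}, Status | Format-Table -AutoSize

# Guest view: tools build and status per VM. 'guestToolsUnmanaged' corresponds
# to the 'guest managed' entries; 'guestToolsNeedUpgrade' to upgrades available.
Get-VM -Location $cluster |
    Select-Object Name, PowerState,
        @{N='ToolsBuild';  E={$_.ExtensionData.Guest.ToolsVersion}},
        @{N='ToolsStatus'; E={$_.ExtensionData.Guest.ToolsVersionStatus2}} |
    Sort-Object ToolsStatus, Name | Format-Table -AutoSize

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Run it from an account with Lifecycle Manager privileges on the cluster, and keep the confirmation prompt in place until you have checked the patch impact as described above.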

This concludes how to configure a baseline for VMware tools versions.