VxRail: How to manually update ESXi nodes
Summary: This article outlines the procedure for managing customer Service Requests (SR) to address security vulnerabilities (VMSA) in VxRail or VCF On VxRail environments through manual updating. ...
Symptoms
VMware by Broadcom periodically issues advisories to address security vulnerabilities. The following steps detail the manual update options to mitigate security risks in VMware infrastructure. This is in case there is a delay in VxRail/VCF upgrade releases, or the customer is unable to perform a full upgrade due to any circumstances.
Cause
This is in case there is a delay in the VxRail/VCF upgrade release, or the customer is unable to perform a full upgrade due to any circumstances.
Resolution
Dell VXRAIL HIGHLY RECOMMENDS THAT CUSTOMERS WAIT FOR THE VXRAIL OR VCF-ON-VxRail VERSIONS THAT INCLUDE THE FIXES.
Procedures to upgrade ESXi on hosts outside of a VxRail, or VCF-on-VxRail upgrade.
vSAN FTT=1 limitation.
Manual updating may trigger VxRail Manager noncompliance alarms in vCenter. The alarm is raised because the ESXi version no longer matches the version aligned with the VxRail build. This may impact future upgrades, which require support interaction to remediate.
- Upload the ESXi patch to the service datastore on each host.
- Place the node into Maintenance Mode with the Ensure Accessibility option.
- Run the following commands:
The version below is used for reference in the Knowledge Base (KB). The original fixed version may differ from the version used in the command example.
# esxcli software sources profile list --depot='/<patch_location>/VMware-ESXi-7.0U3s-24585291-depot.zip'
# esxcli software profile update -p ESXi-7.0U3s-24585291-standard --depot='/<patch_location>/VMware-ESXi-7.0U3s-24585291-depot.zip'
Use the --no-hardware-warning argument in the command to bypass the hardware check, if needed.
esxcli software profile update -d /vmfs/volumes/*-datastore-name*/VMware-ESXi-8.0U2d-24585300-depot.zip -p ESXi-8.0U2d-24585300-standard --no-hardware-warning
- Reboot the node and take it out of Maintenance Mode.
- Repeat the steps on the remaining nodes, one at a time.
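A post-reboot check for the steps above, as an added example that is not part of the Dell article: it compares the build number in the depot file name with the build reported by esxcli system version get, so a node that did not take the patch is caught before the next node is started. The function names are hypothetical and the sample esxcli output is constructed.

```shell
#!/bin/sh
# Added example (not from the KB): confirm a node runs the build of the
# depot it was patched from. Function names are hypothetical.

# Build number from a depot file name such as
# VMware-ESXi-7.0U3s-24585291-depot.zip (naming as used in the KB commands).
depot_build() {
    basename "$1" |
        sed -n 's/^VMware-ESXi-[^-]*-\([0-9][0-9]*\)-depot\.zip$/\1/p'
}

# Build number from `esxcli system version get` output read on stdin.
host_build() {
    sed -n 's/^[[:space:]]*Build:[[:space:]]*Releasebuild-\([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# $1 = depot path, $2 = text of `esxcli system version get`.
# Succeeds only if both build numbers parse and are identical.
check_patched() {
    want=$(depot_build "$1")
    have=$(printf '%s\n' "$2" | host_build)
    [ -n "$want" ] && [ -n "$have" ] && [ "$want" = "$have" ]
}

# Constructed sample of `esxcli system version get` output (not captured
# from a real host; the Patch value is arbitrary).
SAMPLE_VERSION_OUTPUT='   Product: VMware ESXi
   Version: 7.0.3
   Build: Releasebuild-24585291
   Update: 3
   Patch: 125'

# On an ESXi host, run as: sh check_build.sh /<patch_location>/<depot>.zip
if command -v esxcli >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    if check_patched "$1" "$(esxcli system version get)"; then
        echo "OK: host build matches depot $(depot_build "$1")"
    else
        echo "MISMATCH: host is not on the depot build" >&2
    fi
fi
```

Run it on each node after the reboot and before repeating the procedure on the next node.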