Before anyone says ‘this has been out for ages!’ – yes, I know, but there’s a new version out!  I just haven’t had a chance to blog anything about it yet!  For those of you who haven’t heard about the Offline Virtual Machine Servicing tool, this is your lucky day!

Firstly, what is it?

Well, the name is a bit of a giveaway, unfortunately.  I say unfortunately, as it’s probably one of the most boring names I’ve seen for a product, but, at least you won’t download it wondering what it is!  The tool, as the name suggests, allows you to keep virtual machines that may be offline for a while, up to date with patches and the like.  Imagine the scenario; virtual machines may be left offline (stored in a non-operating state) for extended periods of time, which conserves resources when the server capacities of the virtual machines are not needed or frees up physical computing resources for other purposes.

However, offline machines do not automatically receive operating system, antivirus, or application updates that would keep them compliant with current IT policy. An out-of-date virtual machine may pose a risk to the IT environment. If deployed and started, the out-of-date virtual machine might be vulnerable to attack or could be capable of attacking other network resources.

Therefore, IT groups must take measures to ensure that offline virtual machines remain up-to-date and compliant. At present, these measures involve temporarily bringing the virtual machine online, applying the necessary updates, and then storing it again.

In the future, image updating solutions may be able to update virtual machines while they remain offline. Until such solutions become available, the Offline Virtual Machine Servicing Tool, a Solution Accelerator from Microsoft, provides a way to automate the process of updating virtual machines.

How does it work?

Firstly however, what do you need to make it work?  Well, System Center Virtual Machine Manager for starters – this tool supports as far back as SCVMM 2007, but works fine and dandy with the most recent release, SCVMM 2008 R2.  You also need some mechanism for actually patching/updating the virtual machines.  This is handled by one of the following:

  • Windows Server Update Services (WSUS) 3.0 or WSUS 3.0 SP1
  • System Center Configuration Manager 2007, Configuration Manager 2007 SP1, or Configuration Manager 2007 R2.

The ‘flow’ is as follows:

OVMST uses “servicing jobs” to manage the update operations based on lists of existing virtual machines stored in VMM. Using Windows Workflow Foundation technology, a servicing job runs snippets of Windows PowerShell scripts (against SCVMM, which is built on PowerShell) to work with virtual machines. For each virtual machine, the servicing job:

  • “Wakes” the virtual machine (deploys it to a host and starts it).
  • Triggers the appropriate software update cycle (Configuration Manager or WSUS).
  • Shuts down the updated virtual machine and returns it to the library.

Couple of key concepts to mention there.  The VM that is offline will reside in the Library, which is effectively the storage side of SCVMM.  From there, it’s deployed onto a host.  This host, ideally, will be known as a maintenance host, and may be disconnected (not completely!) from your ‘production area’.  The reason for this?  Well, think about it – if you start up an out of date VM, that could be vulnerable, where would you want to start it up?  An isolated, controlled environment, or alongside your main environment?  Remember, this ‘maintenance host’ could be a Hyper-V Server, which is a very cost effective way to provide isolation.
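To make the three steps concrete, here is an added PowerShell sketch of one servicing pass against a maintenance host; it is not OVMST's own workflow code and not part of the original post. It assumes the SCVMM 2008 R2 snap-in, PowerShell remoting enabled in the guest, and a WSUS policy that installs approved updates automatically; every server name, path and VM name is a hypothetical placeholder.

```powershell
# Added illustration only. All names and paths below are hypothetical placeholders.
Add-PSSnapin Microsoft.SystemCenter.VirtualMachineManager
Get-VMMServer -ComputerName 'vmm01.example.local' | Out-Null

$maintHost = Get-VMHost -ComputerName 'maint-hv01.example.local'   # isolated maintenance host
$library   = Get-LibraryServer -ComputerName 'lib01.example.local'
$vm        = Get-VM -Name 'quarterly-report-01'
$guestName = 'quarterly-report-01.example.local'   # assumed resolvable guest name

# Only service machines that really are offline in the Library.
if ($vm.Status -ne 'Stored') { throw "$($vm.Name) is not stored in the Library." }

# Runs inside the guest: number of updates the Windows Update Agent still reports missing.
$countPending = {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $searcher.Search('IsInstalled=0 and IsHidden=0').Updates.Count
}

$pending = $null; $deployed = $false; $triggered = $false
try {
    # 1. "Wake": deploy from the Library to the maintenance host and start the VM.
    $vm = Move-VM -VM $vm -VMHost $maintHost -Path 'D:\Maintenance'
    $deployed = $true
    Start-VM -VM $vm | Out-Null

    # 2. Trigger the WSUS client once, then poll until nothing is pending or time runs out.
    $deadline = (Get-Date).AddHours(2)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 300
        try {
            if (-not $triggered) {
                Invoke-Command -ComputerName $guestName -ErrorAction Stop `
                    -ScriptBlock { wuauclt.exe /detectnow }
                $triggered = $true
            }
            $pending = Invoke-Command -ComputerName $guestName -ErrorAction Stop `
                -ScriptBlock $countPending
            if ($pending -eq 0) { break }
        } catch { }   # guest still booting or rebooting after a patch; try again
    }
}
finally {
    # 3. Always shut down and return the VM to the Library, even if patching failed.
    if ($deployed) {
        Shutdown-VM -VM $vm | Out-Null
        Store-VM -VM $vm -LibraryServer $library -SharePath '\\lib01.example.local\VMLibrary' | Out-Null
    }
}
if ($pending -ne 0) { Write-Warning "$($vm.Name) went back to the Library with updates still pending." }
```

The `finally` block is the point of the sketch: an out-of-date VM is never left running on the maintenance host, and a VM that could not be brought fully up to date is flagged rather than silently treated as compliant.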

Any caveats?

Well, for starters, here’s a big one – one of the objects you typically store in the Library is a Template.  This is different from an offline virtual machine, as an offline virtual machine is something that has been started, configured, and placed in the library, ready to be started again at any time.  A Template however, is a pre-built VM, with a sysprepped OS.  The way the OVMST works, is it starts the VM, patches it, then shuts it down.  This can’t happen with a sysprepped OS – it would start up, but then you’d have to go through the whole out of box experience to ‘personalise’ the OS with Time Zone, Computer Name etc, before WSUS/SCCM could deploy patches into it.  This, I believe, will be solved in the future when injecting patches into offline VHDs becomes reality.

Summary

I really like the OVMST – apart from the name!  It’s a free tool that can help you solve a key business problem.  A lot of organisations I speak to, typically keep their VMs running at all times, but if there are a few servers that only get launched once a month, or quarter, and that need to be kept up to date in line with policy, then this is a great tool to automate that process for you, and the best bit?  It integrates into commonly used tools, like WSUS, or like SCCM.  I guess it’s a shame it doesn’t integrate with 3rd Party technologies for managing patches, but maybe that will make it into a future release.

Who knows – maybe I’ll record a video on its use sometime in the near future!

You can get all the info, and download the OVMST here.