Microsoft offline virtual patching not really ‘offline’

Microsoft has released an updated version of what they call their ‘offline virtual machine servicing tool’. This tool is intended to aid administrators in patching Microsoft Virtual Machines that are currently offline (turned off).

Microsoft makes a good case for the need to patch offline VM images – something that Shavlik has been saying for quite a while: “Offline machines do not automatically receive operating system, antivirus, or application updates that would keep them compliant with current IT policy. An out-of-date virtual machine may pose a risk to the IT environment. If deployed and started, the out-of-date virtual machine might be vulnerable to attack or could be capable of attacking other network resources. Therefore, IT groups must take measures to ensure that offline virtual machines remain up-to-date and compliant.”

Microsoft states that their solution can patch the offline images. If you look deeper at their solution, however, you find that this isn’t really the case. As Microsoft continues: “At present, these measures involve temporarily bringing the virtual machine online, applying the necessary updates, and then storing it again.”

Wow. This isn’t offline patching. This is called ‘online patching’. The Microsoft solution moves the offline image to another server, launches the image (turns it on), has the image check in with a WSUS or SCCM server, and performs an online patch assessment followed by an online patch copy and deployment. When done, it turns the image off and moves it back to the original image repository.

How is this offline patching? Rather than leveraging efficiencies gained from evaluating the offline image, the Microsoft solution requires the administrator to launch each of the VM images, scan them, patch them, and turn them off. This requires CPU and memory for each VM, additional servers, storage, and networks to move and launch the VM in a private network, and more time to launch the VM before it can even be assessed.

According to Microsoft’s documentation, their solution “brings groups of virtual machines online just long enough for them to receive updates from either System Center Configuration Manager 2007 or Windows Server Update Services. As soon as the virtual machines are up-to-date, the tool returns them to the offline state in the Virtual Machine Manager library.”

By contrast, the Shavlik solution doesn’t require the VM images to be turned on in order to perform a patch assessment. The Shavlik engine scans the offline image when it is turned off – a true offline solution. Shavlik’s scan function doesn’t require that the image be moved to another system or network and doesn’t require that the image be turned on. This approach saves both time and hardware and allows for scanning a much larger number of images in less time. Additionally, the Shavlik solution can scan and patch many more applications (both Microsoft and third party) than Microsoft’s WSUS and SCCM solution.

As an IT administrator, I’d prefer to understand the patch status before I turn on the image. I’d also like to prep all the patches for installation on the image before turning it on. Then, when I do turn on the image, the patches can install right away. By copying the patches to the system when it’s offline, we’ve eliminated the time needed to download the patches to each image after it’s turned on.

To protect unpatched systems from being hacked when turned on (and before patch installation), the administrator can launch the VM images in a ‘network disconnected’ state. Once the patches have been installed and the system rebooted, it can be joined back to the network. (Microsoft accomplishes this protection by launching the VM image on a private internal network.) Future versions of Shavlik’s solution will automate the ‘network disconnection’ process when launching the VM image in order to install the patches.
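The workflow described in the last two paragraphs (assess the image while it is off, stage the updates into it, boot it with the network detached, reboot, then reconnect) can be scripted on a Hyper-V host. The script below is an added example written for this post; it is not Shavlik’s engine or Microsoft’s servicing tool, and it uses the Hyper-V and DISM PowerShell modules (Windows Server 2012 or later), which postdate the tools discussed above. The VM name, disk path, package folder and switch name are hypothetical placeholders.

```powershell
# Added example (not Shavlik's or Microsoft's code): assess and stage updates on a
# powered-off Hyper-V VM's virtual disk, then boot the VM with its NIC detached so
# the patches finish installing before the guest is reachable.
# Assumes a Hyper-V host with the Hyper-V and Dism modules and a Windows guest.
# All names and paths below are hypothetical placeholders.
#Requires -RunAsAdministrator
param(
    [string]$VMName     = 'app-server-01',                               # hypothetical
    [string]$VhdPath    = 'C:\VMs\app-server-01\app-server-01.vhdx',     # hypothetical
    [string]$PackageDir = 'C:\Patches\staged',   # folder of .cab update packages (hypothetical)
    [string]$SwitchName = 'Production'           # production virtual switch (hypothetical)
)

Import-Module Hyper-V, Dism -ErrorAction Stop

# Step 1: the whole point is offline servicing, so refuse to touch a running VM's disk.
$vm = Get-VM -Name $VMName -ErrorAction Stop
if ($vm.State -ne 'Off') {
    throw "$VMName is $($vm.State); offline servicing requires the VM to be Off."
}

# Step 2: mount the virtual disk on the host and locate the guest's Windows volume.
$disk   = Mount-VHD -Path $VhdPath -Passthru | Get-Disk
$winVol = $disk | Get-Partition | Get-Volume |
          Where-Object { $_.DriveLetter -and (Test-Path "$($_.DriveLetter):\Windows") } |
          Select-Object -First 1
if (-not $winVol) {
    Dismount-VHD -Path $VhdPath
    throw "No Windows volume found inside $VhdPath."
}
$root = "$($winVol.DriveLetter):\"

try {
    # Step 3: offline assessment. DISM reads the image's servicing store directly,
    # so the patch state is known before the VM is ever powered on.
    $installed = Get-WindowsPackage -Path $root
    Write-Host "Packages present in offline image: $($installed.Count)"
    $installed | Sort-Object InstallTime -Descending |
        Select-Object -First 10 PackageName, PackageState, InstallTime |
        Format-Table -AutoSize

    # Step 4: stage the updates into the offline image. The package payload is copied
    # in now; any actions that need a running OS complete on the next boot.
    Get-ChildItem -Path $PackageDir -Filter *.cab | ForEach-Object {
        Write-Host "Adding $($_.Name) to the offline image"
        Add-WindowsPackage -Path $root -PackagePath $_.FullName | Out-Null
    }
}
finally {
    # Always release the disk, otherwise the VM cannot start.
    Dismount-VHD -Path $VhdPath
}

# Step 5: detach every NIC, then boot. The guest finishes installing with no network path
# to or from it.
Get-VMNetworkAdapter -VMName $VMName | Disconnect-VMNetworkAdapter
Start-VM -Name $VMName

# Wait for the heartbeat integration service to report the guest OS is up.
do { Start-Sleep -Seconds 15 } until ((Get-VM -Name $VMName).Heartbeat -like 'Ok*')

# Step 6: one clean restart lets any reboot-pending update finalise before exposure.
Restart-VM -Name $VMName -Force
Start-Sleep -Seconds 30
do { Start-Sleep -Seconds 15 } until ((Get-VM -Name $VMName).Heartbeat -like 'Ok*')

# Step 7: only now rejoin the guest to the production network.
Get-VMNetworkAdapter -VMName $VMName | Connect-VMNetworkAdapter -SwitchName $SwitchName
Write-Host "$VMName patched offline, rebooted, and reconnected to $SwitchName."
```

The heartbeat check is a coarse signal (it reports that the guest OS is responsive, not that every update succeeded), so a production version would also read the guest’s update history after reconnecting and compare it against the package list staged in step 4.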

Shavlik’s solution is unique in the marketplace. I’m not aware of any other solution (aside from VMware’s solution which leverages Shavlik’s scan engine) that can truly perform patch assessment and prep deployment against offline VM images.
