Recently I added some hardware, and once I did, my vSphere hosts were no longer within the profile; neither were they at the latest patch level. I would have expected little to change within the host profile, but once you add hardware, things change in the host. The same thing happens during every update in which either new features are added or bug fixes are made to the subsystems a host profile cares about.
So, what does it take to keep things in sync? There is an easy way to recover host profile compliance:
Step 0: Recheck your host profiles
It is always good to reverify your host profiles to see if they are out of sync after every update or change to your hardware. You may find that nothing needs to be done, or that you left a troubleshooting mode open on a host. This simple check could save quite a bit of time. If all verifies as good, then there is no need to proceed. But, I have found this is rarely the case after an upgrade.
Step 1: Copy your host profile settings from your target host
Since we modified the host in some way, our host profile is bound to be out of sync. Therefore, we update the host profile from one of our changed hosts. Host profiles do not know if there was an update; you have to update the profile by hand.
Step 2: Edit your host profile to ensure the storage subsystem is properly handled (see step 7 of this post)
Your updated host profile will be a copy of your existing machine without any edits you made previously. Basically, you have to edit your profile once more, as if it were new.
Step 3: Run compliance checks once more
It may not seem necessary, but running your compliance checks once more may be just the ticket to avoid remediating a host. I have yet to find an update where this is not the case, but I always check just to be sure.
Step 4: Remediate each host as required for compliance with your host profile
To maintain compliance, you will need to remediate each host, which will make minor changes to the host from the new host profile. As new features are added into host profiles, new remediations are required.
The goal is to ensure all of your hosts are compliant with updates and host profiles. For many hosts, this could be a larger project. As such, it is best to use the vSphere SDK to automate compliance checks as well as to roll remediations.
Basically, anytime you update or change a host, you will need to update, check, and possibly reapply your host profiles. In addition, I export the current host profile to an offline location as a part of a disaster recovery plan.
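One way to script steps 3 and 4 and the offline export is with VMware PowerCLI, used here in place of the raw vSphere SDK. This is an added example, not the author's code; the vCenter, cluster, and profile names and the export path are placeholders, and it assumes the profile is already attached to the hosts and that DRS can evacuate a host entering maintenance mode.

```powershell
# Added example. All names below are placeholders (assumptions); replace with your own.
$vCenter     = 'vcenter.example.local'
$clusterName = 'Cluster01'
$profileName = 'Prod-HostProfile'
$exportDir   = 'D:\DR\hostprofiles'

$ErrorActionPreference = 'Stop'            # halt the roll on the first failure
Import-Module VMware.PowerCLI
Connect-VIServer -Server $vCenter | Out-Null   # prompts for credentials

$hostProfile = Get-VMHostProfile -Name $profileName

# Keep an offline copy of the current profile before touching any host.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$file  = Join-Path $exportDir "$profileName-$stamp.vpf"
Export-VMHostProfile -Profile $hostProfile -FilePath $file -Force | Out-Null

foreach ($vmHost in (Get-Cluster -Name $clusterName | Get-VMHost | Sort-Object Name)) {
    # Step 3: the cmdlet emits an incompliance object only for hosts that fail.
    $issues = Test-VMHostProfileCompliance -VMHost $vmHost
    if (-not $issues) {
        Write-Host "$($vmHost.Name): compliant, skipping"
        continue
    }

    Write-Host "$($vmHost.Name): non-compliant"
    $issues.IncomplianceElementList |
        ForEach-Object { Write-Host "  $($_.PropertyName): $($_.Description)" }

    # Step 4: remediate one host at a time so the cluster keeps its capacity.
    Set-VMHost -VMHost $vmHost -State Maintenance -Confirm:$false | Out-Null
    Invoke-VMHostProfile -Entity $vmHost -Profile $hostProfile -Confirm:$false | Out-Null

    # Recheck before returning the host to service.
    if (Test-VMHostProfileCompliance -VMHost $vmHost) {
        Write-Warning "$($vmHost.Name): still non-compliant; left in maintenance mode, stopping"
        break
    }
    Set-VMHost -VMHost $vmHost -State Connected -Confirm:$false | Out-Null
    Write-Host "$($vmHost.Name): remediated and back in service"
}

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

A host that is still non-compliant after remediation stays in maintenance mode and the loop stops, so a bad profile edit is caught on the first host rather than rolled across the cluster.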
Edward L. Haletky, aka Texiwill, is an author, analyst, developer, technologist, and business owner. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and TVP Strategy where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.