Monday, March 21, 2016

How to update ESXi via CLI

If you don't want to use VMware Update Manager (VUM) you can leverage several CLI update alternatives.

First of all you should download patch bundle from VMware Product Patches page available at It is important to know that patch bundles are cumulative. That means you need to download and install only the latest Patch Bundle to make ESXi fully patched.

You can use esxcli command on each ESXi host.

To list image profiles that are provided by the Patch Bundle use following command
esxcli software sources profile list -d /path/to/.zip
The output will look like this:
[root@esx01:~] esxcli software sources profile list -d /vmfs/volumes/NFS-SYNOLOGY-SATA/ISO/
Name                              Vendor        Acceptance Level
--------------------------------  ------------  ----------------
ESXi-6.0.0-20160301001s-no-tools  VMware, Inc.  PartnerSupported
ESXi-6.0.0-20160302001-standard   VMware, Inc.  PartnerSupported
ESXi-6.0.0-20160301001s-standard  VMware, Inc.  PartnerSupported
ESXi-6.0.0-20160302001-no-tools   VMware, Inc.  PartnerSupported
Now you can update the system with a specific profile:
esxcli software profile update -d /vmfs/volumes/NFS-SYNOLOGY-SATA/ISO/ -p ESXi-6.0.0-20160302001-no-tools 
The output will look like this:
[root@esx01:~] esxcli software profile update -d /vmfs/volumes/NFS-SYNOLOGY-SATA/ISO/ -p ESXi-6.0.0-20160302001-no-tools 
Update Result   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.   Reboot Required: true

The last task is to reboot ESXi host as seen in the output above.
[root@esx01:~] reboot 
After reboot, you can ssh to ESXi host and verify current version.
[root@esx01:~] esxcli system version get   Product: VMware ESXi   Version: 6.0.0   Build: Releasebuild-3620759   Update: 2   Patch: 34

Note 1: The VMware online software depot is located at, therefore you can use this online depot instead of local depot downloaded manually from VMware download site. To allow outgoing HTTP (tcp ports 80,443) you have to enable httpClient rule in ESXi firewall.
esxcli network firewall ruleset set -e true -r httpClient
you can disable it after update
esxcli network firewall ruleset set -e false -r httpClient

Note 2: You can run an ESXCLI vCLI command remotely against a specific host or against a vCenter Server system.

ESXCLI over PowerCLI
The same can be done via PowerCLI. The code below is optimized for ESXCLI-Version2 releases in PowerCLI 6.3 R1.

#get esxcli object on particular host
$esxcli = Get-EsxCli -VMhost -V2

#list profiles in patch bundle
$arguments = $
$arguments.depot = "vmfs/volumes///"

#update to patch bundle profile
$arguments = $
$arguments.depot = "vmfs/volumes///"
$arguments.profile = "ESXi-5.5.0-profile-standard"

PowerCLI Install-VMHostPatch
You can also use special PowerCLI cmdlet Install-VMHostPatch

  1. Download the Update file “ESXi Offline Bundle”
  2. Extract the ZIP file and upload the resulting folder to a datastore on the Virtual Host.
  3. Put host in to maintenance mode
  4. Open PowerCLI
  5. Connect-VIServer
  6. Install-VMHostPatch -HostPath /vmfs/volumes/Datastore/update-from-esxi6.0-6.0_update02/
Note: For Install-VMHostPatch method Patch Bundle must be explicitly unzipped. 


  • VMware Product Patches
  • VMware : Are ESXi Patches Cumulative 
  • Andreas Peetz : Are ESXi 5.x patches cumulative?
  • Quickest Way to Patch an ESX/ESXi Using the Command-line
  • Install-VMHostPatch
  • Home Lab Upgrade to 6.0u2

    Unknown said...

    Can you upgrade from 5.1 directly to 6.0U2? Or do I need to go to 6.0.0 first?

    DS said...

    Can you upgrade from 5.1 directly to 6.0U2, or do I need to go to 6.0.0 first?

    David Pasek said...

    Yes. You can upgrade directly from 5.1 to 6.0U2.

    7Level said...

    In the profile list, I understand the 'standard' and 'no-tools' option. However, which to choose and what is the diff? 'ESXi-6.0.0-20160302001-standard' or 'ESXi-6.0.0-20160301001s-standard'. Thanks for your help

    David Pasek said...

    Hi 7Level.

    Good question.

    The letter "s" stands for image profiles with just security patches.

    This is very nicely described by Andreas Peetz here

    BTW: this link is mentioned in references at the end of blog post ;-)