• This article explains the steps for Updating and installing patches on an ESXi host using the command-line interface.
  
  Note: 
• The update command is the recommended method for applying patches. It applies all newer content in a patch, including security fixes, while ignoring any content with a lower revision than the existing packages on the system.
• The install command, on the other hand, overwrites the existing packages with the content from the patch, which may include new packages or removal of old ones. It can also downgrade packages, which is why it should be used cautiously. However, the install command can be used to downgrade a system (for image profiles only) if the --allow-downgrade flag is set.

Before performing any patch or upgrade on an ESXi host, ensure you have a backup of the ESXi host configuration. Follow Broadcom's official documentation for guidance on backing up and restoring the ESXi configuration. 

1. To download the Patch or ISO image, refer Download ESXi patches and ISOs for latest releases
2. Upload the patch to a datastore on your ESXi host using the Datastore Browser from the vCenter Server or a direct connection to the ESXi host using the vSphere Web client.
   Note: Broadcom recommends creating a new directory on the datastore and uploading the patch file to this directory.

Steps to Patch or Upgrade an ESXi Host using esxcli software profile:

1. Log in to the ESXi Shell on your host . For details on how to enable and use ESXi Shell, see Using ESXi Shell in ESXi.
2. Migrate or power off all virtual machines and then put the host into maintenance mode:
3. Put the Host into Maintenance Mode:
   
   vim-cmd /hostsvc/maintenance_mode_enter
   
   
4. To check if the host is in maintenance mode:
   
   vim-cmd /hostsvc/hostsummary | grep inMaintenanceMode
   
   
5. To Update the host using esxcli software profile:

•  Step 1: Apply the Patch Using esxcli software profile (Recommended for profile-based updates):

• • Run the below command to list the profile name from the Image:

esxcli software sources profile list -d <location of ZIP file>

example:

esxcli software sources profile list -d /vmfs/volumes/Datastore/DirectoryName/PatchName.zip

or

esxcli software sources profile list -d /vmfs/volumes/<UUID>/DirectoryName/PatchName.zip

Where PatchName.zip is the name of the patch file you uploaded to the datastore.

Note: Use the output from Step 1 to update the profile_name in Step 2.

• Step 2: Update the existing image profile by running the below command:

esxcli software profile update -p <profile_name> -d <location of ZIP file>

example:

esxcli software profile update -p name_of_the_Image_Profile -d /vmfs/volumes/Datastore/DirectoryName/PatchName.zip

      6. To Install the patch using esxcli software profile: Replace esxcli software profile update to esxcli software profile install.

Note:  Options to the update and install commands allow you to perform a dry run, to bypass acceptance level verification, to ignore hardware compatibility check warnings, and so on. The option to bypass hardware compatibility check warnings is only available for ESXi 6.7 Update 1 or later. Do not bypass verification on production systems.

• Options: 

--profile | -p – Specifies the image profile name for the host update. (Required)

--depot | -d – Specifies the full remote URL of the depot index.xml or the offline bundle (.zip) file location. (Required)

--dry-run – Performs a simulation of the installation, reporting actions without making changes.

--force | -f – Bypasses dependency and security checks. Not recommended unless instructed by VMware Support; triggers a warning in the vSphere Client.

--maintenance-mode – Simulates maintenance mode for installations that require it but does not affect reboot-required remediations.

--allow-downgrades – Installs VIBs that update, downgrade, or are new to the host. Without this option, only updates and new VIBs are installed.

--no-live-install – Forces installation to /altbootbank even if live installation is possible; skipped for PXE-booted hosts.

--no-sig-check – Disables security verification, including signing, posing a high security risk and triggering a SECURITY ALERT in vSphere Client.

--proxy – Defines the proxy server for HTTP, FTP, and HTTPS connections in the format proxy-url:port.

--help – For options help.

      7. After the patch has been installed, reboot the ESXi host

reboot

      8. After the host has finished booting, exit maintenance mode and power on the virtual machines:

vim-cmd hostsvc/maintenance_mode_exit

Note: Starting with ESXi 8.0 Update 2, upgrading or updating ESXi using the commands esxcli software vib update or esxcli software vib install is no longer supported.

           For more details, refer to the KB article: "ESXi version change is not allowed using esxcli software vib commands."

 Steps to Patch or Upgrade an ESXi Host using esxcli software vib: (Alternate way to Patch prior to ESXi 8.0.2)

     1. To Update the host using esxcli software vib:

• Using local Setup:

esxcli software vib update -d "/vmfs/volumes/Datastore/DirectoryName/PatchName.zip"

Where PatchName.zip is the name of the patch file you uploaded to the datastore.

Note: Alternatively, you can use the datastore's UUID instead of the DirectoryName.

For example:

esxcli software vib update -d "/vmfs/volumes/datastore1/patch-directory/server name-201111001.zip"

or

esxcli software vib update -d "/vmfs/volumes/<UUID>patch-directory/server name-201111001.zip"

• Using http setup:

esxcli software vib update -v viburl

Where viburl is the URL to the http depot where VIB packages reside.

For example:

esxcli software vib update -v https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/esx/vmw/vib20/tools-light/VMware_locker_tools-light_5.0.0-0.7.515841.vib 

     2. To Install the patch using esxcli software vib: Replace esxcli software vib update to esxcli software vib install.
     3. Verify that the VIBs are installed on your ESXi host:

esxcli software vib list

         example:

esxcli software vib list

Name                Version                   Vendor  Acceptance Level Install Date
----------------- --------------------------- ------ ---------------- ------------
ata-pata-amd      0.3.10-3vmw.500.0.0.469512  VMware   VMwareCertified xxxx-xx-xx
ata-pata-atiixp   0.4.6-3vmw.500.0.0.469512   VMware   VMwareCertified xxxx-xx-xx
ata-pata-cmd64x   0.2.5-3vmw.500.0.0.469512   VMware   VMwareCertified xxxx-xx-xx
ata-pata-hpt3x2n  0.3.4-3vmw.500.0.0.469512   VMware   VMwareCertified xxxx-xx-xx
 

     4. After the patch has been installed, reboot the ESX host:

reboot


     5. After the host has finished booting, exit maintenance mode and power on the virtual machines:

vim-cmd hostsvc/maintenance_mode_exit

• Reference: Upgrade or Update a Host with Image Profiles
• To download and install vibs manually in ESXi, see Download and install async drivers in VMware ESXi.
• For more information on installing VIBs on an ESXi host, see Update a Host with Individual VIBs