Microsoft's latest version of its Offline Virtual Machine Servicing Tool has been criticised by Shavlik.

Eric Schultze, CTO at Shavlik, claimed that the tool does not keep virtual machines offline at all, but brings them online to apply updates and then stores them again.

The tool is designed to help organisations maintain virtual machines that are stored offline in a Microsoft System Center Virtual Machine Manager (SCVMM) library.

Microsoft says that while virtual machines sit in storage they receive no operating system updates, and that the tool provides a way to keep offline virtual machines up to date so that bringing a virtual machine online does not introduce vulnerabilities into the organisation's IT infrastructure.

Shavlik said: “This isn't offline patching. This is called ‘online patching’. The Microsoft solution moves the offline image to another server, launches the image (turns it on), has the image check in with a WSUS or SCCM server, performs an online patch assessment and an online patch copy and deployment. When done, it turns the image off and moves it back to the original image repository.

“How is this offline patching? Rather than leveraging efficiencies gained from evaluating the offline image, the Microsoft solution requires the administrator to launch each of the VM images, scan them, patch them, and turn them off. This requires CPU and memory for each VM, additional servers, storage, and networks to move and launch the VM in a private network, and more time to launch the VM before it can even be assessed.”

He further claimed that he, and other IT administrators, would prefer to understand what the patch status is before turning on the image, and also to prepare all the patches for installation on the image before turning it on. This way, when the image is turned on, the patches can install straight away.

Shavlik said: “By copying the patches to the system when it's offline, we've eliminated the time needed to download the patches to each image after it's turned on.

“To protect unpatched systems from being hacked when turned on, and before patch installation, the administrator can launch the VM images in a 'network disconnected' state. Once the patches have been installed and the system rebooted, it can be joined back to the network.”
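The article does not say which tooling Shavlik or Microsoft use. As an added illustration (this is not code from the article, from Shavlik or from Microsoft), the workflow Schultze describes can be carried out on a Hyper-V host with the built-in DISM and Hyper-V PowerShell modules: the VM's disk is mounted while the VM is off, its installed packages are assessed offline, already-downloaded updates are injected into the image, and the VM is then started with its network adapter disconnected until the guest has come up and completed its first-boot servicing. The VM name, switch name and folder paths are placeholders.

```powershell
# Added example (not from the article, Shavlik or Microsoft): offline patch
# assessment and staging for a powered-off Hyper-V VM, followed by a
# network-disconnected first boot. Requires the Hyper-V and DISM PowerShell
# modules on the host and a folder of already-downloaded .msu/.cab updates.
# All names below are placeholders.
param(
    [string]$VmName   = 'app-server-01',
    [string]$PatchDir = 'C:\Patches\staged',
    [string]$MountDir = 'C:\Mount\app-server-01',
    [string]$Switch   = 'Production'
)

Import-Module Hyper-V, Dism

$vm = Get-VM -Name $VmName
if ($vm.State -ne 'Off') {
    throw "$VmName must be powered off; offline servicing needs a closed disk"
}

# 1. Mount the VM's first (OS) disk at the file-system level. No VM is started.
$vhd = (Get-VMHardDiskDrive -VMName $VmName | Select-Object -First 1).Path
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $vhd -Index 1 -Path $MountDir | Out-Null

$staged = $false
try {
    # 2. Offline assessment: enumerate the packages already in the image.
    $installed = (Get-WindowsPackage -Path $MountDir).PackageName

    # 3. Stage each update whose KB number is not already present.
    Get-ChildItem -Path $PatchDir -Include *.msu, *.cab -Recurse | ForEach-Object {
        $kb = if ($_.Name -match 'kb(\d+)') { "KB$($Matches[1])" } else { $null }
        if ($kb -and ($installed -match $kb)) {
            Write-Host "skip  $($_.Name) ($kb already in image)"
        } else {
            Write-Host "stage $($_.Name)"
            Add-WindowsPackage -Path $MountDir -PackagePath $_.FullName | Out-Null
        }
    }
    $staged = $true
}
finally {
    # 4. Commit on success; on any failure discard so the image is left untouched.
    if ($staged) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
    else         { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}
if (-not $staged) { throw "staging failed; $vhd was left unchanged" }

# 5. First boot with no network: the guest completes the pending installs
#    (and may reboot itself) while unreachable from the production network.
Get-VMNetworkAdapter -VMName $VmName | Disconnect-VMNetworkAdapter
Start-VM -Name $VmName

# Wait for the integration-services heartbeat, then allow one reboot cycle.
do { Start-Sleep -Seconds 15 } until ((Get-VM -Name $VmName).Heartbeat -like 'Ok*')
Start-Sleep -Seconds 120

# 6. Only now attach the adapter to the production switch.
Get-VMNetworkAdapter -VMName $VmName | Connect-VMNetworkAdapter -SwitchName $Switch
```

Two caveats a practitioner would check before relying on this: DISM can only stage what ships as Windows servicing packages (.msu/.cab), so the approach covers the operating system and not third-party applications, and a disk that is part of a checkpoint chain cannot be mounted directly and must be merged or serviced via its current differencing disk. The 120-second allowance after the heartbeat is a placeholder; the guest's own pending-reboot state is the authoritative signal.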