Security4all has a post about a new (or rather: updated) tool from Microsoft. The title, “Patching offline virtual machines”, immediately captured my attention; unfortunately, the tool doesn’t enable offline patching just yet. Here’s the description of the Offline Virtual Machine Servicing Tool:

The tool uses “servicing jobs” to manage the update operations based on lists of existing virtual machines stored in VMM. Using Windows Workflow Foundation technology, a servicing job runs snippets of Windows PowerShell™ scripts to work with virtual machines. For each virtual machine, the servicing job:

  • “Wakes” the virtual machine (deploys it to a host and starts it).
  • Triggers the appropriate software update cycle (Configuration Manager or WSUS).
  • Shuts down the updated virtual machine and returns it to the library.

While this sounds like a pretty good strategy, Microsoft is a bit late with this tool, and it doesn’t appear to offer the features that VMware’s Update Manager has. Update Manager can also scan Linux machines, and can place VMs in a quarantined network segment when a network connection is needed. More information can be found in the data sheet; while it’s a bit lighter on the technical details than the Microsoft tool, it does have prettier pictures:

Regardless of the virtualization platform you use, these tools highlight what might become a big problem in the coming years. Because it is so easy to create or copy a VM, there will be more unpatched, out-of-date systems on your network than you might be aware of… There is also an issue that is ignored by both tools: no matter how up-to-date your virtual machine is, if somebody restores an old snapshot all your patching efforts were wasted. It will be interesting to see what creative solutions VMware and Microsoft will come up with to prevent out-of-date snapshots from being booted!
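As an added example (not code from either vendor's tool), here is the check that the servicing-job description above and the snapshot problem in the last paragraph together call for: given an inventory of VMs, their checkpoints and the time of the last successful servicing run, flag VMs that were never serviced, VMs that have been restored to a pre-patch checkpoint, and VMs that still carry old checkpoints a restore could roll back to. The inventory records and field names are constructed for illustration; a real deployment would fill them from the VMM inventory.

```python
"""Audit VM checkpoints against the last servicing run (added example)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional


@dataclass
class Checkpoint:
    name: str
    created: datetime


@dataclass
class VirtualMachine:
    name: str
    last_serviced: Optional[datetime]            # None: no servicing job ever completed
    checkpoints: List[Checkpoint] = field(default_factory=list)
    restored_from: Optional[str] = None          # checkpoint name of the most recent restore
    restored_at: Optional[datetime] = None


def classify(vm: VirtualMachine) -> dict:
    """Verdict for one VM: never_serviced, reverted, stale_checkpoints or current."""
    if vm.last_serviced is None:
        return {"vm": vm.name, "status": "never_serviced", "stale": []}
    # Checkpoints taken before the last servicing run predate the patches.
    stale = sorted(c.name for c in vm.checkpoints if c.created < vm.last_serviced)
    # A restore that happened after servicing, from a pre-patch checkpoint,
    # means the VM is running unpatched state right now.
    if (vm.restored_at is not None and vm.restored_at > vm.last_serviced
            and vm.restored_from in stale):
        return {"vm": vm.name, "status": "reverted", "stale": stale}
    if stale:
        return {"vm": vm.name, "status": "stale_checkpoints", "stale": stale}
    return {"vm": vm.name, "status": "current", "stale": []}


def audit(vms: List[VirtualMachine]) -> List[dict]:
    return [classify(vm) for vm in vms]


def needs_servicing(report: List[dict]) -> List[str]:
    """VMs that must go through the wake / update / store cycle again."""
    return [r["vm"] for r in report if r["status"] in ("never_serviced", "reverted")]


# Constructed sample inventory; dates are illustrative only.
BASELINE = datetime(2008, 5, 10)
SAMPLE = [
    VirtualMachine("web01", BASELINE, [Checkpoint("pre-sp", datetime(2008, 3, 1)),
                                       Checkpoint("post-patch", datetime(2008, 5, 11))]),
    VirtualMachine("db01", BASELINE, [Checkpoint("golden", datetime(2008, 2, 15))],
                   restored_from="golden", restored_at=datetime(2008, 5, 20)),
    VirtualMachine("test07", None),
    VirtualMachine("app02", BASELINE, [Checkpoint("after-patch", datetime(2008, 5, 12))]),
]
```

Running `audit(SAMPLE)` marks web01 as carrying a stale checkpoint, db01 as reverted, test07 as never serviced and app02 as current.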