Command-Line ESXi Patching: A Controlled Workflow for Hosts Outside the Happy Path

There are times when the normal ESXi patching path is exactly what you should use: SDDC Manager, vSphere Lifecycle Manager, a tested cluster image, prechecks, staged remediation, and a maintenance workflow that keeps inventory and compliance aligned.

Then there are the other days.

A host might be standalone. A lab host might not be attached to vCenter. A break-fix situation might require a surgical patch outside the normal lifecycle workflow. A vendor or Broadcom support case might point you to a command-line path because the standard remediation workflow is blocked. That is where KB 343840 becomes useful, but it should not be treated as a casual shortcut.

The goal is not “patch ESXi from SSH because it is faster.” The goal is to run a controlled, evidence-backed workflow when the host is outside the happy path.

Broadcom’s KB343840 describes command-line ESXi patching with esxcli software profile, and it specifically calls out that profile update is the recommended method for applying patches because it applies newer patch content while ignoring lower-revision content already on the host. The same KB warns that profile install can overwrite or downgrade packages and should be used carefully.

This walkthrough focuses on the operational version of that process: when to use it, what to capture before you touch the host, how to choose the right image profile, how to validate the result, and how to document drift afterward.

What You Will Accomplish

By the end of this walkthrough, you will have a repeatable command-line workflow for patching an ESXi host using an offline bundle.

The workflow covers:

when CLI patching is appropriate

maintenance mode and workload evacuation

host configuration backup

offline bundle staging

image profile selection

dry-run validation

patch execution

reboot planning

post-patch verification

drift documentation for vCenter, SDDC Manager, or operational records

This is written for administrators and engineers who already understand ESXi operations but want a safer command-line pattern than copying a single esxcli command from a KB and hoping the environment cooperates.

Where CLI Patching Fits

Command-line patching is an exception path. It has value, but the context matters.

ScenarioCLI patching fitOperational noteStandalone ESXi host with no vCenterStrong fitOften the cleanest supported path when lifecycle tooling is not present.Isolated site or disconnected environmentGood fitUse an offline bundle and document the source, checksum, and profile.vLCM or SDDC Manager workflow blocked by a known issueConditional fitUse only when the KB or support case explicitly supports the workaround.Routine VCF workload domain patchingPoor fitPrefer SDDC Manager and vSphere Lifecycle Manager workflows.Cluster with unclear hardware/OEM image stateRiskyValidate OEM bundle requirements before applying a generic profile.No working backup, no rollback window, no console accessStopFix the maintenance plan first.

The reason this distinction matters is simple: in VCF-managed environments, out-of-band ESXi updates can create lifecycle drift. Broadcom documents a case where SDDC Manager precheck fails because ESXi hosts were upgraded manually outside SDDC Manager workflows, causing a version mismatch between the actual host deployment and the SDDC Manager inventory database.

That does not mean you can never patch from the CLI in a VCF-adjacent environment. It means you need to treat the CLI patch as a controlled exception and record what changed.

The Workflow at a Glance

The most important part of this process is sequencing. Do not start with the profile update command. Start with evidence, readiness, and rollback.

Notice what the diagram does not show: “SSH to the host and immediately run the patch.” The safe workflow is slower up front and faster when something goes wrong.

Prerequisites and Assumptions

This walkthrough assumes:

You have administrative access to the ESXi host.

You have a maintenance window approved for workload evacuation and reboot.

You have console access or out-of-band management available.

You have downloaded the correct ESXi offline bundle.

You know whether the host requires an OEM-customized image.

You understand whether the host is standalone, vCenter-managed, or VCF-managed.

You have enough datastore space to stage the bundle.

You have a rollback or reinstall path if the host does not return cleanly.

Broadcom’s ESXi Shell guidance describes ESXi Shell as primarily intended for break-fix scenarios and exceptional cases that cannot be handled through standard management or CLI tools. That framing is useful. Enabling SSH or ESXi Shell for patching should be temporary, intentional, and logged.

Step 1: Confirm the Current Host State

Before staging a patch, capture the current version, build, image profile, and maintenance context.

From the ESXi shell:

vmware -v
vmware -vl

esxcli system version get
esxcli software profile get
esxcli software vib list | sort

Broadcom documents vmware -v as a CLI method to determine the ESXi build number. The image profile matters because a host can show one ESXi version while its underlying image profile is not aligned. Broadcom has documented cases where image profile mismatch can break later VIB-related operations, and the ideal state is for the ESXi version and image profile details to align.

Capture the output into your change record. At minimum, record:

ItemWhy it mattersHost FQDNTies the patch record to the asset.Current ESXi version and buildConfirms starting state.Current image profileHelps detect drift or mismatched remediation history.Current acceptance levelHelps identify unsigned or nonstandard packages.Installed OEM/vendor VIBsPrevents accidental removal or replacement.vCenter or SDDC Manager domainIdentifies lifecycle ownership.Offline bundle filenameSupports auditability.Target profile nameConfirms the selected remediation target.

For current build mapping, Broadcom maintains an ESXi build-number table that lists ESXi and ESX builds by release date.

Step 2: Back Up the Host Configuration

Do not skip the host configuration backup.

From the ESXi shell:

vim-cmd hostsvc/firmware/sync_config
vim-cmd hostsvc/firmware/backup_config

The first command synchronizes configuration changes to persistent storage. The second command generates a URL for downloading the configuration bundle. Broadcom documents both commands in the ESXi host configuration backup workflow.

Download the generated configBundle-<host>.tgz and store it with the change record.

A host configuration backup is not the same thing as a full bare-metal image. It is still valuable because it gives you a recovery path after reinstalling the same ESXi build, assuming the restore conditions are met. Broadcom notes that restore requires the destination host build number to match the build from which the backup was taken and that the UUID remains the same.

If you prefer to collect this evidence from PowerCLI before entering the break-fix window, you can use a small evidence script.

# Connect to vCenter or directly to the ESXi host, depending on your environment.
# Update these values before running.
$ServerName = “vcsa01.lab.local”
$HostName = “esx01.lab.local”
$EvidenceRoot = “.esxi-patch-evidence”
$Stamp = Get-Date -Format “yyyyMMdd-HHmmss”
$EvidencePath = Join-Path $EvidenceRoot “$HostName-$Stamp”

New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null

Connect-VIServer -Server $ServerName

$VMHost = Get-VMHost -Name $HostName

# Capture the inventory view from vCenter.
$VMHost |
Select-Object Name, Version, Build, ConnectionState, PowerState, Parent |
Export-Csv -Path (Join-Path $EvidencePath “vmhost-inventory-before.csv”) -NoTypeInformation

# Capture host services visible through PowerCLI.
Get-VMHostService -VMHost $VMHost |
Select-Object VMHost, Key, Label, Running, Policy |
Export-Csv -Path (Join-Path $EvidencePath “vmhost-services-before.csv”) -NoTypeInformation

# Optional: capture a host configuration backup when network and policy allow it.
Get-VMHostFirmware -VMHost $VMHost -BackupConfiguration -DestinationPath $EvidencePath

Disconnect-VIServer -Server $ServerName -Confirm:$false

What to change:

$ServerName should be your vCenter Server or target ESXi host.

$HostName should be the ESXi host being patched.

$EvidenceRoot should point to your change record or operations share.

Broadcom documents PowerCLI-based ESXi configuration backup using Get-VMHostFirmware -BackupConfiguration, with the note that HTTP 80 and HTTPS 443 are required for the cmdlet to work.

Step 3: Download and Stage the Offline Bundle

Use the offline bundle ZIP, not the ISO, for the esxcli software profile update workflow.

Broadcom’s download guidance states that only product versions with active licensing appear in the Broadcom Support Portal, and it separates ISO releases under Products from patch releases under Solutions. For ISO releases, Broadcom also notes that the desired download type can include an ISO or offline bundle ZIP.

Stage the bundle on a datastore accessible by the target host. A clean pattern is to create a dedicated directory:

mkdir /vmfs/volumes/<datastore-name>/patches

Then upload the ZIP through the datastore browser, SCP, or another approved file-transfer method.

Example staged path:

/vmfs/volumes/datastore1/patches/VMware-ESXi-8.0U3x-########-depot.zip

Use your actual bundle filename. Do not rename it in a way that hides the version or build.

Step 4: Put the Host in Maintenance Mode

Before patching, migrate or power off running virtual machines, then place the host into maintenance mode.

vim-cmd /hostsvc/maintenance_mode_enter
vim-cmd /hostsvc/hostsummary | grep inMaintenanceMode

Broadcom’s KB 343840 includes the maintenance mode entry command and the hostsummary validation command as part of the command-line patch workflow.

If the host is part of a DRS-enabled cluster, vCenter can migrate workloads after maintenance mode is initiated. Broadcom also notes that when vCLS is running on the target host, vCenter will automatically migrate off or shut down the vCLS VM and that you should not manually migrate or power off vCLS VMs unless instructed by Broadcom VCF Global Support.

For vSAN clusters, treat this as a storage-impacting operation, not just a compute evacuation. Confirm the evacuation mode, object health, and policy impact before continuing.

Step 5: List the Image Profiles in the Offline Bundle

Now inspect the bundle before applying anything.

esxcli software sources profile list -d /vmfs/volumes/<datastore-name>/patches/<bundle-name>.zip

Example:

esxcli software sources profile list -d /vmfs/volumes/datastore1/patches/VMware-ESXi-8.0U3x-########-depot.zip

Broadcom’s command-line patch KB uses this exact pattern to list profile names from the offline bundle.

This is where image profile awareness matters. You may see profiles such as:

Profile typeTypical meaningstandardSecurity and bugfix image including VMware Tools image updates.no-toolsSecurity and bugfix image without VMware Tools image updates.security-only style profileSecurity-only image, depending on bundle naming and release notes.OEM/vendor profileHardware-vendor-customized image profile, if supplied by the vendor.

Broadcom’s KB 390985 documents common VMware original offline bundle profile patterns, including standard, no-tools, and security-only profile examples. It also states that when a hardware vendor provides custom offline bundles for specific hardware, you should use the vendor bundle instead of the VMware original offline bundle.

This is one of the most common places where operators create long-term drift. If the host was installed from a Dell, HPE, Lenovo, Cisco, or other OEM-customized image, verify whether the target patch should also come from the OEM channel.

Step 6: Run a Dry Run

Do not apply the patch first. Simulate the transaction.

esxcli software profile update
-d /vmfs/volumes/<datastore-name>/patches/<bundle-name>.zip
-p <profile-name>
–dry-run

Example:

esxcli software profile update
-d /vmfs/volumes/datastore1/patches/VMware-ESXi-8.0U3x-########-depot.zip
-p ESXi-8.0U3x-########-standard
–dry-run

KB 343840 documents –dry-run as an option that simulates the installation and reports actions without making changes.

Review the output for:

VIBs to be installed

VIBs to be removed

dependency errors

acceptance-level warnings

hardware compatibility warnings

signature warnings

reboot requirement

OEM or custom package removal

Do not treat –force, –no-sig-check, or hardware-warning bypass options as normal operational switches. KB 343840 states that –force bypasses dependency and security checks and is not recommended unless instructed by VMware Support. It also states that –no-sig-check disables security verification and poses a high security risk.

Step 7: Apply the Profile Update

If the dry run is clean and the maintenance window is active, apply the update.

esxcli software profile update
-d /vmfs/volumes/<datastore-name>/patches/<bundle-name>.zip
-p <profile-name>

Example:

esxcli software profile update
-d /vmfs/volumes/datastore1/patches/VMware-ESXi-8.0U3x-########-depot.zip
-p ESXi-8.0U3x-########-standard

Use profile update as the default. Use profile install only when you explicitly intend to replace the image profile and understand the package-removal and downgrade implications. Broadcom’s KB 343840 makes the distinction clear: update is recommended for applying patches, while install can overwrite existing packages, remove old packages, or downgrade packages.

Also avoid using esxcli software vib update or esxcli software vib install for ESXi 8.0 Update 2 and later update/upgrade workflows. Broadcom states that starting with ESXi 8.0 Update 2, upgrading or updating ESXi using those VIB commands is no longer supported.

Step 8: Reboot the Host

After the patch transaction completes successfully, reboot the host.

esxcli system shutdown reboot -r ‘apply patch’

Broadcom’s KB 343840 includes this reboot step after patch installation. KB 390985 is even more explicit operationally: upgrading, updating, or applying a patch is not finished until the ESXi host completes the reboot after the update command.

Do not power off the server during this window. Watch the out-of-band console, iDRAC, iLO, IMM/XCC, UCS Manager, or your platform equivalent until the host has fully returned.

Step 9: Validate the Result

After the host boots, validate from both the host and the management plane.

From ESXi:

vmware -v
vmware -vl

esxcli system version get
esxcli software profile get
esxcli software vib list | sort

Confirm:

ESXi version and build match the expected target.

The image profile matches the selected target profile.

The host services are running as expected.

vmkernel adapters, storage adapters, and uplinks are present.

datastores are visible.

vSAN, NSX, or other platform-specific services are healthy where applicable.

no unexpected OEM or custom VIBs were removed.

Then exit maintenance mode:

vim-cmd hostsvc/maintenance_mode_exit

KB 343840 includes exiting maintenance mode after the host finishes booting.

If the host is vCenter-managed, validate through vCenter as well:

$ServerName = “vcsa01.lab.local”
$HostName = “esx01.lab.local”
$EvidencePath = “.esxi-patch-evidence$HostName-post”

New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null

Connect-VIServer -Server $ServerName

$VMHost = Get-VMHost -Name $HostName

$VMHost |
Select-Object Name, Version, Build, ConnectionState, PowerState, Parent |
Export-Csv -Path (Join-Path $EvidencePath “vmhost-inventory-after.csv”) -NoTypeInformation

Get-VMHostService -VMHost $VMHost |
Select-Object VMHost, Key, Label, Running, Policy |
Export-Csv -Path (Join-Path $EvidencePath “vmhost-services-after.csv”) -NoTypeInformation

Disconnect-VIServer -Server $ServerName -Confirm:$false

The output gives you a before-and-after record for the change ticket.

Step 10: Document Drift in VCF or Lifecycle-Managed Environments

This is the part that separates a controlled exception from a future outage.

If the host belongs to a VCF-managed domain, do not assume that a successful ESXi boot means lifecycle management is clean. SDDC Manager may still have inventory or version metadata that needs to catch up.

Broadcom documents a version synchronization API for VCF inventory after an out-of-band upgrade. The API can perform global or per-domain inventory version synchronization and can filter by product type, including ESXi. The same KB notes that inventory sync runs daily at 03:00 local server time, but it also provides an API workflow when manual synchronization is needed.

Your drift record should include:

Drift itemCaptureWhy CLI patching was usedChange ticket, support case, KB reference, or operational constraint.Normal lifecycle tool bypassedSDDC Manager, vLCM, standalone host, or direct ESXi.Target host and domainHost FQDN, cluster, workload domain, vCenter.Starting version/build/profilePre-change command output.Target bundle and profileBundle filename and selected image profile.Dry-run outputSaved terminal output or transcript.Final version/build/profilePost-change command output.Inventory sync actionAutomatic wait, API sync, or support case reference.Follow-up remediationRe-run prechecks, vLCM compliance, SDDC Manager inventory check.

Do not leave this as tribal knowledge. The next upgrade precheck will surface the gap, and the person troubleshooting it may not be the person who patched the host.

Troubleshooting and Common Issues

“No image profile found with name”

This usually means the profile name was typed incorrectly or copied from the wrong bundle.

Run the profile list command again:

esxcli software sources profile list -d /vmfs/volumes/<datastore-name>/patches/<bundle-name>.zip

Copy the exact profile name.

“The host is not in maintenance mode”

Verify maintenance mode:

vim-cmd /hostsvc/hostsummary | grep inMaintenanceMode

If it returns false, evacuate or power off workloads and re-enter maintenance mode.

Hardware or dependency warnings

Stop and review. Do not blindly add bypass flags.

If the host uses an OEM image, confirm whether you are using the right vendor bundle. Broadcom notes that when hardware vendors provide custom offline bundles for specific hardware, you should use those instead of the VMware original offline bundle.

VIB command guidance conflicts with older notes

Older articles, scripts, or personal notes may still reference esxcli software vib update. For ESXi 8.0 Update 2 and later update/upgrade workflows, Broadcom states that VIB update/install commands are no longer supported for upgrading or updating ESXi. Use esxcli software profile update for the host image profile path.

SDDC Manager shows mixed host versions after manual patching

Treat this as lifecycle drift, not just a cosmetic warning. Broadcom documents that SDDC Manager can show mixed host versions when ESXi hosts were manually upgraded outside SDDC Manager workflows, causing mismatch between actual deployment and SDDC Manager inventory. Review the VCF inventory version synchronization guidance and rerun the relevant prechecks.

Rollback is needed

Your realistic rollback options depend on the host state, bootbank behavior, and whether the previous version can be reverted. Broadcom’s ESXi patching KB references rollback guidance and also notes that if rollback cannot be used, reinstalling the old ESXi version and restoring the configuration backup may still be an option.

This is why the configuration backup and pre-change evidence are not optional.

Command Reference

TaskCommandCheck ESXi versionvmware -vCheck ESXi version and release detailvmware -vlCheck system versionesxcli system version getCheck current image profileesxcli software profile getBack up config syncvim-cmd hostsvc/firmware/sync_configGenerate config backupvim-cmd hostsvc/firmware/backup_configEnter maintenance modevim-cmd /hostsvc/maintenance_mode_enterConfirm maintenance modevim-cmd /hostsvc/hostsummary | grep inMaintenanceModeList profiles in bundleesxcli software sources profile list -d <bundle.zip>Dry run profile updateesxcli software profile update -d <bundle.zip> -p <profile> –dry-runApply profile updateesxcli software profile update -d <bundle.zip> -p <profile>Reboot after patchingesxcli system shutdown reboot -r ‘apply patch’Exit maintenance modevim-cmd hostsvc/maintenance_mode_exit

Wrap-Up

Command-line ESXi patching is useful when the host is outside the normal lifecycle path, but it should never feel informal.

The safe pattern is:

Confirm the host state.

Back up the host configuration.

Stage the correct offline bundle.

Enter maintenance mode cleanly.

List and choose the correct image profile.

Run a dry run.

Apply the profile update.

Reboot and validate.

Document drift and lifecycle ownership.

KB 343840 gives the core command-line mechanics. The operational value comes from wrapping those mechanics in a controlled workflow that respects image profiles, maintenance mode, offline bundle provenance, reboot planning, and VCF inventory state.

That is the difference between “I patched a host from SSH” and “I executed a controlled exception with evidence.”

External Sources

Broadcom KB 343840: Patching ESXi host using Command Line

Broadcom KB 390985: Upgrading, updating, or applying a patch to ESXi host using esxcli command

Broadcom KB 313510: How to back up and restore the ESXi host configuration

Broadcom KB 390727: SDDC Manager Precheck Out-Of-Band Upgrade Error

Broadcom KB 324050: Synchronize inventory versions after out-of-band upgrade in a VMware Cloud Foundation Environment

Broadcom KB 316595: Build numbers and versions of VMware ESXi/ESX

Broadcom KB 345263: Determining the build number of VMware ESXi

Broadcom KB 311213: Using ESXi Shell in ESXi

Broadcom KB 406874: ESXUpdate image profile mismatch error reference

Broadcom KB 372545: Download ESXi patch and ISO guidance

ESXi PSOD Triage: Turning a Purple Screen into an Evidence-Driven Escalation
A purple screen on an ESXi host creates an immediate operational problem, but the bigger risk is what happens next. The first…

The post Command-Line ESXi Patching: A Controlled Workflow for Hosts Outside the Happy Path appeared first on Digital Thought Disruption.