Important Update - On Mar 20 2018, VMware VMSA-2018-0004.3 announced that CVE-2017-5715 (Spectre-2) mitigation is now included in the latest patch that you should be using instead of the older patch featured in the original article below. You'll find the newer article that features an even easier update method here:

Article below as it originally appeared.

It's that time of year when some IT Pros are lucky enough to have a few days off to spend upgrading their home labs. This VMware update arrives just in time for the holidays, and this article gets us ready to start 2018 off right, featuring an easy upgrade method that works even for the free hypervisor that has no connection to a VCSA. Of course, it's a lot more fun to have VCSA in your home lab, and doing so beyond the 60 day trial has gotten a whole lot more affordable.

Below, you'll find both the detailed Step-By-Step Instructions and the walk-thru Video, but you should really read the whole article first, including a way to backup your ESXi media before you begin described in the Prerequisites section, and a way to roll-back easily if things don't go right, see Reverting to a previous version of ESXi (1033604).

Once you've performed this patch and rebooted, various UIs will show your ESXi version, depending upon where you look:

• 6.5.0 Update 1 (Build 7388607)
• Version: 6.5.0 Update 1 (Build 7388607)
• (Updated) ESXi-6.5.0-20171204001-standard (VMware, Inc.)
• 6.5.0 #1 SMP Release build-7388607 Dec 18 2017 03:01:41 x86_64 x86_64 x86_64 ESXi

If you'd like to see how to use VMware Update Manager (VUM) instead, it's all detailed here, requiring an active my.vmware.com account and a some more download/upload steps, a better way to go once you've already made it to a 6.5.x release.

You may be interested in the new NVMe inbox (included) driver that just arrived in this 6.5 Path 02, it's named:

• Version: 1.2.0.32-5vmw.650.1.36.7388607

VMware ESXI 6.5 Patch 02

Read both of these KB articles for details on what this Express Patch fixes:

• VMware ESXi 6.5, Patch Release ESXi650-201712001 (2151102)
  kb.vmware.com/kb/2151081

  Release Date: December 19, 2017
  Download Filename:
  ESXi650-201712001.zip

See also details about the original 6.5 Update 1 Release below.

VMware ESXI 6.5 U1

Release Notes. The simple update method that this article details below means you won't need the ISO Download Page for:
ESXi 6.5 U1 27 JULY 2017 Build 5969303

Warning:

1. vCenter/VCSA 6.5 should be upgraded to 6.5 Update 1d before upgrading your host(s) to ESXi 6.5 Patch 02 Build 7388607, see:
   How to easily update your VMware vCenter Server Appliance from 6.5.x to 6.5 Update 1d (VCSA 6.5 U1d)
   Jul 28 2017
2. I have only tested this method when upgrading from 6.5.0 U1 EP4 Build 5969303 to Build 7388607, your experience from earlier 6.x versions may vary.
3. I have been able to replicate that the Xeon D 10GbE X552/X557 driver VIB needs to be re-installed right after the upgrade.
4. This is not official VMware documentation, it's merely a convenient upgrade technique that may help in lab tests, a little simpler than the official procedure VMware documents and demonstrates in KB2008939. It's up to you to adhere to the backup-first advice detailed below, full Disclaimer found at below-left, at the bottom of very TinkerTry page.
5. See also the Drawbacks section below.

Why ESXCLI?

All the background story on how this easy ESXCLI upgrade method came about was covered in my earlier articles about updating 6.0 U2 and 6.5.
If you're in production, beware, this code just came out just 3 days ago. This article is for the lab, where you may want to give this critical patch a try.

Benefits

1. No new license needed to go from 6.0.x or 6.5.x to 6.5 U1 Build 6765664
2. Users of the free hypervisor and folks who can't download the GA Offline bundle now have a path forward as well, without needing to read TinkerTry's My VMware's 'You either are not entitled or do not have permissions to download this product.' error, and what to do about it.

Drawbacks

1. See also Differences Between vSphere Upgrades and Updates and Upgrade or Update a Host with Image Profiles:

   The esxcli software profile update command brings the entire contents of the ESXi host image to the same level as the corresponding upgrade method using an ISO installer. However, the ISO installer performs a pre-upgrade check for potential problems, and the esxcli upgrade method does not. The ISO installer checks the host to make sure that it has sufficient memory for the upgrade, and does not have unsupported devices connected. For more about the ISO installer and other ESXi upgrade methods, see Upgrade Options for ESXi 6.0.

2. See also Upgrading Hosts by Using esxcli Commands and Overview of the ESXi Host Upgrade Process.
3. Before proceeding, you should read Overview of the ESXi Host Upgrade Process. This article below is just about the quick and easy way, effective and safe for most folks. For those more interested in 'clean installs', where you login to My VMware, download the ESXi 6.5U1 ISO, shut down the ESXi on USB that you're already running, eject that USB flash drive and label it and set it aside, then boot from another USB drive like the SanDisk Ultra Fit with a fresh install of 6.5U1 imaged onto it. This clean install is much more time consuming than the easy method outlined below. Why? This is because once ESXi 6.5U1 is freshly installed, at a minimum you'll also have to use Datastore Browser to locate your VMs on your VMFS datastores, then add those files with *.vmx extensions back into your inventory, then add the host back to your cluster that should already be at 6.5U1. While this extra work may help you be sure that you don't have any drivers or changes carried over from your previous build, for many users, that's not a concern.

Prerequisites

Once you've completed ALL of the following preparation steps:

1. upgraded to the latest VCSA, which is currently 6.5 U1f, see How to easily update your VMware vCenter Server Appliance from 6.5.x to 6.5 Update 1f (VCSA 6.5 U1f) for Meltdown/Spectre-1 mitigation

2. read and understood Mike Foley's warnings in Secure Boot for ESXi 6.5 – Hypervisor Assurance

   ...
   Possible upgrade issues
   UEFI secure boot requires that the original VIB signatures are persisted. Older versions of ESXi do not persist the signatures, but the upgrade process updates the VIB signatures.

   If your host was upgraded using the ESXCLI command then your bootloader wasn’t upgraded and doesn’t persist the signatures. When you enable Secure Boot after the upgrade, an error occurs. You can’t use Secure Boot on these installations and will have to re-install from scratch to gain that support.
   ...

3. ensured your ESXi 6.5.x host has a working internet connection
4. reviewed the release notes
5. reviewed How to easily update your VMware Hypervisor to ESXi 6.0 Update 2 for the full back story that includes some warnings about potential gotchas/driver issues
6. backed up the ESXi 6.5.x you've already got, if its on USB or SD, then use something like one of the home-lab-friendly and super easy methods such as USB Image Tools under Windows, as detailed by Florian Grehl here

you can now continue with this simple approach to upgrading your lab environment. Unsupported, at your own risk, see the full disclaimer at below-left.

You should wind up with the same results after this upgrade as folks who upgrade by downloading the full ESXi 6.5 U1 ISO / creating bootable media from that ISO / booting from that media (or mounting the ISO over IPMI/iLO/iDRAC/IMM/iKMV) and booting from it:

File size: 332.63 MB
File type: iso
Name: VMware-VMvisor-Installer-6.5.0.update01-5969303.x86_64.iso
Release Date: 2017-07-27
Build Number: 5969303

installing it, rebooting, then running the patch process described below.

Upgrade Step-by-Step

Download and upgrade to 6.5 Patch 02 update using the patch directly from the VMware Online Depot

The entire process including reboot is usually well under 10 minutes, and many of the steps below are optional, making it appear more difficult than it is. Triple-clicking on a line of code below highlights the whole thing with a carriage return, so you can then right-click and copy it into your clipboard, which gets executed immediately upon pasting into your SSH session. If you want to edit the line before it's executed, manually swipe your mouse across the code rather than triple-clicking the lines of code.

1. Open an SSH session (eg. PuTTY) to your ESXi 6.0.x server
   (if you forgot to enable SSH, here's how)
2. Turn on maintenance mode, or ensure you've set your ESXi host to automatically gracefully shutdown all VMs upon host reboot, or shutdown all the VMs gracefully that you care about, including VCSA.
3. Firewall allow outbound http requests - This command might not be needed, but I'm trying to make these instructions applicable to the broadest set of readers. Paste the one line below into into your SSH session, then press enter:

   More details about the firewall here.

4. Pull down ESXi Image Profile using https and run patch script - Paste the line below into into your SSH session, then hit enter and wait while nothing seems to happen, taking somewhere between roughly 3 to 10 minutes before the completion screen (sample below) appears:

   It MAY just do it's thing after a several minute pause, or it may immediately fail and warn you what VIBs will be removed if you proceed. Note that next command is the same as the one above, but with
   --ok-to-remove
   added at the end. This allows the upgrade to proceed, now that you've been properly warned. Be sure to make note of what VIBs it says will be removed, just in case the inbox (included) drivers it installs don't work for your system.

   If you don't have Xeon D, the next command is:

   and you're done!

Be sure all your devices still work afterward, and if not, you'll need to locate the original VIB download site and install it, using the detailed install instructions usually found at the vendor's VIB download site. Now that the included AHCI/SATA driver has been fixed, home lab enthusiasts are likely to find such issues much less common.
If these esxcli software profile install commands fails, you may want to try changing update to install, details below, see also Douglas' comment. Wait time for the successful install depending mostly on the the speed of the ESXi's connection to the internet, and somewhat on the write speed of the storage media that ESXi is installed on.

1. OPTIONAL - Xeon D with 10GbE - If your system includes two 10GbE Intel X552/X557 RJ45 or SFP+ NICs ports, they can be used for 1GbE or 10GbE speeds, but you'll need to regain the 10GbE Intel driver VIB that the upgrade process replaced with an older one that doesn't work with your X557. Simply copy and paste the following one-liner fix:

   as described in detail here before proceeding.

2. OPTIONAL - Xeon D-1567 - If your system uses the Xeon D-1567 (12 core) you may find the VMware ESXi 6.0 igbn 1.4.1 NIC Driver for Intel Ethernet Controllers 82580,I210,I350 and I354 family performs better for the service console on either ETH0 or ETH1 instead of the included-with-6.5U1EP4 VMware inbox driver for I-350 called
   VMW_bootbank_net-igb_5.0.5.1.1-5vmw.650.0.0.4564106. No need to download separately. Simply copy and paste the following one-liner fix:

   before proceeding.

3. OPTIONAL - Intel Optane P4800X - If your system has an Intel Optane P4800X NVMe SSD of either the PCIe or U.2 type, or a consumer 900P version, you'll need the Intel driver for full speed support under ESX. First, find your NVMe firmware version, then reference this version to verify the exact VIB you should be using on the VMware HCL - IO Devices Keyword P4800X. If it's intel-nvme version 1.3.2.4, simply paste the easy one-liner fix:

   before proceeding. This method is here as a reference only, you should use your own internal web host to make pulling/installing this VIB easy, or just download it to a local directory on the ESXi and install it from there.

4. Firewall disallow outbound http requests - To return your firewall to how it was before this online upgrade, simply copy and paste the following:
5. If you turned on maintenance mode earlier, remember to turn maintenance mode off.
6. If you normally leave SSH access off, go ahead and disable it now.
7. Type or paste

   and hit return (to restart your ESXi server), or use your favorite ESXi UI to restart the host.

8. After the reboot is done, it would be a good idea to test login using ESXi host client, pointing your browser to the IP or hostname of your just-graded server, to be sure everthing seems to be working right.

You're done!

Special thanks to VMware ESXi Patch Tracker by Andreas Peetz at the VMware Front Experience Blog. This upgrade test was performed on a TinkerTry'd VMware HCL system. Yes, on both the very popular 8 core and the rather special 12 core version of the beloved Supermicro SuperServer SYS-5028D-TN4T system.

That's it! When the reboot is complete, you'll see for yourself that you now have the latest ESXi, Build 7388607, as pictured above. Now you have more spare time to read more TinkerTry articles!

When the upgrade is complete, on the ESXi Host Client UI, under Host / Configuration, you should see the following 'Image profile'
(Updated) ESXi-6.5.0-20171204001-standard (VMware, Inc.)

Potential gotchas

1. Depending upon your ESXi firewall configuration, if the above command results in a network related error such as:
   'NoneType' object has no attribute 'close'
   then you skipped the firewall configuration step above, try again!

Video

Closing Thoughts

Alternatively, you could have used VMware Update Manager on a Windows system or VM, but for one-off upgrades typical in a small home lab, pasting these 3 or 4 lines of code is pretty darn easy.

Looking ahead, since VUM is now built into VCSA 6.5, this adds another way to do future upgrades and patches, even in a small home lab environment.

This release is also known as:

• ESXi 6.5 U1 Patch 2
• ESXi 6.5 U1 EP4
• ESXi 6.5 U1 P02
• ESXi 6.5U1 P02
• ESXi 6.5 U1 P2
• ESXi 6.5U1P2

All ESXi releases have been nicely documented by VMware here:

From the above table, I created this summary of this 6.5U1EP4 release:

• Version - ESXi 6.5 U1 Express Patch 4
  Release Date - 2017-10-05
  Build Number - 6765664
  Installer Build Number - N/A

It's quite possible the above upgrade technique will work for all of the following 6.x versions of ESXi, but I haven't tested:

Jan 03 2018 Update

Did you realize that vSAN Support Insight arrives in this ESXi 6.5 U1 Express Patch patch?

• vSAN Support Insight
  Dec 18 2017 by John Nicholson at VMware Virtual Blocks

Don't miss the overview video featuring Pete Fletcha's always pleasant voiceover at the vSAN Support Insight page on storagehub, as also seen below.

Jan 05 2018 Update

Nice short summary of CVE-2017-5753 & CVE-2017-5715 (Spectre) & CVE-2017-5754 (Meltdown) by William Lam:

VMware Customers - See https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html … for addressing CVE-2017-5753 & CVE-2017-5715 (Spectre) & CVE-2017-5754 (Meltdown)

FYI - VMware Hypervisors not affected by Meltdown but you still need to apply whatever patches are issued by the GuestOS vendors

See also:

• Meltdown and Spectre – what you need to know!
  Jan 05 2018 - Michael White at Notes from MWhite

Jan 24 2018 Update

See also

where you'll discover that it recommends ESXi 6.5 users patch with ESXi650-201712101-SG from https://my.vmware.com/group/vmware/patch that has this documentation. That is the very same ESXi650-201712101-SG that is included in the ESXi650-201712001 patch that this article above is all about! In other words, currently, this article covers what is currently the Spectre/Meltdown mitigation patch. The more recent patch ESXi650-201801001 (ESXi Build 7388607) that I covered in my more recent article has been pulled, based on Intel's findings.

Feb 01 2018 Update

VMware support has informed me that it's now recommended that Intel I350 NICs get the Sep 20 2017 version 1.4.1, found here.

References to 5.3.3:
VMware ESXi 6.0 igb 5.3.3 NIC Driver for Intel Ethernet Controllers 82580, I210, I350, and I354
have now been removed from the above article.

Reference to 4.5.3 removed as well.

See also at TinkerTry

• Meltdown and Spectre side-channel attack risk mitigation information from processor, server, and software vendors
  Jan 10 2018

• How to easily update your VMware vCenter Server Appliance from 6.5.x to 6.5 Update 1d (VCSA 6.5 U1d)
  Dec 23 2017

• VMware vSphere Taskbar Shortcuts Unleashed - profile switcher isolated and uncluttered Chrome Browser UIs act like native Windows apps!
  Mar 27 2017

See also

• VMware vSAN 6.6 GA - Download Links Available
  Apr 18 2017 by Florian Grehl

• ESXi 6.5 Release Notes for free license and white box users
  Nov 24 2016 by Andreas Peetz at VMware Front Experience

• VMware ESXi Patch Tracker
  Nov 24 2016 by Andreas Peetz at VMware Front Experience

• VMware vSphere 6.5 Documentation Center - Upgrade or Update a Host with Image Profiles
  VMware

Upgrade Log

Below, I've pasted the full text of my upgrade, helps you see what drivers were touched, use the horizonal scroll bar or shift + mousewheel to look around, and Ctrl+F to Find stuff quickly: