VCF · April 5, 2025

Upgrading VMware Cloud Foundation: Leverage the Flexible Bill of Materials (BOM) for Seamless Patch Management

As a Technical Account Manager (TAM) working closely with VMware customers, I often find myself navigating complex environments to ensure that their infrastructure stays secure, efficient, and up-to-date. One of my most recent engagements involved a customer who was facing the challenge of applying the latest security patches to their VMware Cloud Foundation (VCF) environment—specifically, VMSA-2025-0004 for ESXi.

VMware had just published the advisory, which covers critical vulnerabilities in ESXi, and our goal was to bring in the fixed ESXi build as part of a broader SDDC (Software-Defined Data Center) upgrade. What made the task more interesting was a new feature in VCF 5.2.x: the Flexible Bill of Materials (BOM), which lets customers choose specific versions of individual components during a workload domain upgrade instead of taking the whole release BOM at once. That capability would let the customer apply the ESXi fix now and also simplify lifecycle management for future updates.

Here’s how the journey unfolded…


Understanding the Customer’s Challenges

My customer had a multi-tenant private cloud environment running on VMware Cloud Foundation, comprising several workload domains that supported multiple business-critical applications. Like many organizations, they had a rigorous patching policy, which required them to stay up-to-date with security patches, especially those affecting ESXi hosts. However, they were also mindful of the operational complexity and potential downtime that came with updating the entire environment.

To make things more challenging, the customer was running VCF 5.0.x at the time, which meant the current lifecycle management process was more rigid, requiring them to update the entire stack as a single unit. This led to operational overhead, especially when VMware released security updates or bug fixes for individual components like ESXi or vCenter.

With VMSA-2025-0004 being critical for their environment, it was time to upgrade their environment to VCF 5.2.x. This would not only bring them up to speed with the latest patches but also allow them to leverage Flexible BOM, enabling more granular control over their updates and patches.


Introducing the Flexible BOM Feature

I had already prepared the ground by discussing VCF 5.2.x’s new Flexible BOM feature with the customer. Here’s a quick breakdown of what it could do:

  • Granular Component Selection: With Flexible BOM, customers could select specific versions of individual components (like ESXi, vCenter, NSX, etc.) during a workload domain upgrade.

  • Customized Upgrade Paths: This provided the flexibility to patch just the components that needed upgrading, instead of the entire environment, reducing the time and complexity of the upgrade process.

  • Faster Patch Deployment: With more targeted updates, customers could roll out a fixed ESXi build for an advisory like VMSA-2025-0004 faster, without touching vCenter, NSX or the rest of the domain's stack.

The customer was particularly excited about this feature because it meant that ESXi could be upgraded independently of other components, which would allow them to patch ESXi hosts with the latest VMSA patch while keeping the rest of the environment stable.


Planning the Upgrade Process

Once we agreed on leveraging the Flexible BOM feature, the next step was to plan the upgrade path for the customer’s environment. Here’s how we approached it:

Step 1: Review the Current Environment

First, I helped the customer assess the current state of their VMware Cloud Foundation environment. We performed an inventory of all the components running in their environment, including:

  • vSphere (ESXi & vCenter versions)

  • NSX-T for networking

  • vSAN for storage

  • vRealize Suite (if applicable)

We also checked their current BOM (Bill of Materials) version, which would serve as the baseline for the upgrade.

Step 2: Review the Latest VMSA Update

I walked them through VMSA-2025-0004, a critical advisory for ESXi. The vulnerabilities it covers allow code running with privileges inside a guest VM to break out to the ESXi host, so a compromised or malicious tenant VM could threaten every other workload on that host. In a multi-tenant environment that is the worst case, and we agreed that the ESXi hosts had to be first in line for remediation.

Step 3: Leveraging Flexible BOM for a Targeted Upgrade

Now, the fun part: I showed them how to use Flexible BOM to select the ESXi version that contains the fix, without upgrading other components unless necessary. This was a huge win, as they could remediate the ESXi hosts independently of vCenter and the other components. One caveat worth stating plainly: SDDC Manager only offers ESXi versions it has validated as interoperable with the domain's current vCenter and NSX versions, so "independent" means independent within the supported combinations, not any build you like.

We began by:

  • Selecting the ESXi version that remediates VMSA-2025-0004 as the target version for the workload domain, leaving vCenter and NSX at their current versions.

  • Confirming that SDDC Manager reported the chosen ESXi version as compatible with the domain's vCenter, NSX and vSAN versions, and checking the interoperability matrix ourselves rather than assuming.

  • Planning a non-disruptive rolling upgrade: SDDC Manager remediates the hosts of a cluster one after another, placing each in maintenance mode so DRS evacuates its VMs before the host is patched and rebooted. That only works without disruption if the cluster has spare capacity to absorb one host's workloads.

Step 4: Scheduling the Upgrade

Since VMware Cloud Foundation allows for streamlined upgrades, I worked with the customer to schedule the upgrade during a maintenance window. We planned to upgrade the ESXi hosts first, with each host placed into maintenance mode and its VMs vMotioned to other hosts in the cluster before it was patched, which meant confirming beforehand that every cluster had enough headroom to run with one host out.

By taking advantage of Flexible BOM, we avoided downtime on the entire stack and only upgraded ESXi, ensuring that the customer could continue using their vCenter, NSX, and other components without interruption.


Executing the Upgrade: Smooth Sailing

With the plan in place, we moved ahead with the upgrade process. Using VMware Cloud Foundation’s lifecycle management tools, I guided the customer through the following steps:

  • Initiating the Upgrade: We started the upgrade from SDDC Manager's Lifecycle Management view, where the ESXi build that remediates VMSA-2025-0004 was selected as the target version for the workload domain.

  • Monitoring the Process: We confirmed the pre-checks passed before allowing the upgrade to proceed, and followed progress host by host. SDDC Manager's task view and logs record each step, which made it easy to see which host was being remediated at any moment.

  • Post-Upgrade Validation: Because the fix ships in the ESXi build itself, there was no separate patch to apply afterwards; validation meant confirming that every host in the domain now reported the remediated build number (not just the version string) and that DRS, vSAN health and NSX transport node status were clean. I walked them through those checks to confirm the environment was secure and operational.
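The build check from the post-upgrade validation step, which is also the check to run over the Step 1 inventory to see which hosts are exposed before the upgrade, as an added example that is not the author's or VMware's tooling: it parses `esxcli system version get` output from each host, compares the build number with the minimum fixed build for that ESXi version line, and flags anything still exposed. The host outputs are constructed samples, and the numbers in FIXED_BUILDS are assumed placeholders to be replaced with the values from the advisory's response matrix.

```python
"""Flag ESXi hosts that do not yet run a build remediating a VMSA.

Added example, not VCF or VMware tooling. Fixed-build numbers below are
assumed placeholders: take the real ones from the advisory's response matrix.
"""
import re
from dataclasses import dataclass

# Minimum remediated build per ESXi version line (assumed placeholders).
# Build numbers only increase within a line, so the comparison is keyed by
# version; comparing a 7.0.3 build against an 8.0.3 one would be meaningless.
FIXED_BUILDS = {
    "7.0.3": 24585291,
    "8.0.2": 24585300,
    "8.0.3": 24585383,
}

_VERSION_RE = re.compile(r"^\s*Version:\s*(\S+)\s*$", re.MULTILINE)
_BUILD_RE = re.compile(r"^\s*Build:\s*Releasebuild-(\d+)\s*$", re.MULTILINE)


@dataclass
class HostStatus:
    fqdn: str
    version: str
    build: int
    remediated: bool
    reason: str


def parse_esxcli_version(output: str) -> tuple[str, int]:
    """Extract (version, build) from `esxcli system version get` output."""
    version = _VERSION_RE.search(output)
    build = _BUILD_RE.search(output)
    if version is None or build is None:
        raise ValueError("unrecognised esxcli output; refusing to guess")
    return version.group(1), int(build.group(1))


def assess_host(fqdn: str, output: str, fixed_builds: dict = FIXED_BUILDS) -> HostStatus:
    """Decide whether one host runs a remediated build.

    Anything that cannot be matched to a known fixed build is reported as
    NOT remediated: an unknown version line is a gap in the check, not proof
    that the host is safe.
    """
    version, build = parse_esxcli_version(output)
    fixed = fixed_builds.get(version)
    if fixed is None:
        return HostStatus(fqdn, version, build, False,
                          f"no fixed build known for ESXi {version}; verify manually")
    if build >= fixed:
        return HostStatus(fqdn, version, build, True,
                          f"build {build} >= fixed build {fixed}")
    return HostStatus(fqdn, version, build, False,
                      f"build {build} < fixed build {fixed}")


# Constructed sample outputs for four hosts (not captured from a real environment).
SAMPLE_OUTPUTS = {
    "esx01.example.internal": (
        "   Product: VMware ESXi\n   Version: 8.0.3\n"
        "   Build: Releasebuild-24585383\n   Update: 3\n   Patch: 75\n"
    ),
    "esx02.example.internal": (   # same line, pre-fix build
        "   Product: VMware ESXi\n   Version: 8.0.3\n"
        "   Build: Releasebuild-24022510\n   Update: 3\n   Patch: 0\n"
    ),
    "esx03.example.internal": (   # older line, pre-fix build
        "   Product: VMware ESXi\n   Version: 7.0.3\n"
        "   Build: Releasebuild-23794027\n   Update: 3\n   Patch: 110\n"
    ),
    "esx04.example.internal": (   # line with no entry in FIXED_BUILDS
        "   Product: VMware ESXi\n   Version: 8.0.1\n"
        "   Build: Releasebuild-22088125\n   Update: 1\n   Patch: 0\n"
    ),
}


def report(outputs: dict = SAMPLE_OUTPUTS) -> list[HostStatus]:
    """Assess every host; in practice `outputs` is collected by running esxcli over SSH or PowerCLI."""
    return [assess_host(fqdn, out) for fqdn, out in outputs.items()]


def exposed_hosts(outputs: dict = SAMPLE_OUTPUTS) -> list[str]:
    """FQDNs that still need attention; an empty list means the domain is clean."""
    return [s.fqdn for s in report(outputs) if not s.remediated]


if __name__ == "__main__":
    for s in report():
        print(f"{s.fqdn:28} {s.version:6} {s.build:<10} "
              f"{'OK' if s.remediated else 'EXPOSED':8} {s.reason}")
```

The check deliberately fails closed: a host whose version line has no entry in the table is listed as exposed rather than silently skipped, and it keys on the build number rather than the "Update"/"Patch" fields, because those are what distinguish a pre-fix and a post-fix build of the same ESXi version.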


Results and Benefits

The upgrade was successful, and the customer was thrilled with the results. By using Flexible BOM, they were able to:

  • Patch their ESXi hosts quickly and independently of other components.

  • Reduce downtime and disruption to their environment by avoiding a full stack upgrade.

  • Stay compliant with their own patching policy by remediating VMSA-2025-0004 without delay.

The customer also expressed appreciation for the seamless experience and the ability to use Flexible BOM to control the pace of future upgrades. This flexibility allowed them to apply critical patches in a more controlled, predictable manner.


Conclusion: A TAM’s Role in Empowering Customers

As a TAM, my role isn’t just about troubleshooting or helping with day-to-day operations; it’s about empowering customers with the tools and strategies that best fit their needs. Helping them navigate new features like Flexible BOM and apply important security patches like VMSA-2025-0004 in a way that minimizes risk and maximizes uptime is immensely rewarding.

With VCF 5.2.x and its Flexible BOM, customers now have a much more flexible and efficient way of managing their SDDC lifecycle, especially when it comes to security patches and updates. I’m proud to be part of the journey, ensuring that customers not only stay secure but also leverage the full potential of VMware Cloud Foundation.


Useful Resources


By sharing this experience, I hope to highlight how VMware Cloud Foundation’s Flexible BOM feature can streamline your patching process and help you keep your environment secure with minimal disruption.