Patching Hyper-V environment

I have a number of Hyper-V servers running Windows 2012 Core which have not been patched in some time.  Can I just patch the Hyper-V hosts or do I need to patch the VM's as well.  

For background, this is a legacy environment and they people that built it have left the company some time ago without any handover.  Windows Update service has been disabled on all the vm's for some reason.  The vm's are a mix of Windows 7 and Windows 2008R2.

Is it just enough to patch the Hyper-V hosts?
carbonbaseAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

PeeterBIT Support TechCommented:
No, not enough just to patch the Hosts ... you need to patch VMs as well .... and, if that hasn't been done for a while expect GBs of patches to be downloaded and installed ...
bbaoIT ConsultantCommented:
if you are talking about a production environment, then both Hyper-V host and the VMs running on it should be updated, and always do so as a best practice.

FYI - the Hyper-V host here provides only hardware support for the VMs including physical memory, storage and processor power. every VM works individually like a real server, hence they need to be updated as normal servers.
madunixCommented:
Patch management is a preventive control that corrects discovered weaknesses by applying a patch to the original program code that eliminates the weakness preventing exploitation.
• Make sure that a patch management system is in place to ensure that all relevant patches are installed. This is especially important for any patches released that apply to the virtualization software itself. Also, carefully determine when and if general operating system patches should also be installed on the host and guests.
• Pay special attention to how you configure virtual networking devices, enabling network connectivity between systems only when necessary.
• Consistently capture snapshots, or the state of the virtual environment at a certain point in time, to provide a quick and easy way to recover the entire environment should it be compromised.
• Carefully monitor the number of virtual machines to avoid VM sprawl.

https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final
https://www.sans.org/reading-room/whitepapers/threats/paper/34450

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Both the hosts and the guests need to be patched.

Expect downtime for the guests that are running on the host to be patched. If the hosts are domain joined then Shared Nothing Live Migration could be used to move the VMs to another host (mindful of licensing) to avoid downtime.

There is a just released patch for the Remote Desktop Protocol that is patching a vulnerability that is WannaCry like in that the bad actors can worm across all operating systems with the vulnerability.

Long and short of it is to patch! I suggest subscribing to www.patchmanagement.org. It's an awesome resource.
carbonbaseAuthor Commented:
Thanks all for your comments.  As I suspected, but thanks for confirming.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.