PowerCLI Script: Check if you have VMs with USB controllers

In light of the many serious vulnerabilities in vSphere ESXi that revolve around the USB controller, here is a script that lists the virtual machines that have a USB controller attached.


You need to have the VMware.PowerCLI module installed. This can be done with the commands:

Install-Module VMware.PowerCLI
Import-Module VMware.PowerCLI

You also need to be connected to vCenter. This can be accomplished with the following command:

Connect-VIServer <vCenter FQDN>

Function Get-USBEnabledVMs {
    <#
    .SYNOPSIS
        Find VMs that have USB enabled
    .DESCRIPTION
        Returns the VMs that have USB enabled. https://www.vmware.com/security/advisories/VMSA-2018-0025.html
    .NOTES
        Author:  Brian F. Knutsson CRIT Solutions
    .EXAMPLE
        PS> Get-USBEnabledVMs
    #>

    # Find VMs with USB Controller enabled
    $vms = Get-View -ViewType VirtualMachine -Property Name,Config.Hardware.Device
    $deviceList = @()

    ForEach ($vm in $vms) {
        try {
            #$vm.Config.Hardware.Device | Where-Object {$_.GetType().Name -eq "VirtualUSBController"} | fl
            # One output row per USB controller, tagged with the owning VM's name
            $devices = $vm.Config.Hardware.Device | Where-Object {$_.GetType().Name -eq "VirtualUSBController"} | Select-Object -Property @{N="VM";E={$vm.Name}},@{N="Controller";E={$_.DeviceInfo.Label}} -ErrorAction:Stop
        }
        catch { continue }

        $deviceList += $devices
    }

    # Return every controller found; the rows only carry VM and Controller,
    # so filtering on Enable3DSupport would drop all of them
    $deviceList
}

# To Execute
Get-USBEnabledVMs

As always, use at your own risk.

3 thoughts on “PowerCLI Script: Check if you have VMs with USB controllers”

  1. Hello,

    Specific to VMSA-2020-0026 this script would return the wrong output as the ‘USB xHCI Controller’ is a different type of device and would not get returned by the script above.

    The correct code to retrieve the xHCI controllers would be:

    $VM.Config.Hardware.Device | Where-Object { $_.DeviceInfo.Where({$_.Label -match "USB xHCI controller"}) } | Select-Object -property @{N="VM";E={$VM.Name}},@{N="Controller";E={$_.DeviceInfo.Label}} -ErrorAction:Stop
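
The script in the post and the xHCI point raised in the comment above can be covered in one pass by matching on device class rather than on the display label. This is an added example, not the author's or the commenter's code: it assumes an active Connect-VIServer session, the function name Get-VMUsbControllerReport and the descriptive type labels are made up here, and VirtualUSBController and VirtualUSBXHCIController are the vSphere API class names for the two controller kinds.

```powershell
# Added example: not the author's script. Requires an active Connect-VIServer session.
# Keys are vSphere API device class names; values are descriptive labels chosen here.
$UsbControllerTypes = @{
    'VirtualUSBController'     = 'USB 1.1/2.0 (UHCI/EHCI)'
    'VirtualUSBXHCIController' = 'USB 3.x (xHCI)'
}

# Get-VMUsbControllerReport is a hypothetical name used for this example.
function Get-VMUsbControllerReport {
    [CmdletBinding()]
    param()

    $props = 'Name', 'Runtime.PowerState', 'Config.Template', 'Config.Hardware.Device'
    $vms = Get-View -ViewType VirtualMachine -Property $props

    foreach ($vm in $vms) {
        # Config is $null for inaccessible or orphaned VMs; warn instead of failing
        if ($null -eq $vm.Config) {
            Write-Warning "No configuration available for '$($vm.Name)', skipped"
            continue
        }
        foreach ($dev in $vm.Config.Hardware.Device) {
            $kind = $UsbControllerTypes[$dev.GetType().Name]
            if (-not $kind) { continue }   # not a USB controller

            [pscustomobject]@{
                VM              = $vm.Name
                PowerState      = $vm.Runtime.PowerState
                Template        = $vm.Config.Template
                Controller      = $dev.DeviceInfo.Label
                Type            = $kind
                # Device holds the keys of devices attached to this controller
                AttachedDevices = ($dev.Device | Measure-Object).Count
            }
        }
    }
}

Get-VMUsbControllerReport | Sort-Object VM, Type | Format-Table -AutoSize
```

Matching on the class name keeps the result independent of the label text, and the PowerState and Template columns help decide which VMs to review first.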

