List VMs with Secure Boot enabled on Windows Server 2022

Since Microsoft released: KB5022842 a lot of customers has experienced Windows Server 2022 not being able to boot. On vSphere 7 this might be a problem if you have installed the patch at enabled secure boot for the server.

More information is available here: VMware KB90947

If you need to find VM that are running Windows Server 2022 and have enabled Secure Boot it is not that easy.

The problem is that your cannot always be sure that the OS selected for the VM is the OS actually installed in the VM. If for instance you installed Windows Server 2022 before is was officially supported in vSphere you might have chosen Windows Server 2019. So you will need to use the OS name that VMware tools are reporting.

But what is VMware tools is not running. That’s a problem.

The following script will find VMs with Secure Boot enabled that are running Windows Server 2022, but also VM’s where we are not certain because VMware Tools is not running.

Continue reading List VMs with Secure Boot enabled on Windows Server 2022

NSX-T Troubleshooting IDFW rules

So you have migrated to NSX-T 3.2 and you are using IDFW rules to allow users to dynamically gain access when they log in to any physical device in the domain.

Only trouble is that now it is not really working, and VMware did not yet implement a way in the gui to see the effective members of Groups that contains Active Directory members.

Well there is a way you can see who is in the group at least, but there are a couple of steps.

How to find the effective group members

Step one is to identify the rule you are troubleshooting. Make a note of the rule id.

Next find the host the destination VM is running on. You can do this manually in vCenter or use powershell. That’s up to you.

Continue reading NSX-T Troubleshooting IDFW rules

Reconnect ESXi host after reinstall

After a VMware ESXi host reinstall reconnecting your host is not as easy as changing the state of the host by using the Set-VMHost -State command in VMware PowerCLI. The reason is that your host has gotten a new certificate. So to do this scripted you need to retrieve the SSL thumbprint and specify that during the reconnect.

Continue reading Reconnect ESXi host after reinstall

Enable IPv6 using PowerCLI

This is a PowerCLI script to enable IPv6 on VMware ESXi hosts in you vCenter.

This problem is that disabling IPv6 in newer versions of ESXi can sometimes result in PSOD, so even if you are not using IPv6 in your environment, you should keep it enabled. https://kb.vmware.com/s/article/2150794

Import-Module VMware.PowerCLI

Connect-VIServer <Insert vCenter name>

$VMHost = Get-VMHost <insert hostname>

$esxcli = Get-EsxCli -VMHost $VMhost -V2
$argument = $esxcli.system.module.parameters.set.CreateArgs()
$argument.module = "tcpip4"
$argument.parameterstring = "ipv6=1"
$esxcli.system.module.parameters.set.Invoke($argument)
Write-Host "IPv6 Enabled for host: $($VMHost)"
Write-Host "You need to put the host in maintenance mode and reboot for changes to take effect."

Hope this helps you. Keep in mind that use of this script is entirely your responsibility, and you should always understand what a script does before you run it.

To detect which host that has IPv6 disabled check this post: https://vm.knutsson.it/?p=1193

Check if IPv6 is disabled

This is a PowerCLI script to list VMware ESXi host that has IPv6 disabled in you vCenter.

This problem is that disabling IPv6 in newer versions of ESXi can sometimes result in PSOD, so even if you are not using IPv6 in your environment, you should keep it enabled. https://kb.vmware.com/s/article/2150794

Import-Module VMware.PowerCLI

Connect-VIServer <Insert vCenter server FQDN>
$VMHosts = Get-VMHost | Sort-Object

foreach ($VMHost in $VMHosts) {
    if ($VMHost.ConnectionState -ne "Connected" ) { 
        $status = "Unknown. Host Status: $($VMHost.Connectionstate)"
        Write-host("$($VMHost): $($status)")
    } else {
        $value = ($VMHost | Get-VMHostModule tcpip4).Options
        if ($value -match "ipv6=1") {
            $status = "Enabled"
            #Write-host("$($VMHost): $($status)")
        } elseif ($value -match "ipv6=0") {
            $status = 'Disabled'
            Write-host("$($VMHost): $($status)")
        } else {
            $status = "Unknown"
            Write-host("$($VMHost): $($status) - $($value)")
        }
    }
}

Hope this helps you. Keep in mind that use of this script is entirely your responsibility, and you should always understand what a script does before you run it.

To enable IPv6 on hosts using PowerCLI check this post: https://vm.knutsson.it/?p=1198

Automating VMware Workstation LAB

I am often working with quite large test environments. Powering on ESXi hosts with nested VMs can be a pain when you need to get it running quickly.

Here are some of my tricks to automating VMware Workstation

Continue reading Automating VMware Workstation LAB

Nested or Native

Should you buy dedicated hardware or a OP workstation for you next testing environment. If you are not sharing it with others, this might be useful for you.

History

For many years now VMware Workstation has been my secret weapon an daily tool for just about everything in regards to customer remote connections, test environments as so on.

Recently I needed to do some advanced testing with NSX-V and NSX-T. This required a lot more power than what I normally use so I needed to upgrade my testing platform.

The consideration is always with these things. How much are you going to invest, and what are the benefits. For a long time I have been considering buying 4 Intel NUC PC’s for doing these tests, but the problem is that to get a real setup that is flexible you need to invest a lot. Also it is not very flexible as you need to maintain them, and reinstall them everytime you need to play with a newer or older version.

Continue reading Nested or Native

Control OpenSLP on ESXi hosts using PowerCLI

I light of recent security vulnerabilities found in the OpenSLP service on ESXi. A recommended workaround is to disable the OpenSLP service all together.

Vulnerability information: https://www.vmware.com/security/advisories/VMSA-2021-0002.html

Workaround KB: https://kb.vmware.com/s/article/82374

This powershell script will help you control the OpenSLP service.

Continue reading Control OpenSLP on ESXi hosts using PowerCLI

Devices that are only supported in 6.7

Back in 2017 VMware changed their policy on VMKlinux Inbox Drivers. This has now come into effect from vSphere 7.0 and onwards.

Unfortunately this means that some otherwise supported hardware platforms, now are having support issue. And you might see the following error in vCenter Skyline Health:

Devices that are only supported in 6.7 or earlier by a VMKlinux inbox driver. This support has been removed in 7.0

This is the case for many Lenovo SR650 servers if they are booting from a SD card, as many will be configured with the Lewisburg SATA AHCI Controller.

Continue reading Devices that are only supported in 6.7

PowerCLI Script: Check if you have VMs with USB contollers

I light of many serious vulnerabilities in vSphere ESXi revolve around the USB controller, here is a script that will list the virtual machines that have an USB controller attached.

Requirements:

You need to have the VMware.PowerCLI module installed. This can be done with the commands:

Continue reading PowerCLI Script: Check if you have VMs with USB contollers