List VMs with Secure Boot enabled on Windows Server 2022

Since Microsoft released: KB5022842 a lot of customers has experienced Windows Server 2022 not being able to boot. On vSphere 7 this might be a problem if you have installed the patch at enabled secure boot for the server.

More information is available here: VMware KB90947

If you need to find VM that are running Windows Server 2022 and have enabled Secure Boot it is not that easy.

The problem is that your cannot always be sure that the OS selected for the VM is the OS actually installed in the VM. If for instance you installed Windows Server 2022 before is was officially supported in vSphere you might have chosen Windows Server 2019. So you will need to use the OS name that VMware tools are reporting.

But what is VMware tools is not running. That’s a problem.

The following script will find VMs with Secure Boot enabled that are running Windows Server 2022, but also VM’s where we are not certain because VMware Tools is not running.

Continue reading List VMs with Secure Boot enabled on Windows Server 2022

NSX-T Troubleshooting IDFW rules

So you have migrated to NSX-T 3.2 and you are using IDFW rules to allow users to dynamically gain access when they log in to any physical device in the domain.

Only trouble is that now it is not really working, and VMware did not yet implement a way in the gui to see the effective members of Groups that contains Active Directory members.

Well there is a way you can see who is in the group at least, but there are a couple of steps.

How to find the effective group members

Step one is to identify the rule you are troubleshooting. Make a note of the rule id.

Next find the host the destination VM is running on. You can do this manually in vCenter or use powershell. That’s up to you.

Continue reading NSX-T Troubleshooting IDFW rules

Reconnect ESXi host after reinstall

After a VMware ESXi host reinstall reconnecting your host is not as easy as changing the state of the host by using the Set-VMHost -State command in VMware PowerCLI. The reason is that your host has gotten a new certificate. So to do this scripted you need to retrieve the SSL thumbprint and specify that during the reconnect.

Continue reading Reconnect ESXi host after reinstall

Enable IPv6 using PowerCLI

This is a PowerCLI script to enable IPv6 on VMware ESXi hosts in you vCenter.

This problem is that disabling IPv6 in newer versions of ESXi can sometimes result in PSOD, so even if you are not using IPv6 in your environment, you should keep it enabled. https://kb.vmware.com/s/article/2150794

Import-Module VMware.PowerCLI

Connect-VIServer <Insert vCenter name>

$VMHost = Get-VMHost <insert hostname>

$esxcli = Get-EsxCli -VMHost $VMhost -V2
$argument = $esxcli.system.module.parameters.set.CreateArgs()
$argument.module = "tcpip4"
$argument.parameterstring = "ipv6=1"
$esxcli.system.module.parameters.set.Invoke($argument)
Write-Host "IPv6 Enabled for host: $($VMHost)"
Write-Host "You need to put the host in maintenance mode and reboot for changes to take effect."

Hope this helps you. Keep in mind that use of this script is entirely your responsibility, and you should always understand what a script does before you run it.

To detect which host that has IPv6 disabled check this post: https://vm.knutsson.it/?p=1193

Check if IPv6 is disabled

This is a PowerCLI script to list VMware ESXi host that has IPv6 disabled in you vCenter.

This problem is that disabling IPv6 in newer versions of ESXi can sometimes result in PSOD, so even if you are not using IPv6 in your environment, you should keep it enabled. https://kb.vmware.com/s/article/2150794

Import-Module VMware.PowerCLI

Connect-VIServer <Insert vCenter server FQDN>
$VMHosts = Get-VMHost | Sort-Object

foreach ($VMHost in $VMHosts) {
    if ($VMHost.ConnectionState -ne "Connected" ) { 
        $status = "Unknown. Host Status: $($VMHost.Connectionstate)"
        Write-host("$($VMHost): $($status)")
    } else {
        $value = ($VMHost | Get-VMHostModule tcpip4).Options
        if ($value -match "ipv6=1") {
            $status = "Enabled"
            #Write-host("$($VMHost): $($status)")
        } elseif ($value -match "ipv6=0") {
            $status = 'Disabled'
            Write-host("$($VMHost): $($status)")
        } else {
            $status = "Unknown"
            Write-host("$($VMHost): $($status) - $($value)")
        }
    }
}

Hope this helps you. Keep in mind that use of this script is entirely your responsibility, and you should always understand what a script does before you run it.

To enable IPv6 on hosts using PowerCLI check this post: https://vm.knutsson.it/?p=1198

Automating VMware Workstation LAB

I am often working with quite large test environments. Powering on ESXi hosts with nested VMs can be a pain when you need to get it running quickly.

Here are some of my tricks to automating VMware Workstation

Continue reading Automating VMware Workstation LAB

PowerCLI: TPM Encryption Recovery Key Backup

From vSphere 7.0 Update 2 and onwards VMware encurage you to make a backup of your host encryptions keys, when you are using TPM. https://kb.vmware.com/s/article/81661

Here is a script that will make it easy for you if you cannot be bothered with logging in to each host using SSH.

The script will list all hosts and their keys for safe keeping.

Import-Module VMware.PowerCLI
Connect-VIServer <vCenter>

$VMHosts = get-vmhost | Sort-Object

foreach ($VMHost in $VMHosts) {
    $esxcli = Get-EsxCli -VMHost $VMHost
    try {
        $key = $esxcli.system.settings.encryption.recovery.list()
        Write-Host "$VMHost;$($key.RecoveryID);$($key.Key)"
    }

    catch {
        
    }
}

PowerCLI: Migrate DRS VM Group Members

When ever you need to migrate to from one vCenter instance to another there are lots of things you need to migrate.

This PowerCLI script will help you migrate members from one DRS VM group to another. It can easily be modified to be part of a bigger context, or migrate all groups available.

Prerequisites

The prerequisites are that you have both the new and the old vCenter running, and that you have disconnected you hosts in the old vCenter and connected them to the new one. Do NOT remove them from you old vCenter. Leave them disconnected.

Continue reading PowerCLI: Migrate DRS VM Group Members

VMware HA Cluster: Set-Advanced HA Settings

Recently a adjustment was made to the vCenter Cluster HA Agent timeout Settings.

Ref: https://kb.vmware.com/s/article/2017778

Performing a Reconfigure for VMware HA operation on a primary node causes an unexpected virtual machine failover

This calles for at script, because there is no way we are going to do this by hand! Feel free to use or alter the script, just remember. It is all done at your own risk.

Continue reading VMware HA Cluster: Set-Advanced HA Settings

Control OpenSLP on ESXi hosts using PowerCLI

I light of recent security vulnerabilities found in the OpenSLP service on ESXi. A recommended workaround is to disable the OpenSLP service all together.

Vulnerability information: https://www.vmware.com/security/advisories/VMSA-2021-0002.html

Workaround KB: https://kb.vmware.com/s/article/82374

This powershell script will help you control the OpenSLP service.

Continue reading Control OpenSLP on ESXi hosts using PowerCLI