PowerCLI: TPM Encryption Recovery Key Backup

From vSphere 7.0 Update 2 and onwards VMware encurage you to make a backup of your host encryptions keys, when you are using TPM. https://kb.vmware.com/s/article/81661

Here is a script that will make it easy for you if you cannot be bothered with logging in to each host using SSH.

The script will list all hosts and their keys for safe keeping.

Import-Module VMware.PowerCLI
Connect-VIServer <vCenter>

$VMHosts = get-vmhost | Sort-Object

foreach ($VMHost in $VMHosts) {
    $esxcli = Get-EsxCli -VMHost $VMHost
    try {
        $key = $esxcli.system.settings.encryption.recovery.list()
        Write-Host "$VMHost;$($key.RecoveryID);$($key.Key)"

    catch {

Devices that are only supported in 6.7

Back in 2017 VMware changed their policy on VMKlinux Inbox Drivers. This has now come into effect from vSphere 7.0 and onwards.

Unfortunately this means that some otherwise supported hardware platforms, now are having support issue. And you might see the following error in vCenter Skyline Health:

Devices that are only supported in 6.7 or earlier by a VMKlinux inbox driver. This support has been removed in 7.0

This is the case for many Lenovo SR650 servers if they are booting from a SD card, as many will be configured with the Lewisburg SATA AHCI Controller.

Continue reading Devices that are only supported in 6.7

Migrate Tags from one vCenter to another

When upgrading to vSphere 7 or any other version, you might choose to create a brand new vCenter instead of migrating the old one. But what about folder structure, tags, distributed switches and so on.

Here I will demonstrate how you can easily migrate your tags from one vCenter to another using VMware PowerCLI.

Continue reading Migrate Tags from one vCenter to another