PowerCLI

  • 1.  secure boot

    Posted Sep 29, 2022 07:54 PM

    Is there a way in PowerCLI to check if a host is secure boot enabled?



  • 2.  RE: secure boot

    Posted Sep 29, 2022 08:06 PM

    You can use

    $esxcli = Get-EsxCli -VMHost MyEsx -V2
    $esxcli.system.settings.encryption.get.Invoke()


  • 3.  RE: secure boot

    Posted Sep 29, 2022 08:25 PM

    thank you !



  • 4.  RE: secure boot

    Posted Sep 29, 2022 10:08 PM

    This must be something new, and I have no idea what I am supposed to do. I replace the IP with each host IP, name, same with the vCenter IP, and name.
    I tried connecting to vCenter with PowerCLI first, and I just kept getting this error.

     

    PS C:\powercli\connect> $esxcli = Get-EsxCli 10.11.12.13 -V2
    Get-EsxCli : 9/29/2022 6:01:26 PM Get-EsxCli Could not find VIServer with name '10.11.12.13'.
    At line:1 char:11
    + $esxcli = Get-EsxCli 10.11.12.13 -V2
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (10.11.12.13:String) [Get-EsxCli], VimException

    + FullyQualifiedErrorId : Core_ObnSelector_SelectObjectByNameCore_ObjectNotFound,VMware.VimAutomation.ViCore.Cmdlets.Commands.EsxCli.GetEsxCli



  • 5.  RE: secure boot

    Posted Sep 30, 2022 05:31 AM

    Is that the name of the ESXi node or the IP address of the ESXi node?
    Try this

    $esx = Get-VMHost -Name 10.11.12.13
    $esxcli = Get-EsxCli -VMHost $esx  -V2


  • 6.  RE: secure boot

    Posted Sep 30, 2022 02:05 PM

    Yes, that worked. 
    I got this:

    =============================

    EsxCli: name.name.local
       Elements:  
    ---------
       device
       esxcli
       fcoe
       graphics
       hardware
       iscsi
       network
       nvme
       rdma
       sched
       software
       storage
       system
       vm
       vsan



  • 7.  RE: secure boot

    Posted Sep 30, 2022 02:11 PM

    Then try

    $esxcli.system.settings.encryption.get.Invoke()


  • 8.  RE: secure boot

    Posted Sep 30, 2022 03:43 PM

    Sadly no...

    PS C:\script\powercli\connect> $esx = Get-VMHost -Name name.name.local
    PS C:\script\powercli\connect> $esxcli = Get-EsxCli -VMHost $esx  -V2
    PS C:\script\powercli\connect> $esxcli.system.settings.encryption.get.Invoke()
    You cannot call a method on a null-valued expression.
    At line:1 char:1
    + $esxcli.system.settings.encryption.get.Invoke()
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull



  • 9.  RE: secure boot

    Posted Sep 30, 2022 04:18 PM

    Which version is that ESXi node running?



  • 10.  RE: secure boot

    Posted Sep 30, 2022 04:33 PM

    6.7



  • 11.  RE: secure boot

    Posted Sep 30, 2022 05:09 PM

    I tested in a vSphere 7 environment, and there the method works.
    Could be a version issue.

    Does the native esxcli command work when you run it at the ESXi console (or via an SSH session)?



  • 12.  RE: secure boot

    Posted Sep 30, 2022 08:48 PM

    Sorry, I don't know how to do that. I log into the ESX host and I don't see a way to open a command line. I see about getting it for Chrome, but Chrome says it is deprecated.



  • 13.  RE: secure boot
    Best Answer

    Posted Oct 01, 2022 03:40 AM

    I investigated further and it looks as if that specific esxcli command was introduced in 7.*
    That explains why it doesn't work in 6.7

    Besides checking via the Web Client (Monitor/Security and the Attestation column) I don't know if there is a public API method in 6.7
    Which probably explains why this esxcli command was introduced in 7.* 



  • 14.  RE: secure boot

    Posted Oct 03, 2022 01:55 PM

    Thanks for taking the time to look at it.



  • 15.  RE: secure boot

    Posted May 24, 2023 01:08 PM

    Unfortunately, this command does NOT report the secure boot status. You can only see if you configured secure boot enforcement (which requires an activated TPM).

    If you do, the host will not boot if the UEFI secure boot option is disabled. Therefore the host must have used secure boot if it is up and running.

    But if you did not configure secure boot enforcement, you don't get any information about the secure boot status.

    I wasn't able to find any PowerCLI command or property about secure boot and no info on the web either. But you can query this at the command line:

    /usr/lib/vmware/secureboot/bin/secureBoot.py --help

    usage: secureBoot.py [-h] [-a | -c | -s]

    optional arguments:
    -h, --help show this help message and exit
    -a, --acceptance-level-check
    Validate acceptance levels for installed vibs
    -c, --check-capability
    Check if the host is ready to enable secure boot
    -s, --check-status Check if UEFI secure boot is enabled
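
Pulling the thread together, here is an added example (not posted by any participant) that runs the esxcli call from post 2 across all hosts, skips hosts older than 7.* as found in post 13, and labels the result as enforcement configuration rather than firmware status, per post 15. Assumptions: an existing `Connect-VIServer` session, the hypothetical function name `Get-SecureBootEnforcement`, and the result properties `Mode` and `RequireSecureBoot`, which are taken from the ESXi 7 esxcli output field names.

```powershell
# Added example, not from the thread. Requires VMware PowerCLI and an existing
# Connect-VIServer session. Get-SecureBootEnforcement is a hypothetical name.
function Get-SecureBootEnforcement {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$VMHost
    )
    process {
        foreach ($h in $VMHost) {
            $row = [ordered]@{
                Host              = $h.Name
                Version           = $h.Version
                Mode              = $null
                RequireSecureBoot = $null
                Note              = ''
            }
            if ([version]$h.Version -lt [version]'7.0') {
                # Post 13: this esxcli command was introduced in 7.*.
                $row.Note = 'esxcli system settings encryption not available before 7.*'
            }
            else {
                try {
                    $esxcli = Get-EsxCli -VMHost $h -V2 -ErrorAction Stop
                    $enc = $esxcli.system.settings.encryption.get.Invoke()
                    # Property names assumed from the ESXi 7 esxcli output fields.
                    $row.Mode = $enc.Mode
                    $row.RequireSecureBoot = $enc.RequireSecureBoot
                    # Post 15: this is the enforcement setting, not the firmware status.
                    $row.Note = if ("$($enc.RequireSecureBoot)" -eq 'true') {
                        'enforcement on: a running host booted with secure boot'
                    } else {
                        'enforcement off: status unknown, run secureBoot.py -s on the host'
                    }
                }
                catch {
                    # Covers the InvokeMethodOnNull error shown in post 8.
                    $row.Note = "query failed: $($_.Exception.Message)"
                }
            }
            [pscustomobject]$row
        }
    }
}

Get-VMHost | Get-SecureBootEnforcement | Format-Table -AutoSize
```

Hosts reported as "status unknown" are the ones to follow up on at the ESXi shell, since the enforcement setting says nothing about them.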