Automation

 View Only
  • 1.  Turn on Virtualization based security from powercli

    Posted Jan 16, 2019 07:02 AM

    I have made quite long google search but have not found that command. For Hyper-V there is Set-VMSecurity. Is there something similar for vSphere?

    Main goal is to deploy new VM from command line with VBS turned on.



  • 2.  RE: Turn on Virtualization based security from powercli

    Posted Nov 19, 2019 09:23 PM

    Here's how to check in powershell

    (Get-VM myVM).extensiondata.config.flags.VbsEnabled

    And how to set

    $vm = Get-VM myVM

    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec

    $flags = New-Object VMware.Vim.VirtualMachineFlagInfo

    $flags.VbsEnabled = $true

    $spec.flags = $flags

    $vm.ExtensionData.ReconfigVM($spec)



  • 3.  RE: Turn on Virtualization based security from powercli

    Posted Jan 09, 2020 10:40 AM

    Thanks, but in my setup it does not work.

    Exception calling "ReconfigVM" with "1" arguments (0): "Invalid virtual machine configuration. Secure Boot should be enabled when enabling VBS (Virtualization-Based Security). Nested Hardware-Assisted Virtualization should be enabled when enabling VBS (Virtualization-Based Security). VVTD (Intel Virtualization Technology for Directed I/O) should be enabled when enabling VBS (Virtualization-Based Security)"

    +$vm.ExtensionData.ReconfigVM($spec)

    Probably those 3 features needs to be enabled via powercli before enabling VBS. For VVTD probably VvtEnabled flag can be used similar way, but what about NHAV?

    Secure Boot example:

    $vm = Get-VM TestVM

    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec

    $spec.Firmware = [VMware.Vim.GuestOsDescriptorFirmwareType]::efi

    $vm.ExtensionData.ReconfigVM($spec)

    Enable or Disable UEFI Secure Boot for a Virtual Machine



  • 4.  RE: Turn on Virtualization based security from powercli
    Best Answer

    Posted Jan 09, 2020 12:00 PM

    Try like this

    $vm = Get-VM MyVM

    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec

    $spec.Firmware = [VMware.Vim.GuestOsDescriptorFirmwareType]::efi

    $spec.NestedHVEnabled = $true


    $boot = New-Object VMware.Vim.VirtualMachineBootOptions

    $boot.EfiSecureBootEnabled = $true

    $spec.BootOptions = $boot


    $flags = New-Object VMware.Vim.VirtualMachineFlagInfo

    $flags.VbsEnabled = $true

    $flags.VvtdEnabled = $true

    $spec.flags = $flags


    $vm.ExtensionData.ReconfigVM($spec)



  • 5.  RE: Turn on Virtualization based security from powercli

    Posted Jan 10, 2020 06:35 AM

    Works well!



  • 6.  RE: Turn on Virtualization based security from powercli

    Posted Jun 17, 2022 05:36 PM

    I had posted a reply here asking how to do this for multiple VMs using a list in a .txt file but I figured out the solution:

    foreach($vmlist in (Get-Content -Path "C:\VMList.txt")){
    $vm = Get-VM -Name $vmlist
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec

    $spec.Firmware = [VMware.Vim.GuestOsDescriptorFirmwareType]::efi

    $spec.NestedHVEnabled = $true


    $boot = New-Object VMware.Vim.VirtualMachineBootOptions

    $boot.EfiSecureBootEnabled = $true

    $spec.BootOptions = $boot


    $flags = New-Object VMware.Vim.VirtualMachineFlagInfo

    $flags.VbsEnabled = $true

    $flags.VvtdEnabled = $true

    $spec.flags = $flags

    $vm.ExtensionData.ReconfigVM($spec)
    }



  • 7.  RE: Turn on Virtualization based security from powercli

    Broadcom Employee
    Posted Jan 09, 2020 10:49 AM

    Moderator: Moved to PowerCLI