PowerShell – Discover Secure boot enabled Hosts

As sometimes happens, someone from the community got in touch to ask me the question below.

“I’m currently banging my head against the proverbial trying to understand the Get-EsxCli command. What I am after is a listing of Secure-boot Enabled or disabled against all our ESXi hosts using PowerCli. Normal esxcli would be SSH to each ESXi host and then run: esxcli system settings encryption get…”

As luck would have it I had a free 10 mins and a lab environment I could repurpose to help solve this challenge.

When working with Get-EsxCli, we can effectively pass the same esxcli command that we would run over SSH to the host via PowerShell and get the output back as an object. We just have to change the syntax and replace the spaces with “.”

The syntax for the above command would therefore be

$esxcli.system.settings.encryption.Get()

Where the closing ‘()’ is executing the command. Example output below.

Of course doing this for one host at a time is no real time saver, so we can build out a foreach loop.

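# All hosts in the connected vCenter
$esxs = Get-VMHost

foreach($esx in $esxs){
    # Host name, passed to Get-EsxCli to get an esxcli object for that host
    $n = $esx.Name
    $esxcli = Get-EsxCli -VMHost $n
    # Run the command and add the host name as the first column
    $esxcli.system.settings.encryption.Get() | select @{Name="VMhost";expression={$esx.name}},Mode,RequireExecutablesOnlyFromInstalledVIBs,RequireSecureBoot
    }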

Get-VMHost returns all host objects in the connected vCenter (VC).

The foreach loop then works through that captured variable: for each host it captures the name and passes it to Get-EsxCli to build our $esxcli variable, before executing the command string to discover Secure Boot enabled hosts.

The select after the pipe builds out a table to display the results, adding the host name as a VMhost column. Example output below.

Building on that, we can capture this information into a CSV using Export-Csv.

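$esxs = Get-VMHost

# Collect one row per host, then write the CSV once after the loop.
# (Export-Csv inside the loop would overwrite the file on every iteration.)
$results = foreach($esx in $esxs){
    $n = $esx.Name
    $esxcli = Get-EsxCli -VMHost $n
    $esxcli.system.settings.encryption.Get() | select @{Name="VMhost";expression={$esx.name}},Mode,RequireExecutablesOnlyFromInstalledVIBs,RequireSecureBoot
    }

$results | Export-Csv c:\filelocation.csv -NoTypeInformation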
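A fuller version of the loop above, as an added example that is not code from the original post: it keeps hosts that cannot be queried in the report instead of silently dropping them, writes the CSV once, and returns only the hosts where RequireSecureBoot is not true. The function name Get-SecureBootReport, the Status column and the CSV path are assumptions made for illustration, and an existing Connect-VIServer session is assumed.

```powershell
# Added example, not from the original post. Assumes an active Connect-VIServer
# session; the function name, Status values and CSV path are hypothetical.
function Get-SecureBootReport {
    param([string]$CsvPath = 'C:\Temp\secureboot-report.csv')  # hypothetical path

    $report = foreach ($esx in Get-VMHost) {
        # Start with an empty row so unreachable hosts still show up in the audit.
        $row = [ordered]@{
            VMHost                                  = $esx.Name
            ConnectionState                         = "$($esx.ConnectionState)"
            Mode                                    = $null
            RequireExecutablesOnlyFromInstalledVIBs = $null
            RequireSecureBoot                       = $null
            Status                                  = 'NotQueried'
        }

        # Only query hosts that vCenter can currently talk to.
        if ($row.ConnectionState -in 'Connected', 'Maintenance') {
            try {
                $esxcli = Get-EsxCli -VMHost $esx -ErrorAction Stop
                $enc    = $esxcli.system.settings.encryption.Get()
                $row.Mode                                    = $enc.Mode
                $row.RequireExecutablesOnlyFromInstalledVIBs = $enc.RequireExecutablesOnlyFromInstalledVIBs
                $row.RequireSecureBoot                       = $enc.RequireSecureBoot
                # The value may be a string or a boolean; compare it as text.
                $row.Status = if ("$($enc.RequireSecureBoot)" -eq 'true') { 'Required' } else { 'NotRequired' }
            }
            catch {
                # Record the failure against the host rather than losing the row.
                $row.Status = "Error: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$row
    }

    # Full report goes to disk in a single write.
    $report | Export-Csv -Path $CsvPath -NoTypeInformation
    # Only hosts needing attention are returned to the pipeline.
    $report | Where-Object { $_.Status -ne 'Required' }
}

Get-SecureBootReport | Format-Table VMHost, ConnectionState, RequireSecureBoot, Status -AutoSize
```

Hosts with a Status of NotQueried or Error need a follow-up check; they are not evidence of either setting.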

If you had vROPs, you could look at combining some of the methods used here with the methods used to Add Virtual Machine advanced settings to custom properties in vRealize Operations as a way of tracking, reporting and alerting on changes.

Thanks

Simon