WilliamLam.com


Quick Tip - Audit vCenter Server Role & Permission Usage

02.26.2025 by William Lam // 2 Comments

vCenter Server ships with a number of system and custom roles out of the box, and users can also create their own custom roles containing the required privileges. If you want to understand which roles are actively being used, the following PowerCLI snippet provides insight into the roles that have been assigned. The script also writes a file containing all the privileges defined for the non-system vCenter roles that are in active use.

# Requires an active PowerCLI session (Connect-VIServer)
$roles = Get-VIRole
$permissions = Get-VIPermission

# Count how many permission assignments reference each role name
$results = @{}
foreach ($permission in $permissions) {
    $role = $permission.Role
    if($results.ContainsKey($role)) {
        $results[$role]+=1
    } else {
        $results[$role]=1
    }
}

Write-Host "`nTotal Roles: $($roles.count)"
Write-Host "Total Roles Used: $($results.count)"
Write-Host "Role Usage:"

# Most frequently assigned roles first
$results.GetEnumerator() | Sort-Object -Property Value -Descending

# Write the privileges of each non-system role that is in use.
# Out-File -Append adds to an existing used-roles.txt, so remove the file before a re-run.
$outfile = "used-roles.txt"
foreach ($key in $results.keys) {
    $role = Get-VIRole $key
    if(!$role.IsSystem) {
        $key | Out-File -Append -LiteralPath $outfile
        "=========================================================" | Out-File -Append -LiteralPath $outfile
        $role.ExtensionData.Privilege | Out-File -Append -LiteralPath $outfile
        "" | Out-File -Append -LiteralPath $outfile
    }
}

Here is an example output of running the script:


Here is an example output from used-roles.txt file that is generated, which contains the list of privileges for each role that is in use:

Categories // Automation, PowerCLI, vSphere Tags // permission, vCenter Server
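The role audit above counts assignments per role. As an added example (not code from the original post), the following goes one step further and reports who holds each role and which custom roles are defined but never assigned. `Get-RoleUsageReport` is a hypothetical helper, and the roles, principals and entities in the sample data are constructed so it runs without a vCenter connection.

```powershell
# Added example (not from the original post). Get-RoleUsageReport is a hypothetical helper.
function Get-RoleUsageReport {
    param(
        [Parameter(Mandatory)] [object[]] $Roles,   # objects shaped like Get-VIRole output
        [object[]] $Permissions = @()               # objects shaped like Get-VIPermission output
    )
    # Index permission assignments by role name
    $byRole = @{}
    foreach ($p in $Permissions) {
        if (-not $byRole.ContainsKey($p.Role)) { $byRole[$p.Role] = @() }
        $byRole[$p.Role] += $p
    }
    foreach ($role in $Roles) {
        $used = @()
        if ($byRole.ContainsKey($role.Name)) { $used = @($byRole[$role.Name]) }
        [pscustomobject]@{
            Role         = $role.Name
            IsSystem     = [bool]$role.IsSystem
            Assignments  = $used.Count
            Principals   = @($used | ForEach-Object { $_.Principal } | Sort-Object -Unique) -join ', '
            Privileges   = @($role.PrivilegeList).Count
            UnusedCustom = ($used.Count -eq 0) -and (-not $role.IsSystem)
        }
    }
}

# Constructed sample data (role names, principals and entities are made up)
$sampleRoles = @(
    [pscustomobject]@{ Name = 'Admin';           IsSystem = $true;  PrivilegeList = @('System.Anonymous', 'System.Read', 'System.View') }
    [pscustomobject]@{ Name = 'ReadOnly';        IsSystem = $true;  PrivilegeList = @('System.Anonymous', 'System.Read', 'System.View') }
    [pscustomobject]@{ Name = 'Lab-VM-Operator'; IsSystem = $false; PrivilegeList = @('VirtualMachine.Interact.PowerOn', 'VirtualMachine.Interact.PowerOff') }
    [pscustomobject]@{ Name = 'Lab-Old-Backup';  IsSystem = $false; PrivilegeList = @('VirtualMachine.State.CreateSnapshot') }
)
$samplePerms = @(
    [pscustomobject]@{ Role = 'Admin';           Principal = 'VSPHERE.LOCAL\Administrator'; Entity = 'Datacenters' }
    [pscustomobject]@{ Role = 'Lab-VM-Operator'; Principal = 'LAB\vm-ops';                  Entity = 'Prod-Cluster' }
    [pscustomobject]@{ Role = 'Lab-VM-Operator'; Principal = 'LAB\helpdesk';                Entity = 'Test-Cluster' }
)

$report = Get-RoleUsageReport -Roles $sampleRoles -Permissions $samplePerms
$report | Sort-Object Assignments -Descending | Format-Table -AutoSize

# Custom roles with no assignment anywhere: candidates for review and removal
$report | Where-Object UnusedCustom | Format-Table Role, Privileges -AutoSize

# Against a live vCenter: Get-RoleUsageReport -Roles (Get-VIRole) -Permissions (Get-VIPermission)
```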

Quick Tip - Auditing ESXi boot firmware type

02.10.2025 by William Lam // Leave a Comment

I had a customer that recently reached out asking how they could easily audit their entire ESXi infrastructure to determine which hosts were still booting using the legacy BIOS firmware, which has been deprecated and will be removed in a future vSphere release, in favor of the industry standard UEFI firmware type.

In vSphere 8.0 Update 2, a new vSphere API property called firmwareType was introduced and added to the ESXi Hardware BIOS info object that makes it very simple to retrieve with the following PowerCLI 1-Liner:

(Get-VMHost).ExtensionData.Hardware.BiosInfo

Here is an example output for an ESXi host booting with UEFI firmware:


Here is an example output for an ESXi host booting with BIOS firmware:


Since this vSphere API property was only introduced in vSphere 8.0 Update 2, querying an ESXi host that is not running 8.0 Update 2 will either show the field as blank, if you are using a newer release of PowerCLI that understands the new property, or not show the field at all, if you are using an older version of PowerCLI.


Alternatively, if you still need to retrieve this information, you can go directly to the ESXi host via SSH. It is not ideal, but the following VSISH command retrieves this exact information:

vsish -e get /hardware/firmwareType

Categories // Automation, ESXi, PowerCLI Tags // bios, ESXi, firmware, UEFI
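The one-liner above prints the BIOS info objects without saying which host each belongs to. As an added example (not code from the original post), the following builds a per-host report and treats a blank firmwareType, the pre-8.0 Update 2 case described above, as its own finding. `Get-FirmwareAudit` and `New-SampleHost` are hypothetical helpers, the sample hosts are constructed, and the literal values `BIOS` and `UEFI` are an assumption about how the property reads.

```powershell
# Added example (not from the original post). Get-FirmwareAudit is a hypothetical helper.
function Get-FirmwareAudit {
    param([Parameter(Mandatory)] [object[]] $VMHosts)   # objects shaped like Get-VMHost output
    foreach ($h in $VMHosts) {
        $fw = "$($h.ExtensionData.Hardware.BiosInfo.FirmwareType)"
        # Assumption: the property reads 'BIOS' or 'UEFI'; anything else is reported as-is
        $finding = if ([string]::IsNullOrWhiteSpace($fw)) {
            'Not reported (pre-8.0 U2 host or older PowerCLI): check with vsish'
        } elseif ($fw -eq 'BIOS') {
            'Legacy BIOS (deprecated)'
        } elseif ($fw -eq 'UEFI') {
            'OK'
        } else {
            "Unrecognized value '$fw'"
        }
        [pscustomobject]@{
            Host         = $h.Name
            Version      = $h.Version
            Build        = $h.Build
            FirmwareType = if ($fw) { $fw } else { '(blank)' }
            Finding      = $finding
        }
    }
}

# Constructed sample hosts (names, versions and builds are made up) so this runs offline
function New-SampleHost($Name, $Version, $Build, $Firmware) {
    [pscustomobject]@{
        Name = $Name; Version = $Version; Build = $Build
        ExtensionData = [pscustomobject]@{ Hardware = [pscustomobject]@{
            BiosInfo = [pscustomobject]@{ FirmwareType = $Firmware } } }
    }
}
$sample = @(
    New-SampleHost 'esx01.lab.example' '8.0.3' '00000001' 'UEFI'
    New-SampleHost 'esx02.lab.example' '8.0.2' '00000002' 'BIOS'
    New-SampleHost 'esx03.lab.example' '7.0.3' '00000003' $null
)

$audit = Get-FirmwareAudit -VMHosts $sample
$audit | Format-Table -AutoSize

# Hosts needing follow-up, written to CSV for tracking (file name is an example)
$audit | Where-Object Finding -ne 'OK' | Export-Csv -Path 'firmware-audit.csv' -NoTypeInformation

# Against a live vCenter: Get-FirmwareAudit -VMHosts (Get-VMHost)
```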

vSAN ESA hardware mock VIB for physical ESXi deployment for VMware Cloud Foundation (VCF)

02.03.2025 by William Lam // Leave a Comment

Several weeks back I had shared a solution in which you can install a hardware mock VIB for Nested ESXi when using vSAN Express Storage Architecture (ESA) and VMware Cloud Foundation (VCF) to work around the vSAN ESA certified disks pre-check validations.


While the majority of my testing uses Nested ESXi, I have recently been deploying a physical VCF environment and, due to the limited number of NVMe devices, I wanted to use vSAN ESA for the VCF Management Domain but of course I would run into the same vSAN ESA certified disks pre-check validations, which would prevent the installer from proceeding.

I was hoping that I could also use the mocking method to allow my physical deployment but after some trial and error, I ran into inconsistent behaviors and after speaking with Engineering, I came to learn that the existing solution would also apply to a physical ESXi deployment as the physical storage controllers are made hidden by the mocking method and as long as you have vSAN ESA capable NVMe devices, it should allow vSAN ESA HCL pre-check to pass and continue with the installation!


Categories // Automation, VMware Cloud, VSAN Tags // VMware Cloud Foundation, vSAN ESA


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
