Solved: Re: Turn on Virtualization based security from pow...

v6rr · ‎01-15-2019

I have made quite long google search but have not found that command. For Hyper-V there is Set-VMSecurity. Is there something similar for vSphere?

Main goal is to deploy new VM from command line with VBS turned on.

LucD · ‎01-09-2020

Try like this

$vm = Get-VM MyVM

$spec = New-Object VMware.Vim.VirtualMachineConfigSpec

$spec.Firmware = [VMware.Vim.GuestOsDescriptorFirmwareType]::efi

$spec.NestedHVEnabled = $true

$boot = New-Object VMware.Vim.VirtualMachineBootOptions

$boot.EfiSecureBootEnabled = $true

$spec.BootOptions = $boot

$flags = New-Object VMware.Vim.VirtualMachineFlagInfo

$flags.VbsEnabled = $true

$flags.VvtdEnabled = $true

$spec.flags = $flags

$vm.ExtensionData.ReconfigVM($spec)

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

View solution in original post

JimGn · ‎11-19-2019

Here's how to check in powershell

(Get-VM myVM).extensiondata.config.flags.VbsEnabled

And how to set

$vm = Get-VM myVM
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$flags = New-Object VMware.Vim.VirtualMachineFlagInfo
$flags.VbsEnabled = $true
$spec.flags = $flags
$vm.ExtensionData.ReconfigVM($spec)

v6rr · ‎01-09-2020

Thanks, but in my setup it does not work.

Exception calling "ReconfigVM" with "1" arguments (0): "Invalid virtual machine configuration. Secure Boot should be enabled when enabling VBS (Virtualization-Based Security). Nested Hardware-Assisted Virtualization should be enabled when enabling VBS (Virtualization-Based Security). VVTD (Intel Virtualization Technology for Directed I/O) should be enabled when enabling VBS (Virtualization-Based Security)"

+$vm.ExtensionData.ReconfigVM($spec)

Probably those 3 features needs to be enabled via powercli before enabling VBS. For VVTD probably VvtEnabled flag can be used similar way, but what about NHAV?

Secure Boot example:

$vm = Get-VM TestVM
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.Firmware = [VMware.Vim.GuestOsDescriptorFirmwareType]::efi
$vm.ExtensionData.ReconfigVM($spec)

Enable or Disable UEFI Secure Boot for a Virtual Machine

scott28tt · ‎01-09-2020

Moderator: Moved to PowerCLI

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog

LucD · ‎01-09-2020

Try like this

$vm = Get-VM MyVM

$spec = New-Object VMware.Vim.VirtualMachineConfigSpec

$spec.Firmware = [VMware.Vim.GuestOsDescriptorFirmwareType]::efi

$spec.NestedHVEnabled = $true

$boot = New-Object VMware.Vim.VirtualMachineBootOptions

$boot.EfiSecureBootEnabled = $true

$spec.BootOptions = $boot

$flags = New-Object VMware.Vim.VirtualMachineFlagInfo

$flags.VbsEnabled = $true

$flags.VvtdEnabled = $true

$spec.flags = $flags

$vm.ExtensionData.ReconfigVM($spec)

Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference

v6rr · ‎01-09-2020

Works well!

EmmettBrown · ‎06-17-2022

I had posted a reply here asking how to do this for multiple VMs using a list in a .txt file but I figured out the solution:

foreach($vmlist in (Get-Content -Path "C:\VMList.txt")){
$vm = Get-VM -Name $vmlist
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec

$spec.Firmware = [VMware.Vim.GuestOsDescriptorFirmwareType]::efi

$spec.NestedHVEnabled = $true

$boot = New-Object VMware.Vim.VirtualMachineBootOptions

$boot.EfiSecureBootEnabled = $true

$spec.BootOptions = $boot

$flags = New-Object VMware.Vim.VirtualMachineFlagInfo

$flags.VbsEnabled = $true

$flags.VvtdEnabled = $true

$spec.flags = $flags

$vm.ExtensionData.ReconfigVM($spec)
}

All

Turn on Virtualization based security from powercli