v6rr
Contributor

Turn on virtualization-based security from PowerCLI


I have done quite a long Google search but have not found that command. For Hyper-V there is Set-VMSecurity. Is there something similar for vSphere?

The main goal is to deploy a new VM from the command line with VBS turned on.

1 Solution

Accepted Solutions
LucD
Leadership

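Try it like this:

# The VM whose configuration will be changed
$vm = Get-VM MyVM

$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
# Secure Boot needs EFI firmware
$spec.Firmware = [VMware.Vim.GuestOsDescriptorFirmwareType]::efi
# Nested hardware-assisted virtualization
$spec.NestedHVEnabled = $true

# UEFI Secure Boot
$boot = New-Object VMware.Vim.VirtualMachineBootOptions
$boot.EfiSecureBootEnabled = $true
$spec.BootOptions = $boot

# VBS itself, plus VVTD (Intel VT-d for the guest)
$flags = New-Object VMware.Vim.VirtualMachineFlagInfo
$flags.VbsEnabled = $true
$flags.VvtdEnabled = $true
$spec.flags = $flags

# Apply all settings in a single reconfigure call
$vm.ExtensionData.ReconfigVM($spec)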


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
5 Replies
JimGn
Contributor

Here's how to check in PowerShell:

(Get-VM myVM).extensiondata.config.flags.VbsEnabled

And how to set it:

$vm = Get-VM myVM
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$flags = New-Object VMware.Vim.VirtualMachineFlagInfo
$flags.VbsEnabled = $true
$spec.flags = $flags
$vm.ExtensionData.ReconfigVM($spec)

v6rr
Contributor

Thanks, but in my setup it does not work.

Exception calling "ReconfigVM" with "1" arguments (0): "Invalid virtual machine configuration. Secure Boot should be enabled when enabling VBS (Virtualization-Based Security). Nested Hardware-Assisted Virtualization should be enabled when enabling VBS (Virtualization-Based Security). VVTD (Intel Virtualization Technology for Directed I/O) should be enabled when enabling VBS (Virtualization-Based Security)"

+$vm.ExtensionData.ReconfigVM($spec)

Probably those 3 features need to be enabled via PowerCLI before enabling VBS. For VVTD, probably the VvtEnabled flag can be used in a similar way, but what about NHAV?

Secure Boot example:

$vm = Get-VM TestVM
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.Firmware = [VMware.Vim.GuestOsDescriptorFirmwareType]::efi
$vm.ExtensionData.ReconfigVM($spec)

Enable or Disable UEFI Secure Boot for a Virtual Machine

0 Kudos
scott28tt
VMware Employee

Moderator: Moved to PowerCLI


VMware Training & Certification blog
0 Kudos
v6rr
Contributor

Works well!

0 Kudos
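
The error message quoted in the thread names the settings that must be in place before VbsEnabled is accepted, and the accepted solution sets them together with EFI firmware. The following is an added example, not code from any post in the thread, that reports which of those prerequisites a VM is still missing. The function names and the two sample objects are assumptions made for illustration; the sample objects are constructed to have the same property names as (Get-VM <name>).ExtensionData.Config so the script runs without a vCenter connection.

```powershell
# Added example. $Config is an object shaped like (Get-VM <name>).ExtensionData.Config.
# Returns the VBS prerequisites that are not yet satisfied.
function Get-VbsMissingPrerequisite {
    param([Parameter(Mandatory)] $Config)

    $missing = @()
    if ("$($Config.Firmware)" -ne 'efi')               { $missing += 'EFI firmware' }
    if (-not $Config.BootOptions.EfiSecureBootEnabled) { $missing += 'Secure Boot' }
    if (-not $Config.NestedHVEnabled)                  { $missing += 'Nested Hardware-Assisted Virtualization' }
    if (-not $Config.Flags.VvtdEnabled)                { $missing += 'VVTD' }
    return ,$missing   # leading comma keeps an empty result as an array
}

# One report row per VM: current VBS state and what still blocks enabling it.
function Get-VbsReadiness {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Config
    )
    $missing = Get-VbsMissingPrerequisite -Config $Config
    [pscustomobject]@{
        Name       = $Name
        VbsEnabled = [bool]$Config.Flags.VbsEnabled
        CanEnable  = ($missing.Count -eq 0)
        Missing    = $missing -join ', '
    }
}

# Constructed sample configs (not real VMs).
# $bare: nothing configured yet, the state in which setting only VbsEnabled was rejected.
$bare = [pscustomobject]@{
    Firmware        = 'bios'
    NestedHVEnabled = $false
    BootOptions     = [pscustomobject]@{ EfiSecureBootEnabled = $false }
    Flags           = [pscustomobject]@{ VbsEnabled = $false; VvtdEnabled = $false }
}
# $ready: configured as in the accepted solution.
$ready = [pscustomobject]@{
    Firmware        = 'efi'
    NestedHVEnabled = $true
    BootOptions     = [pscustomobject]@{ EfiSecureBootEnabled = $true }
    Flags           = [pscustomobject]@{ VbsEnabled = $true; VvtdEnabled = $true }
}

Get-VbsReadiness -Name 'sample-bare'  -Config $bare
Get-VbsReadiness -Name 'sample-ready' -Config $ready
```

With a connected PowerCLI session, the same report can be produced for real VMs by passing $_.Name and $_.ExtensionData.Config from Get-VM into Get-VbsReadiness.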