PUNTOREAR
Contributor

remove all pci devices on all vm's using powershell

I wish to harden all my VMs on an ESXi host. However, I don't know how to remove all PCI devices. Any help?

LucD
Leadership

Just type it at PS prompt and hit <Enter>


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

PUNTOREAR
Contributor


$global:defaultviservers

Name                           Port  User                         
----                           ----  ----                         
192.                  443   VSPHERE.LOCAL\Administrator  
192.                  443   VSPHERE.LOCAL\Administrator  
192.                  443   root                         

LucD
Leadership

Ok, that explains the multiple entries.

You have multiple connections open.

Can you close them all, and open just 1 connection to the vCenter?

And then try my script again?


PUNTOREAR
Contributor

$vm = Get-VM -Name vm4
$vm.ExtensionData.Config.Hardware.Device |
where{$_ -is [VMware.Vim.VirtualPCIPassthrough]} |
Select @{N='Label';E={$_.DeviceInfo.Label}},
   @{N='Key';E={$_.Key}},
   @{N='ControllerKey';E={$_.ControllerKey}},
   @{N='Unit';E={$_.UnitNumber}},
   @{N='Summary';E={$_.DeviceInfo.Summary}},
   @{N='vGPU';E={$_.Backing.VGpu}}

Name                           Port  User                         
----                           ----  ----                         
192.168.217.8                  443   VSPHERE.LOCAL\Administrator  
Get-VM : 05/03/2019 11:56:20 Get-VM  There was no endpoint listening at https://192.168.217.6/sdk that could accept the message. This is often caused by an incorrect
address or SOAP action. See InnerException, if present, for more details.
At line:2 char:10
+    $vm = Get-VM -Name vm4
+          ~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-VM], VimException
    + FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.GetVM

Label         : PCI device 0
Key           : 13000
ControllerKey : 100
Unit          : 18
Summary       : NVIDIA GRID vGPU NVIDA
vGPU          : NVIDA

PUNTOREAR
Contributor

connection to my esxi host shows:

PS C:\WINDOWS\system32> Connect-VIServer -Server 192.168.217.6 -Protocol https -User root -Password Password1$
   $vm = Get-VM -Name vm4
$vm.ExtensionData.Config.Hardware.Device |
where{$_ -is [VMware.Vim.VirtualPCIPassthrough]} |
Select @{N='Label';E={$_.DeviceInfo.Label}},
   @{N='Key';E={$_.Key}},
   @{N='ControllerKey';E={$_.ControllerKey}},
   @{N='Unit';E={$_.UnitNumber}},
   @{N='Summary';E={$_.DeviceInfo.Summary}},
   @{N='vGPU';E={$_.Backing.VGpu}}

Name                           Port  User                         
----                           ----  ----                         
192.168.217.6                  443   root                         

Label         : PCI device 0
Key           : 13000
ControllerKey : 100
Unit          : 18
Summary       : NVIDIA GRID vGPU NVIDA
vGPU          : NVIDA


Label         : PCI device 0
Key           : 13000
ControllerKey : 100
Unit          : 18
Summary       : NVIDIA GRID vGPU NVIDA
vGPU          : NVIDA

LucD
Leadership

There seems to be an issue with your vCenter connection.

You'll have to fix that!

When it returns more than 1 result, you might again have multiple connections open.
Did you do a Disconnect-VIServer?

What is in $global:defaultviservers?


PUNTOREAR
Contributor

PS C:\WINDOWS\system32> $global:defaultviservers

Name                           Port  User                         
----                           ----  ----                         
192.168.217.6                  443   root                         
192.168.217.8                  443   VSPHERE.LOCAL\Administrator  

LucD
Leadership

You are again connected to the vCenter and the ESXi node, which explains the double results.

Try like this (first replace the fields in the Connect-VIServer line with your vCenter and your account).

Disconnect-VIServer -Server * -Force -Confirm:$false
Connect-VIServer -Server <your-vCenter> -User <your-account> -Password <your-password>
$global:DefaultVIServers

$vm = Get-VM -Name vm4
$vm.ExtensionData.Config.Hardware.Device |
where{$_ -is [VMware.Vim.VirtualPCIPassthrough]} |
Select @{N='Label';E={$_.DeviceInfo.Label}},
   @{N='Key';E={$_.Key}},
   @{N='ControllerKey';E={$_.ControllerKey}},
   @{N='Unit';E={$_.UnitNumber}},
   @{N='Summary';E={$_.DeviceInfo.Summary}},
   @{N='vGPU';E={$_.Backing.VGpu}}


PUNTOREAR
Contributor

PS C:\WINDOWS\system32> Disconnect-VIServer -Server * -Force -Confirm:$false
Connect-VIServer -Server 192.... -Protocol https -User administrator@vsphere.local -Password xxxxxx
$global:defaultviservers
$vm = Get-VM -Name vm4
$vm.ExtensionData.Config.Hardware.Device |
where{$_ -is [VMware.Vim.VirtualPCIPassthrough]} |
Select @{N='Label';E={$_.DeviceInfo.Label}},
   @{N='Key';E={$_.Key}},
   @{N='ControllerKey';E={$_.ControllerKey}},
   @{N='Unit';E={$_.UnitNumber}},
   @{N='Summary';E={$_.DeviceInfo.Summary}},
   @{N='vGPU';E={$_.Backing.VGpu}}
Disconnect-VIServer : 05/03/2019 13:07:40 Disconnect-VIServer  The server '192.xxxxxxx' is already disconnected.
At line:1 char:1
+ Disconnect-VIServer -Server * -Force -Confirm:$false
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (192.xxxxxxx:VIServerImpl) [Disconnect-VIServer], InvalidState
    + FullyQualifiedErrorId : Core_DisconnectVIServer_DoWork_ServerNotConnected,VMware.VimAutomation.ViCore.Cmdlets.Commands.DisconnectVIServer

Name                           Port  User                         
----                           ----  ----                         
192.xxxxxxx                443   VSPHERE.LOCAL\Administrator  
192.1xxxxx                 443   VSPHERE.LOCAL\Administrator  

Label         : PCI device 0
Key           : 13000
ControllerKey : 100
Unit          : 18
Summary       : NVIDIA GRID vGPU NVIDA
vGPU          : NVIDA

LucD
Leadership

There seems to be something wrong with your vCenter connection.

From where are you running the code?

From the PS prompt? Or the ISE or VSC?

Try to stop the prompt or editor, and start it again.


PUNTOREAR
Contributor

Disconnect-VIServer -Server 19xxxxx -Force -Confirm:$false
PS C:\Users\Michael Shaoul> Connect-VIServer -Server 19xxxxxx -Protocol https -User administrator@vsphere.local -Password xxxxxxxxx
$global:defaultviservers
$vm = Get-VM -Name vm4
$vm.ExtensionData.Config.Hardware.Device |
where{$_ -is [VMware.Vim.VirtualPCIPassthrough]} |
Select @{N='Label';E={$_.DeviceInfo.Label}},
   @{N='Key';E={$_.Key}},
   @{N='ControllerKey';E={$_.ControllerKey}},
   @{N='Unit';E={$_.UnitNumber}},
   @{N='Summary';E={$_.DeviceInfo.Summary}},
   @{N='vGPU';E={$_.Backing.VGpu}}

Name                           Port  User                         
----                           ----  ----                         
192.xxxxxxxx                  443   VSPHERE.LOCAL\Administrator  
192.xxxxxxxx                  443   VSPHERE.LOCAL\Administrator  

Label         : PCI device 0
Key           : 13000
ControllerKey : 100
Unit          : 18
Summary       : NVIDIA GRID vGPU NVIDA
vGPU          : NVIDA

I am running VMware workstation.

I am running code from ISE.

Stopped and started

LucD
Leadership

That is better.

Now try the script from Re: remove all pci devices on all vm's using powershell again.


PUNTOREAR
Contributor

I only get this

PS C:\Users\Michael Shaoul> Connect-VIServer -Server 192xxxx -Protocol https -User administrator@vsphere.local -Password xxxx
Get-VM |   Get-PassthroughDevice |   Remove-PassthroughDevice -Confirm:$false

Name                           Port  User                         
----                           ----  ----                         
192xxxxxxx              443   VSPHERE.LOCAL\Administrator  
Get-PassthroughDevice : 05/03/2019 14:04:26 Get-PassthroughDevice  Unable to cast object of type 'VMware.Vim.VirtualPCIPassthroughVmiopBackingInfo' to type
'VMware.Vim.VirtualPCIPassthroughDeviceBackingInfo'.
At line:2 char:12
+ Get-VM |   Get-PassthroughDevice |   Remove-PassthroughDevice -Confir ...
+            ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-PassthroughDevice], VimException
    + FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.VirtualDevice.GetPassthroughDevice

Get-PassthroughDevice : 05/03/2019 14:04:26 Get-PassthroughDevice  Unable to cast object of type 'VMware.Vim.VirtualPCIPassthroughVmiopBackingInfo' to type
'VMware.Vim.VirtualPCIPassthroughDeviceBackingInfo'.
At line:2 char:12
+ Get-VM |   Get-PassthroughDevice |   Remove-PassthroughDevice -Confir ...
+            ~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-PassthroughDevice], VimException
    + FullyQualifiedErrorId : Core_BaseCmdlet_UnknownError,VMware.VimAutomation.ViCore.Cmdlets.Commands.VirtualDevice.GetPassthroughDevice

I still

LucD
Leadership

That is not the script I pointed to!
We know by now that the cmdlets have an issue, hence I pointed to the API method.


PUNTOREAR
Contributor

Genius, thanks for your persistence with me! It works.

PUNTOREAR
Contributor

Your API method script is for one VM called 'MyVM'.

How would I change the script to remove PCI devices from all VMs?

I don't want to import a list of VMs, and I can't use Get-VM, as the script only works with Get-VM -Name $Var.

LucD
Leadership

You can do that in a loop.

Something like this for example.

Get-VM | ForEach-Object -Process {
   # Collect every PCI passthrough device on this VM (vGPU-backed devices included)
   $pci = $_.ExtensionData.Config.Hardware.Device | where {$_ -is [VMware.Vim.VirtualPCIPassthrough]}

   if ($pci) {
      $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
      # One remove operation per device, so a VM with several PCI devices is handled too
      foreach ($device in $pci) {
         $dev = New-Object VMware.Vim.VirtualDeviceConfigSpec
         $dev.operation = "remove"
         $dev.Device = $device
         $spec.DeviceChange += $dev
      }

      $_.ExtensionData.ReconfigVM($spec)
   }
   else {
      Write-Host "No PCI device found on VM $($_.Name)"
   }
}


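An audit-first variant of the loop above, as an added example that is not part of the original thread or LucD's code. It refuses to run with more than one open connection (the cause of the duplicate results earlier in the thread), reports each device's backing type (the vGPU backing `VirtualPCIPassthroughVmiopBackingInfo` is the one `Get-PassthroughDevice` could not cast), and only changes anything when `-Remove` is given. The function name `Remove-VMPciPassthrough`, its `-Remove` switch and the choice to skip VMs that are not powered off are assumptions of this example.

```powershell
# Added example: function name, -Remove switch and the powered-off check are assumptions, not from the thread.
function Remove-VMPciPassthrough {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([switch]$Remove)   # without -Remove the function only reports

    # With more than one open connection, Get-VM returns each VM once per connection.
    $connected = @($global:DefaultVIServers | Where-Object { $_.IsConnected })
    if ($connected.Count -ne 1) {
        throw "Expected exactly 1 open connection, found $($connected.Count). Run Disconnect-VIServer -Server * first."
    }

    foreach ($vm in (Get-VM)) {
        $pci = @($vm.ExtensionData.Config.Hardware.Device |
            Where-Object { $_ -is [VMware.Vim.VirtualPCIPassthrough] })
        if ($pci.Count -eq 0) { continue }

        # Report every device with its backing type before touching anything.
        foreach ($device in $pci) {
            [pscustomobject]@{
                VM         = $vm.Name
                PowerState = $vm.PowerState
                Label      = $device.DeviceInfo.Label
                Key        = $device.Key
                Backing    = $device.Backing.GetType().Name
                vGPU       = $device.Backing.Vgpu   # empty for non-vGPU backings
            }
        }

        if (-not $Remove) { continue }
        if ($vm.PowerState -ne 'PoweredOff') {
            Write-Warning "Skipping $($vm.Name): VM is $($vm.PowerState)"
            continue
        }

        # Same API method as in the thread: one 'remove' operation per device.
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.DeviceChange = @(foreach ($device in $pci) {
            $dev = New-Object VMware.Vim.VirtualDeviceConfigSpec
            $dev.Operation = 'remove'
            $dev.Device = $device
            $dev
        })
        if ($PSCmdlet.ShouldProcess($vm.Name, "Remove $($pci.Count) PCI passthrough device(s)")) {
            $vm.ExtensionData.ReconfigVM($spec)
        }
    }
}
```

Run `Remove-VMPciPassthrough` on its own first to review the inventory, then `Remove-VMPciPassthrough -Remove` to apply the change with a confirmation prompt per VM.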