VMware Cloud Community
PGinhoux
Enthusiast
Enthusiast
‎10-16-2017 07:47 AM

Question on the VM Hardening and VM.disable-unexposed-features

Hi,

I have upgraded one of my ESXi in my lab to ESXi 6.5 Update 1 Build 5969303.

In this blog Secure By Default - VM.disable-unexposed-features - VMware vSphere Blog  from Mike Fowley, it is said that :

Where were the settings changed?

The default values for the settings were/are changed in the ESXi code. For ESXi 6.0 there is no reason anymore to add these settings to the VMX/VM Advanced Settings starting with 6.0 Patch 5.

How do I enable them?

You don’t! It’s been done for you in ESXi. If you are using VUM to update your hosts to 6.0 Patch 5 then when VM’s are migrated to an updated host they will be running with the updated values. You don’t need to power them down in this scenario.

Changed Settings

Below are the guideline ID’s, their new value setting set in ESXi itself and the configuration parameter. If you are manually setting any of these settings on 6.0 then apply Patch 5 and you don’t have to set them anymore!

Even if settings of some "disable-unexposed-features" are now set to true by default, when I migrate a VM to an updated host, should I see them in the VM Advanced Settings view ?

Thanks in advance for the answers.

Regards

Patrick

0 Kudos
3 Replies
mhampto
VMware Employee
VMware Employee
‎10-18-2017 06:52 AM

These should appear in the advanced settings of the virtual machine. Are these not appearing for you?

Example from the Hardening guide:

VM.disable-unexposed-features-autologon


From the vSphere web client, select each VM and click "Manage" -> "Settings" -> "VM Options". Expand "Advanced Settings". Scroll the list of "Configuration Parameters" and ensure that the desired configuration parameter is present with the desired value.

0 Kudos
PGinhoux
Enthusiast
Enthusiast
‎10-18-2017 07:10 AM

Well,

I have done 2 tests :

- migrate a VM from another ESXi to the updated ESXi

- create a new VM from scratch

But for these 2 VMs, VM.disable-unexposed-features don't appear in the list of "Configuration Parameters".

0 Kudos
PGinhoux
Enthusiast
Enthusiast
‎11-01-2017 02:08 AM

Hi,

I'm still looking for the information about the VM.disable-unexposed-features as these settings don't appear in the list of "Configuration Parameters".

Any thoughts on this question ?

Regards

Patrick.

0 Kudos