Category: PowerCLI

How to Quickly Check/Backup ESXi Host TPM Encryption Recovery Key Using PowerCLI

Managing encryption across multiple ESXi hosts can be a bit of a hassle. But don’t worry. I’ve got a simple PowerCLI script that’ll save you time and headaches by quickly retrieving encryption status and recovery keys from your VMware environment.

Why Do You Need This?

Ensuring your ESXi hosts are correctly encrypted is essential for security. Regular checks help prevent surprises later, especially during troubleshooting or audits.

Getting Started

First, make sure you’re connected to your vCenter:

Connect-VIServer -Server

Replace with your vCenter IP or FQDN.

The Script Breakdown

Here’s a quick rundown of the PowerCLI script to verify encryption settings across all ESXi hosts and who Recovery key for each ESXi host. (link to GitHub repository and file tpm_recovery_key_backup.ps1):

# Connect to your vCenter server (if not already connected)
# Connect-VIServer -Server <VCENTER_IP_OR_FQDN>

$esxis  = get-vmhost | Sort-Object

foreach ($esx in $esxis) {
    $key= @()
    $enc = @()
    if ($esx.ConnectionState -ne "Connected" -and $esx.ConnectionState -ne "Maintenance") {
        Write-Host ""
        Write-Host "================================================================================" -ForegroundColor Yellow
        Write-Host "🚫 SKIPPED HOST" -ForegroundColor Yellow
        Write-Host "Host                : $($esx.Name)" -ForegroundColor DarkYellow
        Write-Host "Reason              : Not powered on or disconnected." -ForegroundColor DarkYellow
        Write-Host "================================================================================" -ForegroundColor Yellow
        Write-Host ""
        continue
    }
    $esxcli = Get-EsxCli -VMHost $esx -V2
    try {
        $key = $esxcli.system.settings.encryption.recovery.list.Invoke()
        $enc =  $esxcli.system.settings.encryption.get.Invoke()

        Write-Host "================================================================================" -ForegroundColor DarkCyan
        Write-Host "🔹 ESXi Host        : $($esx.Name)" -ForegroundColor Cyan
        Write-Host "🔐 Recovery ID      : $($key.RecoveryID)" -ForegroundColor Green
        Write-Host "🗝️  Recovery Key     : $($key.Key)" -ForegroundColor Yellow
        Write-Host "🔒 Encryption Mode  : $($enc.Mode)" -ForegroundColor Magenta
        Write-Host "================================================================================" -ForegroundColor DarkCyan
        Write-Host ""
    }
    catch {
        Write-Host ""
        Write-Host "================================================================================" -ForegroundColor DarkGray
        Write-Host "❌ ERROR for host    : $($esx.Name)" -ForegroundColor Red
        Write-Host "⚠️  Failed to get encryption key for $($esx.Name) ."
        Write-Host "🧨 Error details     : $_"
        Write-Host "================================================================================" -ForegroundColor DarkGray
        Write-Host ""
    }
}

What the Script Does

  • Connects to each ESXi host.
  • Checks if the host is Connected or in Maintenance mode.
  • Retrieves the Encryption Recovery ID and Key.
  • Shows the current encryption mode.
  • Gracefully handles hosts that are offline or disconnected, clearly indicating skipped or problematic hosts.

Output

Connected hosts or in Maintenance with Encryption keys

Powered off or disconnected hosts – Skipped hosts

Hosts without encryption keys or with errors

Wrapping It Up

This quick script helps you stay on top of ESXi encryption keys effortlessly. Just copy, adjust if needed, and run. Happy scripting!

Give Your ESXi Host a Personal Touch with a Custom Welcome Message – the PowerShell way


Ever wanted to spruce up that default login screen on your ESXi host or have some fun with your DCUI? Then you’re in the right place! In this post, I’ll walk through using the Annotations.WelcomeMessage advanced setting to display a custom welcome message on your ESXi host. Best of all, I’ll share a neat PowerShell function to make it easy.

Why Customize the Welcome Message?

  • Personalization: Display a personal greeting, instructions, or a quick reminder for anyone logging into the ESXi console.
  • Useful Info: Share contact details or support info in case someone needs to know who to call if something breaks.
  • Fun Factor: It’s always nice to see something other than “Welcome to VMware ESXi” from time to time at least in homelab.
  • Security: Display security/legal warning.

The Advanced Setting: Annotations.WelcomeMessage

Annotations.WelcomeMessage is an advanced ESXi host parameter. It’s where you store the text you want displayed in DCUI on the default console screen (replacing some default text, similar to screenshot below).

(virtual ESXi)


PowerShell Script: Set-WelcomeMessage Function


Here is the star of the show—my simple PowerShell function that taps into VMware’s PowerCLI to set Annotations.WelcomeMessage on your ESXi host. It even shows you the old message before setting the new one.

You can download it from my GitHub repo in ESXi folder from my GitHub repo: https://github.com/musil/vSphere_scripts or use this direct link to a script file: https://github.com/musil/vSphere_scripts/blob/main/ESXi/set_welcome_message.ps1

Function Set-WelcomeMessage {
    <#
        .SYNOPSIS
        This function retrieves the vCenter version and build number. 
        Based on https://knowledge.broadcom.com/external/article/315410/
    
        .NOTES
        File Name      : set_welcome_message.ps1
        Author         : Stanislav Musil
        Prerequisite   : PowerShell
        Website        : https://vpxd.dc5.cz/index.php/category/blog/
        X (Twitter)    : https://www.x.com/stmusil
    
        .DESCRIPTION
        The script is a function that takes a single parameter, the vCenter server name. Retrieves the version and build number. 
        To use the function, you can dot-source the script and then call the function. 
        Windows:   . .\set_welcome_message.ps1
        Mac/Linux: . ./set_welcome_message.ps1
    
        .EXAMPLE
        Set-WelcomeMessage -Hostname "ESXi.example.com" -WelcomeMessage "Welcome to {{hostname}"

    #>
    param (
        [string]$HostName,
        [string]$WelcomeMessage
    )
   
    # Ensure PowerCLI module is imported
    if (-not (Get-Module -Name VMware.VimAutomation.Core -ErrorAction SilentlyContinue)) {
        Import-Module VMware.VimAutomation.Core
    }`

# Define the target host and the parameter values
$ESXihost = Get-VMHost -Name $HostName
$paramName = "Annotations.WelcomeMessage"

$current = Get-AdvancedSetting -Entity $ESXihost -Name $paramName
Write-Host "Current Weclome message:"  $current.Value

# Set the advanced parameter
Get-AdvancedSetting -Entity $ESXihost -Name $paramName | Set-AdvancedSetting -Value $WelcomeMessage -Confirm:$false

# Verify the change
$updatedSetting = Get-AdvancedSetting -Entity $ESXihost -Name $paramName
Write-Output "New $paramName value on $ESXihost : $($updatedSetting.Value)"

}

How to Run It

1. Dot-source the script (so the function is recognized):

  • On Windows:
. .\set_welcome_message.ps1
  • On Mac/Linux:
. ./set_welcome_message.ps1

2. Execute the function:

Set-WelcomeMessage -Hostname "ESXi.example.com" -WelcomeMessage "Welcome to my ESXi host!"


3. That’s it! Now when you check the DCUI over iDRAC/IPMI/iLO etc.. or on directly on console screen, you’ll see your brand-new custom text.

Change it back to default

just set empty parameter 🙂

Set-WelcomeMessage -Hostname "ESXi.example.com" -WelcomeMessage ""

Final Thoughts

Customizing your ESXi’s welcome message is quick, easy, and surprisingly fun. Whether you’re adding a helpful notice or just a silly greeting, a personal touch goes a long way. Give it a try, and see if your team notices!


Happy customizing!

Manual way

https://knowledge.broadcom.com/external/article/315410

Advanced Examples

To get much awesome welcome message you need to use much complicated formating tags.

Welcome DCUI screen from my homelab:

My Homelab Welcome Message

To make it more easy I just “save” all the parameters of the welcome message into the variable $a. 


$a="
{align:left}{bgcolor:black}{color:white} {esxproduct} (VMKernel Release {esxversion})
{bgcolor:black}{align:left}
{align:left}{bgcolor:black}{color:white} DC5 - Homelab
{bgcolor:black}{align:left}
{align:left}{bgcolor:black}{color:white} Memory: {memory}
{bgcolor:black}{align:left}
{align:left}{bgcolor:black}{color:white}NOTE:
{align:left}{bgcolor:black}{color:white}     if you need help contact support@homelab
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black} To manage this host, go to:                                                                                                
{bgcolor:yellow}{color:black} http://{ip}                                                                                                         
{bgcolor:yellow}{color:black} http://{hostname}                                                                                               
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{align:left}{bgcolor:black} {color:red} <F2> Customize System/View Logs                                                                   <F12> Shut Down/Restart {/align}
"

And then just run the same command and instead of welcome message I used the $a variable

Set-WelcomeMessage -Hostname "fs-vsan-05.int.dc5.cz" -WelcomeMessage $a

Happy experimenting with different colors 🙂

Another screenshots from my testing

Easily Identify Your vCenter Version and Update Needs with PowerShell (Get-vCenterVersion)

If you are working with VMware environments, particularly with vCenter Server, it’s important to keep track of the version and build number of your vCenter instances. This script/function, Get-vCenterVersion, is designed to help you retrieve these details effortlessly. Here, we’ll break down my script, explaining each section, and provide examples of how to use it.

Overview of the Script

The Get-vCenterVersion function is a PowerShell script that retrieves the version and build number of a specified vCenter Server. It compares the build number against a predefined mapping to provide detailed information about the vCenter version, release date, and other associated details. This can be extremely useful for maintaining and upgrading your VMware infrastructure.

You can find the full script linked at the end of this article. 🙂

Sections of the Script

  1. Script Header and Metadata
<#
    .SYNOPSIS
    This function retrieves the vCenter version and build number. 
    Based on https://knowledge.broadcom.com/external/article?legacyId=2143838

    .NOTES
    File Name      : get-vcenter-version.ps1
    Author         : Stanislav Musil
    Prerequisite   : PowerShell
    Website        : https://vpxd.dc5.cz/index.php/category/blog/
    X (Twitter)    : https://www.x.com/stmusil

    .DESCRIPTION
    The script is a function that takes a single parameter, the vCenter server name. Retrieves the version and build number. 
    To use the function, you can dot-source the script and then call the function. 
    Windows:   . .\get-vcenter-version.ps1
    Mac/Linux: . ./get-vcenter-version.ps1

    .EXAMPLE
    Get-vCenterVersion -vCenterServer "vCenter.DC5.cz"
    or
    Get-vCenterVersion
#>

This section provides a summary of what the script does, including the author’s information, and usage instructions. It also includes an example of how to invoke the function. This is a standard way to document PowerShell scripts and makes it easier for others to understand and use your script.

  1. Parameter Declaration
Param (
    [Parameter(Mandatory=$false)]
    [VMware.VimAutomation.ViCore.Util10.VersionedObjectImpl]$vCenterServer
)

Here, the script defines a parameter $vCenterServer, which is not mandatory. If the user does not provide a value, the script will use the default vCenter Server from the global environment variable $global:DefaultVIServer.

  1. vCenter Version Mappings
$vCenterVersionMappings = @{
    "24026615"="vCenter Server 7.0 Update 3r","17.06.2024","7.0.3.02000","24026615","24026615"
    "23788036"="vCenter Server 7.0 Update 3q","21.05.2024","7.0.3.01900","23788036","23788036"
    ...
}

This dictionary (hashtable) contains a mapping of vCenter Server build numbers to their corresponding versions, release dates, and other details. This is the core of the script, enabling it to look up detailed information based on the build number.

  1. Retrieving and Matching vCenter Build and Version
$vCenterServerVersion = $vCenterServer.Version
$vCenterServerBuild = $vCenterServer.Build
$vCenterVersion,$vCenterReleaseDate,$vCenterVersionFull,$vCenterReleaseDate,$vCenterMobVersion = "Unknown","Unknown","Unknown","Unknown","Unknown"
$vCenterName = $vCenterServer.Name

The script retrieves the version and build number from the provided or default vCenter Server. If the build number exists in the predefined mappings, the script retrieves the corresponding details.

  1. Outputting the Information
$out = [pscustomobject] @{
    vCenter_Name = $vCenterName;
    vCenter_Build = $vCenterServerBuild;
    vCenter_ReleaseName = $vCenterServerVersion;
    vCenter_MOB = $vCenterMobVersion;
    vCenter_VAMI = $VAMI;
    vCenter_Version_Full = $vCenterVersionFull;
    Release_Date = $vCenterReleaseDate;
}
$out

The script constructs a custom PowerShell object to output the details in a structured format. This makes it easy to further process or display the information.

  1. Upgrade Check
if ($vCenterServerBuild -lt $greatestKey) {
    Write-Host "vCenter upgrade possible. `n" -ForegroundColor Red
} elseif ($vCenterServerBuild -eq $greatestKey) {
    Write-Host "Latest version/ up to date. `n" -ForegroundColor Green
} else {
    Write-Host "Update this script, looks like it's outdated. `n"  -ForegroundColor Magenta
}

Finally, the script compares the retrieved build number with the highest build number in the mapping to determine if an upgrade is available, if the system is up to date, or if the script itself needs updating.

Example Usage

Example 1: Retrieve vCenter Version with Default Server

If you are already connected to a vCenter Server and set it as the default ($global:DefaultVIServer), you can simply run:

Get-vCenterVersion

Example 2: Specify a vCenter Server

To retrieve the version for a specific vCenter Server, provide the server’s name:

Get-vCenterVersion -vCenterServer "vCenter.DC5.cz"

This will output detailed information about the vCenter Server, including its version, build number, and release date. If the vCenter Server is not on the latest version, the script will suggest that an upgrade is possible.

My homelab:

Conclusion

The Get-vCenterVersion script is a powercli function for anyone managing VMware vCenter Servers. By automating the retrieval and checking of vCenter versions, it helps ensure that your infrastructure is always up to date and secure. Whether you’re managing a single vCenter Server or multiple instances, this script can save you time and reduce the risk of version mismatches.

Feel free to customize the script to fit your environment, and remember to keep the version mapping updated as new vCenter Server versions are released!

Source code is on GitHub:

https://github.com/musil/vSphere_scripts/blob/main/vCenter/get-vcenter-version.ps1