ESXi – Stanislav Musil

How to Quickly Check/Backup ESXi Host TPM Encryption Recovery Key Using PowerCLI

Managing encryption across multiple ESXi hosts can be a bit of a hassle. But don’t worry. I’ve got a simple PowerCLI script that’ll save you time and headaches by quickly retrieving encryption status and recovery keys from your VMware environment.

Why Do You Need This?

Ensuring your ESXi hosts are correctly encrypted is essential for security. Regular checks help prevent surprises later, especially during troubleshooting or audits.

Getting Started

First, make sure you’re connected to your vCenter:

Connect-VIServer -Server

Replace with your vCenter IP or FQDN.

The Script Breakdown

Here’s a quick rundown of the PowerCLI script to verify encryption settings across all ESXi hosts and who Recovery key for each ESXi host. (link to GitHub repository and file tpm_recovery_key_backup.ps1):

# Connect to your vCenter server (if not already connected)
# Connect-VIServer -Server <VCENTER_IP_OR_FQDN>

$esxis  = get-vmhost | Sort-Object

foreach ($esx in $esxis) {
    $key= @()
    $enc = @()
    if ($esx.ConnectionState -ne "Connected" -and $esx.ConnectionState -ne "Maintenance") {
        Write-Host ""
        Write-Host "================================================================================" -ForegroundColor Yellow
        Write-Host "🚫 SKIPPED HOST" -ForegroundColor Yellow
        Write-Host "Host                : $($esx.Name)" -ForegroundColor DarkYellow
        Write-Host "Reason              : Not powered on or disconnected." -ForegroundColor DarkYellow
        Write-Host "================================================================================" -ForegroundColor Yellow
        Write-Host ""
        continue
    }
    $esxcli = Get-EsxCli -VMHost $esx -V2
    try {
        $key = $esxcli.system.settings.encryption.recovery.list.Invoke()
        $enc =  $esxcli.system.settings.encryption.get.Invoke()

        Write-Host "================================================================================" -ForegroundColor DarkCyan
        Write-Host "🔹 ESXi Host        : $($esx.Name)" -ForegroundColor Cyan
        Write-Host "🔐 Recovery ID      : $($key.RecoveryID)" -ForegroundColor Green
        Write-Host "🗝️  Recovery Key     : $($key.Key)" -ForegroundColor Yellow
        Write-Host "🔒 Encryption Mode  : $($enc.Mode)" -ForegroundColor Magenta
        Write-Host "================================================================================" -ForegroundColor DarkCyan
        Write-Host ""
    }
    catch {
        Write-Host ""
        Write-Host "================================================================================" -ForegroundColor DarkGray
        Write-Host "❌ ERROR for host    : $($esx.Name)" -ForegroundColor Red
        Write-Host "⚠️  Failed to get encryption key for $($esx.Name) ."
        Write-Host "🧨 Error details     : $_"
        Write-Host "================================================================================" -ForegroundColor DarkGray
        Write-Host ""
    }
}

What the Script Does

Connects to each ESXi host.
Checks if the host is Connected or in Maintenance mode.
Retrieves the Encryption Recovery ID and Key.
Shows the current encryption mode.
Gracefully handles hosts that are offline or disconnected, clearly indicating skipped or problematic hosts.

Output

Connected hosts or in Maintenance with Encryption keys

Powered off or disconnected hosts – Skipped hosts

Hosts without encryption keys or with errors

Wrapping It Up

This quick script helps you stay on top of ESXi encryption keys effortlessly. Just copy, adjust if needed, and run. Happy scripting!

Centralized ESXi Logs: Quick Guide to Syslog Configuration (WebUI & CLI)

Configuring syslog on your ESXi host is essential for centralized logging and efficient monitoring. Having your logs centrally managed simplifies troubleshooting and helps with compliance and security audits. Below you’ll find an easy-to-follow guide for setting up syslog both via the WebUI and CLI. Don’t forget to verify connectivity and regularly check your centralized logs for effective monitoring.

Configure Syslog Service (vmsyslogd) on ESXi for Remote Logging

1. Configure Syslog Using the vSphere Client

Navigate to the Configure tab.
Under System, click on Advanced System Settings.
Click Edit to modify settings.
Filter for Syslog.global.logHost.
Enter your syslog server details in the format tcp://hostname:514 or udp://hostname:514 in my case udp://10.20.55.44:514 or with DNS name udp://syslog:514
Click OK to apply the changes.

2. Open Firewall Ports for Syslog Traffic

Enable Syslog in Firewall Rules:

Still under the Configure tab, go to Networking > Firewall > Ougoing connections.
Click EDIT….
Filter for syslog

Click on Checkboxand Click OK.
Now you should see “syslog” in outgoing firewall rules.

3. Verify Connectivity to the Syslog Server

Test Network Connection:

Access the ESXi Shell or use SSH to connect to your ESXi host.
Run the command: nc -zu 10.20.55.44 514
If the connection is successful, it confirms that the ESXi host can reach the syslog server on the specified port. if you have some troubles see my blog post about troubleshooting syslog communication here → https://vpxd.dc5.cz/index.php/2025/02/22/esxi-to-syslog-troubleshooting-connectivity-issues-like-a-pro/

4. Configure Syslog Using ESXCLI Commands (CLI Method)

Set the Remote Syslog Server:

Open a console session to your ESXi host.
Execute:

esxcli system syslog config set --loghost='udp://syslog:514’

Apply the New Configuration:

esxcli system syslog reload

Check the syslog configuration

esxcli system syslog config get

Open Firewall Ports:

Enable the syslog firewall rule with:

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true

Refresh the firewall settings:

esxcli network firewall refresh

Check the ruleset

esxcli network firewall ruleset rule list | grep syslog

Tips & Tricks

Verify firewall rules to allow syslog traffic.
Use consistent naming conventions for easier log analysis.
Regularly backup your syslog configuration settings.

By following these simple steps and best practices, you’ll ensure your ESXi host remains efficiently monitored, secure, and compliant.

VMware related KB 318939: https://knowledge.broadcom.com/external/article/318939/

ESXi to Syslog: Troubleshooting Connectivity Issues Like a Pro!

When troubleshooting ESXi network and Syslog server connectivity issues, knowing the right tools can save you hours of frustration. Whether it’s an unresponsive syslog server, blocked TCP/UDP ports, this guide will help you diagnose and fix common connectivity issues quickly.

Key Troubleshooting Tools for ESXi Network Connectivity

Step 1: Verify Basic Network Connectivity

Before checking anything else, confirm that the ESXi host can communicate with the syslog server at a basic network level.

Standard ICMP ping test:

ping <destination-IP>

VMkernel-specific ping (useful for vMotion, NFS, etc.):

 vmkping <destination-IP>

or specify which vmkernel should be used as ongoing interface for ping

 vmkping -I vmk0 <destination-IP>

If these fail, the issue is likely a network routing problem or an upstream firewall blocking traffic.

Step 2: Check TCP/UDP Port Connectivity (netcat)

Even if the server is reachable, the syslog port might be blocked or not listening. Netcat helps determine if a specific TCP or UDP port is reachable.

⚠️ Note: Be aware that netcat doesn’t display an error message when a connection fails—only a successful connection is reported.

Use Cases

Test TCP Port Connectivity:

nc -z <destination-ip> <destination-port>

Test UDP Port Connectivity:

nc -zu <destination-ip> <destination-port>

Step 3: Analyze ESXi Network Connections and Interface Statistics

ESXi provides tools to inspect active network connections and adapter performance.

Check active TCP/UDP connections:

esxcli network ip connection list|grep <port>

If the syslog connection isn’t listed, ESXi isn’t attempting to send logs—double-check your syslog configuration in vSphere.

Check NIC statistics for errors and dropped packets:

esxcli network nic stats get -n <vmnicX>

Persistent errors here could indicate network congestion or misconfigurations.

Final Thoughts: Diagnosing Syslog Connectivity Efficiently

Troubleshooting network issues between an ESXi host and a syslog server doesn’t have to be a headache. Using these tools, you can pinpoint the problem—whether it’s a blocked port, misconfiguration, or network adapter issue—and resolve it efficiently.

Still facing issues? Look at Broadcom KB

How to Quickly Disable a vmnic on ESXi – No Switch Changes or Cable Pulling Needed!

In VMware ESXi, managing physical network interfaces (vmnics) is essential for troubleshooting, maintenance, or reconfiguration. There are times when you need to disable or re-enable a network interface without relying on the network team to shut down a switch port or physically unplugging the cable in the server room. Fortunately, this can be done quickly using the esxcli command-line tool.

Checking Available Network Interfaces

First login via SSH or directly on server console.

Before shutting down a vmnic, it’s good practice to list all available interfaces and check their status:

esxcli network nic list

This command will display a list of vmnics along with their link state, driver, and speed.

Shutting Down a vmnic Interface

To disable a specific vmnic, use the following command:

esxcli network nic down -n vmnicX

Replace vmnicX with the actual interface name (e.g., vmnic5).

Bringing a vmnic Interface Back Up

If you need to enable the interface again, run:

esxcli network nic up -n vmnicX

This will bring the network interface back online.

Use Cases

Test network failover scenarios.
Identify and isolate network issues by disabling a suspected faulty NIC.
Temporarily disable a NIC to measure the impact on network performance and verify load balancing efficiency.
Test how virtual machines respond when a specific network path goes down.
Shut down a vmnic that is connected to an untrusted VLAN or an incorrectly configured network.
Test different network configurations without permanently altering physical connections.

By using esxcli, you can manage network interfaces efficiently.

Let me know if you need any tweaks! 🚀

How to Change vmnic Name on an ESXi Host via Command Line

Renaming or reordering vmnics on an ESXi host can be useful in various scenarios, such as standardizing network configurations or aligning network interface names across multiple hosts. This guide will show you how to achieve this using the ESXi command line.

Listing Current vmnic Aliases

Before making changes, it is essential to check the current vmnic assignments. You can do this with the following command:

localcli --plugin-dir /usr/lib/vmware/esxcli/int/ deviceInternal alias list

This command will return a list of all existing vmnic aliases and their corresponding bus addresses.

Bus type  Bus address          Alias
--------  -------------------  -----
pci       m01000300            vmhba0
pci       m01000b00            vmnic0
pci       p0000:00:07.1        vmhba1
pci       m02001300            vmnic1
logical   pci#m01000300#0      vmhba0
logical   pci#p0000:00:07.1#0  vmhba1
logical   pci#p0000:00:07.1#1  vmhba64
logical   pci#m02001300#0      vmnic1
logical   pci#m01000b00#0      vmnic0

When a nic is controlled by a native driver, then there are actually two aliases associated with the device: a pci alias for the pci device and a logical alias for the uplink logical device.

[root@fs-vsan-05:~] localcli --plugin-dir /usr/lib/vmware/esxcli/int deviceInternal alias list | grep vmnic1

pci       m02001300            vmnic1
logical   pci#m02001300#0      vmnic1

When the logical alias is present, then both the pci alias and logical alias need to be renamed !

Changing a vmnic Name

Make sure you have console access before starting the upcoming steps.

To change the name of a specific vmnic, use the following commands. Replace vmnic5 with the desired new alias and update the bus-address accordingly.

localcli --plugin-dir /usr/lib/vmware/esxcli/int deviceInternal alias store --bus-type pci --alias vmnic5 --bus-address m02001300

localcli --plugin-dir /usr/lib/vmware/esxcli/int deviceInternal alias store --bus-type logical --alias vmnic5 --bus-address pci#m02001300#0

Once the commands have been executed, you need to reboot the ESXi host for the changes to take effect.

reboot

Having Some Fun with vmnic Naming

If you want to experiment and see how ESXi handles long vmnic names, you can try something fun like this:

localcli --plugin-dir /usr/lib/vmware/esxcli/int deviceInternal alias store --bus-type pci --alias vmnic1234567890 --bus-address m02001300

localcli --plugin-dir /usr/lib/vmware/esxcli/int deviceInternal alias store --bus-type logical --alias vmnic1234567890 --bus-address pci#m02001300#0

reboot

While ESXi generally follows a strict naming convention, pushing its limits can be an interesting experiment!

Conclusion

Renaming vmnics in ESXi via the command line is a straightforward process that requires just a few commands and a reboot. Whether you’re restructuring network configurations or just having a bit of fun, these steps will help you modify your ESXi network interfaces with ease.

Give Your ESXi Host a Personal Touch with a Custom Welcome Message – the PowerShell way

Ever wanted to spruce up that default login screen on your ESXi host or have some fun with your DCUI? Then you’re in the right place! In this post, I’ll walk through using the Annotations.WelcomeMessage advanced setting to display a custom welcome message on your ESXi host. Best of all, I’ll share a neat PowerShell function to make it easy.

Why Customize the Welcome Message?

Personalization: Display a personal greeting, instructions, or a quick reminder for anyone logging into the ESXi console.

Useful Info: Share contact details or support info in case someone needs to know who to call if something breaks.

Fun Factor: It’s always nice to see something other than “Welcome to VMware ESXi” from time to time at least in homelab.

Security: Display security/legal warning.

The Advanced Setting: Annotations.WelcomeMessage

Annotations.WelcomeMessage is an advanced ESXi host parameter. It’s where you store the text you want displayed in DCUI on the default console screen (replacing some default text, similar to screenshot below).

(virtual ESXi)

PowerShell Script: Set-WelcomeMessage Function

Here is the star of the show—my simple PowerShell function that taps into VMware’s PowerCLI to set Annotations.WelcomeMessage on your ESXi host. It even shows you the old message before setting the new one.

You can download it from my GitHub repo in ESXi folder from my GitHub repo: https://github.com/musil/vSphere_scripts or use this direct link to a script file: https://github.com/musil/vSphere_scripts/blob/main/ESXi/set_welcome_message.ps1

Function Set-WelcomeMessage {
    <#
        .SYNOPSIS
        This function retrieves the vCenter version and build number. 
        Based on https://knowledge.broadcom.com/external/article/315410/
    
        .NOTES
        File Name      : set_welcome_message.ps1
        Author         : Stanislav Musil
        Prerequisite   : PowerShell
        Website        : https://vpxd.dc5.cz/index.php/category/blog/
        X (Twitter)    : https://www.x.com/stmusil
    
        .DESCRIPTION
        The script is a function that takes a single parameter, the vCenter server name. Retrieves the version and build number. 
        To use the function, you can dot-source the script and then call the function. 
        Windows:   . .\set_welcome_message.ps1
        Mac/Linux: . ./set_welcome_message.ps1
    
        .EXAMPLE
        Set-WelcomeMessage -Hostname "ESXi.example.com" -WelcomeMessage "Welcome to {{hostname}"

    #>
    param (
        [string]$HostName,
        [string]$WelcomeMessage
    )
   
    # Ensure PowerCLI module is imported
    if (-not (Get-Module -Name VMware.VimAutomation.Core -ErrorAction SilentlyContinue)) {
        Import-Module VMware.VimAutomation.Core
    }`

# Define the target host and the parameter values
$ESXihost = Get-VMHost -Name $HostName
$paramName = "Annotations.WelcomeMessage"

$current = Get-AdvancedSetting -Entity $ESXihost -Name $paramName
Write-Host "Current Weclome message:"  $current.Value

# Set the advanced parameter
Get-AdvancedSetting -Entity $ESXihost -Name $paramName | Set-AdvancedSetting -Value $WelcomeMessage -Confirm:$false

# Verify the change
$updatedSetting = Get-AdvancedSetting -Entity $ESXihost -Name $paramName
Write-Output "New $paramName value on $ESXihost : $($updatedSetting.Value)"

}

How to Run It

1. Dot-source the script (so the function is recognized):

On Windows:

. .\set_welcome_message.ps1

On Mac/Linux:

. ./set_welcome_message.ps1

2. Execute the function:

Set-WelcomeMessage -Hostname "ESXi.example.com" -WelcomeMessage "Welcome to my ESXi host!"

3. That’s it! Now when you check the DCUI over iDRAC/IPMI/iLO etc.. or on directly on console screen, you’ll see your brand-new custom text.

Change it back to default

just set empty parameter 🙂

Set-WelcomeMessage -Hostname "ESXi.example.com" -WelcomeMessage ""

Final Thoughts

Customizing your ESXi’s welcome message is quick, easy, and surprisingly fun. Whether you’re adding a helpful notice or just a silly greeting, a personal touch goes a long way. Give it a try, and see if your team notices!

Happy customizing!

Manual way

https://knowledge.broadcom.com/external/article/315410

Advanced Examples

To get much awesome welcome message you need to use much complicated formating tags.

Welcome DCUI screen from my homelab:

My Homelab Welcome Message

To make it more easy I just “save” all the parameters of the welcome message into the variable $a.


$a="
{align:left}{bgcolor:black}{color:white} {esxproduct} (VMKernel Release {esxversion})
{bgcolor:black}{align:left}
{align:left}{bgcolor:black}{color:white} DC5 - Homelab
{bgcolor:black}{align:left}
{align:left}{bgcolor:black}{color:white} Memory: {memory}
{bgcolor:black}{align:left}
{align:left}{bgcolor:black}{color:white}NOTE:
{align:left}{bgcolor:black}{color:white}     if you need help contact support@homelab
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:black}{align:left}
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black} To manage this host, go to:                                                                                                
{bgcolor:yellow}{color:black} http://{ip}                                                                                                         
{bgcolor:yellow}{color:black} http://{hostname}                                                                                               
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{bgcolor:yellow}{color:black}                                                                                                                            
{align:left}{bgcolor:black} {color:red} <F2> Customize System/View Logs                                                                   <F12> Shut Down/Restart {/align}
"

And then just run the same command and instead of welcome message I used the $a variable

Set-WelcomeMessage -Hostname "fs-vsan-05.int.dc5.cz" -WelcomeMessage $a

Happy experimenting with different colors 🙂