How to Suppress ESXi Shell Warnings with PowerCLI

If you’re managing VMware environments, you might occasionally run into persistent shell warning alerts on your ESXi hosts. Thankfully, you can quickly find and suppress these warnings with a bit of PowerCLI magic.

Check for ESXi Hosts with Shell Warnings

Show the current value of the advanced setting on all hosts. Log into vCenter using PowerCLI and run this command:

 Get-VMHost | Get-AdvancedSetting | Where-Object { $_.type -eq 'VMHost' -and $_.name -eq 'UserVars.SuppressShellWarning' } | Format-Table entity, name, value

Command output:

Entity                Name                          Value
------                ----                          -----
...
fs-vsan-04.int.dc5.cz UserVars.SuppressShellWarning     1
fs-vsan-05.int.dc5.cz UserVars.SuppressShellWarning     0
...


To list only the ESXi hosts where the shell warning has not been suppressed (the default), run the following command:

 Get-VMHost | Get-AdvancedSetting | Where-Object { $_.type -eq 'VMHost' -and $_.name -eq 'UserVars.SuppressShellWarning' -and $_.value -ne 1 } | Format-Table entity, name, value

This command outputs a table listing all hosts where the shell warning hasn’t been suppressed—it remains visible in the GUI.

Command output:

Entity                Name                          Value
------                ----                          -----
fs-vsan-05.int.dc5.cz UserVars.SuppressShellWarning     0

Suppress the Shell Warnings

Now, to suppress the shell warnings on selected ESXi hosts, run this simple command:

$esxi = "fs-vsan-05.int.dc5.cz"
Get-VMHost $esxi | Get-AdvancedSetting | Where-Object { $_.type -eq 'VMHost' -and $_.name -eq 'UserVars.SuppressShellWarning' -and $_.value -ne 1 } | Set-AdvancedSetting -Value 1 -Confirm:$false | Format-Table entity, name, value

This command immediately suppresses the shell warning on the selected hosts. No more alerts in the GUI!

Command output:

Entity                Name                          Value
------                ----                          -----
fs-vsan-05.int.dc5.cz UserVars.SuppressShellWarning     1

Why (Not) Suppress Shell Warnings?

It’s important to note that suppressing shell warnings is only advisable in lab or non-production environments. In production environments, shell warnings provide valuable security reminders. Always keep shell warnings enabled to maintain security awareness unless you’re working in a controlled test environment.
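For production, the more useful report is the one that pairs the suppression flag with the state of the shell services themselves. The following is an added example, not code from the original article; it assumes an active Connect-VIServer session, uses the ESXi service keys TSM (ESXi Shell) and TSM-SSH (SSH), and the Finding labels are made up for this illustration:

```powershell
# Added example (not from the original article). Assumes an active Connect-VIServer session.
# Service keys: 'TSM' = ESXi Shell, 'TSM-SSH' = SSH.
$report = foreach ($vmhost in (Get-VMHost | Sort-Object Name)) {
    # Disconnected or unresponsive hosts cannot be queried
    if ($vmhost.ConnectionState -notin 'Connected', 'Maintenance') { continue }

    $setting  = Get-AdvancedSetting -Entity $vmhost -Name 'UserVars.SuppressShellWarning'
    $services = Get-VMHostService -VMHost $vmhost |
        Where-Object { $_.Key -in 'TSM', 'TSM-SSH' }

    $suppressed = ([int]$setting.Value -eq 1)
    $running    = @($services | Where-Object { $_.Running })
    $autostart  = @($services | Where-Object { $_.Policy -ne 'off' })

    # Illustrative labels: the worst case is a running shell with the warning hidden
    $finding = if ($suppressed -and $running.Count -gt 0) {
        'Shell/SSH running with warning hidden'
    } elseif ($running.Count -gt 0) {
        'Shell/SSH running, warning visible'
    } elseif ($suppressed) {
        'Warning suppressed, services stopped'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Host              = $vmhost.Name
        WarningSuppressed = $suppressed
        RunningServices   = ($running.Label -join ', ')
        AutoStart         = ($autostart.Label -join ', ')
        Finding           = $finding
    }
}

# Hosts where the warning is hidden while a shell service is running come first
$report | Sort-Object { $_.Finding -ne 'Shell/SSH running with warning hidden' }, Host |
    Format-Table -AutoSize
```

A host listed with "Shell/SSH running with warning hidden" has interactive access enabled with no indication in the vSphere Client, which is the combination to review first.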

Happy scripting!

How to Quickly Check/Backup ESXi Host TPM Encryption Recovery Key Using PowerCLI

Managing encryption across multiple ESXi hosts can be a bit of a hassle. But don’t worry. I’ve got a simple PowerCLI script that’ll save you time and headaches by quickly retrieving encryption status and recovery keys from your VMware environment.

Why Do You Need This?

Ensuring your ESXi hosts are correctly encrypted is essential for security. Regular checks help prevent surprises later, especially during troubleshooting or audits.

Getting Started

First, make sure you’re connected to your vCenter:

Connect-VIServer -Server <VCENTER_IP_OR_FQDN>

Replace <VCENTER_IP_OR_FQDN> with your vCenter IP or FQDN.

The Script Breakdown

Here’s a quick rundown of the PowerCLI script that verifies encryption settings across all ESXi hosts and shows the recovery key for each ESXi host (published as tpm_recovery_key_backup.ps1 in the GitHub repository):

# Connect to your vCenter server (if not already connected)
# Connect-VIServer -Server <VCENTER_IP_OR_FQDN>

$esxis  = get-vmhost | Sort-Object

foreach ($esx in $esxis) {
    $key= @()
    $enc = @()
    if ($esx.ConnectionState -ne "Connected" -and $esx.ConnectionState -ne "Maintenance") {
        Write-Host ""
        Write-Host "================================================================================" -ForegroundColor Yellow
        Write-Host "🚫 SKIPPED HOST" -ForegroundColor Yellow
        Write-Host "Host                : $($esx.Name)" -ForegroundColor DarkYellow
        Write-Host "Reason              : Not powered on or disconnected." -ForegroundColor DarkYellow
        Write-Host "================================================================================" -ForegroundColor Yellow
        Write-Host ""
        continue
    }
    $esxcli = Get-EsxCli -VMHost $esx -V2
    try {
        $key = $esxcli.system.settings.encryption.recovery.list.Invoke()
        $enc =  $esxcli.system.settings.encryption.get.Invoke()

        Write-Host "================================================================================" -ForegroundColor DarkCyan
        Write-Host "🔹 ESXi Host        : $($esx.Name)" -ForegroundColor Cyan
        Write-Host "🔐 Recovery ID      : $($key.RecoveryID)" -ForegroundColor Green
        Write-Host "🗝️  Recovery Key     : $($key.Key)" -ForegroundColor Yellow
        Write-Host "🔒 Encryption Mode  : $($enc.Mode)" -ForegroundColor Magenta
        Write-Host "================================================================================" -ForegroundColor DarkCyan
        Write-Host ""
    }
    catch {
        Write-Host ""
        Write-Host "================================================================================" -ForegroundColor DarkGray
        Write-Host "❌ ERROR for host    : $($esx.Name)" -ForegroundColor Red
        Write-Host "⚠️  Failed to get encryption key for $($esx.Name) ."
        Write-Host "🧨 Error details     : $_"
        Write-Host "================================================================================" -ForegroundColor DarkGray
        Write-Host ""
    }
}

What the Script Does

  • Connects to each ESXi host.
  • Checks if the host is Connected or in Maintenance mode.
  • Retrieves the Encryption Recovery ID and Key.
  • Shows the current encryption mode.
  • Gracefully handles hosts that are offline or disconnected, clearly indicating skipped or problematic hosts.
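The script above prints each recovery key to the console, where it can end up in scrollback, transcripts or screenshots. For an actual backup, the following added example (not part of the original script or its repository) collects the same esxcli output into objects and writes it encrypted with Protect-CmsMessage. It assumes an active Connect-VIServer session and an already installed document-encryption certificate; the subject in $RecipientCert and the path in $OutFile are hypothetical values.

```powershell
# Added example (not from the original script). Assumes an active Connect-VIServer session.
$RecipientCert = 'CN=esxi-key-escrow'   # hypothetical document-encryption certificate subject
$OutFile       = ".\esxi-recovery-keys-$(Get-Date -Format yyyyMMdd).cms"   # hypothetical path

$rows = foreach ($esx in (Get-VMHost | Sort-Object Name)) {
    if ($esx.ConnectionState -notin 'Connected', 'Maintenance') {
        Write-Warning "Skipped $($esx.Name): state is $($esx.ConnectionState)"
        continue
    }
    try {
        $esxcli = Get-EsxCli -VMHost $esx -V2
        $enc    = $esxcli.system.settings.encryption.get.Invoke()
        # Same esxcli calls as the script above; one output row per recovery key
        foreach ($k in $esxcli.system.settings.encryption.recovery.list.Invoke()) {
            [pscustomobject]@{
                Host       = $esx.Name
                Mode       = $enc.Mode
                RecoveryID = $k.RecoveryID
                Key        = $k.Key
            }
        }
    }
    catch {
        Write-Warning "Failed to read encryption settings for $($esx.Name): $_"
    }
}

# Encrypt the CSV to the recipient certificate; only the private-key holder can
# read it back with Unprotect-CmsMessage.
$csv = $rows | ConvertTo-Csv -NoTypeInformation | Out-String
Protect-CmsMessage -To $RecipientCert -Content $csv -OutFile $OutFile

# On screen, show everything except the key itself
$rows | Select-Object Host, Mode, RecoveryID | Format-Table -AutoSize
```

Store the resulting file away from the vSphere environment it protects, and keep the certificate's private key with whoever is responsible for host recovery.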

Output

Connected hosts or in Maintenance with Encryption keys

Powered off or disconnected hosts – Skipped hosts

Hosts without encryption keys or with errors

Wrapping It Up

This quick script helps you stay on top of ESXi encryption keys effortlessly. Just copy, adjust if needed, and run. Happy scripting!