Virtualization Based Security (VBS) in vSphere 6.7

As we all know, VMware recently released its latest version, vSphere 6.7, and it brings many enhancements and new features. Security is very important on every platform these days, and VMware has made great improvements on the security side. vSphere 6.7 has some really big security features, and one of the coolest is support for Microsoft Virtualization Based Security (VBS).

In this post I will be sharing information about Microsoft Virtualization Based Security (VBS) and how to enable it on a Windows Server 2016 Hyper-V virtual machine in vSphere 6.7.

Virtualization-based security (VBS) is a feature of the Windows 10 and Windows Server 2016 operating systems. It uses hardware and software virtualization to enhance Windows system security by creating an isolated, hypervisor-restricted, specialized subsystem. VBS uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. It uses the underlying hypervisor to create this virtual secure mode and to enforce restrictions that protect vital system and operating system resources, or to protect security assets such as authenticated user credentials. In effect, Microsoft uses the hypervisor to provide a restricted memory space where sensitive information like credentials can be stored instead of in the operating system itself. With the increased protections offered by VBS, even if malware gains access to the OS kernel the possible exploits can be greatly limited and contained, because the hypervisor can prevent the malware from executing code or accessing platform secrets.

Prerequisites

VBS reinforces the security of Microsoft Hyper-V, and you have to configure the following settings on your virtual machine:

Option                                                    Required Setting
Firmware type                                             UEFI
Enable UEFI Secure Boot                                   Enabled
Enable hypervisor applications in this virtual machine    Enabled
Enable IOMMU in this virtual machine                      Enabled
  • Create a virtual machine that uses hardware version 14 or later and one of the following supported guest operating systems.

    • Windows 10 Enterprise, 64-bit

    • Windows Server 2016

  • To use Windows 2016 as the guest operating system, apply all Microsoft updates to the guest.

Note:- VBS might not function in a Windows 2016 guest without the most current updates.

Enabling Virtualization Based Security in Windows 2016 with vSphere 6.7

I am creating a Windows Server 2016 virtual machine in a nested ESXi 6.7 environment to configure VBS. There are two points at which you can enable VBS, and the VM compatibility level must be ESXi 6.7:

  • While creating the Virtual machine

  • After Creating the Virtual Machine

After booting the Windows Server 2016 VM, follow the steps below to enable Virtualization Based Security.

  • Enable the group policy setting first for VBS
  • Enable Hyper-V in Windows 2016 Server

Navigate to the Group Policy setting where VBS has to be enabled

Open the Local Group Policy Editor by typing gpedit.msc in the Run menu, or search for Local Security Policy from the Start menu

Navigate to Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security

Set the policy to Enabled, choose the options below from the drop-down menus, click OK and reboot the server:

  • Select Platform Security Level : Secure Boot and DMA Protection
  • Virtualization Based Protection of Code Integrity : Enabled with UEFI lock
  • Credential Guard Configuration : Enabled with UEFI lock

Note:- The Enabled without UEFI lock option lets you enable or disable this setting remotely (for example through Group Policy); with the UEFI lock the setting persists in firmware and cannot be turned off remotely.

Enable Hyper-V on Windows 2016 Server

Navigate to Server Manager -> Add Roles and Features

Click Next with the default options, select Hyper-V from Server Roles, choose Include management tools, and click OK

Continue with the default options and click Finish

After enabling the Hyper-V feature, restart Windows.

How to Verify VBS Is Enabled

Run msinfo32.exe from the Run menu; under System Summary you can find the Device Guard related entries, which show whether virtualization-based security is running and which services it protects

More about VBS can be found here

Check more vSphere 6.7 Posts 

Thank you for reading this post  , Share the knowledge if you feel worth sharing it.

Follow VMarena on FaceBook , Twitter , Youtube


Replace vCenter External PSC 6.7 VMCA Certificate by an ADCS Signed Certificate

In my previous post I explained how to replace the VMCA SSL certificate on a vCSA 6.7 with an embedded PSC. In this post I will be sharing information on replacing the self-signed certificate with a Certificate Authority (CA) signed SSL certificate in a vCenter 6.7 environment with an external PSC.

The vSphere Certificate Manager utility provides all workflows to replace or regenerate the Machine SSL Certificate, Solution User Certificates and the VMCA Root Signing Certificate on the vCenter Server and Platform Services Controller.

Requirements

  • Working PKI based on Active directory Certificate Server.
  • Certificate Server should have a valid Template for vSphere environment

Note :- If you don’t have a template Refer this Post  for creating a new Template

  • vCenter Server Appliance with root Access

Generate a certificate request from PSC 6.7

Log in to the vCSA using SSH or the console

Run /usr/lib/vmware-vmca/bin/certificate-manager and select the operation option 1

Note:- This console was already in the bash shell, so it did not ask me to type shell; in your case it may ask you to type shell to get the shell

Enter administrator credentials and enter option number 1.

Specify the following options:

  • Output directory path :- path where the private key and the request will be generated
  • Country :- your country, as a two-letter code
  • Name :- the FQDN of your PSC
  • Organization :- an organization name
  • OrgUnit :- the name of your unit
  • State :- your state or province
  • Locality :- your city
  • IPAddress :- the PSC IP address
  • Email :- your e-mail address
  • Hostname :- the FQDN of your PSC
  • VMCA Name :- the FQDN where your VMCA is located; here we use the PSC (vCSA or PSC FQDN, depending on your setup)

Once the private key and the request is generated select Option 2 to exit

Next we have to export the request and key from that location; we will use WinSCP for this operation.

To perform the export, WinSCP needs root's login shell on the PSC to be bash; type the following command to set it:

#chsh -s /bin/bash root

Once connected to the PSC from WinSCP, navigate to the path you specified in the request and download the vmca_issued_csr.csr file

Open the Certificate Server URL in a browser using the format http://<FQDN or IP>/CertSrv/ and select the Request a certificate option

Select Advanced certificate request

Open the exported vmca_issued_csr.csr file in Notepad, copy its contents and paste them into the Base-64-encoded certificate request field, select the appropriate certificate template (here I chose vSphere 6.7) and click Submit

On the next page select the Base 64 encoded option and download the certificate and the certificate chain

Note :- You have to export the chain certificate with a .cer extension; by default it is PKCS#7

Open the chain file by double-clicking it, navigate to the certificate -> right-click -> All Tasks -> Export and save it as filename.cer

You also have to export the Certificate Server (CA) certificate.

Next, copy the newly downloaded certificates to the PSC appliance (PSC, chain and CA root certificates)

Log in to the PSC appliance with WinSCP and copy them to a location.

Note:- Remember the path where you copied the new certificates; it is required in the replacement menu.

Log in to the vCenter Server Appliance console or connect with PuTTY

Go to the path where you copied the certificates and rename the new PSC certificate to root-ca.cer (not mandatory; you can keep the same name)

Rename  #  mv  /tmp/certnew.cer  /tmp/root-ca.cer

Now append the CA server certificate data to the renamed PSC certificate, so the file holds the PSC certificate followed by the CA certificate

Now we will replace the certificate

Run /usr/lib/vmware-vmca/bin/certificate-manager and select the operation option 1

Enter administrator credentials and enter option number 2

Add the exported certificate and generated key paths from the previous steps and press Y to confirm the change

  • Custom certificate for machine SSL :- path to the certificate chain (srv.cer here)
  • Valid custom key for machine SSL :- path to the .key file generated earlier
  • Signing certificate of the machine SSL certificate :- path to the Root CA certificate (root-ca.cer, the base64-encoded PSC certificate prepared above)

It will take a little time to complete, and then you can see the message

Status : 100 % Completed [All tasks completed successfully]

Note:- If you provide a different certificate instead of the chain certificate in the Custom certificate for machine SSL option, you will get an error containing "depth lookup:certificate"

Also, if the CA server certificate data is not appended to the PSC root certificate and available locally on the same path, you may get an error as well

Now Connect to the vCenter using Web Client and you can see the new custom certificate



Join the vCSA 6.7 to an Active Directory Domain From HTML Client

VMware vSphere 6.7 is the latest version released by VMware, and many enhancements and new features are available with this release. The major change for the vCenter Server Appliance is the simplified architecture: all vCenter Server services run on a single instance with full functionality. vSphere 6.7 also ships a new HTML5 client with many enhancements, and VMware is working towards 100 % of functions being fully supported by the HTML5 client.

In this post I am sharing how to join a vCSA 6.7 to an Active Directory domain from the HTML client and the other options available there, plus the commands to join, leave and verify the domain status.

Join AD Domain

  • Open vSphere HTML Client
  • Login as Single Sign-On Administrator or a user with global permissions.
  • Navigate to Administration >Configuration

On the Identity Sources tab you can verify the available domains; by default only SSO and Localos will be present

  • Navigate to the Active Directory Domain tab and click Join AD
  • Enter the domain name and the username and password of an account with permission to join Active Directory, and click Join

Note:- You have to reboot the appliance to apply the changes

When the appliance is back online it will be part of the Active Directory domain, but you still have to add the domain as an identity source

  • Login to vCenter with SSO Admin account Navigate to Administration >Configuration->Identity Sources

  • Select ADD IDENTITY SOURCE and  Select Use machine account and click OK

You can now see your domain listed on the Identity Sources tab

Additionally, you can do the configuration below from the same window

  • Remove  the Joined Domain
  • Create Login Message
  • Smart Card Authentication
  • Policies - Password Policy , Lockout Policy and Token Policy

Next add a Permission from Active Directory

Navigate to the object (here I chose vCenter) -> Permissions -> select the "+" symbol to add a permission

From User Option Select the Domain Name

Search the Desired Username

Select the desired Role  and select the Propagate to Children Option and Click OK

Join to AD Domain using CLI

You can also join Active Directory from the command line

  • Connect to the vCenter Server Appliance with SSH
  • Activate the bash shell

#Command> shell

  • Use the domainjoin-cli tool to join, leave and verify the status of the domain

Join to AD using CLI

# /opt/likewise/bin/domainjoin-cli join [domain] [user name] [password]

Note:- For security reasons you should supply only the username; the tool then prompts for the password, which is not echoed (and, unlike a password typed on the command line, does not end up in the shell history or the process list)

Verify the domain status from the CLI

Dis-join (leave) a domain from the CLI


Replace VCSA 6.7 Certificate (VMCA) by an ADCS Signed Certificate

In this post I will be sharing the information on replacing self-signed certificate by a Certificate Authority (CA) signed SSL certificates in a vSphere 6.7 environment. VMware has pre-packaged the vSphere Certificate Manager utility to automate the replacement process.

The vSphere Certificate Manager utility provides all workflows to replace or regenerate the Machine SSL Certificate, Solution User Certificates and the VMCA Root Signing Certificate on the vCenter Server and Platform Services Controller.

Before starting the procedure, a quick introduction to managing vSphere certificates: vSphere certificates can be managed in two different modes

  • VMCA Default Certificates

VMCA provides all the certificates for vCenter Server and ESXi hosts in the virtual infrastructure and manages the certificate lifecycle for vCenter Server and ESXi hosts. Using the VMCA default certificates is the simplest method with the least overhead.

  • VMCA Default Certificates with External SSL Certificates (Hybrid Mode)

This method replaces the Platform Services Controller and vCenter Server Appliance SSL certificates, and lets VMCA manage the certificates for solution users and ESXi hosts. For high-security deployments you can replace the ESXi host SSL certificates as well. This method is simple: VMCA manages the internal certificates, and you get the benefit of using your corporate-approved SSL certificates, which are trusted by your browsers.

Here we are discussing the Hybrid mode; this is VMware's recommended deployment model for certificates as it provides a good level of security. In this model only the Machine SSL certificate is signed by the CA and replaced on the vCenter Server, while the solution user and ESXi host certificates are issued by the VMCA.

Requirements

  • Working PKI based on Active directory Certificate Server.
  • Certificate Server should have a valid Template for vSphere environment

Note :- If you don't have a template Refer this Post for creating a new Template

  • vCenter Server Appliance with root Access

Generate a certificate request from VCSA 6.7

Log in to the vCSA using SSH or the console and launch bash by typing shell.

Run /usr/lib/vmware-vmca/bin/certificate-manager and select the operation option 1

Enter administrator credentials and enter option number 1.

Specify the following options:

  • Output directory path :- path where the private key and the request will be generated
  • Country :- your country, as a two-letter code
  • Name :- the FQDN of your vCSA
  • Organization :- an organization name
  • OrgUnit :- the name of your unit
  • State :- your state or province
  • Locality :- your city
  • IPAddress :- the vCSA IP address
  • Email :- your e-mail address
  • Hostname :- the FQDN of your vCSA
  • VMCA Name :- the FQDN where your VMCA is located, usually the vCSA FQDN

Once the private key and the request is generated select Option 2 to exit

Next we have to export the request and key from that location; we will use WinSCP for this operation.

To perform the export, WinSCP needs root's login shell on the vCSA to be bash; type the following command to set it:

#chsh -s /bin/bash root

Once connected to the vCSA from WinSCP, navigate to the path you specified in the request and download the vmca_issued_csr.csr file.

Open the Certificate Server URL in a browser using the format http://<FQDN or IP>/CertSrv/ and select the Request a certificate option

Select Advanced certificate request

Open the exported vmca_issued_csr.csr file in Notepad, copy its contents and paste them into the Base-64-encoded certificate request field, select the appropriate certificate template (here I chose vSphere 6.7) and click Submit

From Next Page Select the Base 64 encoded option and Download the Certificate and Certificate Chain

Note :- You have to export the chain certificate with a .cer extension; by default it is PKCS#7

Open the chain file by double-clicking it, navigate to the certificate -> right-click -> All Tasks -> Export and save it as filename.cer

Navigate to the Certificate Authority console and verify the status of the request under Issued Certificates

Next, copy the newly downloaded certificates to the vCenter appliance

Log in to the vCenter appliance with WinSCP and copy them to a location.

Note:- Remember the path where you copied the new certificates; it is required in the replacement menu.

Log in to the vCenter Server Appliance console or connect with PuTTY

Run /usr/lib/vmware-vmca/bin/certificate-manager and select the operation option 1

Enter administrator credentials and enter option number 2

Add the exported certificate and generated key paths from the previous steps and press Y to confirm the change

  • Custom certificate for machine SSL :- path to the certificate chain (srv.cer here)
  • Valid custom key for machine SSL :- path to the .key file generated earlier
  • Signing certificate of the machine SSL certificate :- path to the Root CA certificate (root.cer, the base64-encoded certificate exported above)

Note:- If you provide a different certificate instead of the chain certificate in the Custom certificate for machine SSL option, you will get an error containing "depth lookup:certificate"

It will take a little time to complete, and then you can see the message

Status : 100 % Completed [All tasks completed successfully]

Now Connect to the vCenter using Web Client and you can see the new custom certificate
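Both certificate-replacement posts above hand certificate-manager a chain file (the new Machine SSL certificate with the CA certificate data appended) and warn about the "depth lookup:certificate" error when that chain is incomplete. The shell script below is an added example, not VMware's or VMarena's code, for building the chain file in the right order and checking it before running option 2. The file names srv.cer, root-ca.cer and chain.cer are assumed, the PEM blocks written by make_sample_pem are constructed placeholders rather than real certificates, and the optional openssl verify pre-check is my own suggestion of a useful sanity test, not something certificate-manager documents.

```shell
#!/bin/sh
# Added example, not part of the original posts: assemble and sanity-check the
# chain file that certificate-manager option 2 expects.

# Write a constructed placeholder "certificate" (the body is a label, not DER),
# used only so the example can run without a real CA.
make_sample_pem() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
        "CONSTRUCTED-PLACEHOLDER-$2" '-----END CERTIFICATE-----' > "$1"
}

# Build a PEM chain: the new Machine SSL certificate first, then each issuing
# CA certificate (intermediates before the root). Order matters, because the
# verifier walks from the leaf upwards; a missing issuer is what produces the
# "depth lookup:certificate" error mentioned in the posts.
build_chain() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
        cat "$f" >> "$out"
        # ensure a trailing newline so consecutive PEM blocks do not run together
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
    done
}

# Count the certificates in a PEM file; fail if BEGIN/END markers are unbalanced.
pem_cert_count() {
    [ -r "$1" ] || return 1
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1") || true
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$1") || true
    [ "$begins" -eq "$ends" ] || return 1
    echo "$begins"
}

# True if the file is the base64 PKCS#7 bundle that ADCS "Download certificate
# chain" produces; certificate-manager wants plain PEM certificates instead.
is_pkcs7() {
    grep -q -e '-----BEGIN PKCS7-----' "$1"
}

# Report whether a file is usable for "Custom certificate for machine SSL".
# Returns 0 when it looks right, 1 with a reason otherwise.
chain_check() {
    f="$1"
    if is_pkcs7 "$f"; then
        echo "$f: PKCS#7 bundle; export it as Base-64 .cer (or run: openssl pkcs7 -print_certs -in $f) first"
        return 1
    fi
    n=$(pem_cert_count "$f") || { echo "$f: unbalanced BEGIN/END CERTIFICATE markers"; return 1; }
    if [ "$n" -lt 2 ]; then
        echo "$f: only $n certificate; append the issuing CA certificate(s) or expect a depth lookup error"
        return 1
    fi
    echo "$f: $n certificates, leaf first"
}

# Optional: if openssl is installed, verify the leaf against the CA file the way
# the appliance will, taking any intermediates from the chain file itself.
verify_with_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping verify"; return 0; }
    openssl verify -CAfile "$2" -untrusted "$1" "$1"
}

# Demo on constructed placeholder files (run: sh chain-check.sh demo).
demo() {
    d=$(mktemp -d)
    make_sample_pem "$d/srv.cer" LEAF
    make_sample_pem "$d/root-ca.cer" ROOT
    chain_check "$d/srv.cer" || true   # fails on purpose: leaf only
    build_chain "$d/chain.cer" "$d/srv.cer" "$d/root-ca.cer"
    chain_check "$d/chain.cer"         # ok: leaf followed by CA
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On the appliance you would call build_chain with the real files (the CA-issued leaf first, then the exported CA certificate), run chain_check on the result, and only then feed it to certificate-manager; the CA file itself still goes in the "Signing certificate" prompt.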

Reference - VMware KB


Microsoft Certificate Authority Template Creation for SSL certificate in vSphere 6.7

In this post I will share the steps to create the Microsoft Certificate Authority Template to support  for custom SSL certificate creation in VMware vSphere 6.7 .

Before jumping to the steps I will give a short introduction to certificate templates. Certificate templates define the enrollment policy on the CA. First, an Enterprise CA can only issue certificates based on the templates it is configured to use. Second, permissions set on the certificate template's Active Directory object determine whether a user or computer is permitted to request a certificate based on that template. If a user does not have Enroll permission on a particular template, the CA will deny any request submitted by that user for a certificate based on that template.

Certificate templates contain properties that would be common to all certificates issued by the CA based on that template. Windows includes several predefined templates, but Administrators also have the ability to create their own templates specific for their enterprise. When requesting a certificate, a client can just specify the template name in the request and the CA will build the certificate based upon the requestor’s information in Active Directory and the properties defined in the template.

Currently, there are three versions of templates:

Version 1 templates were introduced in Windows 2000 and can be used by Windows 2000, Windows Server 2003 (R2) and Windows Server 2008 (R2) Enterprise CAs. The Active Directory objects for version 1 templates are created the first time an Enterprise CA is created in the forest. These templates were designed to reflect the most common scenarios for digital certificates in the enterprise. Unfortunately, if you don't like the predefined settings you're pretty much out of luck: creating new v1 templates, or editing the existing ones, is not supported. The only supported customization is to the permissions on the template.

Version 2 templates were introduced in Windows Server 2003 and are a vast improvement over v1 templates. First and foremost, v2 templates can be modified by an Enterprise Admin. In addition, the Admin can duplicate an existing v1 or v2 template to create a new v2 template, and then customize the result. Finally, v2 templates expose a larger number of properties that can be configured, and also expose some controls to take advantage of some other new features introduced in Windows Server 2003. One of these features, for example, is key archival. Version 2 templates can be used by Windows Server 2003 and Windows Server 2008 Enterprise or Datacenter Editions. On Windows Server 2008 R2, v2 templates can be used by a CA installed on Standard, Enterprise, Datacenter, Foundation and Server Core Editions.

Version 3 templates were introduced in Windows Server 2008. Version 3 templates have all the features of a version 2 template with two major additions. First, v3 templates support the use of Crypto Next Generation (CNG) providers, which means that the certificates support Suite B algorithms based on Elliptical Curve Cryptography (ECC). Second, v3 templates have a setting that instructs Windows to grant the Network Service account access to the private key created on the requesting computer. This is great for those certificates that will be used by applications or services that run as Network Service rather than Local System. Version 3 templates are supported by CAs installed on Windows Server 2008 Enterprise and Datacenter Editions. They are also supported by CAs installed on Windows Server 2008 R2 Standard, Enterprise, Datacenter, Foundation and Server Core Editions.

To create a template for the vSphere environment we will use the default Web Server template on the CA server. We will duplicate the Web Server template with some modifications, and a version 2 template will be created.

Creating a template for vSphere 6.x to use for Machine SSL and Solution User certificates

Log into your Windows Certificate Authority Server

Click Start > Run, type certtmpl.msc and click OK.

In the Certificate Templates Console you will see a list of certificate templates; we will create a new template for use by the Machine SSL and Solution User certificates by duplicating the Web Server template.

Navigate to Web Server Template -> Right-click -> Select Duplicate Template.

Select Windows Server 2003 for backward compatibility.

Notes: If you need a hash algorithm stronger than SHA1, you may select Windows Server 2008 / 2008 R2

Click the General tab  and enter vSphere 6.7 as the name of the template  in the Template display name field

Click the Extensions tab. Select Application Policies and click Edit and remove Server Authentication and click OK.

Select Key Usage and click Edit. Select the Signature is proof of origin (nonrepudiation) option. Leave all other options as default.

Click the Subject Name tab. Ensure that the Supply in the request option is selected and  Click OK to save the template.

Adding a new template to certificate templates

Now we have created the certificate template for vSphere 6.7 to use for Machine SSL and Solution User certificates. Next you have to add it to the list of templates that can be selected when submitting a certificate request

Click Start > Run, type certsrv.msc, and click OK.

Right-click Certificate Templates and click New > Certificate Template to Issue.

Locate vSphere 6.7 from the list and Click OK.

Now we have created a new vSphere 6.7 Certificate Template and  it can be used while creating and replacing the Machine SSL certificate for VCSA .

Reference - VMware KB


How to Create Bootable vSphere 6.7 Installer USB Flash Drive

VMware released its latest version, vSphere 6.7, in April 2018, and I have shared the details in one of my blog posts. As we know, there are multiple options for installing ESXi on a physical server, such as a remote management console (KVM, iLO, iDRAC) or a CD drive. However, in some cases, due to a firmware issue, a limited number of switch ports, an unavailable remote console license or no CD-ROM, installing ESXi becomes a challenge; in that case a bootable USB drive with the ESXi installer will help to install the hypervisor.

In this post I will explain how to create a bootable ESXi 6.7 installer USB drive using a free tool called Rufus. Following this method, you can create a bootable USB drive with the vSphere 6.7 installer in less than two minutes.

Before starting the installation you have to verify that all prerequisites for installing vSphere 6.7 are met; you can validate those requirements with the checklist below

vSphere 6.7 Installation Checklist

  • Hardware Compatibility with vSphere 6.7 from VMware HCL website
  • Virtualization Technology Intel VT or AMD-V available and enabled
  • Hardware Firmware and Driver version from VMware and Vendor Website
  • Vendor specified Custom ISO availability

Note :- You may create a Custom ISO by referring  VMware Docs

Prerequisite

  • vSphere 6.7 standard or Custom ISO image download from VMware or Vendor Website

For Free vSphere 6.7 License refer How to Obtain Free Version Of vSphere (ESXi) 6.7

  • Free Software – free software capable of making a USB drive bootable; we are using the free Rufus tool, which you can download from here
  • USB Drive – a USB drive with a minimum capacity of 4 GB, or USB devices with 8 / 16 GB.

Create Bootable USB Installer

Navigate to the Rufus and vSphere 6.7 ISO location; you can identify them as shown below

Start Rufus Application

Verify the USB drive (here we are using " VMARENA-USB " with a capacity of 4 GB), browse to and select the downloaded ESXi ISO " VMware-VMvisor-Installer-6.7.0-8169922.x86_64.iso " and click Start

Note :- Leave the partition scheme at the default "MBR" (if it shows GPT, change it to MBR). If required you may modify the volume label or leave it at the default

You will get a popup asking to replace menu.c32; select Yes to continue

A warning message will pop up stating that all data on the device will be destroyed; click OK to continue

Note:- You can notice that the device shows the READY state in this window

The USB drive will be formatted and the installation files will be copied to the USB device; it takes less than 2 minutes.

Once it is completed, the application window shows the status READY and the vSphere 6.7 USB installer media is ready

Next, connect the USB drive to the server, power it on and select USB as the first boot device; the server will boot into the vSphere 6.7 installation

Note :- The boot order has to be configured in the server BIOS.

Refer vSphere 6.7 Installation and Setup Guide for more features like image builder

More vSphere 6.7 Posts



How to Obtain Free Version Of vSphere (ESXi) 6.7

VMware vSphere 6.7 has been announced by VMware recently and there are many enhancement and new features are available with this release. Question is how we can obtain a free version of vSphere 6.7 for our non-production or testing environment.

As with older versions, we can obtain a vSphere 6.7 license the same way: a license key with no expiration date can be created for free on VMware's website. The "Free Hypervisor" is identical to the paid version but with some software limitations.

The free version also has some technical specifications and limitations; find them below.

  • Free ESXi cannot be added to a vCenter Server
  • No commercial support
  • Some API functionality is missing
  • Number of logical CPUs per host: 480
  • No physical CPU limitation
  • Maximum vCPUs per virtual machine: 8
  • If you have already a free key for ESXi 6.0 or 6.5, you can use the old key for vSphere 6.7 also.

How to Obtain Free vSphere License

  1. Browse to the VMware vSphere Hypervisor (ESXi) 6.7 Download Page
  2. Log in with an existing account or create an account
  3. To register for ESXi you have to enter your personal information. After registration, you will receive a unique license key and access to the vSphere 6.7 binaries.
  4. Now download VMware vSphere Hypervisor 6.7 - Binaries
  5. You can install ESXi on your hardware and assign the license to the ESXi host from the web client
  6. Log in as root with the Embedded Host Client (https://<ESX IP / FQDN>/ui/)
  7. Navigate to Manage -> Licensing
  8. Click Assign license, enter your license key and start using the free vSphere 6.7


How to Install 32 / 64 bit Operating System on Nested vSphere 6.7

VMware vSphere 6.7 has been announced by VMware recently, and many enhancements and new features are available with this release. Most VMware engineers and admins do their tests in a nested virtual environment, and as we all know VMware supports nested virtualization, including with vSphere 6.7. In this post I will share what modification we have to make after creating a nested vSphere 6.7 environment in order to install 32-bit and 64-bit operating systems on top of it.

First I will share details about my environment. My nested setup is running on top of an HP ProLiant BL460 G7 server; the table below has the configuration details. Since the HP G7 does not support version 6.7, I chose ESXi 6.0 U3 for the base host, and the nested ESXi hosts are on vSphere 6.7. Storage is a vSAN datastore created on this nested setup.

Server Type   CPU   CORE   Logical CPU   RAM (GB)   ESXi Version
Physical      2     12     24            64         6.0 U3
Nested        2     2      4             10         6.7
Nested        2     2      4             10         6.7
Nested        2     2      4             10         6.7
Nested        2     2      4             16         6.7

I created a 32-bit Windows 2008 R2 machine on one of the nested ESXi servers with a configuration of 1 CPU, 2 GB RAM and a 20 GB HDD

To install the OS I powered on the VM and got the error below. From the error I understood that the issue is related to my nested ESXi CPU features. Since the host is nested, hardware virtualization is not exposed to it by default, but we can enable the virtualization feature on the CPU of the nested ESXi and resolve this issue.

Let's check whether the hardware virtualization feature is enabled on the Windows 2008 VM and on the nested ESXi. It is not mandatory to enable the feature on the VM, but it must be enabled on the nested ESXi.

Edit Settings -> CPU -> Hardware Virtualization: you can see it is not enabled on either.

Enable the feature on the nested ESXi and power on the VM. Note that enabling the feature requires downtime (shutdown of the nested ESXi).

Shut down the nested ESXi

Edit Settings -> CPU -> Hardware Virtualization -> tick the Hardware Virtualization check box and power on.

You can verify the same from that option, and you will find a configuration like the one below for that feature.

Try to power on the VM and install the operating system. You may also notice that the VM hardware compatibility is ESXi 6.0 and later and the virtual machine hardware version is 11, because I first created the VM with the version supported by the base ESXi server.

I also created a new 64-bit Windows 7 VM to test 64-bit compatibility on nested vSphere 6.7, and it worked



ESXCLI Commands in vSphere 6.7

VMware vSphere 6.7 has been announced by VMware recently, and many enhancements and new features are available with this release. The vSphere CLI also has enhancements in this release, and I was trying to understand all of the new enhancements in my 6.7 lab. Even though I tried this in my lab, I took reference from one blog on these details, and it helped me understand them quickly.

Apart from the options listed below, there will be a few additional commands if you are using a custom ISO.

Additional commands are available with the custom ISO used on HPE hardware

Below is the list of components that have enhancements and new commands; there are 62 in total

ESXCLI Component   Number of New Commands
Device             3
Hardware           6
iSCSI              1
Network            14
NVMe               14
RDMA               2
Storage            9
System             6
vSAN               7

esxcli device

Commands to manage devices; the available options create, list and delete software devices and drivers.

esxcli hardware cpu cpuid raw
In previous versions only a subset of CPUID fields was available. The new raw command displays all CPUID fields for a given CPU.

esxcli hardware ipmi bmc
Allows configuration of IPMI Baseboard Management Controller (BMC) properties. OS name and OS version can be configured.

  • esxcli hardware ipmi bmc get
  • esxcli hardware ipmi bmc set

esxcli hardware power policy
Provides information and configuration options for system power policies.

  • esxcli hardware power policy choices list
  • esxcli hardware power policy get
  • esxcli hardware power policy set

esxcli iscsi adapter target lun list

Displays iSCSI LUN information (channel, target and LUN numbers, and LUN size).

In this lab there are no iSCSI LUNs, so the list is empty.

esxcli network ens
A set of new commands to configure ENS (Enhanced Networking Stack) logical core (lcore) affinity.

  • esxcli network ens lcore add
  • esxcli network ens lcore affinity get
  • esxcli network ens lcore affinity set
  • esxcli network ens lcore list
  • esxcli network ens lcore remove
  • esxcli network ens lcore switch add
  • esxcli network ens lcore switch get
  • esxcli network ens lcore switch remove
  • esxcli network ens maxLcores get
  • esxcli network ens maxLcores

esxcli network nic queue loadbalancer

This command displays details of the installed and loaded NetQueue load balancer plugins on physical NICs. Plugins can be enabled or disabled with the plugin set command. NetQueue is the ability of some network adapters to deliver traffic to the system in multiple receive queues that can be processed separately.

  • esxcli network nic queue loadbalancer plugin list
  • esxcli network nic queue loadbalancer plugin set
  • esxcli network nic queue loadbalancer state list
  • esxcli network nic queue loadbalancer state set

esxcli nvme device

New NVMe device namespace and feature configuration capabilities.

  • esxcli nvme device controller list
  • esxcli nvme device feature cap
  • esxcli nvme device feature apst get
  • esxcli nvme device feature hi get
  • esxcli nvme device feature hmb get
  • esxcli nvme device feature kat get
  • esxcli nvme device feature kat set
  • esxcli nvme device feature lba get
  • esxcli nvme device feature spm get
  • esxcli nvme device feature spm set
  • esxcli nvme device namespace attach
  • esxcli nvme device namespace create
  • esxcli nvme device namespace delete
  • esxcli nvme device namespace detach

esxcli rdma

These commands list all enabled RDMA protocols and delete iSER logical devices.

RDMA - Remote Direct Memory Access

iSER - iSCSI Extensions for RDMA

esxcli storage 

This namespace is used for all storage-related operations.

esxcli storage core device vaai

Lists the ATS, clone, delete and zero VAAI primitive support for each device.

  • esxcli storage core device vaai ats list
  • esxcli storage core device vaai clone list
  • esxcli storage core device vaai delete list
  • esxcli storage core device vaai zero list

esxcli storage hpp

Commands to display information about devices controlled by the hpp (VMware High Performance Plugin).

  • esxcli storage hpp device list
  • esxcli storage hpp device set
  • esxcli storage hpp device usermarkedssd list
  • esxcli storage hpp path list

esxcli system clock
Displays and configures clock phase correction settings. The default maximum positive or negative phase correction is 48 hours (172800 seconds).

  • esxcli system clock get
  • esxcli system clock set

esxcli system security fips140
Enables or disables FIPS 140 mode for rhttpproxy and SSH. vSphere 6.7 uses FIPS 140-2 validated cryptographic modules; in FIPS mode these services accept only approved ciphers and algorithms. The change takes effect once the service is restarted, and because non-approved SSH algorithms are dropped you should confirm your jump hosts and automation can still connect before enforcing it across all hosts.

  • esxcli system security fips140 rhttpproxy get
  • esxcli system security fips140 rhttpproxy set
  • esxcli system security fips140 ssh get
  • esxcli system security fips140 ssh set
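The get/set commands above can also be driven from PowerCLI through the esxcli V2 interface, which makes it easy to audit every host and enforce the setting consistently. The following is an added example, not code from the original post or from VMware; it assumes a Connect-VIServer session exists and that the result object's Enabled property mirrors the "Enabled" field of the CLI output (an assumption about the V2 object shape).

```powershell
# Added example (not from the original post): audit and set FIPS 140 mode for SSH and
# rhttpproxy on ESXi 6.7 hosts, the PowerCLI equivalent of
# "esxcli system security fips140 <ssh|rhttpproxy> get/set --enable".
# Assumptions: Connect-VIServer session exists; "Enabled" property name follows CLI output.

function Get-Fips140State {
    param([Parameter(Mandatory)][string]$VMHostName)
    $esxcli = Get-EsxCli -VMHost (Get-VMHost -Name $VMHostName) -V2
    [pscustomobject]@{
        Host           = $VMHostName
        SshFips        = [string]$esxcli.system.security.fips140.ssh.get.Invoke().Enabled
        RhttpproxyFips = [string]$esxcli.system.security.fips140.rhttpproxy.get.Invoke().Enabled
    }
}

function Set-Fips140Mode {
    param(
        [Parameter(Mandatory)][string]$VMHostName,
        [Parameter(Mandatory)][ValidateSet('ssh', 'rhttpproxy')][string]$Service,
        [bool]$Enable = $true
    )
    $esxcli  = Get-EsxCli -VMHost (Get-VMHost -Name $VMHostName) -V2
    $cmd     = $esxcli.system.security.fips140.$Service.set
    $cmdArgs = $cmd.CreateArgs()        # V2 argument object; "enable" is the --enable flag
    $cmdArgs.enable = $Enable
    $null = $cmd.Invoke($cmdArgs)
    # The new mode applies only after the SSH or rhttpproxy service restarts; sessions that
    # are already open keep their negotiated algorithms until then.
    Get-Fips140State -VMHostName $VMHostName
}

# Usage: report every host, then enable FIPS mode for SSH wherever it is still off.
# Get-VMHost | ForEach-Object { Get-Fips140State -VMHostName $_.Name } | Format-Table -AutoSize
# Get-VMHost | Where-Object { (Get-Fips140State -VMHostName $_.Name).SshFips -ne 'true' } |
#     ForEach-Object { Set-Fips140Mode -VMHostName $_.Name -Service ssh -Enable $true }
```

Run the audit first and keep its output: a host whose SshFips value flips back to false later is a configuration drift worth investigating, since it means someone re-enabled non-approved algorithms.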

esxcli vsan

This namespace performs vSAN-related operations.

esxcli vsan datastore
In addition to the image above, here are the datastore commands, used to create and configure vSAN datastores. Creating a datastore is only allowed if vSAN is enabled on the host, and the add should normally be done at cluster level, because a vSAN cluster spans hosts and the datastore configuration must stay consistent on every host.

  • esxcli vsan datastore add
  • esxcli vsan datastore clear
  • esxcli vsan datastore list
  • esxcli vsan datastore remove

esxcli vsan debug

There are new commands for debugging vSAN: they start and stop the vSAN Managed Object Browser (MOB) service and run a host evacuation precheck.

  • esxcli vsan debug evacuation precheck
  • esxcli vsan debug mob start
  • esxcli vsan debug mob

ESXi 6.7 CLI Reference

Reference Blog



VMware vCenter 6.7 Upgrade from Windows vCenter 6.5

VMware vSphere 6.7 has been announced by VMware recently and there are many enhancements and new features available with this release. In this post I am sharing details about upgrading a Windows-based vCenter Server 6.5 with embedded PSC to version 6.7.

Current vCenter Configuration

Operating System  - Windows 2012 R2

CPU and Cores     - 2 x 2

Memory            - 16 GB

vCenter Version   - vCenter Server 6.5 U1 with Embedded PSC

Database          - Embedded SQL Database

I am upgrading from vCenter Server 6.5 U1 to vCenter 6.7 without making any configuration changes. Also go through the checklist below before proceeding with the upgrade.

  • Backup of the vCenter Server and the database.
  • Temporarily stop any third-party software that could interfere with the installer, such as anti-virus scanners.
  • SSO administrator password.
  • If the vCenter Server services run under an account other than Local System, log in to the server with that account to run the upgrade.
  • That user must be a member of the local Administrators group, have the "Log on as a service" right and, if it is a domain user, the "Act as part of the operating system" right.
  • Proper NTP settings.
  • FQDN resolution (forward and reverse).
  • Review the vCenter 6.7 documentation.
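Several of these checklist items can be verified from the vCenter server itself before you touch the installer. The script below is an added example, not part of the original post; it assumes it is run in an elevated PowerShell on the Windows vCenter 6.5 server and that vCenter services are recognisable by a display name starting with "VMware" (an assumption). The backup and the SSO password are not something a script can verify for you, so they stay on the manual list.

```powershell
# Added example (not from the original post): automate the checklist items that can be
# verified locally: FQDN forward/reverse resolution, NTP source, service logon accounts
# and local admin rights. Assumptions: elevated PowerShell on the vCenter Windows server;
# vCenter services have a display name beginning with "VMware".

function Test-VCenterUpgradeReadiness {
    param([Parameter(Mandatory)][string]$Fqdn)
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
    }

    # 1. FQDN: forward lookup must succeed and a reverse lookup must give the same name back,
    #    otherwise certificate and PSC registration steps fail during the upgrade.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Fqdn) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' }
        $names = foreach ($a in $addrs) { [System.Net.Dns]::GetHostEntry($a).HostName }
        Add-Check 'FQDN forward/reverse resolution' `
                  ($addrs.Count -gt 0 -and $names -contains $Fqdn) `
                  "$Fqdn -> $($addrs -join ', ') -> $($names -join ', ')"
    } catch {
        Add-Check 'FQDN forward/reverse resolution' $false $_.Exception.Message
    }

    # 2. NTP: the Windows time service must sync from a real source, not the local CMOS clock.
    $status = (w32tm /query /status 2>&1) -join "`n"
    $source = [regex]::Match($status, '(?m)^Source:\s*(.+)$').Groups[1].Value.Trim()
    Add-Check 'NTP time source' ($source -ne '' -and $source -notmatch 'Local CMOS Clock') "Source: $source"

    # 3. Service accounts: any VMware service not running as LocalSystem must run as the
    #    account performing the upgrade, otherwise the installer has to be run as that account.
    $current  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $services = Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'VMware%'"
    $foreign  = $services | Where-Object { $_.StartName -ne 'LocalSystem' -and $_.StartName -ne $current }
    Add-Check 'vCenter service logon accounts' ($foreign.Count -eq 0) `
              ("Running as $current; other accounts in use: " +
               (($foreign.StartName | Sort-Object -Unique) -join ', '))

    # 4. Local admin: the installer must run elevated as a member of Administrators.
    $principal = New-Object System.Security.Principal.WindowsPrincipal(
                     [System.Security.Principal.WindowsIdentity]::GetCurrent())
    Add-Check 'Running as local Administrator (elevated)' `
              ($principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) $current

    return $checks
}

# Usage (hypothetical FQDN):
# Test-VCenterUpgradeReadiness -Fqdn 'vcenter.lab.local' | Format-Table -AutoSize
```

Any row with Passed = False maps directly to one of the checklist bullets above; fix it before starting the installer rather than discovering it at the pre-upgrade check stage, when the old vCenter has already been stopped.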

Download the VMware vCenter Server and Modules for Windows ISO from the VMware website and verify its checksum against the value published on the download page.

Mount the ISO, right-click autorun.exe and select Run as administrator. The VMware vCenter Installer will open. Ensure vCenter Server for Windows is selected and click Install.

The vCenter Server 6.7 Installer will open in a separate window, select vCenter Server Windows and click Next.

Enter the current vCenter Server 6.5 SSO credentials (you can use the same credentials for vCenter Server) and click Next.

Note: If the SSO administrator account has been removed from the vCenter Administrators group, you have to use the credentials of a vCenter administrator instead.

The installer will now run pre-upgrade checks and continue once they pass.

It lists the default ports required and configured; click Next to continue.

Select the type of data to migrate during the upgrade, click Next.

Select the installation directories. and Click Next

Note: You will need to remove the data export folder after verifying that the upgrade is successful, because it is not removed automatically after the installation; the default location is C:\ProgramData\VMware\vCenterServer\export. It holds the exported vCenter database and configuration, so do not leave it lying around on the server.

Tick or untick the VMware Customer Experience Improvement Program as appropriate and click Next.

Check the configuration on the review page, check the box to confirm that you have backed up the vCenter Server, and click on Upgrade to begin the installation .

A new window will come up with a progress bar. The upgrade is a 5-stage process and takes some minutes depending on the existing setup.

Different Steps of  vCenter Upgrades

  • Collect all required data
  • Export the the data to directory
  • Uninstall the Existing vCenter
  • Installing the new vCenter Components
  • Import the data

From version 6.7 onwards TLS 1.0 and TLS 1.1 are disabled by default and only TLS 1.2 is enabled. If a legacy client still needs an older version, you can re-enable it with the TLS Configurator utility (reconfigureVc) in the vCenter installation directory, as shown in the image below. Doing so weakens the server for every client, so treat it as a temporary exception and disable the old version again once the client is fixed.

Also, after the upgrade you have to reconfigure the DHCP settings for Auto Deploy.
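After the upgrade it is worth confirming from the outside which TLS versions the vCenter actually accepts, both to validate the new default and to catch a later re-enablement of the old versions. The probe below is an added example and not part of the original post; it assumes .NET Framework 4.5 or later (for the Tls12 value) and a hypothetical host name. It deliberately does not validate the server certificate, because it only tests protocol support, not trust.

```powershell
# Added example (not from the original post): probe which TLS versions a vCenter accepts
# on 443 by offering exactly one protocol version per handshake.
# Assumptions: .NET 4.5+, hypothetical host name. Certificate trust is intentionally
# not checked here; this is a protocol probe, not certificate validation.

function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        # Offer only the requested version; the handshake throws if the server rejects it.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $result = [pscustomobject]@{
            Host       = $HostName
            Requested  = $Protocol
            Accepted   = $true
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Error      = $null
        }
        $ssl.Close()
        return $result
    } catch {
        return [pscustomobject]@{
            Host       = $HostName
            Requested  = $Protocol
            Accepted   = $false
            Negotiated = $null
            Cipher     = $null
            Error      = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Close()
    }
}

# Usage (hypothetical host): on a default 6.7 install only the Tls12 row should show Accepted = True.
# foreach ($p in 'Tls', 'Tls11', 'Tls12') { Test-TlsVersion -HostName 'vcenter.lab.local' -Protocol $p }
```

Run the same loop against the ESXi hosts after they are upgraded too; a host or vCenter where Tls or Tls11 comes back Accepted = True has had the old versions re-enabled with the TLS Configurator utility and should be reviewed.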

After Completing the installation you can Click on Launch vSphere Web Client to open vCenter on default Web browser

Click Finish to Exit the Installer .

You can also connect to the vCenter using its IP or FQDN and start using the new vCenter 6.7 by clicking either the vSphere Web Client (Flex) or the vSphere Client (HTML5).

As discussed in earlier posts, the new HTML5 client has most of the features available; start using the vCenter and explore the new features.

Note that if you have Update Manager installed and configured, you have to upgrade it to version 6.7 as well.
