PowerCLI: Find UEFI-Enabled VMs

A script to detect UEFI-enabled virtual machines in VMware vCenter.


With all the news regarding the Spectre and Meltdown CPU vulnerabilities over the past several months, there’s been a greater focus on getting VMware virtual machines to virtual hardware version 9 or higher, as noted in Andrea Mauro’s post regarding these vulnerabilities. In addition to that, several companies and organizations may be looking to enable Secure Boot, a feature first introduced with vSphere 6.5. However, in order to enable Secure Boot, the virtual machine needs to be configured with EFI boot firmware AND be on virtual hardware version 13 or higher.

So how do we look through our environment to detect all these EFI-enabled VMs? I put this script together to scan a vCenter datacenter object for all VMs that have EFI boot firmware set. The script is below, but the latest version will be available on GitHub.

I was also recently introduced to a PowerShell utility called Out-GridView. In earlier scripts, I would ask the user to input either the datacenter name or cluster name they wanted to scan. With this Out-GridView utility, it will bring up a new dialog box where the script will list all datacenters or clusters found by the script. The user can then select or highlight their choice, click OK, and the script will continue. This has definitely helped reduce the number of misspelled names in recent weeks, so I hope to incorporate this into other previous scripts.

I’ve also added some validation for the CSV output. I’ve learned that exporting the results to a CSV is fine, however it does no good to export an empty CSV if nothing was found. Therefore I’ve included some logic to say, “Hey, if the report is empty or nothing was found, tell the user” and then exit without presenting the option to export to CSV (Y/N).

############################################################
# Script: find-uefi-vms-in-a-datacenter.ps1
# Author: Doug DeFrank
# Date: 2018-06-30
#
# Purpose: Find UEFI-enabled VMs in a specific VMware datacenter
############################################################

Write-Host `n "This script will find all UEFI-enabled VMs in a specific VMware datacenter." `n

### Define the date in the yyyyMMdd format
$date = Get-Date -Format "yyyyMMdd"

### Prompt user for vCenter Server name, and connect to it
$vCenterServer = Read-Host -Prompt 'Enter the FQDN of the vCenter Server you want to connect to. (vcenter.domain.com)'
Connect-VIServer -Server $vCenterServer -WarningAction SilentlyContinue | Out-Null

### Choose a datacenter name
$DatacenterName = Get-Datacenter | Out-GridView -PassThru -Title "Select a Datacenter"

### Get all VMs in the chosen datacenter
$vms = $DatacenterName | Get-VM | Sort-Object

### Set the loop variable to 1
$loop = 1

$report = foreach ($vm in $vms) {
    ### Display a progress bar during VM checks
    Write-Progress -Activity "Scanning for UEFI-enabled VMs..." -Status "Checking $vm" -PercentComplete ($loop/$vms.count * 100)

    ### If the VM boot firmware is set to EFI, add it to the report
    if ($vm.ExtensionData.Config.Firmware -eq "efi") {
        $vm | Select-Object Name,@{N='Firmware';E={$_.ExtensionData.Config.Firmware}}
    }
    $loop++
}

### Check to see if the report is empty
if (!$report) {
    Write-Host -ForegroundColor Red `n "No UEFI-enabled VMs found."
}

### If UEFI VMs are found, ask the user if they want to export the results to a CSV file
else {
    Do {
        Write-Host `n "Do you want to export the results to a CSV file?"
        Write-Host "1.) Yes"
        Write-Host "2.) No"
        $csvexportyn = Read-Host
        Switch ($csvexportyn) {

            ### If user chooses 1.) Yes, export to a CSV file in the same location as the script itself
            1 {
                Write-Host `n "Generating CSV > .\$DatacenterName-EFI-VM-Report-$date.csv"
                $report | Export-CSV -Path ".\$DatacenterName-EFI-VM-Report-$date.csv" -NoTypeInformation
                $yn = $true
            }

            ### If user chooses 2.) No, display a separate window with the scan results, and exit the script
            2 {
                $report | Out-GridView
                $yn = $true
            }

            ### Validate the user input. If it's not a 1 or a 2, repeat the question
            default {
                Write-Host -ForegroundColor Red ">>> Invalid input. Please enter a [1] for Yes or a [2] for No."
                $yn = $false
            }
        }
    }

    ### Loop through the "Export CSV" question until a valid choice is made
    Until ($yn)
}

### Disconnect from the vCenter Server
Write-Host `n "Script Complete. Disconnecting from vCenter Server $vCenterServer."
Disconnect-VIServer -Server $vCenterServer -Confirm:$false | Out-Null
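
The script above reports boot firmware only, while the introduction notes that Secure Boot also needs virtual hardware version 13 or higher. The following added example (not part of the original script) checks both conditions plus the current Secure Boot flag. `Get-SecureBootReadiness` and `New-SampleVM` are hypothetical names, and the sample VMs are constructed so the block runs without a vCenter connection.

```powershell
function Get-SecureBootReadiness {
    param([Parameter(Mandatory, ValueFromPipeline)] [object]$VM)
    process {
        $config = $VM.ExtensionData.Config

        # Config.Version is a string such as "vmx-13"; unparsed values stay 0
        $hwVersion = 0
        if ($config.Version -match '^vmx-(\d+)$') { $hwVersion = [int]$Matches[1] }

        $isEfi      = $config.Firmware -eq 'efi'
        $secureBoot = [bool]$config.BootOptions.EfiSecureBootEnabled

        # Secure Boot needs EFI firmware AND virtual hardware version 13 or higher
        if ($secureBoot) {
            $status = 'Secure Boot enabled'
        } elseif ($isEfi -and $hwVersion -ge 13) {
            $status = 'Eligible, not enabled'
        } elseif ($isEfi) {
            $status = 'EFI, hardware version below 13'
        } else {
            $status = 'Not EFI'
        }

        [pscustomobject]@{
            Name            = $VM.Name
            Firmware        = $config.Firmware
            HardwareVersion = $hwVersion
            Status          = $status
        }
    }
}

# Constructed stand-in for a PowerCLI VM object (hypothetical helper, sample data only)
function New-SampleVM ($Name, $Firmware, $Version, $SecureBoot) {
    $boot   = [pscustomobject]@{ EfiSecureBootEnabled = $SecureBoot }
    $config = [pscustomobject]@{ Firmware = $Firmware; Version = $Version; BootOptions = $boot }
    [pscustomobject]@{ Name = $Name; ExtensionData = [pscustomobject]@{ Config = $config } }
}

$sample = @(
    New-SampleVM 'app01' 'efi'  'vmx-13' $true
    New-SampleVM 'app02' 'efi'  'vmx-14' $false
    New-SampleVM 'db01'  'efi'  'vmx-11' $false
    New-SampleVM 'web01' 'bios' 'vmx-13' $false
)
$sample | Get-SecureBootReadiness | Format-Table -AutoSize

# Against a live connection, pipe real VMs instead:
#   Get-Datacenter | Out-GridView -PassThru | Get-VM | Get-SecureBootReadiness
```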

As always, thanks for stopping by! If you’ve found this post useful or helpful, let me know in the comments.
