Using Orchestrator to automatically upgrade Tools

One of the main challenges in every (non-small) place I’ve worked is keeping VMware Tools updated, and with Change Management processes this becomes a little bit more complicated. There is a setting on each VM to upgrade Tools when the VM is booted and this is a good way to keep Tools updated on those VMs that aren’t mission critical and require manual intervention.

In this post we’ll look at creating an action and a workflow to configure this setting, and pushing it as a context setting in the Flex Web Client.

This leads to the issue of how this setting is enabled – firstly as part of the initial push (you don’t want to enable this manually for 100’s (or more) VMs) and with newly created VMs. Although this can be set on a VM template or “Gold Build” (or equivalent terminology), this can still lead to human error so we’ll also look creating a workflow to set this for a cluster and scheduling this using the Flex Web Client.

The monitor_control.restrict_backdoor setting

The monitor_control.restrict_backdoor advanced setting is a strange one that I’ve encountered recently. It was set on a VM that had been (allegedly) security hardened, and researching this setting in a search engine indicated that this was to prevent the backdoor port from being accessed from anything other than ring 0 (source: Most of the search results utilise this to hide a guest OS from knowing it is a VM – thus allowing a nested ESXi configuration.

According to the source above, VMware Tools runs on ring 3, so this has the side effect of preventing not only VMware Tools from being installed, but also from running. This is how I came to find out about this setting 😉

vSphere REST API and C++ (Part 1)

One of the new features in vSphere 6.5 is the vSphere REST API. I’ve used the Web Services SDK before and it has never appeared as elegant as other automation APIs I’ve worked with, so the introduction of this held a lot of promise.

I rarely see examples for REST services in C++ and as it’s my chosen language and I’ve occasionally used “cpprestsdk” (previously known as Casablanca) I wondered if I could put something together. This is the first article in a series playing around with what is possible.

Setting VM SDRS automation levels

I learnt recently that when you Storage vMotion a VM within a datastore cluster and you check the box to select which datastore you explicitly want the VM to be migrated to, it sets the SDRS automation level for the VM to disabled.

Finding out which VMs have an automation level of disabled can be achieved with the following line:

Get-DatastoreCluster | % { $_.ExtensionData.PodStorageDrsEntry.StorageDrsConfig.VmConfig } | ? { $_.Enabled -eq $False } | % { Get-View $_.VM | select Name }

Since I like to have VMs set to the cluster default we need a bit of PowerCLI to change the VMs back. The following code will look at all the datastore clusters on the vCenter, and all the VMs with a disabled automation level therein.

Credit goes to LucD whose posts in the VMware Communities forum formed the base of this script. The threads are here and here.

This script is designed to be used with PowerCLI 6, as per the “Import-Module” statements at the top. For previous versions of PowerCLI the lines should be replaced with adding the appropriate snapin.

param([Parameter(Mandatory=$true)][String] $VIServer)

Import-Module VMware.VimAutomation.Core;
Import-Module VMware.VimAutomation.Storage;

Connect-VIServer $VIServer

$storMgr = Get-View StorageResourceManager;

Get-DatastoreCluster |
	% { $vms = $_.ExtensionData.PodStorageDrsEntry.StorageDrsConfig.VmConfig;
		$spec = New-Object VMware.Vim.StorageDrsConfigSpec;
		$vms | ? { $_.Enabled -eq $False } | % {
			$entry = New-Object VMware.Vim.StorageDrsVmConfigSpec;
			$entry.Operation = "edit";
			$entry.Info = $_;
			$entry.Info.Enabled = $true;
			$spec.vmConfigSpec += $entry;
		$storMgr.ConfigureStorageDrsForPod($_.ExtensionData.MoRef, $spec, $true);
Disconnect-VIServer -Confirm:$False

If needed, this script can easily be expanded to check for Tags or Custom Attributes assigned to the VM, and only to change the automation level given the presence or absence of a tag or the value of a custom attribute.

Viewing VM CPU Masks via PowerCLI

  • This post was updated on 9th May 2017 to fix an error condition in the script.

Support for Windows Server 2012 was announced starting with ESXi 5.0 Update 2, but there was a little known flaw in this support – in that without a CPU mask, a VM could blue screen at any time. The support article KB2060019 was released which explained everything and the issue was fixed for Update 3.

It might be useful to try and track down which 2012 VM’s (it can be adjusted for Windows 8) had their CPU masked during this time, in order to remove. The following PowerCLI reports on all Windows 2012 (and R2) VM’s and displays any CPU masking they might have. You’ll then have to manually check the results and look for a 0 in the 5th most significant bit on the edx register, but I’m sure this could be automated further.

get-vm | ? { $_.ExtensionData.Config.GuestFullName -like "*2012*" -And $_.ExtensionData.Config.cpuFeatureMask -ne $null } | select Name, @{N="CPU";E={$_.ExtensionData.Config.cpuFeatureMask}} | select -Property Name -ExpandProperty CPU | Sort Name | fl


Installing ESXi 6 onto USB via Workstation 9

This is going to one of those blog posts that is mostly pictures 😉 When installing ESXi 6 I decided to install onto (and therefore boot from) USB instead of installing and booting from local disk. This would allow my SSDs to be used for playing with Flash Cache. I had Workstation 9 available to me, so tried to use it (spoiler alert: it worked).

To begin, create a new Virtual Machine with the latest compatibility level.


Select to install VMware ESXi 5.


It needs to have a minimum of 2 processors.


As per ESXi 5.5 it requires 4 GB of RAM.


Workstation 9 forces you to configure a drive. Add a small drive and delete afterwards.


Follow the wizard through to the end to create the VM. Then edit the settings and delete the hard disk. I don’t know if it is important, but I made sure the VM had the same number of ethernet adapters as the target host.

We can now boot the VM and go through the standard installation procedure. Select the USB drive to install from, though make sure it is larger than 910 MB:


If we are installing to another usb drive (for another host) after this one completes we need to change the MAC address of the VM’s network adapter, or we will create another installation with the same MAC address for the management adapter. Which will make one host unusable. Go to the Virtual Machine settings, select the Network Adapter and then press the Advanced button.


Press the Generate button to create a new MAC address.


We’re now set to install ESXi again 😉

vSphere Web Client and SSH Warnings

I started using the vSphere C# client back when the product was called Virtual Infrastructure 3, and despite its many flaws it has become second nature to me. I’ve used the Web Client in 5.0 and 5.5 but never really gotten into it (for many reasons, speed being the main one).

I typically use Host Profiles to configure new hosts through the C# client, so have never been through the process manually with the Web Client before. Starting with 6.0 I decided to try that and found a pleasant surprise to the usual yellow warnings I had seen previously.

I always enable SSH as when there are problems I like to be able to see esxtop and get information first hand from hosts, and I typically enable SSH via the DCUI after configuring the management network settings. Following this I’d join the host to the cluster and apply the appropriate host profile (containing the advanced setting “UserVars.SuppressShellWarning”), so the warning that SSH is enabled is purely transitory.

When I join the host to the cluster in the Web Client, I see the warning icon against the host and select the host to see what it is:


The “Suppress Warning” link caught my eye, and when clicking on it I got this message:


After that the warning disappeared ! Looking in the Advanced Settings we can see that this sets the value for the “UserVars.SuppressShellWarning” setting to 1.


I know that this quality of life improvement was also present in the 5.5 version of the Web Client (and maybe before) but it’s a nice little touch for those small deployments where you can clear the alerts on your host with a couple of clicks instead of having to lookup the setting. Especially when you’re not licensed for host profiles !

Unmounted NFS datastore after ESXi boots

In my home lab I recently found a problem where an NFS share I had mounted on my ESXi 5.5 device was unmounted after it had been turned on/restarted. My home lab is not that unusual, I have a N54L HP Microserver for shared storage – where I am using ZFS to carve up my 4x1TB disks – and a couple of Intel NUC’s for compute. All of this is joined together by a Cisco SG300-10 gigabit switch/router. I’ve been putting together some articles for this blog about a home lab and was curious as to the performance difference between running Windows Server 2012 Standard and CentOS 6.5 with ZFS for the shared storage. So I’ve been adding and deleting a lot of NFS and ISCSI datastores on my ESXi hosts. But since moving to CentOS to try out ZFS I’ve had a problem where one of my two compute devices will refuse to mount any shared VM exports. It will mount my ISO repository (which has slightly different permissions to allow anonymous SMB access), but nothing else. My other ESXi unit will mount everything.

Listing Virtual Machines and Portgroups

vSphere 5.0 – If you need a list of Virtual Machines and the portgroups they are attached to:

Get-VM -Location "somewhere" | ft Name, @{Expression={$_.NetworkAdapters.NetworkName};Label="Network Name"}

If you need to export this to a CSV:

Get-VM -Location "somewhere" | select-object Name, @{Expression={$_.NetworkAdapters.NetworkName};Label="Network Name"} | export-csv "vm-networks.csv"