Automate workaround for ESX Admins group

In a recent security advisory (VMSA-2024-0013), there is a workaround listed for hosts older than ESXi 8.0u3 (https://knowledge.broadcom.com/external/article/369707). This knowledge base article lists a few advanced settings and an esxcli command which can be run to apply this workaround. Setting advanced settings and invoking esxcli are two things that PowerCLI does very well. The following code sample highlights those commands and helps automate the process listed in the knowledge base article.

$vmhosts = Get-Cluster h243-cluster | Get-VMHost
foreach ($vmHost in $vmhosts) {
  Write-Host "Processing host $($vmHost.Name)"
  # Get each advanced setting; if it is not at the desired value, set it to the desired value.
  $vmHost | Get-AdvancedSetting Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd | ?{$_.Value -ne $false} | Set-AdvancedSetting -Value $false -Confirm:$false
  $vmHost | Get-AdvancedSetting Config.HostAgent.plugins.vimsvc.authValidateInterval | ?{$_.Value -ne 90} | Set-AdvancedSetting -Value 90 -Confirm:$false
  $vmHost | Get-AdvancedSetting Config.HostAgent.plugins.hostsvc.esxAdminsGroup | ?{$_.Value -ne ''} | Set-AdvancedSetting -Value '' -Confirm:$false

  # Find and remove the default admin group if present: a group principal ending in "\esx^admins"
  # (the '^' in the pattern is where the space in "ESX Admins" falls in esxcli's principal output)
  # that holds the Admin role. -match is case-insensitive by default.
  $esxcli = $vmHost | Get-EsxCli -V2
  $esxcli.system.permission.list.Invoke() | ?{$_.IsGroup -eq $true -AND $_.Principal -match ([regex]::Escape('\esx^admins') + '$') -AND $_.Role -eq 'Admin' } | %{
    Write-Host "Found group $($_.Principal) and will attempt to remove."
    $removeGroup = $esxcli.system.permission.unset.CreateArgs()
    $removeGroup.id = $_.Principal
    $removeGroup.group = $_.IsGroup
    $esxcli.system.permission.unset.Invoke($removeGroup)
  }

  # List current system permissions for reference
  $esxcli.system.permission.list.Invoke()
} # end vmhosts loop
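As an added example that is not part of the original post, here is a read-only check that reports, per host in a cluster, whether the three advanced settings already match the values from the knowledge base article and whether the default group still holds the Admin role. It changes nothing, so it can be run before the script above to scope the work and afterwards to confirm the result; the function name and the output fields are my own choices.

```powershell
function Get-EsxAdminsWorkaroundStatus {
    param([Parameter(Mandatory)][string]$ClusterName)

    # Desired values from the workaround in KB 369707 (assumed to match the script above).
    $desired = [ordered]@{
        'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd' = $false
        'Config.HostAgent.plugins.vimsvc.authValidateInterval'   = 90
        'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'        = ''
    }
    $groupPattern = [regex]::Escape('\esx^admins') + '$'

    foreach ($vmHost in (Get-Cluster $ClusterName | Get-VMHost)) {
        # Pull all three settings in one call and record any that differ from the desired value.
        $settings = $vmHost | Get-AdvancedSetting -Name ([string[]]$desired.Keys)
        $drift = @()
        foreach ($name in $desired.Keys) {
            $setting = $settings | Where-Object { $_.Name -eq $name }
            if ($null -eq $setting) {
                $drift += "$name=<missing>"
            } elseif ("$($setting.Value)" -ne "$($desired[$name])") {
                $drift += "$name=$($setting.Value)"
            }
        }

        # Check whether a group principal matching the default name still has the Admin role.
        $esxcli = $vmHost | Get-EsxCli -V2
        $adminGroups = @($esxcli.system.permission.list.Invoke() | Where-Object {
            $_.IsGroup -eq $true -and $_.Role -eq 'Admin' -and $_.Principal -match $groupPattern
        })

        [pscustomobject]@{
            Host                 = $vmHost.Name
            Version              = $vmHost.Version
            SettingsDrift        = ($drift -join '; ')
            EsxAdminsGroupIsAdmin = ($adminGroups.Count -gt 0)
            Compliant            = ($drift.Count -eq 0 -and $adminGroups.Count -eq 0)
        }
    }
}

# Example usage against the cluster named in the post:
Get-EsxAdminsWorkaroundStatus -ClusterName h243-cluster | Format-Table -AutoSize
```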

For more detail on these PowerCLI cmdlets, check out the documentation links below:
Get-AdvancedSetting
Set-AdvancedSetting
Get-EsxCli

This entry was posted in Scripting, Virtualization.