Ensure the ESXi shell is disabled


I’m trying to create a script to disable the ESXi shell. As I’m obliged to capture the configuration before changing anything, I made the script like this:


# Collect configuration

Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM" } | Select VMHost, Key, Label, Policy | Out-String | ForEach-Object { $_.Trim() } > ".ESXiShell.txt"

# Verification

$CheckESXi_Shell_Disabled = (gc .HardeningESXi-LogsESXi_Shell_Disabled-Config.txt | ft Value | findstr /v " _$Null Value ----- _$Null") | where-object {$_ -notlike '*off*'} | foreach{$_.split(".")[0]}

function ESXiDisabled {
    if ($CheckESXiDisabled -eq "off") {
        Write-Log -Level Success -Message "All Hosts have ESXi shell disabled" -FilePath $LogFile
    }
    else {
        Write-Host -f red "Host(s) with ESXi Shell not set as required "
        Write-Log -Level Success -Message "Fixing host(s)" -FilePath $LogFile
        $CheckESXiDisabled | ForEach-Object {Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM"} | Set-VMHostService -Policy Off}
    }
}

Unfortunately the script is not working as expected. If I change the policy from the GUI, I expect the script to detect that and make the change, and if the policy is set to OFF, the script should say so and do nothing.
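
An added example, not part of the original post: one way to do the audit-then-fix flow described above with VMware PowerCLI, comparing the live service objects instead of parsing a text report. It goes slightly beyond the post by also treating a running shell as drift; the function names, report path and sample host names are assumptions, and the live function needs an active Connect-VIServer session.

```powershell
# Added example: audit the ESXi Shell (TSM) service, save the pre-change state,
# and remediate only the hosts that drifted. Function names and the report
# path are hypothetical; the PowerCLI cmdlets themselves are real.

function Get-EsxiShellDrift {
    # Emits TSM service objects whose startup policy is not 'off' or that are running.
    param([Parameter(ValueFromPipeline)] $Service)
    process {
        if ($Service.Key -eq 'TSM' -and ($Service.Policy -ne 'off' -or $Service.Running)) {
            $Service
        }
    }
}

function Repair-EsxiShell {
    # Live use only: requires VMware PowerCLI and a Connect-VIServer session.
    param([string] $ReportPath = '.\ESXiShell-before.csv')   # hypothetical path
    $services = Get-VMHost | Get-VMHostService | Where-Object { $_.Key -eq 'TSM' }
    # Record the configuration before changing anything.
    $services | Select-Object VMHost, Key, Label, Policy, Running |
        Export-Csv -Path $ReportPath -NoTypeInformation
    $drift = @($services | Get-EsxiShellDrift)
    if ($drift.Count -eq 0) {
        Write-Host 'All hosts have ESXi Shell disabled; nothing changed.'
        return
    }
    foreach ($svc in $drift) {
        Write-Host "Fixing $($svc.VMHost): policy=$($svc.Policy) running=$($svc.Running)"
        Set-VMHostService -HostService $svc -Policy Off -Confirm:$false | Out-Null
        if ($svc.Running) { Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null }
    }
}

# Constructed sample objects so the comparison logic can be checked offline.
$sample = @(
    [pscustomobject]@{ VMHost = 'esx01.example.test'; Key = 'TSM';     Policy = 'off'; Running = $false }
    [pscustomobject]@{ VMHost = 'esx02.example.test'; Key = 'TSM';     Policy = 'on';  Running = $true  }
    [pscustomobject]@{ VMHost = 'esx03.example.test'; Key = 'TSM';     Policy = 'off'; Running = $true  }
    [pscustomobject]@{ VMHost = 'esx01.example.test'; Key = 'TSM-SSH'; Policy = 'on';  Running = $true  }
)
$sample | Get-EsxiShellDrift | Format-Table VMHost, Policy, Running
```

Because `Repair-EsxiShell` queries the hosts on every run, a policy changed in the GUI shows up as drift on the next run, and hosts already set to off are left untouched.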
