I’m trying to create a script to disable the ESXi shell. As I’m obliged to collect the configuration before changing anything, I wrote the script like this:
# Collect configuration
Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM" } | Select VMHost, Key, Label, Policy | Out-String | ForEach-Object { $_.Trim() } > ".ESXiShell.txt"
# Verification
$CheckESXi_Shell_Disabled = (gc .HardeningESXi-LogsESXi_Shell_Disabled-Config.txt | ft Value | findstr /v " _$Null Value —– _$Null") | where-object {$_ -notlike '*off*'} | foreach{$_.split(".")[0]}
function ESXiDisabled {
    if ($CheckESXiDisabled -eq "off") {
        Write-Log -Level Success -Message "All Hosts have ESXi shell disabled" -FilePath $LogFile
    }
    else {
        Write-Host -f red "Host(s) with ESXi Shell not set as required "
        Write-Log -Level Success -Message "Fixing host(s)" -FilePath $LogFile
        $CheckESXiDisabled | ForEach-Object {Get-VMHost | Get-VMHostService | Where { $_.key -eq "TSM"} | Set-VMHostService -Policy Off
        }
    }
}
ESXiDisabled
Unfortunately the script is not working as expected. If I change the policy from the GUI, I expect the script to detect that and make the change, and if the policy is set to Off the script should say so and do nothing.
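
One way to do the collect, check and fix sequence described in the post above, added here as an example that is not part of the original post. It assumes VMware PowerCLI is loaded and Connect-VIServer has already been run; `$ReportPath` is a hypothetical output file, Write-Host stands in for the post's Write-Log function (not shown on the page), and stopping a running shell goes beyond the policy change the post asks for.

```powershell
# Added example: compare the live Policy property instead of re-parsing a text file.
# Assumption: an active Connect-VIServer session. $ReportPath is a hypothetical location.
$ReportPath = Join-Path $PWD 'ESXiShell-before.csv'

# 1. Query the live state once. 'TSM' is the ESXi Shell service key used in the post.
$shellServices = @(Get-VMHost | Get-VMHostService | Where-Object { $_.Key -eq 'TSM' })

# 2. Record the configuration before changing anything.
$shellServices |
    Select-Object @{ Name = 'VMHost'; Expression = { $_.VMHost.Name } }, Key, Label, Policy, Running |
    Export-Csv -Path $ReportPath -NoTypeInformation

# 3. A host is non-compliant if the startup policy is not 'off' or the shell is running.
#    The same variable is used for the check and for the fix.
$nonCompliant = @($shellServices | Where-Object { "$($_.Policy)" -ne 'off' -or $_.Running })

if ($nonCompliant.Count -eq 0) {
    Write-Host -ForegroundColor Green 'All hosts have the ESXi Shell disabled; nothing changed.'
}
else {
    foreach ($svc in $nonCompliant) {
        Write-Host -ForegroundColor Red "Fixing $($svc.VMHost.Name): policy=$($svc.Policy), running=$($svc.Running)"
        # Change only the services that failed the check, not every host.
        if ("$($svc.Policy)" -ne 'off') {
            Set-VMHostService -HostService $svc -Policy Off -Confirm:$false | Out-Null
        }
        if ($svc.Running) {
            Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
        }
    }
}
```

Because the check runs against the objects returned by Get-VMHostService on each run, a policy changed in the GUI shows up on the next run.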