My good friend Mike Foley @MikeFoley reached out to me yesterday with a question on how to set the Lockdown Mode in vSphere 6 via the vSphere API. In the switch to vSphere 6, some of the API calls were updated and Lockdown mode was one of them. I told him it would be a piece of cake and to shoot me a WebEx. Well, unfortunately it took me a bit longer than I had anticipated, but we got it all figured out and good to go.
I decided that instead of putting others through what can sometimes be a painful process working with our APIs, I decided I’d write a function that would take care of it for you.
Tell me more…
The function can be called by typing Set-LockdownLevel. There are only two required parameters but I’ve added in several more to make things that much better.
if you run the: Get-Help Set-LockdownLevel -Detailed command you’ll see this in the Syntax section:
Set-LockdownLevel [-VMhost] [-filePath ] [-Disabled]
Set-LockdownLevel [-VMhost] [-filePath ] [-Normal]
Set-LockdownLevel [-VMhost] [-filePath ] [-Strict]
Set-LockdownLevel requires that you specify a host (obviously) but it can also accept Pipeline data so if you wanted to do a mass Lockdown mode change, you can pipe all of the hosts to this cmdlet.
The cmdlet also requires one of the following parameters: -Disabled, -Normal, -Strict; which are the three different levels of security in Lockdown Mode. The cmdlet will return an error if you choose more than one of these parameters.
The other two parameters are purely optional, however I think they are quite useful. If you include the -Filepath parameter along with a destination path (-Filepath c:\Temp\Lockdowndata.csv) the cmdlet will create a CSV with timestamps of which hosts were updated, the original lockdown mode level, and the new level. This is great for historical/Auditing purposes (you are welcome Mike Foley 😉 )
If you change the Lockdown mode to either Normal or Strict, a messagebox will pop up and warn you that you could be locking yourself out of your hosts if you are not careful. This is a great default feature, however, especially if you are doing bulk changes, you will not want to be accepting a messagebox for every change you make. To avoid the messagebox, add the -SuppressWarning parameter, which will bypass the warning (be sure you know what you are doing).
Let’s see this in action…
Here is the detailed information when looking at the help
Set-LockdownLevel 10.144.99.232 -Normal
As you can see, the Caution messagebox has popped up (You can suppress it with -SuppressWarning)
Below you will see that I have run the command several different times. The first with only the required parameters, the second time suppressing warnings, and the third time exporting the audit information to CSV.
Opening up the CSV you can see the information for the host I changed. The cmdlet will append the target CSV file so I can continue to use this one for all further Lockdown mode changes, or if I pipe a whole list of hosts to this cmdlet they will all append down below.
Hopefully this will come in handy for many of you as you work towards securing your environments.
You can find this script in my Scripts repo on Github HERE. Enjoy!