Validating compliance of VMSA-2018-0004 (Spectre) on ESXi and VM

This is an update to  Validating Compliance of VMSA-2018-0002 and BIOS update.

VMware recently published VMSA-2018-004, which details Hypervisor-Assisted Guest Mitigation fixes as well as knowledge base (KB) article 52085 with instructions to verify the updated microcode for a Virtual Machine.

Version 2.4.0 of vDocumentation now includes enhancements to the Get-ESXSpeculativeExecution script cmdlet that will:

• Validate if an ESXi is patched and compliant to VMSA-2018-0004
• Validate if an ESXi is seeing the updated CPUID Microcode

If –ReportOnVMs switch is specified then this will also report on VM compliance.

This new version also includes a new script cmdlet: Get-VMSpeculativeExecution. This cmdlet accepts $VM object and is very useful for checking VM compliance. Make sure to run “get-help Get-VMSpeculativeExecution –full” to see all the help content.

Examples of Get-ESXSpeculativeExecution

If we run “Get-ESXSpeculativeExecution -esxi labesx001.local”, this is the output:

If we run “Get-ESXSpeculativeExecution –ReportOnVMs –exportexcel”, we will generate an Excel sheet with 3 TABs: Patch_Compliance, BIOS_Compliance, and VM_Compliance

Examples of Get-VMSpeculativeExecution

If we run “Get-VM “testvm39” | Get-VMSpeculativeExecution”, this is the output:

Other Examples

“Get-VM |   Get-VMSpeculativeExecution” Will check compliance on ALL VMs

“Get-Host “Labhost13.local” | Get-VMSpeculativeExecution” Will check compliance for all VMs running on host Labhost13.local

“Get-VM -Location “Dev_Cluster” | Get-VMSpeculativeExecution” Will check compliance for all VMs running on Dev_Cluster

Get-VMHost “Labhost13.local” | Get-VM | Get-VMSpeculativeExecution | Export-Excel “VMValidation.xlsx” -WorkSheetname “VMresults” Will check compliance for all VMs running on host Labhost13.local, which will exported to “VMValidation.xlsx” Excel file.