https://kb.vmware.com/s/article/68024 gives detailed steps for validating that an ESXi host has both the CPU microcode and the hypervisor patches applied. The step for confirming this is to examine the vmware.log file of a VM and look for the CPUID capability entry; based on the latest version of the KB, the entry is:
Capability Found: cpuid.MDCLEAR
This, however, only confirms that the hypervisor has the new microcode that includes the CPUID mask (CPU feature) used to mitigate the Microarchitectural Data Sampling (MDS) vulnerabilities. There is no easy way, by looking at vmware.log alone, to confirm whether the CPU feature has actually been exposed to the VM hardware; what some folks do is search vmware.log for the MDCLEAR entry under “Featurecompat: Requirements:”.

There is an easier way of confirming this, and any future CPUID mask. We can validate both the hypervisor and the VMs using PowerCLI; it doesn’t have to be a script, a single line is enough:
Validating Hypervisor
The line below lists all the CPUID masks enabled by the current CPU microcode on a specific ESXi host. If cpuid.MDCLEAR appears in the output, the ESXi host is patched and compliant.
(Get-VMHost -Name "hostname").ExtensionData.Config.FeatureCapability |
Where-Object value -eq 1 | Select-Object -ExpandProperty FeatureName

If you want to validate a cluster and list all ESXi hosts that are MDS compliant (have the MDCLEAR CPU feature present):
Get-Cluster "clustername" | Get-VMHost |
Where-Object { $_.ExtensionData.Config.FeatureCapability | Where-Object { $_.FeatureName -eq "cpuid.MDCLEAR" -and $_.Value -eq 1 } }

Validating VMs
The line below lists all the CPUID masks available to the VM hardware:
(Get-VM -Name "VMname").ExtensionData.Runtime.FeatureRequirement | Select-Object -ExpandProperty FeatureName

If you want to validate a cluster and list all VMs that are MDS compliant (have the MDCLEAR CPU feature present):
Get-Cluster "clustername" | Get-VM | Where-Object {$_.ExtensionData.Runtime.FeatureRequirement.FeatureName -match "MDCLEAR"}
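The two cluster one-liners above (hosts and VMs) can be combined into one report. The script below is an added example and is not code from the original post; it assumes an existing PowerCLI session (Connect-VIServer) and takes the cluster name and the feature name (defaulting to cpuid.MDCLEAR, so any other CPUID mask can be checked the same way) as parameters. It checks that the feature entry itself carries value 1 on each host, rather than testing the value and the name over the whole FeatureCapability array separately, and it reports powered-off VMs as unknown, because Runtime.FeatureRequirement is only populated while a VM is running.

```powershell
# Added example (not from the original post): report whether a CPUID feature
# is exposed on every host and every VM in a cluster.
# Assumes: an active PowerCLI session (Connect-VIServer) and a cluster name
# supplied by the caller; $Feature defaults to the MDS mask cpuid.MDCLEAR.
param(
    [Parameter(Mandatory)] [string] $ClusterName,
    [string] $Feature = 'cpuid.MDCLEAR'
)

$cluster = Get-Cluster -Name $ClusterName

# Hosts: the feature must be present in Config.FeatureCapability AND have
# value 1. Testing ".Value -eq 1" and ".FeatureName -match" over the whole
# array independently can mark a host compliant because some other feature
# has value 1, so filter to the single entry first.
$hostReport = foreach ($vmHost in ($cluster | Get-VMHost)) {
    $cap = $vmHost.ExtensionData.Config.FeatureCapability |
        Where-Object { $_.FeatureName -eq $Feature }
    $value = $null
    if ($cap) { $value = $cap.Value }
    [pscustomobject]@{
        Object    = $vmHost.Name
        Type      = 'Host'
        State     = $vmHost.ConnectionState
        Feature   = $Feature
        Present   = [bool]$cap
        Value     = $value
        Compliant = [bool]($cap | Where-Object { $_.Value -eq 1 })
    }
}

# VMs: Runtime.FeatureRequirement is only populated while the VM is powered
# on, so a powered-off VM is reported as Unknown instead of non-compliant.
$vmReport = foreach ($vm in ($cluster | Get-VM)) {
    $req = $vm.ExtensionData.Runtime.FeatureRequirement |
        Where-Object { $_.FeatureName -eq $Feature }
    $value = $null
    if ($req) { $value = $req.Value }
    $compliant = 'Unknown (powered off)'
    if ($vm.PowerState -eq 'PoweredOn') { $compliant = [bool]$req }
    [pscustomobject]@{
        Object    = $vm.Name
        Type      = 'VM'
        State     = $vm.PowerState
        Feature   = $Feature
        Present   = [bool]$req
        Value     = $value
        Compliant = $compliant
    }
}

# Hosts first, then VMs; @() keeps the concatenation valid when either
# collection contains a single object.
@($hostReport) + @($vmReport) | Format-Table -AutoSize
```

Run it as `.\Check-CpuidFeature.ps1 -ClusterName "clustername"` (the file name is my choice); filtering the output on `Compliant -ne $true` gives the list of hosts and VMs that still need remediation or a power cycle.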

The vmware.log is an accurate source to show the CPUID capability (indicating that both the CPU microcode and the hypervisor are properly updated). However, you should know that just because the log indicates the CPUID capability, that does not mean the VM is mitigated. I have found the log entries present just by migrating VMs during the remediation of a cluster.
By using PowerShell we can confirm the availability of the CPUID features at the hypervisor level, and which VMs have the hardware support enabled.