Booting VCF Automation takes a lot of resources; I regularly see CPU spikes (see the screenshot below).
Normally VCF Automation runs at 8 to 10 GHz, which is fine in a 3-node MS-A2 setup.
To keep my lab environment a little safer I limit VCF Automation to 25000 MHz. This keeps the MS-A2 a little cooler and ensures that a node does not max out.
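One way to apply and verify such a CPU cap with PowerCLI, as an added example (this is not the author's own script). It assumes VMware.PowerCLI is installed, a session is already open with Connect-VIServer, and the VM name pattern is an assumption you adjust to your appliance names.

```powershell
# Added example (PowerCLI), not the author's script.
# Assumptions: VMware.PowerCLI installed, already connected with Connect-VIServer,
# and the VCF Automation appliance VMs match the name pattern below (adjust it).
param(
    [string]$VmNamePattern = 'vcf-automation*',   # assumption: your VM naming
    [int]$CpuLimitMhz      = 25000
)

$vms = Get-VM -Name $VmNamePattern
if (-not $vms) { throw "No VMs matched '$VmNamePattern'" }

foreach ($vm in $vms) {
    # CpuLimitMhz of -1 means "unlimited", which is the vSphere default.
    $before = (Get-VMResourceConfiguration -VM $vm).CpuLimitMhz

    # Apply the cap; the VM keeps running, no reboot is required.
    Get-VMResourceConfiguration -VM $vm |
        Set-VMResourceConfiguration -CpuLimitMhz $CpuLimitMhz -Confirm:$false | Out-Null

    $after = (Get-VMResourceConfiguration -VM $vm).CpuLimitMhz

    # Read back the latest realtime CPU demand so you can see whether the cap is being hit.
    $usage = (Get-Stat -Entity $vm -Stat 'cpu.usagemhz.average' -Realtime -MaxSamples 1).Value

    [pscustomobject]@{
        VM          = $vm.Name
        LimitBefore = $before
        LimitAfter  = $after
        UsageMhz    = $usage
        AtCap       = ($usage -ge ($after * 0.95))
    }
}
```

Run it once after boot and once during a spike: if UsageMhz sits at the cap, the appliance is being throttled and you are trading boot time for thermal headroom.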
While deploying VMware Cloud Foundation (VCF) 9.1 in a homelab environment, the installation repeatedly failed during the ‘Deploy and Configure VCF Management Platform’ stage. Despite performing nine completely clean installations, the deployment consistently stopped at the same point.
Error Observed
The deployment task failed with the message ‘Add VM Name Prefix to NSX Firewall Exclusion List’. The failure was identified in /var/log/vmware/vcf/domainmanager/domainmanager.log.
Initial Research
Several Broadcom Knowledge Base articles appeared relevant, including KB 440449 and KB 441122. Although the symptoms were similar, neither article fully resolved the issue.
VMSP Configuration Review
The original VMSP configuration used a name value matching the prefix of the fleetFqdn. The configuration was modified to use a unique VMSP cluster name. While this appeared promising, the issue persisted.
Additional Troubleshooting
Additional troubleshooting included changing VMSP IP ranges, rebuilding DNS records, validating forward and reverse DNS resolution, and reviewing deployment logs for networking issues.
Root Cause Analysis
The issue was ultimately not caused by the NSX firewall exclusion configuration. Multiple infrastructure issues contributed to deployment instability.
Although the deployment failure appeared to indicate an NSX firewall exclusion issue, the underlying cause was network instability combined with infrastructure configuration problems. After correcting NTP configuration, validating DNS, upgrading network connectivity, and replacing the defective SFP+ module, the VCF 9.1 deployment completed successfully.
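The DNS and NTP validation described above, as an added example in PowerShell; it is not the author's own tooling. It assumes a Windows jump host (Resolve-DnsName comes from the DnsClient module), and the hostnames, IPs and NTP server in the inventory are constructed placeholders you replace with your own. VCF expects every component to resolve forward and reverse to exactly the same FQDN/IP pair, and the NTP check uses a minimal SNTP query so it works even where w32tm is not available.

```powershell
# Added example, not the author's script. Checks the two items that caused the
# instability above: exact A/PTR round trips for each VCF component, and NTP
# reachability plus clock offset. Inventory values are constructed placeholders.
$Hosts = @(                                        # assumption: your own inventory
    @{ Fqdn = 'sddc-manager.lab.example'; Ip = '10.0.10.20' }
    @{ Fqdn = 'vcenter.lab.example';      Ip = '10.0.10.21' }
    @{ Fqdn = 'nsx-manager.lab.example';  Ip = '10.0.10.22' }
)
$NtpServer = 'ntp.lab.example'                     # assumption

function Test-VcfDns {
    param([hashtable[]]$Entries)
    foreach ($e in $Entries) {
        $fwd = (Resolve-DnsName -Name $e.Fqdn -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }).IPAddress
        $rev = (Resolve-DnsName -Name $e.Ip -Type PTR -ErrorAction SilentlyContinue).NameHost
        [pscustomobject]@{
            Fqdn     = $e.Fqdn
            Expected = $e.Ip
            Forward  = ($fwd -join ',')
            Reverse  = $rev
            # Exact round trip: A record -> expected IP and PTR -> the same FQDN.
            Ok       = ($fwd -contains $e.Ip) -and ($rev -eq $e.Fqdn)
        }
    }
}

function ConvertFrom-NtpTimestamp([byte[]]$Bytes, [int]$Offset) {
    # NTP timestamps are big-endian: 32-bit seconds since 1900-01-01, 32-bit fraction.
    $s = [byte[]]$Bytes[$Offset..($Offset + 3)];       [array]::Reverse($s)
    $f = [byte[]]$Bytes[($Offset + 4)..($Offset + 7)]; [array]::Reverse($f)
    $secs = [BitConverter]::ToUInt32($s, 0)
    $frac = [BitConverter]::ToUInt32($f, 0)
    [DateTime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc).AddSeconds($secs + $frac / 4294967296.0)
}

function Get-NtpOffset {
    # Minimal SNTP client (RFC 4330): one 48-byte request, read the server's
    # transmit timestamp (bytes 40-47) and compare it with the local clock.
    param([string]$Server, [int]$TimeoutMs = 3000)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $req = New-Object byte[] 48
        $req[0] = 0x1B                                 # LI=0, VN=3, Mode=3 (client)
        $udp.Connect($Server, 123)
        $sent = [DateTime]::UtcNow
        [void]$udp.Send($req, $req.Length)
        $ep   = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$ep)
        $recv = [DateTime]::UtcNow
        $serverTime = ConvertFrom-NtpTimestamp -Bytes $resp -Offset 40
        # Approximate offset: server time minus the midpoint of our send/receive times.
        $mid = $sent.AddMilliseconds(($recv - $sent).TotalMilliseconds / 2)
        [pscustomobject]@{
            Server    = $Server
            ServerUtc = $serverTime
            OffsetMs  = [math]::Round(($serverTime - $mid).TotalMilliseconds, 1)
        }
    } finally { $udp.Close() }
}

Test-VcfDns -Entries $Hosts | Format-Table -AutoSize
Get-NtpOffset -Server $NtpServer
```

Any row with Ok = False is worth fixing before retrying the deployment, and an OffsetMs of more than a few hundred milliseconds, or a timeout, points at the NTP configuration rather than at NSX.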
VMware Cloud Foundation (VCF) 9.1 is here — and it’s one of the most feature‑packed releases in years. This update isn’t just incremental; it’s a strategic modernization of compute, storage, networking, security, and operations across the entire private cloud stack.
Let’s break down the biggest enhancements and why I think they matter.
Modernizing Infrastructure Economics with vSphere Foundation 9.1
VCF 9.1 brings several powerful updates to the vSphere layer, aimed at improving performance efficiency and reducing operational overhead.
Enhanced NVMe Memory Tiering
Workloads that demand high throughput and low latency benefit from smarter memory tiering. NVMe-based memory tiers now deliver improved performance and flexibility. (And yes — many are hoping Secure Boot support lands here as well.)
Parallel Processing of DRS vMotion
DRS can now process multiple vMotions in parallel, dramatically reducing cluster balancing times. This is especially impactful in large-scale environments with frequent workload mobility.
Live Patching for TPM-Enabled Hosts
Live patching now works even on hosts with TPM enabled — a huge win for security-conscious organizations that previously had to choose between uptime and compliance.
Networking Updates: Scale, Simplicity, and Smarter Automation
VCF 9.1 introduces major networking enhancements that streamline operations and expand connectivity options.
Enhanced Day-2 VM Lifecycle Management
Networking changes for VMs — including NIC updates, IP changes, and security policies — are now easier and more automated.
Existing VLAN Connectivity via Distributed Transit Gateways
You can now bridge existing VLAN-based networks into VCF environments more seamlessly, reducing migration friction and simplifying hybrid designs.
EVPN-VXLAN Fabric Interoperability
VCF 9.1 now supports EVPN-VXLAN interoperability with the physical network fabric. This is a major step toward fully integrated, fabric-aware cloud networking.
Network Assessment & VPC Planning
New tools and workflows help architects plan VPC layouts, assess network readiness, and avoid misconfigurations before deployment.
Optimize, Modernize & Protect Storage with vSAN in VCF 9.1
Storage gets a significant upgrade in this release, especially for environments focused on efficiency and resilience.
Encryption for vSAN Global Deduplication
Global dedupe is now compatible with data-at-rest encryption — a long-awaited capability for secure, space-efficient storage.
Enhanced Stretched Cluster Capabilities
Improved resilience and smarter failure handling strengthen business continuity for mission-critical workloads.
Automated Storage Policy Management
Policies now adjust automatically based on cluster configuration changes, reducing manual tuning and risk of misalignment.
Strengthening Zero Trust Security & Platform Resilience
Security is a major theme in VCF 9.1, with improvements across the stack.
Data-at-Rest Encryption for Global Dedupe
This ensures encrypted storage without sacrificing dedupe efficiency — a rare combination in enterprise storage.
Quick Patching for vCenter
Faster patch cycles reduce exposure windows and simplify maintenance.
Live Patching for TPM-Enabled Hosts
As mentioned earlier, this is a major operational win for secure environments.
Continuous Compliance & Integrated Cyber Recovery
VCF 9.1 pushes deeper into automated compliance and recovery workflows.
Compliance Monitoring & Desired State Remediation
The platform now continuously checks VCF components against desired state and can automatically remediate drift.
VPC Policy-Based Connectivity
Security and connectivity policies can now be applied consistently across VPCs, improving governance and reducing misconfigurations.
VMware Data Services Manager 9.1: Modern Databases for AI & Cloud
Microsoft SQL Server 2022 Now GA
SQL Server 2022 is now fully supported and generally available through DSM 9.1, enabling automated lifecycle management for modern database workloads — including those powering AI and analytics.
Want to See It in Action?
VMware has published a full VCF 9.1 video podcast series that dives deeper into the new capabilities:
Enough to do in my homelab, starting with the upgrade and testing the new features!
In June 2026 the Secure Boot certificates start to expire, for physical and virtual machines, servers and clients. PS: not only Windows but also Linux!
PS: make sure clients and servers are all installed with the latest updates!
I made a little risk assessment:
The expiration and replacement of Microsoft Secure Boot certificates pose a high risk to IT environments. If not properly managed, systems may fail to boot, updates may fail, and security risks may increase. This is particularly critical in automated and virtualized environments.
Key risks:
• Systems failing to boot after updates
• Incompatibility during OS or hypervisor upgrades
• Increased security risks due to outdated certificates
Recommended actions:
1. Update firmware and Secure Boot certificates
2. Test all workloads in a lab environment
3. Update golden images and automation pipelines
A phased rollout and proper validation are essential to prevent disruptions.
1. Scope
This document describes the risks, impact, and mitigations related to the expiration of Microsoft Secure Boot certificates in enterprise environments.
2. Affected Components
• Systems with UEFI firmware (servers, desktops, virtual machines)
• Microsoft UEFI CA certificates
• Operating systems, servers and clients (Windows, Linux)
• Automation tools (e.g. Packer, MDT, SCCM)
3. Risk Analysis
Key risks:
• Incompatibility during upgrades
• Security vulnerabilities caused by outdated trust stores
• Errors in automation pipelines
• Firmware incompatibility
4. Risk Matrix
• Upgrade issues: High
• Security exposure: High
• Automation failures: Medium
• Firmware issues: High
5. Mitigations
• Update firmware on all systems
• Apply Microsoft Secure Boot updates
• Verify Event ID 1808 in the System event log
• Rebuild images with updated certificates
• Perform a phased rollout
6. Validation & Testing
• Test OS boot scenarios
• Validate Secure Boot status
• Verify automation pipelines
7. Conclusion
Changes to Secure Boot certificates must be treated as critical infrastructure updates. Proper preparation, testing, and phased implementation are essential to avoid disruptions.
Microsoft has released patches for the following operating systems:
Windows 11 (23H2/24H2/25H2) and Windows Server 2016/2019/2022/2025.
VMware is working on a “fix or update” for this.
* I did not test versions in extended support, such as Windows Server 2012 R2 and Windows 10.
I recently created three versions of a FixSecureBoot script, a lightweight alternative inspired by the excellent work of haz-ard-9, the author of FixSecureBootBulk.ps1. Their script is powerful and absolutely the right choice if you rely on BitLocker or need a fully automated, safety-first workflow.
However, at roughly 3,000 lines of code, the original script is understandably complex. It includes many checks and safeguards, which are great for production environments but made it harder for me to fully understand what was happening under the hood. I wanted something simpler, easier to read, and tailored to my own workflow.
So I took the time to study the original script, copied only the parts I needed, and built a much more compact version that gives me exactly the result I want, and shows in the verification step that everything has been updated correctly.
What My Script Does
Here’s the full sequence of actions my simplified script performs:
1. Shuts down the VM
2. Creates a snapshot
3. Enables UEFI Setup Mode
4. Clears the NVRAM (for older VMs)
5. Upgrades the virtual hardware if the VM is below version 21 (vSphere 8)
6. Starts the VM and waits for VMware Tools
7. Checks that the guest OS is fully online
8. Downloads the required certificates (only once)
9. Uploads the two certificates to the VM if they do not already exist
10. Installs the new boot certificates
11. Shuts down the VM and clears Setup Mode
12. Boots the VM and sets AvailableUpdates to 0x5944 (certs ready for install)
13. Reboots until AvailableUpdates becomes 0x4100 (may require multiple reboots)
14. Reboots and runs Secure-Boot-Update again
15. Reboots and runs Secure-Boot-Update again, then checks for Event ID 1808 (if found, everything is good)
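The in-guest verification that both the mitigation list above (“Verify Event ID 1808”) and steps 12 to 15 of the script rely on, as an added PowerShell example. It is not the author's FixSecureBoot script and not haz-ard-9's; it only reads state. It assumes it runs inside the Windows guest as Administrator on a UEFI VM, and that the 1808 event is logged by the Microsoft-Windows-TPM-WMI provider in the System log. The 0x5944 and 0x4100 values are the ones the post reports; the script prints whatever value is currently set rather than asserting on them.

```powershell
# Added example, not the author's script. Run as Administrator inside the guest.
# Reports: Secure Boot on/off, which 2023 CAs are enrolled in db, the current
# AvailableUpdates flags, and whether Event ID 1808 has been logged.
function Get-SecureBootCertState {
    $sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

    $enabled = $false
    try { $enabled = Confirm-SecureBootUEFI } catch { }   # throws on non-UEFI systems

    # Subject CN strings are stored as printable ASCII inside the DER certificates
    # in db, so a plain substring match shows which CAs are enrolled.
    $db = ''
    if ($enabled) {
        $db = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    }

    $avail = (Get-ItemProperty -Path $sbKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $availHex = if ($null -ne $avail) { '0x{0:X4}' -f $avail } else { $null }

    # Assumption: Event ID 1808 from Microsoft-Windows-TPM-WMI in the System log
    # is the "Secure Boot update applied" signal the post waits for.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1808
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBootEnabled   = $enabled
        Has2023WindowsCA    = ($db -match 'Windows UEFI CA 2023')
        Has2023MicrosoftCA  = ($db -match 'Microsoft UEFI CA 2023')
        Has2023OptionRomCA  = ($db -match 'Microsoft Option ROM UEFI CA 2023')
        AvailableUpdatesHex = $availHex
        LastEvent1808       = if ($evt) { $evt.TimeCreated } else { $null }
    }
}

function Invoke-SecureBootUpdateTask {
    # The same built-in scheduled task the post's script runs between reboots.
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
}

$state = Get-SecureBootCertState
$state | Format-List

if (-not $state.SecureBootEnabled) {
    Write-Warning 'Secure Boot is off; the certificate update will not be applied.'
} elseif (-not $state.LastEvent1808) {
    Write-Warning 'No Event ID 1808 yet: run Invoke-SecureBootUpdateTask, reboot, then check again.'
}
```

A fully updated guest shows all three Has2023* fields as True together with a recent LastEvent1808; a True for Has2023WindowsCA with no 1808 event usually means another reboot cycle is still needed.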
I’ve tested this workflow successfully on:
• Windows 11 (23H2, 24H2, 25H2)
• Windows Server 2016, 2019, 2022, and 2025
Downloads
** Links for downloading the original files from Microsoft’s GitHub page to be added.
If you want a script that’s easier to read, easier to modify, and still gets the job done (as long as you’re not using BitLocker), this simplified version might be exactly what you need.
Let me know if you want me to share the script itself or write a follow-up post about how it works internally.
Thrilled to join the @MyVMUG community at VMUG Connect in Amsterdam! I’ll be diving into Minimum 2 Node Homelab Setup and sharing practical insights you can use in your environment. Can’t wait to learn from other members too!
I don’t have much experience with Kubernetes but wanted to try some new things.
The only container I have running is Home Assistant on Docker.
I wanted to get KubeDoom working, so I did, with the following steps.
Maybe in the near future I’ll try to add more games: Retro DOS Games on Kubernetes.
I finally have a Kubernetes cluster at version 1.32, which is required for running KubeDoom.
Download kubectl
mkdir d:\kubectl
Extract the downloaded ZIP file and place both executables (kubectl.exe and kubectl-vsphere.exe) in a folder such as d:\kubectl.