What’s New in Private Cloud: VMware VCF 9.1 Enhancements

VMware Cloud Foundation (VCF) 9.1 is here — and it’s one of the most feature‑packed releases in years. This update isn’t just incremental; it’s a strategic modernization of compute, storage, networking, security, and operations across the entire private cloud stack.



Let’s break down the biggest enhancements and why I think they matter.

Modernizing Infrastructure Economics with vSphere Foundation 9.1

VCF 9.1 brings several powerful updates to the vSphere layer, aimed at improving performance efficiency and reducing operational overhead.

Enhanced NVMe Memory Tiering

Workloads that demand high throughput and low latency benefit from smarter memory tiering. NVMe-based memory tiers now deliver improved performance and flexibility. (And yes — many are hoping Secure Boot support lands here as well.)


Parallel Processing of DRS vMotion

DRS can now process multiple vMotions in parallel, dramatically reducing cluster balancing times. This is especially impactful in large-scale environments with frequent workload mobility.

Live Patching for TPM-Enabled Hosts

Live patching now works even on hosts with TPM enabled — a huge win for security-conscious organizations that previously had to choose between uptime and compliance.

Networking Updates: Scale, Simplicity, and Smarter Automation

VCF 9.1 introduces major networking enhancements that streamline operations and expand connectivity options.

Enhanced Day-2 VM Lifecycle Management

Networking changes for VMs — including NIC updates, IP changes, and security policies — are now easier and more automated.

Existing VLAN Connectivity via Distributed Transit Gateways

You can now bridge existing VLAN-based networks into VCF environments more seamlessly, reducing migration friction and simplifying hybrid designs.

Streamlined Firewalls & Automated Inter-VPC Security

Security policies between VPCs are now automated, reducing manual rule creation and improving consistency across tenants.

Terraform Provider Enhancements

Better support for tenant-level policy and content management means more automation and cleaner IaC workflows.

Simplified Workload Connectivity & Enhanced Network Scale

EVPN-VXLAN Interoperability

VCF 9.1 now supports EVPN-VXLAN interoperability with the physical network fabric. This is a major step toward fully integrated, fabric-aware cloud networking.

Network Assessment & VPC Planning

New tools and workflows help architects plan VPC layouts, assess network readiness, and avoid misconfigurations before deployment.

Optimize, Modernize & Protect Storage with vSAN in VCF 9.1

Storage gets a significant upgrade in this release, especially for environments focused on efficiency and resilience.

Encryption for vSAN Global Deduplication

Global dedupe is now compatible with data-at-rest encryption — a long-awaited capability for secure, space-efficient storage.

Enhanced Stretched Cluster Capabilities

Improved resilience and smarter failure handling strengthen business continuity for mission-critical workloads.

Automated Storage Policy Management

Policies now adjust automatically based on cluster configuration changes, reducing manual tuning and risk of misalignment.

Strengthening Zero Trust Security & Platform Resilience

Security is a major theme in VCF 9.1, with improvements across the stack.

Data-at-Rest Encryption for Global Dedupe

This ensures encrypted storage without sacrificing dedupe efficiency — a rare combination in enterprise storage.

Quick Patching for vCenter

Faster patch cycles reduce exposure windows and simplify maintenance.

Live Patching for TPM-Enabled Hosts

As mentioned earlier, this is a major operational win for secure environments.

Continuous Compliance & Integrated Cyber Recovery

VCF 9.1 pushes deeper into automated compliance and recovery workflows.

Compliance Monitoring & Desired State Remediation

The platform now continuously checks VCF components against desired state and can automatically remediate drift.

VPC Policy-Based Connectivity

Security and connectivity policies can now be applied consistently across VPCs, improving governance and reducing misconfigurations.

VMware Data Services Manager 9.1: Modern Databases for AI & Cloud

Microsoft SQL Server 2022 Now GA

SQL Server 2022 is now fully supported and generally available through DSM 9.1, enabling automated lifecycle management for modern database workloads — including those powering AI and analytics.

Want to See It in Action?

VMware has published a full VCF 9.1 video podcast series that dives deeper into the new capabilities:

Enough to do in my homelab, starting with the upgrade and testing the new features!!

Mitigating Secure Boot Risks in 2026: A Comprehensive Guide

In June 2026 the Secure Boot certificates start to expire, for physical and virtual machines, servers and clients alike. PS: not only Windows but also Linux!!

PS: Make sure clients and servers are all installed with the latest updates!!

I made a little risk assessment:

The expiration and replacement of Microsoft Secure Boot certificates pose a high risk to IT environments. If not properly managed, systems may fail to boot, updates may fail, and security risks may increase. This is particularly critical in automated and virtualized environments.

Key risks:

 Systems failing to boot after updates
 Incompatibility during OS or hypervisor upgrades
 Increased security risks due to outdated certificates

Recommended actions:

1. Update firmware and Secure Boot certificates
2. Test all workloads in a lab environment
3. Update golden images and automation pipelines

A phased rollout and proper validation are essential to prevent disruptions.

1. Scope

This document describes the risks, impact, and mitigations related to the expiration of Microsoft Secure Boot certificates in enterprise environments.

2. Affected Components

 Systems with UEFI firmware (Servers, Desktops, Virtual Machines)
 Microsoft UEFI CA certificates
 Operating Systems (Servers, Clients) (Windows, Linux)
 Automation tools (Packer, MDT, SCCM)

3. Risk Analysis

Key risks:

 Incompatibility during upgrades
 Security vulnerabilities caused by outdated trust stores
 Errors in automation pipelines
 Firmware incompatibility

4. Risk Matrix

 Upgrade Issues: High
 Security Exposure: High
 Automation Failures: Medium
 Firmware Issues: High

5. Mitigations

 Update firmware on all systems
 Apply Microsoft Secure Boot updates
 Verify Event ID 1808
 Rebuild images with updated certificates
 Perform a phased rollout

6. Validation & Testing

 Test OS boot scenarios
 Validate Secure Boot status
 Verify automation pipelines

7. Conclusion

Changes to Secure Boot certificates must be treated as critical infrastructure updates. Proper preparation, testing, and phased implementation are essential to avoid disruptions.

Microsoft has released patches for the following OS versions:

Windows 11 (23H2/24H2/25H2)
Windows Server 2016/2019/2022/2025.

VMware is creating a “Fix or Update” for this

* I did not test versions with extended support like Windows 2012 R2 and Windows 10.

Get your list of EFI VMs with Secure Boot enabled with:

Get-VM | Where-Object { $_.ExtensionData.Config.Firmware -eq "efi" -and $_.ExtensionData.Config.BootOptions.EfiSecureBootEnabled } |
    Select-Object Name, @{N="OS";E={$_.ExtensionData.Guest.GuestFullName}}, PowerState

There is an update coming from VMware by Broadcom. Check this article:

https://knowledge.broadcom.com/external/article/423893

Extra Info

Microsoft Info:

I hope that most people have read: Windows Secure Boot certificate expiration and CA updates

and Secure Boot playbook for certificates expiring in 2026

Redhat:
Secure Boot Certificate Changes in 2026: Guidance for RHEL Environments

Broadcom:
Secure Boot Certificate Expirations and Update Failures in VMware Virtual Machines

Manual Update of the Secure Boot Platform Key in Virtual Machines





Simplified Fix Secure Boot Script for Easy VM Updates

I recently created three versions of a FixSecureBoot script — a lightweight alternative inspired by the excellent work of haz-ard-9, the author of FixSecureBootBulk.ps1. Their script is powerful and absolutely the right choice if you rely on BitLocker or need a fully automated, safety‑first workflow.

However, at roughly 3,000 lines of code, the original script is understandably complex. It includes many checks and safeguards, which are great for production environments but made it harder for me to fully understand what was happening under the hood. I wanted something simpler, easier to read, and tailored to my own workflow.

So I took the time to study the original script, copied only the parts I needed, and built a much more compact version that gives me exactly the result I want — including the verification step that shows everything was updated correctly.

What My Script Does

Here’s the full sequence of actions my simplified script performs:

1. Shuts down the VM
2. Creates a snapshot
3. Enables UEFI Setup Mode
4. Clears the NVRAM (for older VMs)
5. Upgrades virtual hardware if the VM is below version 21 (vSphere 8)
6. Starts the VM and waits for VMware Tools
7. Checks that the guest OS is fully online
8. Downloads the required certificates (only once)
9. Uploads the two certificates to the VM if they are not already there
10. Installs the new boot certificates
11. Shuts down the VM and clears Setup Mode
12. Boots the VM and sets AvailableUpdates to 0x5944 (certs ready for install)
13. Reboots until AvailableUpdates becomes 0x4100 (may require multiple reboots)
14. Reboots and runs Secure-Boot-Update again
15. Reboots and runs Secure-Boot-Update again, then checks for Event ID 1808 (if found, everything is good)
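A guest-side check of the end state steps 12 to 15 wait for (and of the "Validate Secure Boot status" item in the risk assessment above), as an added example that is not part of the original post or of the Fix_Secure_Boot_*.ps1 scripts. It assumes it runs elevated inside a UEFI Windows VM, that Event ID 1808 is matched by Id in the System log only, and it looks for the "Windows UEFI CA 2023" subject string that Microsoft's guidance uses for the db check.

```powershell
# Added example (not the post's own script): report whether the 2023 Secure Boot
# certificates are in place in this Windows guest. Run as administrator on a UEFI VM.
function Test-SecureBootCertUpdate {
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

    # Secure Boot must be enforcing, otherwise the db/KEK contents protect nothing
    $sbEnabled = $false
    try { $sbEnabled = Confirm-SecureBootUEFI } catch { }

    # AvailableUpdates drives the Secure-Boot-Update task: 0x5944 requests the update,
    # 0x4100 is the value the post waits for after the reboots
    $avail = (Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    if ($null -eq $avail)      { $availHex = '(not set)'; $stage = 'not requested' }
    elseif ($avail -eq 0x5944) { $availHex = '0x5944';    $stage = 'requested, waiting for Secure-Boot-Update' }
    elseif ($avail -eq 0x4100) { $availHex = '0x4100';    $stage = 'remaining updates pending, run Secure-Boot-Update again' }
    else                       { $availHex = '0x{0:X}' -f $avail; $stage = 'in progress' }

    # Look for the 2023 certificates inside the UEFI db and KEK variables by subject string
    $dbHas2023 = $false; $kekHas2023 = $false
    try {
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name kek).Bytes)
        $dbHas2023  = $db  -match 'Windows UEFI CA 2023'
        $kekHas2023 = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    } catch { }

    # Event ID 1808 is the post's final "everything is good" signal (assumption: System log, by Id)
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1808 } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        SecureBootOn     = $sbEnabled
        AvailableUpdates = $availHex
        Stage            = $stage
        DbHasUefiCa2023  = $dbHas2023
        KekHas2023Ca     = $kekHas2023
        Event1808Seen    = [bool]$evt
        Event1808Time    = if ($evt) { $evt.TimeCreated } else { $null }
        # Ready only when Secure Boot is on, both 2023 certs are present and 1808 was logged
        Ready            = $sbEnabled -and $dbHas2023 -and $kekHas2023 -and [bool]$evt
    }
}

Test-SecureBootCertUpdate | Format-List
```

Run it before and after the script (or from the Packer build, see below) to confirm a VM really reached the end state instead of trusting the last reboot.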

I’ve tested this workflow successfully on:

 Windows 11 (23H2, 24H2, 25H2)
 Windows Server 2016, 2019, 2022, and 2025

Downloads
Links for downloading the original files from the Microsoft GitHub page:

WindowsOEMDevicesPK.der
microsoft corporation kek 2k ca 2023.der

Rename microsoft corporation kek 2k ca 2023.der to kek2023.der


Current Limitation: Packer Integration

CLEAN PACKER BUILD IS NOT SAFE!! AFTER THE BUILD YOU NEED TO RUN FIX SECURE BOOT!!

I don’t yet have a complete fix for integrating this into a full Packer build. For now, I simply pre‑stage the certificates:

Build file:

provisioner "file" {
  source      = "./setup/SecurebootCert/"
  destination = "C:/Windows/Temp"
}

I have built three versions:

Fix_Secure_Boot_Manual.ps1
Fix_Secure_Boot_Single.ps1
Fix_Secure_Boot_Multi.ps1

If you want a script that’s easier to read, easier to modify, and still gets the job done (as long as you’re not using BitLocker), this simplified version might be exactly what you need.

Let me know if you want me to share the script itself or write a follow‑up post about how it works internally.
Screenshot: Template check if already updated

Screenshot: VM check if already updated

Screenshot: Running the full script from a template

Top VCF 9 Updates: Installer, NVME, and More


Things I would like to test:

  • VCF 9 installer (the VCF 9 Beta looked good)
  • NVME Tiering
  • vSAN ESA Dedupe
  • VCF 9 with Ubiquiti
  • Kubernetes Service now includes Windows containerization
  • NSX VPC Support


The VCF Cloud Foundation Installer makes life a lot easier! More about this coming very soon.


The VCF Operations Console is looking good! I used it in the VCF 9 beta

More about this also later!

Easy Script to Create DNS Records in VCF Lab

When you build your VCF lab environment you want to create your DNS records automatically. I use a Windows Server for DNS.

The Script:

function ConvertTo-DecimalIP {
    param ([string]$ip)
    # Use 64-bit math so addresses such as 192.x.x.x do not overflow a signed 32-bit integer
    $parts = $ip.Split('.') | ForEach-Object { [int64]$_ }
    return ($parts[0] -shl 24) + ($parts[1] -shl 16) + ($parts[2] -shl 8) + $parts[3]
}

function ConvertTo-DottedIP {
    param ([int64]$intIP)
    $part1 = ($intIP -shr 24) -band 0xFF
    $part2 = ($intIP -shr 16) -band 0xFF
    $part3 = ($intIP -shr 8) -band 0xFF
    $part4 = $intIP -band 0xFF
    return "$part1.$part2.$part3.$part4"
}

# Add-DnsServerResourceRecordA comes from the DnsServer module (DNS Server role or RSAT DNS tools)
Import-Module DnsServer

$zone = "testlab.nl"
$startip = "192.168.200.10"

$dnsrecords = "vcf-m01-cb01","vcf-m01-sddcm01","vcf-m01-esx01","vcf-m01-esx02","vcf-m01-esx03","vcf-m01-esx04","vcf-w01-esx02","vcf-w01-esx03","vcf-w01-esx04","vcf-w01-esx04","vcf-m01-nsx01a","vcf-m01-nsx01b","vcf-m01-nsx01c","vcf-m01-nsx01","vcf-w01-nsx01a","vcf-w01-nsx01b","vcf-w01-nsx01c","vcf-w01-nsx01","vcf-m01-vc01","vcf-w01-vc01"

# Convert start IP to decimal
$decimalIP = ConvertTo-DecimalIP $startip
$i = 0

# Loop over the names and create an A record (plus PTR) with consecutive IPs, starting at $startip
foreach ($dnsrecord in $dnsrecords) {
    $currentDecimalIP = $decimalIP + $i
    $currentIP = ConvertTo-DottedIP $currentDecimalIP
    Add-DnsServerResourceRecordA -Name $dnsrecord -ZoneName $zone -AllowUpdateAny -IPv4Address $currentIP -CreatePtr
    # Write-Output has no -ForegroundColor parameter; Write-Host does
    Write-Host "DNS record $dnsrecord in $zone with $currentIP is created" -ForegroundColor Green
    $i++
}

Simplified DNS Zone Commands for Windows

Two very handy commands when you are building your labs multiple times using a Windows Server as a DNS server.

I wanted to do it through PowerShell, but I think this is the easiest way to do it.

dnscmd /zoneexport "wardvissers.nl" "wardvissers.nl"

dnscmd /zoneadd "wardhomelab.nl" /primary /file wardhomelab2.nl.dns /load

Deploying Windows VMs with Terraform and Packer

A while ago, I started using Packer for creating Windows templates for use in my home lab.
I blogged about it here: Windows Server 2025 “Preview” deployment with Packer

So now I want to deploy a template with Terraform, which was created earlier by Packer.

First, we need to make sure we have Terraform downloaded and the vSphere provider initialized.

  1. Install Terraform: You can download it from the official Terraform website and follow the installation instructions for your operating system.

I made my life a little easier by creating a PowerShell script that downloads the latest version: Download Terraform.ps1

  2. Initialize Your Terraform Configuration: Create a directory for your Terraform configuration files. Inside this directory, create a `main.tf` file (or any `.tf` file) where you will define your provider and other configurations.
    Define the vSphere Provider in Your main.tf: Add the following block to your Terraform configuration file to specify the use of the vSphere provider:

terraform {
  required_providers {
    vsphere = {
      source  = "hashicorp/vsphere"
      version = "> 2.11"
    }
  }
}

provider "vsphere" {
  user           = "vcenter_username"
  password       = "vcenter_password"
  vsphere_server = "vcenter_server"

  # If you have a self-signed cert
  allow_unverified_ssl = true
}

Replace "vcenter_username", "vcenter_password" and "vcenter_server" with your actual vSphere credentials and server address.

  3. Basic Terraform Commands

Terraform.ps1

# Go to the Terraform download folder
$terraformfolder = 'd:\automation\terraform\'
Set-Location $terraformfolder

# Download Terraform plugins
.\terraform.exe init

# Test Run
.\terraform.exe plan

# Run Terraform
.\terraform.exe apply

# Clean Up what you created (subcommands are lowercase)
.\terraform.exe destroy

Initialize the Terraform Working Directory: Run the following command in your terminal from the directory where your Terraform configuration file is located:

terraform init


This command will download the vSphere provider and initialize your Terraform working directory. It sets up and downloads the necessary provider plugins for Terraform to interact with vSphere.

Verify the Installation: After running `terraform init`, you should see output indicating that the vSphere provider has been successfully installed. You can now proceed to create Terraform configurations to manage your vSphere resources.

Deploy a Template VM within vSphere

In this example, we are deploying a VM running Windows Server 2022.

Terraform Module Structure

  1. variables.tf: Define the variables for the module.
  2. main.tf: Contains the main configuration for the VM.
  3. outputs.tf: Define the outputs for the module.

Variables.tf

variable "vsphere_user" {
  default     = "<your_vcenter_username_here>"
  description = "vSphere username to use to connect to the environment – Default: administrator@vsphere.local"
}

variable "vsphere_password" {
  default     = "<your_vcenter_password_here>"
  description = "vSphere vCenter password"
}

variable "vsphere_server" {
  default     = "<your_vcenter_here>"
  description = "vSphere vCenter server"
}

variable "datacenter" {
  default     = "<your_datacenter_here>"
  description = "vSphere datacenter"
}

variable "cluster" {
  default     = "<your_cluster_here>"
  description = "vSphere cluster"
}

variable "network" {
  default     = "<vcenter_network>"
  description = "vSphere network"
}

variable "datastore" {
  default     = "<your_destination_datastore_>"
  description = "vSphere datastore"
}

variable "template" {
  default     = "<your_template_name_here>"
  description = "Template VM"
}

variable "customization_specifications" {
  default     = "<vcenter_customization_specifications>"
  description = "Customization Spec"
}

When you run ".\terraform plan" you do a test run that checks your configuration without changing anything.

When you run ".\terraform apply" Terraform builds your virtual machine.

Based on: https://vminfrastructure.com/2025/03/11/deploying-a-vm-using-terraform/

It works, but it needs some tweaking and fixing:

Adding a TPM2.0 security device does not work right now
Server 2025 customization does not work

Get LDAPS Certificates: A Guide with OpenSSL

Using OpenSSL on Any Platform to get the LDAPS Certificate from the AD Server

Using OpenSSL should work with any Active Directory server platform (Windows, Linux, etc.). I use Windows in my case.

Requirements:

  • Openssl
  • FQDN or IP of the Active Directory Server
  • LDAPS certificate installed in the Active Directory Server certificate store

Steps:

  1. Run the following command from your local computer:
    openssl s_client -showcerts -connect <ip or fqdn of your active directory server>:636
  2. In the output, copy the certificate portion (from -----BEGIN CERTIFICATE----- up to and including -----END CERTIFICATE-----) to a text file
  3. Save the text file as my_ldaps_cert.pem.

The saved certificate can be installed into any software that needs to connect to your Active Directory using LDAPS.
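The same retrieval done with .NET instead of OpenSSL, as an added example that is not part of the original post: it writes the server certificate as PEM (the same format you copy out of the openssl output) and reports the fields worth checking before the file goes into any trust store. It assumes PowerShell on a machine that can reach port 636; the server name in the last line is a constructed placeholder.

```powershell
# Added example (not the post's own procedure): fetch a domain controller's LDAPS certificate,
# save it as PEM and report what to verify (expiry, SAN, thumbprint, chain) before trusting it.
function Get-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,
        [string]$OutFile = 'my_ldaps_cert.pem'
    )
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # Accept whatever the server presents here: this call only *retrieves* the certificate;
        # the trust decision is made from the checks reported below, not inside this callback
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $client.Close()
    }

    # PEM is the DER bytes, Base64-encoded in 64-character lines between the BEGIN/END markers
    $b64 = [Convert]::ToBase64String($cert.Export('Cert'))
    $body = ($b64 -replace '(.{64})', "`$1`n").TrimEnd("`n")
    $pem = "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----"
    Set-Content -Path $OutFile -Value $pem -Encoding Ascii

    # The Subject Alternative Name extension (OID 2.5.29.17) must contain the name you connect to
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '(no SAN extension)' }

    [pscustomobject]@{
        Server       = $Server
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Expired      = $cert.NotAfter -lt (Get-Date)
        NameInSan    = [bool]($san -match [regex]::Escape($Server))
        Thumbprint   = $cert.Thumbprint    # compare out-of-band with the DC before trusting the PEM
        ChainTrusted = $cert.Verify()      # $true only if the issuing CA is already trusted locally
        SAN          = $san
        PemFile      = (Resolve-Path $OutFile).Path
    }
}

# Constructed example name: replace with the FQDN of your own domain controller
Get-LdapsCertificate -Server 'dc01.testlab.nl' | Format-List
```

If ChainTrusted is $false and the thumbprint matches what the DC reports locally, install the issuing CA rather than only the leaf, so the PEM keeps working after the DC renews its certificate.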

Essential Insights on Windows Server 2025


  1. Free Windows Server 2025 Security Advice Book read here and download here
  2. Windows Server 2025 is Certified on VMware vSphere
  3. Windows Server 2025 known issues and notifications
  4. New & Updated Security Tools
  5. Windows Server 2022 to 2025: Active Directory Upgrade Guide

My HomeLab anno 2024

My home lab is mainly used for testing new stuff released by VMware (70%) and Microsoft (20%), plus other stuff (10%).

For the Base I use my Home PC

Intel i5 12600k
128 GB Memory
2 x 2TB Samsung 980 and 990 Pro SSD.
Windows 11 Pro
VMware Workstation Pro

On my Home PC I run:
Server 2022 (Eval for DC)
ESXi801 (16 GB) (NSX Demo Cluster)
ESXi802 (16 GB) (NSX Demo Cluster)
ESXi803 (64 GB) (General Cluster)
ESXi804 (64 GB) (General Cluster)
ESXi805 (24 GB) (Single Node vSAN Cluster)
ESXi806 (16 GB) (4 Node vSAN Cluster)
ESXi807 (16 GB) (4 Node vSAN Cluster)
ESXi808 (16 GB) (4 Node vSAN Cluster)
ESXi809 (16 GB) (4 Node vSAN Cluster)

ESXi701 (24GB) (General Cluster)
ESXi702 (24GB) (General Cluster)

Most VMs run in the general cluster. This is also where I test Packer and Terraform.

For a while I used a 2TB Samsung SSD as storage for the ESXi servers through TrueNAS,
but I wanted larger storage for all my VMs.

After reading William Lam's blog posts Synology DS723+ in Homelab and Synology NFS VAAI Plug-in support for vSphere 8.0, I did a nice upgrade.

I did not use the original Synology parts. The following parts work fine:
Kingston 16 GB DDR4-3200 notebook memory
WD Red SN700, 500 GB SSD
WD Red Pro, 8 TB

* For Read-Write caching you need 2 SSD devices.

For mounting the NFS share I created a little PowerCLI script:

https://github.com/WardVissers/VMware-Powercli-Public/blob/main/Add%20NFS%20DataStore%20Github.ps1