Identify VMware ESX Hosts and VMs using Secure Boot
You may need to identify VMware ESX Hosts and VMs that use Secure Boot in your environment. This can be helpful for a number of reasons:
- Environment audit – are there assets that should be using Secure Boot but are not?
- Inventory – a list of the assets that currently use Secure Boot gives you a reference set to work from should you later need to change the Secure Boot configuration
There are two primary means to do this:
- Aria Operations / VCF Operations – With a little work and help from an open-source management pack you can build a dashboard that will identify these assets
- PowerCLI – PowerCLI can be used to quickly and easily extract this information and format it in any way you like
Aria Operations / VCF Operations
Brock Peterson has written an excellent article on how to use Operations to list VMs and Hosts that use Secure Boot. It relies on an open-source management pack called the vCommunity Management Pack. I won't repeat his work, but I do want to highlight one consideration:
- VCF Operations 9.x can display information about both Host and VM Secure Boot configurations
- If you are still on Aria Operations 8.x, you will only see VM Secure Boot status; that version of Operations does not expose the host properties required to detect Secure Boot.
PowerCLI
Any recent version of the PowerCLI module can list the Secure Boot configuration of both ESX hosts and VMs from PowerShell.
Below are two minimal PowerShell snippets that show the properties you need. The host snippet reads the esxcli encryption setting RequireSecureBoot, which reports whether the host is configured to enforce Secure Boot (the setting controlled by esxcli system settings encryption set --require-secure-boot); if you need the firmware's actual Secure Boot state, run /usr/lib/vmware/secureboot/bin/secureBoot.py -s on the host. The VM snippet reads Config.BootOptions.EfiSecureBootEnabled, which can only be true for VMs with EFI firmware; a VM with BIOS firmware cannot use Secure Boot at all. You can easily extend either snippet to export the data to a CSV or nearly any other format that is useful to you.
Get Host Secure Boot Status
Connect-VIServer -Server vcenter.vmware.lab -Force
# Get all hosts vCenter can currently reach; Get-EsxCli fails against
# disconnected or not-responding hosts
$hosts = Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' }
write-host "Found $($hosts.count) connected ESX hosts."
write-host ""
write-host "The following ESX host(s) enforce Secure Boot:"
foreach ($vmhost in $hosts) {
    # Connect to esxcli for the host (the -V2 interface returns objects)
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    # RequireSecureBoot is the "require secure boot" encryption setting;
    # esxcli returns it as the string "true" or "false"
    $secureBoot = $esxcli.system.settings.encryption.get.Invoke() | Select -ExpandProperty RequireSecureBoot
    if ($secureBoot -eq "true") {write-host $vmhost}
}

Get VM Secure Boot Status
Connect-VIServer -Server vcenter.vmware.lab -Force
$vms = Get-VM
write-host "Found $($vms.count) virtual machines."
foreach ($vm in $vms) {
    # Drop to the vSphere API view; Secure Boot lives under Config.BootOptions
    $vmView = $vm | Get-View
    # EfiSecureBootEnabled is only meaningful when Config.Firmware is 'efi';
    # BIOS-firmware VMs never report it as true
    if ($vmView.Config.BootOptions.EfiSecureBootEnabled) {
        Write-Host "$($vm.Name) has Secure Boot Enabled"
    }
}
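Pulling the two snippets above together, here is an added example (mine, not code from the original post) that audits hosts and VMs in one pass, records why an asset is not using Secure Boot (BIOS firmware, EFI firmware with the option off, or a host that does not enforce it), and writes the result to a CSV as suggested. The vCenter name, the output file name, the decision to skip unreachable hosts rather than abort, and the handling of VMs whose config is unavailable are my assumptions; templates are included because every clone inherits the template's firmware settings.

```powershell
# Added example, not from the original post. Assumes PowerCLI is installed and
# that the vCenter name and output path below are placeholders to replace.
param(
    [string]$Server  = 'vcenter.vmware.lab',
    [string]$OutFile = "SecureBootAudit-$(Get-Date -Format 'yyyyMMdd').csv"
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $Server -Force | Out-Null

$report = [System.Collections.Generic.List[object]]::new()

# ---- Hosts: the esxcli "require secure boot" enforcement setting ----------
# Get-EsxCli only works against hosts vCenter can reach, so skip the others
# rather than aborting the whole run on the first unreachable host.
foreach ($vmhost in (Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' })) {
    try {
        $esxcli  = Get-EsxCli -VMHost $vmhost -V2
        $enc     = $esxcli.system.settings.encryption.get.Invoke()
        # esxcli returns the value as the string "true"/"false"
        $enabled = ("$($enc.RequireSecureBoot)" -eq 'true')
        $note    = if ($enabled) { '' } else { 'Host does not enforce Secure Boot' }
    }
    catch {
        $enabled = $null
        $note    = "esxcli query failed: $($_.Exception.Message)"
    }
    $report.Add([pscustomobject]@{
        Type = 'Host'; Name = $vmhost.Name; Firmware = 'n/a'
        SecureBoot = $enabled; Note = $note
    })
}

# ---- VMs and templates: the EfiSecureBootEnabled boot option --------------
# Get-View with a property list avoids retrieving full VM objects; templates
# are included because clones inherit the template's firmware settings.
$props = 'Name', 'Config.Template', 'Config.Firmware',
         'Config.BootOptions.EfiSecureBootEnabled'
$views = Get-View -ViewType VirtualMachine -Property $props
foreach ($v in $views) {
    if ($null -eq $v.Config) {
        # Orphaned or inaccessible VMs have no Config; flag them for follow-up
        $report.Add([pscustomobject]@{
            Type = 'VM'; Name = $v.Name; Firmware = 'unknown'
            SecureBoot = $null; Note = 'VM config unavailable (inaccessible or orphaned?)'
        })
        continue
    }
    $firmware = $v.Config.Firmware                     # 'bios' or 'efi'
    $enabled  = [bool]$v.Config.BootOptions.EfiSecureBootEnabled
    $type     = if ($v.Config.Template) { 'Template' } else { 'VM' }
    $note = if ($firmware -ne 'efi') { 'BIOS firmware: Secure Boot requires EFI firmware' }
            elseif (-not $enabled)   { 'EFI firmware but Secure Boot is disabled' }
            else                     { '' }
    $report.Add([pscustomobject]@{
        Type = $type; Name = $v.Name; Firmware = $firmware
        SecureBoot = $enabled; Note = $note
    })
}

$report | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Wrote $($report.Count) rows to $OutFile"

# Audit view: everything that is not using Secure Boot, for follow-up
$report | Where-Object { $_.SecureBoot -ne $true } |
    Sort-Object Type, Name | Format-Table Type, Name, Firmware, Note -AutoSize

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it as a script (for example .\Get-SecureBootAudit.ps1 -Server vcenter.example.com) from a session that can already authenticate to vCenter. The CSV carries the SecureBoot column as True/False/blank, so a blank is itself a finding: it means the host or VM could not be queried and should be checked by hand, not assumed compliant.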

