Schannel Set-Crypto PowerCLI Script

Do you need to configure crypto or Schannel (IIS) settings on more than a few Windows virtual machines? The Set-Crypto PowerCLI script might be of use in your VMware environment. Recently I had to configure all the Windows servers in our VMware environment to use the correct crypto/Schannel settings. The gold standard for Windows/IIS administrators for configuring crypto is a program called IISCrypto.

Schannel Security

I have been using IISCrypto for a few years now and it is hands down the easiest way to configure your Windows VMs using the Schannel settings you choose. It also has built-in ‘best practices’ settings for general security as well as PCI and FIPS requirements. This is a great tool for setting one server at a time, but I needed to do this en masse. I thought, wouldn’t it be great if they had a command-line tool? Well, it turns out that they do have a command-line tool. It allowed me to create a script to configure all my servers for crypto/Schannel settings.

Set-Crypto Schannel

The Schannel PowerCLI script Set-Crypto uses the IISCrypto command-line tool, batch files, and template profiles created ahead of time based on ‘best practices’ for Windows Server 2012 R2 and Windows Server 2016 respectively. You can also go to my Pastebin Set-Crypto folder to get the needed batch files and template profile files. You will need to get IISCrypto from Nartac Software. It is free to use, but their site does not explain their licensing model, so I do not know the implications of using their software. Please contact Nartac Software for more information regarding licensing. Please read the assumptions at the beginning of the script. Always be sure to read and understand any code you download from the internet before running it in a production environment.
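
After a template has been pushed to a server, the result can be checked by reading the Schannel protocol keys back from the registry. The following read-only audit is an added example, not part of the Set-Crypto script or of IISCrypto; the function name `Get-SchannelProtocolState` and the expected baseline are assumptions made for illustration.

```powershell
# Added example: read-only audit of Schannel protocol settings on the local machine.
function Get-SchannelProtocolState {
    [CmdletBinding()]
    param(
        # Assumed baseline, constructed for this example (not taken from an IISCrypto template):
        # $true = protocol should be explicitly enabled, $false = explicitly disabled.
        [hashtable]$Expected = @{
            'SSL 2.0' = $false; 'SSL 3.0' = $false
            'TLS 1.0' = $false; 'TLS 1.1' = $false; 'TLS 1.2' = $true
        }
    )
    # Standard registry location of the Schannel protocol settings.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    foreach ($protocol in ($Expected.Keys | Sort-Object)) {
        foreach ($role in 'Server', 'Client') {
            $path  = Join-Path (Join-Path $root $protocol) $role
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

            # A missing key or value means nothing was configured and the OS default applies.
            $enabled = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { $null }
            $byDefault = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { $null }

            # Enabled = 0 disables the protocol; any non-zero DWORD enables it.
            $state = if ($null -eq $enabled) { 'NotSet' } elseif ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }
            $want  = if ($Expected[$protocol]) { 'Enabled' } else { 'Disabled' }

            [pscustomobject]@{
                ComputerName      = $env:COMPUTERNAME
                Protocol          = $protocol
                Role              = $role
                State             = $state
                DisabledByDefault = $byDefault
                Expected          = $want
                # Strict check: a value left at the OS default counts as a miss.
                Compliant         = ($state -eq $want)
            }
        }
    }
}

# List only the rows that miss the baseline on this machine.
Get-SchannelProtocolState | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

To check many servers, the same function body can be passed to `Invoke-Command -ComputerName ... -ScriptBlock ${function:Get-SchannelProtocolState}`. The registry shows the configured state; Schannel protocol changes take effect after a reboot.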


Feel free to comment and give suggestions on how to improve this script or any others I have shared. If you like this script, you may want to check out one of my previous scripts, Powershell SSL Certificate Script.

Cross SSO vMotion Between vCenters

This week I am sharing a very helpful PowerCLI script to vMotion a VM from one SSO domain to another SSO domain. I shamelessly borrowed this script from Romain Decker’s site Cloud Maniac. The original script was very good and functioned well. I just took it a step further and added some functions to customize it for our environment. These functions are: Get-SourcevCenter, Get-DestvCenter, Ask-VMNameForMigration, Ask-DCForMigration, Ask-ClusterForMigration, Choose-StorageForVMMigration. The names of each function should explain their use. Essentially you will need to edit the script to customize some of these functions for your environment.

I have used it dozens of times and it works flawlessly with one exception. If your EVC modes don’t quite match between vCenters, there may be some VMs that cannot be vMotioned while powered on. Just arrange for downtime and try again with the VM powered off. It will work well. This sure beats downloading a VM to your desktop and then uploading it to the new vCenter environment. If you need any explanation or help with modifying this code to fit your environment, please feel free to comment.

(If you like this, please check out some of my other PowerCLI posts, like PowerCLI Get-vCenter Function.)

Caution: Like all code you download from the internet, please understand and modify the code accordingly to prevent unforeseen production problems.  Also known as career-altering events. 

Cross SSO vMotion PowerCLI Code: 
