Friday, May 17, 2019

Fix Stuck VMware Tools Install

When automatic VMware Tools upgrades are enabled in vCenter, the ISO will sometimes unmount before the installer notifies vCenter that the installation is done. This causes vCenter, and the host the VM is registered on, to think that the VMware Tools installation is still in progress even though it is complete. The VM is left in a state where it can't migrate, which means the host is unable to enter maintenance mode. To fix this, we need to manually kill the process within ESXi that is running the stuck tools installation.

Start by enabling SSH on the affected host, then use PuTTY (or the SSH client of your choice) to log in to the host. Run the commands below to get the VMID of the affected VM and then to kill the installation process.

Within your SSH session, run the command:

vim-cmd vmsvc/getallvms

Find the VMID of the VM with the stuck tools installation and run the command:

vim-cmd vmsvc/tools.cancelinstall id_number

Replace "id_number" with the correct VMID found with the first command. This will kill the VMware Tools installation process, allowing the VM to be moved with vMotion and the host to enter maintenance mode.

Friday, April 26, 2019

Create a GPO for RegFix Required by MS15-124

A registry modification is required to fully mitigate the IE ASLR Bypass vulnerability (CVE-2015-6161) addressed in MS15-124 and patched in KB3116180 and newer IE cumulative updates. Without the registry entries, systems are still vulnerable. Their absence will also cause the update to be listed as missing, or incomplete, in security scanners such as Tenable Nessus.

In large environments, Microsoft recommends deploying the registry fixes via GPO rather than via their downloadable fix-it program.  My experience has been that newer IE updates will sometimes remove the registry entries that need to be created, so having them in a GPO will ensure they persist through future patch cycles.

To create the GPO:
  1. Open Group Policy Management
  2. Create a new GPO and open it in the editor
  3. Go to Computer Configuration -> Preferences -> Windows Settings -> Registry, right-click Registry, choose New -> Registry Item, and create the following two entries.
    • Reg Item 1:
      • Action: Update
      • Hive: HKLM
      • Key Path: SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
      • Value Name: iexplore.exe
      • Value Type: REG_DWORD
      • Value Data: 1
    • Reg Item 2:
      • Action: Update
      • Hive: HKLM
      • Key Path: SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
      • Value Name: iexplore.exe
      • Value Type: REG_DWORD
      • Value Data: 1
  4. Once the GPO is created, link it to any OUs containing computer objects.
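
To confirm on a client that the GPO actually delivered both values (for example after a patch cycle), the following PowerShell check can be run locally or through your remoting tool of choice. It is an added example, not part of the original post; the function name Test-IeAslrHardening is hypothetical, and it assumes PowerShell 3.0 or later (.NET 4) so that the 32-bit and 64-bit registry views can be opened explicitly, regardless of the bitness of the PowerShell process.

```powershell
# Added example: audit the two MS15-124 hardening values listed in the GPO steps.
# Test-IeAslrHardening is a hypothetical helper name, not a built-in cmdlet.
function Test-IeAslrHardening {
    $subKey    = 'SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\' +
                 'FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING'
    $valueName = 'iexplore.exe'

    # On 64-bit Windows the Registry32 view maps to SOFTWARE\Wow6432Node (Reg Item 2)
    # and Registry64 to the native key (Reg Item 1). 32-bit Windows has only one view.
    $views = @([Microsoft.Win32.RegistryView]::Registry32)
    if ([Environment]::Is64BitOperatingSystem) {
        $views += [Microsoft.Win32.RegistryView]::Registry64
    }

    foreach ($view in $views) {
        $value = $null
        $kind  = $null
        $base  = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                     [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $key = $base.OpenSubKey($subKey)      # $null if the key is missing
            if ($key) {
                $value = $key.GetValue($valueName)  # $null if the value is missing
                if ($null -ne $value) { $kind = $key.GetValueKind($valueName) }
                $key.Close()
            }
        } finally {
            $base.Close()
        }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            View      = $view
            Value     = $value
            Kind      = $kind
            # Compliant only if the value is a REG_DWORD set to 1, as in the GPO.
            Compliant = ($kind -eq 'DWord' -and $value -eq 1)
        }
    }
}

$results = @(Test-IeAslrHardening)
$results | Format-Table -AutoSize
# Non-zero exit code lets a scheduled task or deployment tool flag the host.
if ($results.Compliant -contains $false) { exit 1 }
```

A host that reports Compliant = False after a patch cycle either has not refreshed Group Policy yet or sits in an OU the GPO is not linked to.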