VMware ESXi 6 Password Policy

With VMware ESXi 6 the password policy has changed and now requires more complex passwords. The password policy in ESXi 6 has the following requirements:

  • Passwords must contain characters from at least three character classes.
  • Passwords containing characters from three character classes must be at least seven characters long.
  • Passwords containing characters from all four character classes must be at least seven characters long.

An uppercase character that begins a password does not count toward the number of character classes used. A number that ends a password does not count toward the number of character classes used.

For lab environments I frequently change the password policy to the ESXi 5 default, because it makes it possible to generate passwords that are easier to remember. The ESXi 5 default password policy has the following requirements:

  • Passwords containing characters from one or two character classes must be at least eight characters long.
  • Passwords containing characters from three character classes must be at least seven characters long.
  • Passwords containing characters from all four character classes must be at least six characters long.

The default configurations for ESXi 5 and ESXi 6 are:

  • ESXi 5: retry=3 min=8,8,8,7,6
  • ESXi 6: retry=3 min=disabled,disabled,disabled,7,7

This means for the ESXi 5 password policy:

retry=3 min=N0,N1,N2,N3,N4

retry=3: A user is allowed 3 attempts to enter a sufficient password.
N0=8: Passwords containing characters from one character class must be at least eight characters long. For example: vmwareee
N1=8: Passwords containing characters from two character classes must be at least eight characters long. For example: vmware12
N2=8: Passphrases must contain words that are each at least eight characters long. For example: vmwareee
N3=7: Passwords containing characters from three character classes must be at least seven characters long. For example: VMware12
N4=6: Passwords containing characters from all four character classes must be at least six characters long. For example: VMware1!

The word “disabled” can be used in place of a number to disallow passwords of that kind. The password policy can be changed in the vSphere (Web) Client advanced system settings (see screenshot). Editing the PAM config files on the ESXi host is no longer required.

vsphere client

To change the password policy on multiple ESXi hosts, PowerCLI can be used. Here’s an example to change the Password Policy to the ESXi 5 password policy default:

# Set the ESXi Password Policy by using PowerCLI for every ESXi host
# Default Password Policy ESXi 6 = retry=3 min=disabled,disabled,disabled,7,7
# Default Password Policy ESXi 5 = retry=3 min=8,8,8,7,6
# Last updated by: Ivo Beerens October 4, 2015
$PasswordPolicy = "retry=3 min=8,8,8,7,6"
# Only touch hosts that are currently connected
$VMHosts = Get-VMHost | Where-Object { $_.ConnectionState -eq "Connected" }
foreach ($VMHost in $VMHosts) {
    # Write the new policy to the host's advanced setting without prompting
    Get-AdvancedSetting -Entity $VMHost -Name "Security.PasswordQualityControl" | Set-AdvancedSetting -Value $PasswordPolicy -Confirm:$false
}
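
Before changing the setting on many hosts, it helps to know what each host currently enforces. The following is an added example, not part of the original script: it parses the retry/min format described above and reports which hosts accept passwords from only one or two character classes. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the function and property names are this example's own.

```powershell
# Added example: report Security.PasswordQualityControl per host before changing it.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.
$Esxi6Default = 'retry=3 min=disabled,disabled,disabled,7,7'   # value quoted in the post

function ConvertFrom-PasswordQualityControl {
    param([string]$Value)
    # Format described in the post: retry=<n> min=N0,N1,N2,N3,N4
    if ($Value -notmatch 'retry=(\d+)\s+min=(\S+)') { return $null }
    $retry = [int]$Matches[1]
    $min   = $Matches[2] -split ','
    if ($min.Count -ne 5) { return $null }
    [pscustomobject]@{
        Retry        = $retry
        OneClass     = $min[0]   # N0
        TwoClasses   = $min[1]   # N1
        Passphrase   = $min[2]   # N2
        ThreeClasses = $min[3]   # N3
        FourClasses  = $min[4]   # N4
    }
}

$VMHosts = Get-VMHost | Where-Object { $_.ConnectionState -eq 'Connected' }
$report = foreach ($VMHost in $VMHosts) {
    $setting = Get-AdvancedSetting -Entity $VMHost -Name 'Security.PasswordQualityControl'
    $policy  = ConvertFrom-PasswordQualityControl -Value $setting.Value
    [pscustomobject]@{
        VMHost             = $VMHost.Name
        Policy             = $setting.Value
        Parsed             = [bool]$policy
        # True when passwords built from only one or two character classes are accepted
        AllowsOneOrTwo     = [bool]($policy -and ($policy.OneClass -ne 'disabled' -or
                                                  $policy.TwoClasses -ne 'disabled'))
        ThreeClassMinimum  = if ($policy) { $policy.ThreeClasses } else { $null }
        FourClassMinimum   = if ($policy) { $policy.FourClasses } else { $null }
        IsEsxi6Default     = ($setting.Value -eq $Esxi6Default)
    }
}

# Hosts that deviate from the ESXi 6 default are listed first
$report | Sort-Object IsEsxi6Default, VMHost | Format-Table -AutoSize
```

Keeping the output of this report next to the change record makes it easy to put lab hosts back on the ESXi 6 default later.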

Enable Touch ID Authentication in VMware Horizon

In Horizon 6.2 it is possible to authenticate with Apple's Touch ID. Touch ID is not enabled by default and has the following minimum requirements:

  • iPhone 5S, 6, and 6 Plus
  • iPad Air 2 and iPad mini 3
  • iOS 8
  • Horizon 6 version 6.2
  • The View Connection Server must present a valid root-signed certificate to the Horizon Client
  • Horizon 3.5 client
  • The Horizon Client certificate checking mode must be set to ‘Never connect to untrusted servers’ or ‘Warn before connecting to untrusted servers’

Touch ID is not enabled by default and is a global setting, so once it is enabled, all users are able to log in using Touch ID! There is no other way to control who can use Touch ID.

The following steps describe how to enable Touch ID:

Enable BioMetrics authentication in the View Connection Server.

  • Start ADSI Edit on the View Connection Server
  • In the Connection Settings dialog box, select or connect to DC=vdi,DC=vmware,DC=int
  • In the Computer pane, type localhost


  • Browse to the object CN=Common, OU=Global, OU=Properties
  • Edit the pae-ClientConfig attribute and add the value BioMetricsTimeout=-1 (-1 means BioMetric Authentication is supported without any time limit. To enable a time limit, enter for example 30 for 30 minutes).



  • The new setting takes effect immediately
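
Because the setting is global, it is worth confirming what is actually stored in View LDAP after the edit. The following is an added example, not from the original post: it reads the same object that the ADSI Edit steps above modify and interprets the BioMetricsTimeout value. Binding to localhost with the current Windows credentials and the function name Get-BioMetricsState are assumptions of this example.

```powershell
# Added example: read pae-ClientConfig from View LDAP and report the Touch ID state.
# Run on the View Connection Server with an account that may read View LDAP.

function Get-BioMetricsState {
    param([string[]]$ClientConfig)
    # pae-ClientConfig holds name=value entries; look for BioMetricsTimeout
    foreach ($entry in $ClientConfig) {
        if ($entry -match '^\s*BioMetricsTimeout\s*=\s*(-?\d+)\s*$') {
            $minutes = [int]$Matches[1]
            if ($minutes -eq -1) {
                return 'Touch ID enabled for all users, no time limit'
            }
            return "Touch ID enabled for all users, time limit $minutes minutes"
        }
    }
    return 'BioMetricsTimeout not present: Touch ID not enabled'
}

# Same object as in the ADSI Edit steps: CN=Common, OU=Global, OU=Properties
$dn     = 'CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'
$common = [ADSI]"LDAP://localhost/$dn"
$values = @($common.Properties['pae-ClientConfig'])

Get-BioMetricsState -ClientConfig $values

# Constructed sample values, to show the three possible results without a server
Get-BioMetricsState -ClientConfig @('BioMetricsTimeout=-1')
Get-BioMetricsState -ClientConfig @('BioMetricsTimeout=30')
Get-BioMetricsState -ClientConfig @()
```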

Horizon Client

  • Check the certificate settings on the iPad or iPhone.
  • Enable Touch ID in the Horizon Client and log in the first time with your password.

After that you are able to use Touch ID to authenticate to the Horizon View environment. Pretty cool stuff!


VMware vShield drivers renamed to Guest Introspection drivers

The vShield Endpoint drivers have been renamed to Guest Introspection Drivers. In VMware Tools there are two drivers available:

  • NSX File Introspection Driver (vsepflt.sys)
  • NSX Network Introspection Driver (vnetflt.sys)

These drivers can now be installed separately, which allows you to install the file driver without installing the network driver. To install the vShield Endpoint Thin Agent driver (vsepflt.sys), select the NSX File Introspection Driver in VMware Tools under VMCI Driver.

vShield driver

For existing installations check if the vShield Endpoint Thin Agent driver is installed by using the following steps:

  • Open ‘msinfo32’
  • Select Software Environment (1)
  • Select System Drivers (2)
  • Search for the vsepflt driver (3) and check if the driver is running





What’s announced at VMworld 2015?

This blog post summarizes most of the VMworld 2015 announcements. The VMworld 2015 day 1 announcements were all about the Software Defined Datacenter (SDDC), Hybrid cloud and Cloud Native Apps (containers). This blog post will be updated with new announcements when available.

VMworld 2015 day 1

VMware EVO SDDC (EVO RACK). VMware EVO SDDC is designed to provide a simple to deploy and updated SDDC at rack-scale, and includes software-defined compute, storage, networking security, and management.

More information: Link

Virtual SAN (VSAN) 6.1. VSAN 6.1 is the third release with the following new features:

  • Virtual SAN Stretched Cluster
  • Virtual SAN for Remote Office / Branch Office (ROBO)
  • Virtual SAN Replication with vSphere Replication
  • Support for Multi-Processor Fault Tolerance (SMP-FT)
  • Support for Windows Server Failover Clustering (WSFC) and Oracle Real Application Cluster (RAC)
  • Maximum Performance and Low latencies
  • Virtual SAN Health Check-Plug-in
  • Virtual SAN Management Pack for vRealize Operations

More information: Link

Unified Hybrid Cloud. The Unified Hybrid Cloud platform has the following new services and features:

  • Project Skyscraper (Technology Preview): Live Migration (vMotion) between datacenters. For example between on-premises and vCloud Air.
  • VMware vCloud Air Disaster Recovery.
  • VMware vCloud Air Object Storage
  • VMware vCloud Air SQL
  • VMware vCloud Air Advanced Networking Services
  • VMware vCloud Air Hybrid Cloud Manager

More information: Link

vSphere Integrated Containers and Photon Platform. VMware vSphere Integrated Containers will enable IT teams to support any application, including containerized applications, on a common infrastructure. The VMware Photon Platform will include future integrations with VMware NSX, VMware Virtual SAN and VMware vRealize Suite.

More information: Link

VMware Integrated OpenStack (VIO) 2. The new release is based on OpenStack Kilo.

VMware Validated Design. VMware Validated Designs are architectures created and validated by VMware experts to build your SDDC.

More information: Link

Other announcements (not in the general session)


  • Double user density up to 128 users per server
  • Blade support for NVIDIA GRID
  • Linux support

More information: Link, YouTube

App-Delivery Decision Maker for Horizon 6. The Decision Maker helps you navigate the wide array of options that Horizon 6 supports to meet your application delivery and user requirements.

More information: Link

End User Computing Best Practices poster.

More information: Link

Site Recovery Manager 6.1.  SRM 6.1 has the following new capabilities:

  • Storage Profile Based Protection. Storage policy-based management to simplify the process of adding and removing protection to virtual
  • Stretched Storage and Orchestrated vMotion. Support for stretched storage solutions combined with cross-vCenter vMotion allows companies to achieve application mobility without incurring downtime, while taking advantage of all the benefits of Site Recovery Manager
  • Enhanced integration with VMware NSX. Enhancements to and integration with NSX 6.2 that simplify both the creation and execution of recovery plans and accelerate recovery time.

More information: Link

VMware NSX 6.2. NSX vSphere 6.2 includes the following new and changed features:

  • Cross vCenter Networking and Security
  • NSX 6.2 with vSphere 6.0 supports Cross vCenter NSX where logical switches (LS), distributed logical routers (DLR) and distributed firewalls (DFW) can be deployed across multiple vCenters, thereby enabling logical networking and security for applications with workloads (VMs) that span multiple vCenters or multiple physical locations.
  • Consistent firewall policy across multiple vCenters: Firewall Rule Sections in NSX can now be marked as “Universal” whereby the rules defined in these sections get replicated across multiple NSX managers. This simplifies the workflows involving defining consistent firewall policy spanning multiple NSX installations
  • Cross vCenter vMotion with DFW: Virtual Machines that have policies defined in the “Universal” sections can be moved across hosts that belong to different vCenters with consistent security policy enforcement.
  • Universal Security Groups: Security Groups in NSX 6.2 that are based on IP Address, IP Set, MAC Address and MAC Set can now be used in Universal rules whereby the groups and group memberships are synced up across multiple NSX managers. This improves the consistency in object group definitions across multiple NSX managers, and enables consistent policy enforcement
  • Universal Logical Switch (ULS): This new functionality introduced in NSX 6.2 as a part of Cross vCenter NSX allows creation of logical switches that can span multiple vCenters, allowing the network administrator to create a contiguous L2 domain for an application or tenant.
  • Universal Distributed Logical Router (UDLR): This new functionality introduced in NSX 6.2 as a part of Cross vCenter NSX allows creation of distributed logical routers that can span multiple vCenters. The universal distributed logical routers enable routing across the universal logical switches described earlier. In addition, NSX UDLR is capable of localized north-south routing based on the physical location of the workloads.

VMworld 2015 day 2

Day 2 announcements are about business mobility and End User Computing (EUC).

VMware Project A2. A new Technology Preview called Project A2 that offers a new mobile-centric approach to delivering and managing applications and devices for Windows 10 using AirWatch enterprise mobile management (EMM) and VMware App Volumes application delivery technology. This integrated solution enables our customers to accelerate their adoption of Windows 10 with mobile-like management for their devices and applications. Project A2 combines AirWatch and App Volumes to deploy applications to physical endpoints.

VMware Identity Manager Advanced Edition. Introducing a new identity solution called VMware Identity Manager Advanced Edition that is a standalone identity as a service (IDaaS) solution for simplified access and identity management. Our existing solutions, Horizon and AirWatch already include this key enabling technology platform for delivering a single sign-on experience for Windows, SaaS and mobile applications. We are now announcing the release of this key, proven technology as a standalone product for customers that seek a standalone identity as a service solution.

More information: Link.

VMware Horizon 6.2 and VMware Horizon 6.2 for Linux offer the following new capabilities:

  • VMware Horizon 6.2 will deliver applications at scale with new features to make the deployment and management of RDSH applications easier and more scalable. View Composer with Linked Clones will allow you to simply deploy and quickly update your entire RDSH farm. Load balancing improvements will allow you to balance applications based on various load metrics (CPU or memory usage) and will include an extensible interface to balance RDSH hosts based on metrics. The solution will also integrate Horizon Apps into the Cloud Pod Architecture (CPA) to allow virtual machines to scale between sites and between datacenters.
  • VMware Horizon 6.2 will also deliver a richer and more seamless user experience for apps and desktops.
  • Delivering rich 3D desktops and apps has never been easier. VMware Horizon 6.2 together with NVIDIA GRID cards will deliver high-end 3D graphics applications with RDSH in addition to 3D VDI desktops. VMware Horizon 6.2 will add support for NVIDIA GRID and NVIDIA GRID 2.0. NVIDIA GRID 2.0, based on NVIDIA’s award winning Maxwell architecture, will offer higher user density with higher performance to more platforms. The solution will support 4K (3840×2160) high resolution desktops and Linux desktops. Finally, vDGA pass through graphics will be extended to support select AMD FirePro GPUs for Windows VDI desktops.
  • It will be easier to work with local files too, with VMware Horizon 6.2. With VMware Horizon 6.2, hosted applications will be easier than ever to use with support for File Type Association with Windows clients, making it easy to open a file with a remote app right from the Windows Explorer. Client Drive Redirection, which allows easy access to files on your computer, will be extended with encryption for greater security, along with new support for Mac clients. In addition, Linux client support will be available as a tech preview.
  • There will also be communication improvements. VMware Horizon 6.2 will support the Skype for Business messaging application (formerly known as Microsoft Lync) on several Windows platforms including Windows 7, Windows 8.1, Windows 2008 R2, Windows 2012 R2 with Windows 10 desktops, and RDSH desktops running on Windows 2008 R2 and Windows 2012 R2 Servers.
  • VMware Horizon 6.2 with latest Horizon Client 3.5 for iOS will also offer the option of using Touch ID for easy login to your apps or desktops. Once enabled by the administrator, end-users can enjoy amazing one-touch access when using an iPhone or iPad.
  • Oh, did I forget Windows 10? Windows 10 is fully supported across the entire VMware Horizon portfolio including Horizon clients, desktops and hosted applications. This day 0 support of Windows 10 continues our commitment to offering compatibility with the latest innovative technologies. With Windows 10 desktops running on VMware Horizon virtual desktops, end-users have full access to the features and functionality available from Windows 10 and VMware Horizon.
  • VMware Horizon 6.2 is also optimized for the VMware SDDC environment and already supports the latest release of vSphere – vSphere 6 U1. We leverage the new all-flash Virtual SAN to support double the number of users at the same cost, double your density, and supports over four thousand users per cluster. You can take advantage of the vSAN stretched cluster technology to deploy Horizon across multiple sites.
  • There will be more security in VMware Horizon as well. VMware Horizon 6.2 includes a hardened appliance to secure access to the Horizon infrastructure from outside the corporate firewall. Integration with VMware Identity Manager, included with Horizon Advanced and Horizon Enterprise, will provide end-users with secure, customizable access to resources using an expanding set of authentication sources including two-factor and bio-metric fingerprint authentication.
  • For federal government customers, the solution will also be compliant with the FIPS 140-2 regulation for security
  • VMware User Environment Manager (UEM) 8.7, included with Horizon Enterprise, will fully support Windows 10 and will offer even greater efficiency for dynamic updates to the mobile user environment. It will also be able to detect a wide range of connections including PCoIP, Blast, RDP, and Citrix. VMware User Environment Manager natively supports policies based on client name and IP for VMware Horizon connections with improved application profiling. Administrators will have greater visibility and new tools for analysis to understand when and where UEM settings are applied.
  • There will be new advancements in VMware Horizon for Linux as well. VMware Horizon for Linux will support NVIDIA GRID 2.0 to deliver shared and scalable 3D graphics to Linux users with up to 4 displays. VMware Horizon 6.2 for Linux will also offer support for Red Hat Enterprise Linux 7.1.

More information: Link

VMware Project Enzo. Offers our customers transformed economics and cloud simplicity for virtual desktops and apps via a modern hybrid architecture and hyper converged infrastructure. Project Enzo will be available as beta.

More information: Link

Manage Hyper-V in a workgroup remotely

Managing Hyper-V remotely in a workgroup can be challenging to configure. This is still the case for Windows Server 2016. For a testing environment I needed to remotely manage a Windows Server 2016 Core server with the Hyper-V role enabled from Windows 10 with the Hyper-V Manager. I used the following manual configuration:

  • Client with Hyper-V Manager (Windows 10). This client is called win10-01
  • Server with Windows Server 2016 core version with the Hyper-V role enabled. The server is called hv-02
  • Both systems are in the same workgroup called “workgroup”
  • Both systems have the same username and password.

Configuration on the Windows Server 2016 server:

  • Enable Remote Management
Configure-SMRemoting.exe -Enable
  • Open firewall for Remote Computer Management
Set-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Enabled true -PassThru
Set-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Enabled true -PassThru
  • Open firewall for ping (ICMPv4)
Set-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' -Enabled True -PassThru
  • Enable Remote Desktop and allow remote connections
cscript.exe c:\Windows\System32\SCregEdit.wsf /AR 0
  • Enable Remote disk management
Set-NetFirewallRule -DisplayGroup 'Remote Volume Management' -Enabled true -PassThru


Configuration on the Windows 10 client:

  • Add an entry to the hosts file with the IP address and hostname of the server. Make sure you can ping the hostname


  • Make sure that the network type is set to Private before executing the winrm command


  • Enable Remote Management
winrm quickconfig
  • For Managing remote systems
winrm set winrm/config/client '@{TrustedHosts="Name of the Server"}'
  • Enable the Remote Volume Management firewall rule for remote disk management (run this command on both systems)
Set-NetFirewallRule -DisplayGroup 'Remote Volume Management' -Enabled true -PassThru
  • Open c:\windows\system32\dcomcnfg.exe and allow ‘anonymous logon’ for local and remote access.


After making these settings I was able to manage the Windows Server 2016 server with the following tools remotely:

  • Hyper-V manager
  • Computer Management
  • Disk Management
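
The client-side steps above (hosts entry, network type check, WinRM, TrustedHosts) can be combined into one script. The following is an added example, not from the original post: it uses the server name hv-02 from the post, a placeholder IP address from the documentation range, and adds only that one name to TrustedHosts while keeping any existing entries. The dcomcnfg step is not covered. Run it in an elevated PowerShell session on the Windows 10 client.

```powershell
# Added example: client-side configuration for win10-01 as one script.
$Server   = 'hv-02'        # server name used in the post
$ServerIp = '192.0.2.10'   # placeholder address; replace with the server's IP

# 1. Hosts file entry, added only when the name is not present yet
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
$pattern   = '\s' + [regex]::Escape($Server) + '(\s|$)'
if (-not (Select-String -Path $hostsFile -Pattern $pattern -Quiet)) {
    Add-Content -Path $hostsFile -Value "$ServerIp`t$Server"
}
if (-not (Test-Connection -ComputerName $Server -Count 2 -Quiet)) {
    throw "Cannot ping $Server; check the hosts entry and the ICMPv4 rule on the server."
}

# 2. The post requires a Private network before the winrm command is run
$public = Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' }
if ($public) {
    throw "Network '$($public.InterfaceAlias)' is Public; set it to Private first."
}

# 3. Enable Remote Management (same as 'winrm quickconfig', without the prompt)
winrm quickconfig -quiet

# 4. Trust only the named server; keep existing entries instead of overwriting them
$trustedPath = 'WSMan:\localhost\Client\TrustedHosts'
$current     = (Get-Item $trustedPath).Value
$entries     = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($entries -notcontains $Server -and $entries -notcontains '*') {
    Set-Item $trustedPath -Value $Server -Concatenate -Force
}

# 5. Remote disk management firewall rule (the post runs this on both systems)
Set-NetFirewallRule -DisplayGroup 'Remote Volume Management' -Enabled True

# 6. Verify: show the resulting TrustedHosts value and check that WinRM on the server answers
(Get-Item $trustedPath).Value
Test-WSMan -ComputerName $Server
```

After testing, Clear-Item WSMan:\localhost\Client\TrustedHosts removes all TrustedHosts entries on the client again.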

