Configuring Advanced Options

The advanced options settings of an ESXi host can affect virtual machine security.

Advanced options include welcome messages, sshd prompts, SOAP session timeout, eager zeroing of VM memory, login attempts before lockout, seconds delay after lockout, password history, password duration, password quality, DCUI timeout, shell timeout, and host client session timeout. Eager zeroing of memory can be helpful for security.

Setting advanced options on individual ESXi hosts using the UI can be impractical at scale. The vSphere API offers a programmatic interface to manipulate advanced options. The UI is built on top of the API calls.

Advanced options are controlled by the OptionManager managed object, a property of HostConfigManager. You can show advanced options with QueryOptions, and set them with UpdateOptions. For details, see the vSphere API Reference.

Querying Advanced Options

The full list of advanced options is available in the OptionManager.supportedOption[] field, and the list of non-default settings is available in the OptionManager.setting[] field. The contents of these arrays are fixed for a particular ESXi build and do not change at runtime.

You can use the QueryOptions method to get the setting for any supported option.

Setting Advanced Options

To set an advanced option, call the UpdateOptions method with the desired key and value. The following pseudo-code sets the advanced option for memory zeroing to "1" for true:

MoRef optionMgr = hostSystem.configManager.advancedOption;
opts = new OptionValue[]
opts[0].key = "Mem.MemEagerZero"
opts[0].value = "1"
optionMgr.UpdateOptions(changedValue=opts)