AsBuiltReport.VMware.vSphere
Record the TPM State of each node and, if encryption is enabled, back up the keys of each node into the report
Since TPM should now be implemented for all deployments, can this detail be added to the report?
Link with example code: https://vm.knutsson.it/2021/07/powercli-tpm-encryption-recovery-key-backup/
I got bitten by this after a recent deployment where the keys were not recorded and a node failed a couple of weeks after. Recovery would have been possible and faster had I recorded all the keys.
I'll get greedy by asking to record the Key Persistence status too :-)
This is used to set it: Key persistence is not enabled by default when using 3rd party KMS. This can be enabled via the following esxcli commands:
    esxcli system settings encryption set --mode=TPM
    esxcli system security keypersistence enable
https://core.vmware.com/blog/support-key-persistence
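A PowerCLI collector for the fields requested in this post (TPM state, encryption mode, recovery keys, key persistence), added here as an example and not taken from the AsBuiltReport project or the linked blog. It assumes an open Connect-VIServer session, and that an esxcli `system security keypersistence get` command exists as the read-side companion of the `enable` command quoted above; the esxcli object property names (Mode, RequireSecureBoot, RecoveryID, Key) are assumed from the corresponding esxcli output columns.

```powershell
# Added example, not code from the AsBuiltReport project or the linked blog post.
# Assumes an active Connect-VIServer session.
function Get-VMHostTpmEncryptionReport {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        $VMHost = (Get-VMHost)
    )
    process {
        foreach ($h in $VMHost) {
            $esxcli = Get-EsxCli -VMHost $h -V2
            # 'esxcli system settings encryption get' / 'recovery list' as V2 objects
            $enc  = $esxcli.system.settings.encryption.get.Invoke()
            $keys = $esxcli.system.settings.encryption.recovery.list.Invoke()

            # Assumed: 'keypersistence get' is the read-side of the 'enable' command
            # quoted in the thread; builds without the namespace throw, so record that.
            try   { $kp = ($esxcli.system.security.keypersistence.get.Invoke() | Out-String).Trim() }
            catch { $kp = 'Not available' }

            [pscustomobject]@{
                Host              = $h.Name
                TpmSupported      = $h.ExtensionData.Capability.TpmSupported
                AttestationStatus = $h.ExtensionData.Summary.TpmAttestation.Status
                EncryptionMode    = $enc.Mode
                RequireSecureBoot = $enc.RequireSecureBoot
                RecoveryID        = ($keys | ForEach-Object { $_.RecoveryID }) -join ';'
                RecoveryKey       = ($keys | ForEach-Object { $_.Key }) -join ';'
                KeyPersistence    = $kp
                # Health check: encryption mode set to TPM on this host
                TpmModeEnabled    = ($enc.Mode -eq 'TPM')
            }
        }
    }
}

# Usage: collect for all hosts, show the table and keep the keys with the report.
# The CSV contains recovery keys, so store it with the same access controls as the report.
$report = Get-VMHost | Get-VMHostTpmEncryptionReport
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\vmhost-tpm-encryption.csv -NoTypeInformation
```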
I'll look into adding the TPM information, however an as-built does not set or change a configuration, it simply documents and records the current configuration.
Thanks, Tim. I only included those "set" commands to hint at a place to check if it was even enabled or not
Yeah thanks for that, I will likely use that to report on whether it is set or not, and probably add a health check for it too.