update

_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/.universal/schedules.ps1

@@ -24,4 +24,7 @@ New-PSUSchedule -Cron "0 11 * * *" -Script "Infra-Certificate-External.Sectigo\I
 New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDVMwareVMMetadataToSql.ps1" -TimeZone "America/Chicago" -Name "Sync-ITDVMwareVMMetadataToSql.ps1" 
 New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDVMwareHostMetadataToSql.ps1" -TimeZone "America/Chicago" -Name "Sync-ITDVMwareHostMetadataToSql.ps1" 
 New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDVMwareClusterMetadataToSql.ps1" -TimeZone "America/Chicago" -Name "Sync-ITDVMwareClusterMetadataToSql.ps1" 
-New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDOneViewServerInventoryToSql.ps1" -Name "Sync-ITDOneViewServerInventoryToSql.ps1"
+New-PSUSchedule -Cron "0 8 * * *" -Script "Infra-VMware.Administration\Sync-ITDOneViewServerInventoryToSql.ps1" -TimeZone "America/Chicago" -Name "Sync-ITDOneViewServerInventoryToSql.ps1" 
+New-PSUSchedule -Cron "0 7 * * MON-FRI" -Script "Infra-VMware.Administration\New-ITDVMwareVMHostLockdownTicket.ps1" -TimeZone "America/Chicago" -Name "New-ITDVMwareVMHostLockdownTicket.ps1" 
+New-PSUSchedule -Cron "0 8 * * MON-FRI" -Script "Infra-VMware.Administration\Enable-ITDVMwareVMHostLockdownViaTicket.ps1" -TimeZone "America/Chicago" -Name "Enable-ITDVMwareVMHostLockdownViaTicket.ps1" 
+New-PSUSchedule -Cron "15 0 1 * *" -Script "Infra-VMware.Administration\Disable-ITDVMwareVMHostLockdownVantisScan.ps1" -Name "Disable-ITDVMwareVMHostLockdownVantisScan.ps1"

_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/.universal/scripts.ps1

@@ -40,7 +40,7 @@ New-PSUScript -Name "Test-ZMFile.ps1" -Description "Test-ZMFile.ps1" -Tag @('Inf
 New-PSUScript -Name "Update-ITDVMwareILOSslCertificate.ps1" -Description "Update-ITDVMwareILOSslCertificate.ps1" -TimeOut "300" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Update-ITDVMwareILOSslCertificate.ps1" -Environment "Agent" -Credential "ndgov_svcitdiaasauto" 
 New-PSUScript -Name "Test-ZMVariable.ps1" -Description "Test-ZMVariable.ps1 [[-variable1] <string>] [[-variable2] <string>]" -Path "ZM-Test\Test-ZMVariable.ps1" 
 New-PSUScript -Name "Test-ITDScheduleWithCreds.ps1" -Description "Test-ITDScheduleWithCreds.ps1" -Path "ZM-Test\Test-ITDScheduleWithCreds.ps1" -Environment "Agent" -Credential "ndgov_svcitdiaasauto" 
-New-PSUScript -Name "New-ITDCertificateRequestSectigo.ps1" -Description "New-ITDCertificateRequestSectigo.ps1" -Tag @('Team-Windows_Execute','Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\New-ITDCertificateRequestSectigo.ps1" -Environment "PowerShell 7" 
+New-PSUScript -Name "New-ITDCertificateRequestSectigo.ps1" -Description "New-ITDCertificateRequestSectigo.ps1" -Tag @('Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\New-ITDCertificateRequestSectigo.ps1" -Environment "PowerShell 7" 
 New-PSUScript -Name "Unregister-CommonName.ps1" -Description "Unregister-CommonName.ps1" -Tag @('Team-Windows_Execute','Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\Unregister-CommonName.ps1" -Environment "PowerShell 7" 
 New-PSUScript -Name "Invoke-CertAutoRenew.ps1" -Description "Invoke-CertAutoRenew.ps1" -Tag @('Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\Invoke-CertAutoRenew.ps1" -Environment "PowerShell 7" 
 New-PSUScript -Name "New-SectigoPfxCertificate.ps1" -Description "New-SectigoPfxCertificate.ps1" -Tag @('Team-Windows_Execute','Infra-Certificate_Modify') -Path "Infra-Certificate-External.Sectigo\New-SectigoPfxCertificate.ps1" -Environment "PowerShell 7" 
@@ -54,3 +54,6 @@ New-PSUScript -Name "Sync-ITDVMwareClusterMetadataToSql.ps1" -Description "Sync-
 New-PSUScript -Name "Sync-ITDVMwareHostMetadataToSql.ps1" -Description "Daily VMware Host metadata report for PowerBI trending and hardware capacity planning." -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Sync-ITDVMwareHostMetadataToSql.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcro" 
 New-PSUScript -Name "Sync-ITDVMwareVMMetadataToSql.ps1" -Description "Sync-ITDVMwareVMMetadataToSql.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Sync-ITDVMwareVMMetadataToSql.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcro" 
 New-PSUScript -Name "Sync-ITDOneViewServerInventoryToSql.ps1" -Description "Sync-ITDOneViewServerInventoryToSql.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Sync-ITDOneViewServerInventoryToSql.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmhpe" 
+New-PSUScript -Name "New-ITDVMwareVMHostLockdownTicket.ps1" -Description "New-ITDVMwareVMHostLockdownTicket.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\New-ITDVMwareVMHostLockdownTicket.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcro" 
+New-PSUScript -Name "Enable-ITDVMwareVMHostLockdownViaTicket.ps1" -Description "Enable-ITDVMwareVMHostLockdownViaTicket.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Enable-ITDVMwareVMHostLockdownViaTicket.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcauto" 
+New-PSUScript -Name "Disable-ITDVMwareVMHostLockdownVantisScan.ps1" -Description "Disable-ITDVMwareVMHostLockdownVantisScan.ps1" -Tag @('Infra-VMware_Modify') -Path "Infra-VMware.Administration\Disable-ITDVMwareVMHostLockdownVantisScan.ps1" -Environment "PowerShell 7" -Credential "ndgov_svcitdvmvcauto"

_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/Disable-ITDVMwareVMHostLockdownVantisScan.ps1

@@ -0,0 +1,41 @@
+
+[CmdletBinding()]
+param (
+)
+    
+begin {
+        
+}
+    
+process {
+    Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcauto
+    
+    $VMHosts = Get-Datacenter -Name "Grand Forks Vantis" | Get-VMHost
+    
+    ForEach ($VMHost in $VMHosts) {
+        Write-Verbose -Message ("Start: " + $VMHost.Name) -Verbose
+    
+        $VMHostStatus = Get-ITDVMwareVMHostStatus -Name $VMHost.Name
+        
+        # if accurate, enable lockdown
+        If ($VMHostStatus.LockdownMode -eq 'lockdowndisabled') {
+            Write-Verbose -Message ("Lockdown is already disabled on " + $VMHost.Name + ", no change") -Verbose
+            $NoChange = $true
+        }
+        Else {
+            Write-Verbose -Message ("Lockdown is enabled on " + $VMHost.Name + ", disabling now") -Verbose
+            Disable-ITDVMwareVMHostFeature -Name $VMHost.Name -LockdownMode
+            
+        } 
+        Start-Sleep -Seconds 5
+        
+        # confirm lockdown is enabled
+        $VMHostStatusCheck = Get-ITDVMwareVMHostStatus -Name $VMHost.Name
+    }
+
+    Disconnect-ITDvCenter
+}
+    
+end {
+        
+}

_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/Enable-ITDVMwareVMHostLockdownViaTicket.ps1

@@ -0,0 +1,86 @@
+
+[CmdletBinding()]
+param (
+        [switch]
+        $IncludeInProgress
+)
+    
+begin {
+        
+}
+    
+process {
+    New-ITDServiceNowSession -Credential $Secret:snow_vmcred -Environment Production
+    Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcauto
+    
+    If($PSBoundParameters.ContainsKey("IncludeInProgress")){
+        $Filter = 'short_descriptionSTARTSWITHLockdown mode is disabled on VMware host^state=1^ORstate=2'
+    } Else {
+        $Filter = 'state=1^short_descriptionSTARTSWITHLockdown Mode is disabled on VMware host'
+    }
+
+    $Incidents = Get-ITDServiceNowRecord -ItemType Incident -Filter $Filter | Sort-Object {$_.number.value}
+    
+    ForEach ($Incident in $Incidents) {
+        # reset variables for each loop
+        $VMHostName = $null
+        $VMHostStatus = $null
+        $VMHostStatusCheck = $null
+        $NoChange = $null
+
+        $VMHostName = $Incident.short_description.display_value.split(' ')[-1]
+        
+        Write-Verbose -Message ("Start " + $Incident.number.display_value + " for host " + $VMHostName) -Verbose
+        # confirm ticket is accurate, that host has lockdown mode disabled
+        $VMHostStatus = Get-ITDVMwareVMHostStatus -Name $VMHostName
+        
+        # if accurate, enable lockdown
+        If ($VMHostStatus.LockdownMode -eq 'lockdowndisabled') {
+            Write-Verbose -Message ("Lockdown is still disabled on " + $VMHostName + ", enabling lockdown mode") -Verbose
+            Enable-ITDVMwareVMHostFeature -Name $VMHostName -LockdownMode
+        }
+        Else {
+            Write-Verbose -Message ("Lockdown is already enabled on " + $VMHostName + ", no change") -Verbose
+            $NoChange = $true
+        } 
+        Start-Sleep -Seconds 5
+        
+        # confirm lockdown is enabled
+        $VMHostStatusCheck = Get-ITDVMwareVMHostStatus -Name $VMHostName
+
+        # update ticket with current status
+        If ($VMHostStatusCheck.LockdownMode -eq 'lockdowndisabled') {
+            # update work notes if disabled
+            Write-Verbose -Message ("Lockdown is still disabled on " + $VMHostName + ", update incident work notes") -Verbose
+            $WorkNotesMsg = ("Lockdown is still disabled on " + $VMHostName + " after attempted remediation, manual review required.")
+            Update-ITDServiceNowRecord -ItemType Incident -Number $Incident.number.display_value -Values @{
+                work_notes = $WorkNotesMsg
+                state      = 'On Hold'
+            }
+        }
+        Else {
+            # close if enabled
+            If ($NoChange) {
+                Write-Verbose -Message ("Lockdown was already enabled on " + $VMHostName + ", closing incident") -Verbose
+                $close_notes = ("Lockdown was already enabled on " + $VMHostName + " when checked, closing incident")
+            }
+            Else {
+                Write-Verbose -Message ("Lockdown successfully enabled on " + $VMHostName + ", closing incident") -Verbose
+                $close_notes = ("Lockdown successfully auto-enabled on " + $VMHostName);
+            }
+            Write-Verbose -Message ("Lockdown successfully enabled on " + $VMHostName + ", closing incident") -Verbose
+            Update-ITDServiceNowRecord -ItemType Incident -Number $Incident.number.display_value -Values @{
+                close_code         = 'Solved (Permanently)'
+                close_notes        = $close_notes
+                u_underlying_cause = 'Configuration';
+                state              = 'Closed'
+            }
+        }
+    }
+
+    Disconnect-ITDvCenter
+}
+    
+end {
+        
+}

_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/New-ITDVMwareVMHostLockdownTicket.ps1

@@ -0,0 +1,59 @@
+
+<#
+.SYNOPSIS
+    Checks VMware host lockdown mode status and creates incidents for disabled hosts.
+
+.DESCRIPTION
+    Recurring PSU schedule task, ~8am.
+
+    This script connects to the ITD vCenter, retrieves all VMware hosts, and checks their lockdown mode status.
+    If lockdown mode is disabled on any hosts, it creates a ServiceNow incident for review.
+
+.EXAMPLE
+    .\VMware-LockdownTickets.ps1
+
+.NOTES
+    Requires VMware PowerCLI and ITD ServiceNow modules.
+    Service account credentials must be available via $PrvCred and $Secret:ndgov_svcitdvmvcro.
+#>
+[CmdletBinding()]
+param (
+        
+)
+    
+begin {
+        
+}
+    
+process {
+    New-ITDServiceNowSession -Credential $Secret:snow_vmcred -Environment Production
+    Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcro
+    
+    $AllVMHosts = Get-VMHost
+    $CurrentState = Get-ITDVMwareVMHostStatus -Name $AllVMHosts
+    $LockdownDisabled = $CurrentState | where-object lockdownmode -eq lockdowndisabled
+
+    If ($LockdownDisabled) {
+        
+        ForEach ($VMHost in $LockdownDisabled) {
+            Write-Verbose -Message "Start $($VMHost.Name) incident creation"
+            $NewIncidentParams = @{
+                CallerUsername   = 'svcvmwareadm';
+                ShortDescription = ("Lockdown Mode is disabled on VMware host " + $VMHost.Name);
+                Description      = ("Lockdown Mode is disabled on VMware host " + $VMHost.Name + ". Lockdown mode is required for CIS hardening compliance 3.20 (L1)");
+                Impact           = 3;
+                Urgency          = 1;
+                Category         = 'Cloud Platforms'
+                Subcategory      = 'Virtualization'
+                AssignmentGroup  = 'NDIT-Cloud Platforms'
+            }
+            New-ITDServiceNowIncident @NewIncidentParams
+        }
+    }
+
+    Disconnect-ITDvCenter
+}
+    
+end {
+        
+}

_NDGOV_WindowsTeam/ITD.Infra-Servers-PowerShellUniversal.Production/Infra-VMware.Administration/Sync-ITDVMwareVMMetadataToSql.ps1

@@ -71,14 +71,14 @@
 param(
 )
 
-Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcro
-
 #region --- Setup ---------------------------------------------------------------
 [string] $OutputPath = 'C:\temp\VM_Trends\'
 [string] $ServerInstance = 'itdintsql22p1.nd.gov\INTSQL22P1'
 [string] $Database = 'ITD-Systems-Automation'
 [string] $Table = 'VMware_Trends_VM'
+
 [System.Management.Automation.PSCredential] $SqlCredential = $Secret:sql_itdpsu1
+Connect-ITDvCenter -Credential $Secret:ndgov_svcitdvmvcro
 
 $RunDate = Get-Date
 $DateStamp = $RunDate.ToString('yyyyMMdd')
@@ -126,7 +126,7 @@ $AllVMs = Get-VM | Where-Object { $_.Name -notlike 'vCLS*' }
 Write-Verbose 'Pre-fetching VM tag assignments...'
 $TagLookup = @{}
 Get-TagAssignment -Entity $AllVMs | ForEach-Object {
-    $VMId    = $_.Entity.Id
+    $VMId    = $_.Entity.Uid
     $Cat     = $_.Tag.Category.Name
     $TagName = $_.Tag.Name
     if (-not $TagLookup.ContainsKey($VMId)) { $TagLookup[$VMId] = @{} }
@@ -140,6 +140,9 @@ Get-TagAssignment -Entity $AllVMs | ForEach-Object {
 Write-Verbose "Processing $($AllVMs.Count) VMs..."
 
 $Results = foreach ($VM in $AllVMs) {
+    Write-Verbose -Message ("Start " + $VM.Name) -Verbose
+    $StoragePlatforms = $null
+    $StoragePlatform = $null
 
     $Ext = $VM.ExtensionData  # single API object -- reuse for all fields
 
@@ -151,7 +154,7 @@ $Results = foreach ($VM in $AllVMs) {
     $DatacenterName = $HostDatacenterMap[$VM.VMHost.Name]
 
     #--- Tag assignments (pre-fetched; null when category not assigned to this VM)
-    $VMTags = if ($TagLookup.ContainsKey($VM.Id)) { $TagLookup[$VM.Id] } else { @{} }
+    $VMTags = if ($TagLookup.ContainsKey($VM.Uid)) { $TagLookup[$VM.Uid] } else { @{} }
 
     #--- Storage platform parsed from datastore name convention: VMCLUSTER_LUN_PLATFORM_Desc
     #    Segment 2 = storage platform identifier (e.g. FS92, A9K).