u/DonFazool

▲ 2 r/vmware

I have AVI set up and working fine. I created the user VMware recommends following the guide for 31.2.

It seems to be picking random datastores to deploy service engines (which is fine), but it is also selecting local storage (which is not fine at all).

I was doing ESX updates and vLCM could not put a host in maintenance mode. After digging, it was because AVI had deployed a service engine to that node's local storage.

I can't seem to find a way to tell AVI not to do this (you would think it would be smart enough to know not to do this).

Any idea?

reddit.com
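The situation described in the post (a Service Engine parked on a host-local datastore, which pins the VM to that host and blocks maintenance mode) can be found quickly from the vSphere side. The PowerCLI script below is an added example written for this thread, not code from the original post or from the Avi product. It assumes PowerCLI is installed and `Connect-VIServer` has already been run, and that Service Engine VMs use Avi's default `Avi-se-` name prefix (adjust `$SePrefix` if your cloud names them differently).

```powershell
# Added example: list Avi Service Engine VMs that sit on host-local datastores,
# together with the ESX host each one therefore pins.
# Assumptions: PowerCLI session already connected; SE VMs named "Avi-se-*".

$SePrefix = 'Avi-se-'

# A datastore is local if only one host can reach it. Summary.MultipleHostAccess is
# the vSphere DatastoreSummary flag; VMFS volumes on local disks also set Info.Vmfs.Local.
$localDatastores = Get-Datastore | Where-Object {
    $_.ExtensionData.Summary.MultipleHostAccess -eq $false -or
    ($_.ExtensionData.Info.Vmfs -and $_.ExtensionData.Info.Vmfs.Local)
}

$report = foreach ($ds in $localDatastores) {
    # Every VM with a config file or disk on this datastore, filtered to SEs.
    $ses = Get-VM -Datastore $ds | Where-Object { $_.Name -like "$SePrefix*" }
    foreach ($se in $ses) {
        [pscustomobject]@{
            ServiceEngine = $se.Name
            Datastore     = $ds.Name
            PinnedHost    = $se.VMHost.Name
            PowerState    = $se.PowerState
        }
    }
}

if ($report) {
    $report | Sort-Object PinnedHost | Format-Table -AutoSize
} else {
    Write-Host "No Service Engines found on local datastores."
}
```

Anything the script lists can be moved to shared storage with `Move-VM -Datastore` (a Storage vMotion, no SE downtime), which unblocks vLCM for that host. That only fixes the SEs already deployed; to stop new ones landing on local disks, restrict the Service Engine datastore scope in the Avi vCenter cloud configuration to Shared (or to an explicit include list of shared datastores) rather than leaving it at Any.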
u/DonFazool — 10 days ago
▲ 81 r/vmware

Looks like Broadcom updated the KB with a lot more info. Automated fixes are coming to 8.0.3.

https://knowledge.broadcom.com/external/article/423893

VMware's Responsibility:

VMware is taking the lead on ensuring the presence of the Windows OEM Devices PK certificate in the virtual firmware to facilitate KEK update. Our goal is to minimize operational overhead through automated delivery mechanisms for VMs running on major ESX versions currently under General Support.

  • For newly created VMs: The Windows OEM Devices PK certificate is initialized automatically on ESX 9.x hosts. For ESX 8.x hosts, this will be initialized automatically after a planned vSphere 8.0 U3 patch is applied. (Note: This KB will be updated once that patch is available). The Microsoft 2023 KEK and DB certificates are initialized automatically on ESX 8.2 or newer hosts. (See the table above for more details).
  • For existing VMs: VMware is delivering a comprehensive solution to add the Windows OEM Devices PK certificate into the vUEFI if it is detected as missing from VMs running on ESX 8.x and 9.x hosts (starting from planned future patches). While this solution utilizes automated delivery mechanisms to minimize overhead, it will still require customer actions. (Note: This KB will be updated once the patches are available.)

Customer's Responsibility:

  • For PK updates: Customers should execute PK update based on VMware guidance.
  • For KEK and DB updates: Customers should follow their respective OS vendor's guidance to update them natively from within the guest OS.
    • Important Risk Note: VMware's KEK/DB update methods (via the vUEFI interface or VMX configuration) can serve as a fallback. However, updating these from outside the guest OS carries the risk of breaking applications (such as triggering BitLocker recovery) for vTPM-enabled VMs, as it alters Secure Boot variables and vTPM measurements without the OS's awareness.
reddit.com
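Before acting on either side of the split the KB describes (VMware seeding the Windows OEM Devices PK, the guest OS rolling the 2023 KEK and DB), it helps to know what the VM's vUEFI currently holds and whether the OS volume has a TPM-bound BitLocker protector, since that protector is what turns an out-of-band Secure Boot variable change into a recovery prompt. The script below is an added example for this thread, not code from the KB, the post, or VMware. It runs inside the Windows guest in an elevated PowerShell session and assumes the certificate subject strings Microsoft publishes for the 2023 CAs and the Windows OEM Devices PK; it reads the variables only and changes nothing.

```powershell
# Added example: report which Secure Boot certificates are present in the VM's
# vUEFI variables and whether BitLocker is TPM-bound on the OS volume.
# Assumptions: run as Administrator inside a UEFI Windows guest; the subject
# strings below are Microsoft's published names for the 2023 KEK/DB CAs and PK.

function Test-UefiVariableContains {
    param([string]$Name, [string]$Pattern)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    } catch {
        return $null   # variable unreadable (Secure Boot off, BIOS VM, or not elevated)
    }
    # Certificate subjects are ASCII inside the DER blob, so a plain string scan works.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    return [bool]($text -match [regex]::Escape($Pattern))
}

$secureBoot = try { Confirm-SecureBootUEFI } catch { $null }

$checks = [ordered]@{
    'Secure Boot enabled'              = $secureBoot
    'PK : Windows OEM Devices PK'      = Test-UefiVariableContains 'PK'  'Windows OEM Devices PK'
    'KEK: Microsoft Corp KEK 2K CA 2023' = Test-UefiVariableContains 'KEK' 'Microsoft Corporation KEK 2K CA 2023'
    'DB : Windows UEFI CA 2023'        = Test-UefiVariableContains 'db'  'Windows UEFI CA 2023'
    'DB : Microsoft UEFI CA 2023'      = Test-UefiVariableContains 'db'  'Microsoft UEFI CA 2023'
}

$checks.GetEnumerator() | ForEach-Object {
    $state = if ($null -eq $_.Value) { 'unknown' } else { $_.Value }
    '{0,-36} {1}' -f $_.Key, $state
}

# BitLocker: a TPM-based protector on the OS volume is what makes a PCR7 change
# (new Secure Boot variables measured by the vTPM) surface as a recovery prompt.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($bl) {
    $tpmProtector = $bl.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    'BitLocker on {0}: {1}, TPM-bound protector: {2}' -f $env:SystemDrive, $bl.ProtectionStatus, [bool]$tpmProtector
}
```

If the PK line comes back false, the VM is still waiting on the VMware side of the fix described above; if the KEK/DB lines are false, that update belongs to the guest OS path. Should you have to fall back to VMware's out-of-guest KEK/DB method on a vTPM VM that reports a TPM-bound protector, suspend BitLocker for one reboot first (`Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1`) so the changed measurements are re-sealed instead of triggering recovery.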
u/DonFazool — 13 days ago
▲ 9 r/vmware

Just registered. Would be fun to meet some fellow VMware folks in the community and find a drinking buddy (or three). They’re sending me alone this year.

reddit.com
u/DonFazool — 16 days ago