Automated ESXi Config Backups

First, we need PowerShell, this is installed by default on Windows, I tested this on Server 2022/2025 and Windows 11, and the default PowerShell installations work fine, if you want to use this on Ubuntu, then you will need to install PowerShell

sudo apt-get update

sudo apt-get install -y wget apt-transport-https software-properties-common

source /etc/os-release

wget -q https://packages.microsoft.com/config/ubuntu/$VERSION_ID/packages-microsoft-prod.deb

sudo dpkg -i packages-microsoft-prod.deb

sudo apt-get update

sudo apt-get install -y powershell

pwsh

From PowerShell, install PowerCLI with

Install-Module VMware.PowerCLI -Scope CurrentUser

You may get this prompt, enter Y and press Enter

And enter A and press Enter here

When its done, we can verify the version with

Get-Module -Name VMware.PowerCLI -ListAvailable

You may also want to opt in/out of the CEIP, as it flags when running with

#Set-PowerCLIConfiguration -Scope User -ParticipateInCEIP $false

Then, we want to use a dedicated account for this, as we will be putting the permissions in the script in plain text
In the vSphere UI click the three lines on the left and click Administration

Click Access Control/Roles/New

Give it a name, and select the role Host/Configuration/Firmware and click Create

Then under Single Sign On/Users And Groups, click the drop down for domain and select your vSphere domain, likely vSphere.local, mine is leaha.co.uk

Click Add

Enter the username you want, a secure password and click Add

Head to Access Control/Global Permissions and click Add

Select the esxi_config user and the ESXi Config Backup role and enable propagate to children and click ok

This script uses the credentials for the service account in plain text, hence the custom role, so the account cannot do anything else making it a lot more secure

There are a couple of bits you will need to edit

$basePath - You can set this to meet your environment
$vcUsername - This want setting to the username of the service account
$vcPassword - Set this to the service account password
$vcServer - Set this to your vCenter FQDN

In your chosen base path you will get a folder like this, using the time when the script runs

And in there will be all your config backups and a log file providing some information about what the script has been doing

# Define the base path for the backups
$basePath = "C:\ESXi-Config-Backups"

# Check if the base path exists, and create it if it doesn't
if (-not (Test-Path -Path $basePath)) {
    New-Item -ItemType Directory -Path $basePath | Out-Null
    Log-Message "Created base path: $basePath"
}

# Get the current date and time in a format suitable for folder names
$currentDateTime = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"

# Create a single folder for the backup process using the current date and time
$backupFolderPath = Join-Path -Path $basePath -ChildPath $currentDateTime
New-Item -ItemType Directory -Path $backupFolderPath | Out-Null

# Create a log file in the backup folder
$logFilePath = Join-Path -Path $backupFolderPath -ChildPath "BackupLog.txt"

# Function to log messages to both console and file
function Log-Message {
    param ([string]$Message)
    # Append the message to the log file
    $Message | Out-File -FilePath $logFilePath -Append
    # Output to the console
    Write-Output $Message
}

# Temporarily disable SSL certificate verification
$tempSSLConfigOutput = Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false
Log-Message "Temporarily disabled SSL certificate verification: $($tempSSLConfigOutput | Out-String)"

# Disconnect from all vCenter servers to prevent multiple connection issues
$disconnectOutput = Disconnect-VIServer -Server * -Force -Confirm:$false
Log-Message "Disconnected from vCenter servers: $($disconnectOutput | Out-String)"

# Define credentials for vCenter connection
$vcUsername = "<service-account>"
$vcPassword = "<password>"
$securePassword = ConvertTo-SecureString $vcPassword -AsPlainText -Force
$vcCredential = New-Object System.Management.Automation.PSCredential ($vcUsername, $securePassword)
$vcServer = "<vCenter-fqdn>"

# Connect to the vCenter server
$connectionOutput = Connect-VIServer -Server $vcServer -Credential $vcCredential
Log-Message "Connected to vCenter server: $($connectionOutput | Out-String)"

# Log the creation of the backup folder
Log-Message "Backup folder created: $backupFolderPath"

# Get the list of all ESXi hosts from the vCenter server
$esxiHosts = Get-VMHost

# Loop through each ESXi host and perform the backup
foreach ($esxiHost in $esxiHosts) {
    # Perform the firmware backup for the current host, storing in the shared folder
    $backupOutput = Get-VMHostFirmware -VMHost $esxiHost -BackupConfiguration -DestinationPath $backupFolderPath
    Log-Message "Backup completed for host: $($esxiHost.Name). Files saved in: $backupFolderPath"
}

# Remove folders older than 5 minutes
$folders = Get-ChildItem -Path $basePath | Where-Object { $_.PSIsContainer -and $_.LastWriteTime -lt (Get-Date).AddMonths(-1) }
if ($folders.Count -eq 0) {
    Log-Message "No old backup folders to remove."
} else {
    foreach ($folder in $folders) {
        Remove-Item -Recurse -Force -Path $folder.FullName
        Log-Message "Removed old backup folder: $($folder.FullName)"
    }
}

# Log that all backups are done and the location they are in
Log-Message "All backups completed. Files saved in: $backupFolderPath"

# Inform the user about the script log file
Log-Message "Script logs can be found at: $logFilePath"

# Re-enable SSL certificate verification
$restoreSSLConfigOutput = Set-PowerCLIConfiguration -InvalidCertificateAction Prompt -Confirm:$false
Log-Message "Re-enabled SSL certificate verification: $($restoreSSLConfigOutput | Out-String)"