execInstalledOnly Not Preventing Script Execution on ESXi
Article ID: 373898

Products

VMware vSphere ESXi

Issue/Introduction

Users report that the execInstalledOnly feature on ESXi 7.0 does not behave as expected: with execInstalledOnly enabled and UEFI Secure Boot configured, unsigned Python scripts can still be executed on the ESXi host through the interpreter that ships with ESXi. The behavior is the same on servers with and without a TPM module.

Environment

- VMware ESXi 7.0 or newer
- Servers with and without TPM modules
- UEFI Secure Boot enabled

Cause

The execInstalledOnly kernel setting restricts the ESXi kernel to executing binaries that were installed from signed VIBs. An interpreter such as the python binary bundled with ESXi is itself an installed, signed binary, so the kernel permits it to run; the script it is handed is an ordinary file that the interpreter reads as input, not an executable the kernel checks. As a result, execInstalledOnly blocks unsigned native binaries but does not block scripts run through interpreters. This limitation exists in ESXi 7.0 and remains in versions up to and including 8.x.

Resolution

Currently, there is no built-in method in ESXi 7.0 (or in the later versions noted above) to prevent the execution of unsigned scripts run through interpreters. You can still take the following steps to ensure that execInstalledOnly and Secure Boot are fully enforced for binaries:

  1. Ensure TPM 2.0 is enabled and configured in your server's BIOS/UEFI settings.
  2. Enable UEFI Secure Boot in your server's firmware settings.
  3. Enable execInstalledOnly in the kernel settings:
    1. esxcli system settings kernel set -s execInstalledOnly -v TRUE
    2. Reboot the host for the change to take effect.

  4. Verify the kernel setting:
    1. esxcli system settings kernel list -o execInstalledOnly
    2. Confirm that both the "Configured" and "Runtime" columns show TRUE. If "Runtime" is still FALSE, the host has not been rebooted since the setting was changed.

  5. Require Secure Boot at the encryption layer:
    1. esxcli system settings encryption set --require-secure-boot=TRUE
  6. Require execInstalledOnly at the encryption layer:
    1. esxcli system settings encryption set --require-exec-installed-only=TRUE
  7. Verify the encryption settings:
    1. esxcli system settings encryption get
    2. Confirm that "Require Executables Only From Installed VIBs" and "Require Secure Boot" are both true.

     Note: These steps harden the host against unsigned native binaries and against tampering with the boot chain, but they will not prevent the execution of unsigned scripts run through interpreters.
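The following checker is an added example and is not part of this article or VMware's tooling. It verifies the end state that steps 3 through 7 aim for by parsing the output of the two esxcli verification commands, and returns success only when execInstalledOnly is TRUE in both the Configured and Runtime columns and both encryption-layer requirements read true. The sample outputs embedded in it are constructed to mirror the esxcli table and key/value layouts (they are not captured from a host), the function names are hypothetical, and on a host where esxcli is on PATH the live command output is used instead.

```sh
#!/bin/sh
# Added example (not from the KB article or from VMware): verify that
# execInstalledOnly is fully enforced on an ESXi host.
# Assumption: esxcli prints the kernel setting as a table whose data row
# starts with the setting name, and the encryption settings as "Key: value"
# lines. The samples below are constructed to match those layouts.

# Constructed sample: `esxcli system settings kernel list -o execInstalledOnly`
# as it looks after the set command but BEFORE the reboot (Runtime still FALSE).
KERNEL_BEFORE_REBOOT='Name               Type  Configured  Runtime  Default  Description
-----------------  ----  ----------  -------  -------  -----------
execInstalledOnly  Bool  TRUE        FALSE    FALSE    Execute only installed VIB binaries'

# Constructed sample: the same command AFTER the reboot.
KERNEL_AFTER_REBOOT='Name               Type  Configured  Runtime  Default  Description
-----------------  ----  ----------  -------  -------  -----------
execInstalledOnly  Bool  TRUE        TRUE     FALSE    Execute only installed VIB binaries'

# Constructed sample: `esxcli system settings encryption get` after steps 5 and 6.
ENCRYPTION_ENFORCED='   Mode: TPM
   Require Executables Only From Installed VIBs: true
   Require Secure Boot: true'

# kernel_setting_enforced OUTPUT -> 0 iff Configured and Runtime are both TRUE.
kernel_setting_enforced() {
    # Select the data row by setting name (skips header and separator rows)
    # and keep the Configured and Runtime columns.
    row=$(printf '%s\n' "$1" | awk 'tolower($1) == "execinstalledonly" { print $3, $4 }')
    set -- $row            # $1=Configured, $2=Runtime; both empty if no row matched
    [ "$1" = "TRUE" ] && [ "$2" = "TRUE" ]
}

# encryption_flag_true OUTPUT "Key Name" -> 0 iff a line "Key Name: true" is present.
encryption_flag_true() {
    printf '%s\n' "$1" | grep -qi "^[[:space:]]*$2:[[:space:]]*true[[:space:]]*$"
}

# host_enforces_exec_installed_only KERNEL_OUTPUT ENCRYPTION_OUTPUT
#   -> 0 iff the kernel setting and both encryption requirements are enforced.
host_enforces_exec_installed_only() {
    kernel_setting_enforced "$1" &&
    encryption_flag_true "$2" "Require Executables Only From Installed VIBs" &&
    encryption_flag_true "$2" "Require Secure Boot"
}

# On an ESXi host use live output; elsewhere fall back to the constructed samples.
if command -v esxcli >/dev/null 2>&1; then
    kernel_out=$(esxcli system settings kernel list -o execInstalledOnly)
    enc_out=$(esxcli system settings encryption get)
else
    kernel_out=$KERNEL_AFTER_REBOOT
    enc_out=$ENCRYPTION_ENFORCED
fi

if host_enforces_exec_installed_only "$kernel_out" "$enc_out"; then
    echo "execInstalledOnly is enforced for binaries (interpreter scripts are still not covered)"
else
    echo "execInstalledOnly is NOT fully enforced: re-run the esxcli set commands and reboot"
fi
```

Run it from the ESXi shell after step 7; a non-zero Runtime check is the usual sign that the reboot in step 3 was skipped. Note that a passing result only confirms the binary-level control described in this article; it says nothing about scripts fed to an installed interpreter.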

Additional Information