VMware vCenter Server 6.7 Update 1 Release Notes

vCenter Server 6.7 Update 1 | OCT 16 2018 | ISO Build 10244745

vCenter Server Appliance 6.7 Update 1 | OCT 16 2018 | ISO Build 10244745

Check for additions and updates to these release notes.

What's in the Release Notes

The release notes cover the following topics:

What's New
Earlier Releases of vCenter Server 6.7
Patches Contained in this Release
Internationalization
Product Support Notices
Compatibility
Installation and Upgrade Notes for This Release
Resolved Issues
Known Issues

What's New

With vCenter Server 6.7 Update 1, you can move a vCenter Server with an Embedded Platform Services Controller from one vSphere domain to another vSphere domain. Services such as tagging and licensing are retained and migrated to the new domain. For more information, see the vCenter Server Installation and Setup Guide.
vCenter Server 6.7 Update 1 adds screening for issues in your vSphere environment that proactively provides links to relevant VMware knowledge base articles. For more information, see Check vSphere Health in vSphere Client.
vCenter Server 6.7 Update 1 adds support for virtual machine (.vmtx) templates in the Content Library Service.
vCenter Server 6.7 Update 1 adds a CLI tool to convert instances of vCenter Server Appliance with an external Platform Services Controller instances into vCenter Server Appliance with an embedded Platform Services Controller connected in Embedded Linked Mode.
Burst Filter: vCenter Server 6.7 Update 1 adds a Burst Filter to manage event bursts and prevent the database of vCenter Server from flooding with identical events over a short period of time.
vCenter Server 6.7 Update 1 supports VMware vSphere vMotion between on-prem systems and VMware Cloud on AWS. You can use either the vSphere Client or vSphere Web Client, or the API. To enable the feature, you must upgrade the source on-prem vCenter Server system to vCenter Server 6.7 Update 1 and ESXi 6.7 Update 1.
With vCenter Server 6.7 Update 1, you can import Open Virtual Appliance (OVA) files in a Content Library. The OVA files are unzipped during the import, providing manifest and certificate validations, and create an OVF library item that enables deployment of virtual machines from a Content Library.
With vCenter Server 6.7 Update 1, you can restore external Platform Services Controller instances which are replicating data with other external Platform Services Controller instances. This includes restore of external Platform Services Controller instances in all topologies supported in replication mode. The external Platform Services Controller being restored syncs with active peers or if no replication partner is available, it is restored to a backed-up state.
Create and Extend Hyper-Converged Infrastructure (HCI): The Create/Extend HCI cluster feature provides a guided user experience for configuration of vSphere and vSAN clusters. The feature also delivers a new, scalable batch host workflow with a centralized wizard experience, embeds best practices, and automates repetitive operations. For more information, see the Product Support Notices section.
With vCenter Server 6.7 Update 1, you can use the Appliance Management User Interface to configure and edit the firewall settings of the vCenter Server Appliance.
With vCenter Server 6.7 Update 1, users with vCenter Single Sign-On administrator privileges, who are part of the SystemConfiguration.BashShellAdministrator group, can access and manage the vCenter Server Appliance by using the Bash shell.
vCenter Server 6.7 Update 1 supports Windows 2016 Active Directory.
vCenter Server 6.7 Update 1 adds support for configuration and monitoring of vCenter High Availability by using the vSphere Client.
With vCenter Server 6.7 Update 1, you can change color schemes in the vSphere Client to display the interface in a dark theme.
AppDefense vCenter Server Plugin: vCenter Server 6.7 Update 1 introduces VMware Appdefense as an integrated component of vCenter Server. The AppDefense vCenter Server Plugin provides aggregated security metrics, visibility, and health statistics for applications and workloads running on vSphere.
AppDefense lifecycle management: vCenter Server 6.7 Update 1 supports one-click, integrated installation and upgrade workflows for AppDefense directly within vCenter Server. For more information, see the AppDefense Installation Guide with vCenter Server Plugin.
AppDefense virtual machine monitoring: vCenter Server 6.7 Update 1 supports AppDefense behavior monitoring for visibility, security assessment, and troubleshooting directly within vCenter Server. For more information, see the AppDefense User Guide.
Scheduling a compliance check: With vCenter Server 6.7 Update 1, by using the vSphere Client, you can schedule a host profile compliance check to run at a later time or during a set interval.
Copy settings: With vCenter Server 6.7 Update 1, you can create individual sub-profiles, or copy a group of sub-profiles between one or more host profiles, by using the Copy Settings wizard in the vSphere Client.
Attach or detach host profiles to ESXi hosts and clusters: With vCenter Server 6.7 Update 1, you can attach or detach a host profile to multiple ESXi hosts and clusters by using a single dialog box in the vSphere Client.

Earlier Releases of vCenter Server 6.7

Features and known issues of vCenter Server are described in the release notes for each release. Release notes for earlier releases of vCenter Server 6.7 are:

For open source components, list of disallowed or unsupported CPUs, and product support notices see the VMware vSphere 6.7 Release Notes.

Patches Contained in This Release

This release of vCenter Server 6.7 Update 1 delivers the following patches. See the VMware Patch Download Center for more information on downloading patches.

Security Patch for VMware vCenter Server 6.7 Update 1
Full Patch for VMware vCenter Server Appliance 6.7 Update 1

Security Patch for VMware vCenter Server 6.7 Update 1

Third Party Product fixes (for example: JRE, tcServer). This patch is applicable for vCenter Server for Windows, Platform Services Controller for Windows, and vSphere Update Manager.

NOTE: This patch updates only the JRE version 1.8.0.181.

For vCenter Server and Platform Services Controller for Windows

Download Filename	VMware-VIMPatch-T-6.7.0-10244745.iso
Build	10244745
Download Size	40.8 MB
md5sum	019d4ff13fb3fecdab5ae012abb081f7
sha1checksum	aaf8ab3c267ef9ea261fd00208e8cb2c882feac5

These vCenter Server components depend on JRE and have to be patched:

Platform Services Controller
vSphere Update Manager
vCenter Server

Download and Installation

You can download this patch by going to the VMware Patch Download Center and choosing VC from the Search by Product drop-down menu.

Mount the VMware-VIMPatch-T-6.7.0-10244745.iso file to the system where the vCenter Server component is installed.
Double-click ISO_mount_directory/autorun.exe.
In the vCenter Server Java Components Update wizard, click Patch All.

Full Patch for VMware vCenter Server Appliance 6.7 Update 1

Product Patch for vCenter Server Appliance containing VMware software fixes, security fixes, and Third Party Product fixes (for example: JRE and tcServer).

This patch is applicable to the vCenter Server Appliance and Platform Services Controller Appliance.

For vCenter Server and Platform Services Controller Appliances

Download Filename	VMware-vCenter-Server-Appliance-6.7.0.20000-10244745-patch-FP.iso
Build	10244745
Download Size	1929.4 MB
md5sum	5e537ca6cea4e4931ba569b30cbac78c
sha1checksum	f063c224f54b54e757d599473818c3c52a6ecf18

Download and Installation

You can download this patch by going to the VMware Patch Download Center and choosing VC from the Search by Product drop-down menu.

Attach the VMware-vCenter-Server-Appliance-6.7.0.20000-10244745-patch-FP.iso file to the vCenter Server Appliance CD or DVD drive.
Log in to the appliance shell as root and run the commands given below:
- To stage the ISO:
  software-packages stage --iso
- To see the staged content:
  software-packages list --staged
- To install the staged rpms:
  software-packages install --staged

For more information on patching the vCenter Server Appliance, see Patching the vCenter Server Appliance.

For more information on staging patches, see Stage Patches to vCenter Server Appliance.

For more information on installing patches, see Install vCenter Server Appliance Patches.

For issues resolved in this patch see Resolved Issues.

For Photon OS updates, see VMware vCenter Server Appliance Photon OS Security Patches.

For more information on patching using the Appliance Management Interface, see Patching the vCenter Server Appliance by Using the Appliance Management Interface.

Internationalization

VMware vSphere 6.7 Update 1 is available in the following languages:

English
French
German
Spanish
Japanese
Korean
Simplified Chinese
Traditional Chinese

Components of vSphere 6.7 Update 1, including vCenter Server, vCenter Server Appliance, ESXi, the vSphere Client, the vSphere Web Client, and the VMware Host Client, do not accept non-ASCII input.

Product Support Notices

In the vSphere Client, the Add Hosts workflow replaces the Add Host workflow for a vSphere cluster to allow for greater scalability when adding ESXi hosts.
In addition to the Add Hosts workflow, you can also add groups of ESXi hosts in one batch to a cluster by using the BatchAddHostsToCluster_Task(batchAddHostsToCluster) API.
Unlike the Add Host workflow, the Add Hosts workflow in the Create and Extend Hyper-Converged Infrastructure (HCI) feature, also referred to as Cluster QuickStart, first adds ESXi hosts to an inventory before moving the hosts to the desired cluster. This change to the Add Hosts workflow requires additional permissions on the part of the user who runs the workflow, as described in the Security Guide and the vSphere API documentation. This change in the workflow ensures that ESXi hosts are in the correct maintenance mode state before being added to a cluster. ESXi hosts that you use to create or expand clusters must be quiesced and not running workloads until they are properly configured.
You also have the option to continue using the AddHost_Task(addHost) API to add individual hosts. For more information, see Required Privileges for Common Tasks, BatchAddHostsToCluster_Task (), and AddHost_Task ().

Compatibility

ESXi and vCenter Server Version Compatibility

The VMware Product Interoperability Matrix provides details about the compatibility of current and earlier versions of VMware vSphere components, including ESXi, VMware vCenter Server, and optional VMware products. Check the VMware Product Interoperability Matrix also for information about supported management and backup agents before you install ESXi or vCenter Server.

vSphere Update Manager, vSphere Client, and vSphere Web Client are packaged with vCenter Server.

Hardware Compatibility for ESXi

To view a list of processors, storage devices, SAN arrays, and I/O devices that are compatible with vSphere 6.7 Update 1, use the ESXi 6.7 Update 1 information in the VMware Compatibility Guide.

Device Compatibility for ESXi

To determine which devices are compatible with ESXi 6.7 Update 1, use the ESXi 6.7 Update 1 information in the VMware Compatibility Guide.

Guest Operating System Compatibility for ESXi

To determine which guest operating systems are compatible with vSphere 6.7 Update 1, use the ESXi 6.7 Update 1 information in the VMware Compatibility Guide.

Virtual Machine Compatibility for ESXi

Virtual machines that are compatible with ESX 3.x and later (hardware version 4) are supported with ESXi 6.7 Update 1. Virtual machines that are compatible with ESX 2.x and later (hardware version 3) are not supported. To use such virtual machines on ESXi 6.7 Update 1, upgrade the virtual machine compatibility. See the ESXi Upgrade documentation.

Installation and Upgrade Notes for This Release

Installation Notes for This Release

Read the ESXi Installation and Setup and the vCenter Server Installation and Setup documentation for guidance about installing and configuring ESXi and vCenter Server.

Although the installations are straightforward, several subsequent configuration steps are essential. Read the following documentation:

"License Management and Reporting" in the vCenter Server and Host Management documentation
"Networking" in the vSphere Networking documentation
"Security" in the vSphere Security documentation for information on firewall ports

VMware introduces a new Configuration Maximums tool to help you plan your vSphere deployments. Use this tool to view VMware-recommended limits for virtual machines, ESXi, vCenter Server, vSAN, networking, and so on. You can also compare limits for two or more product releases. The VMware Configuration Maximums tool is best viewed on larger format devices such as desktops and laptops.

Migrating Third-Party Solutions

For information about upgrading with third-party customizations, see the ESXi Upgrade documentation. For information about using Image Builder to make a custom ISO, see the ESXi Installation and Setup documentation.

Upgrade Notes for This Release

IMPORTANT: Upgrade from vCenter Server 6.5 Update 2d to 6.7 Update 1 is not supported because this patch released after 6.7 Update 1 and is considered a back in time upgrade.

Before an upgrade, always verify in the VMware Product Interoperability Matrix compatible upgrade paths from earlier versions of ESXi and vCenter Server to the current version.

For instructions about upgrading ESXi hosts and vCenter Server, see the ESXi Upgrade and the vCenter Server Upgrade documentation.

Resolved Issues

The resolved issues are grouped as follows.

Miscellaneous Issues
Networking Issues
Security Issues
Storage Issues
Installation Issues
Upgrade Issues
Virtual Machines Management Issues
Tools Issues
Guest OS Issues
Licensing Issues
Internationalization Issues
Server Configuration Issues
CIM and API Issues
vSAN Issues
vCenter Server, vSphere Web Client, and vSphere Client Issues

Miscellaneous Issues

Compliance checks might fail with an error for the UserVars.ESXiVPsDisabledProtocols option when an ESXi host upgraded to version 6.7 is attached to a host profile with version 6.0
The issue might occur when you perform the following actions:
1. Extract a host profile from an ESXi host with version 6.0.
2. Upgrade the ESXi host to version 6.7.
3. The host appears as non-compliant for the UserVars.ESXiVPsDisabledProtocols option even after remediation.
This issue is resolved in this release.
The vpxd service might fail intermittently due to a thread race
The vpxd service might fail intermittently due to a thread race in the propertyCollector service. During a system update, overlapping blocking calls might lead to the use of a filter that is no longer existing and cause the vpxd failure.

This issue is resolved in this release.
Unable to unstage patches when using an external Platform Services Controller
If you are patching an external Platform Services Controller (an MxN topology) by using the VMWare Appliance Management Interface, with patches staged to an update repository, and then attempt to unstage the patches, you might see the following error message:

Error in method invocation [Errno 2] No such file or directory: '/storage/core/software-update/stage'

This issue is resolved in this release.
The set sorting order for column values in the Performance Chart Legend grid is not retained after a data refresh
In the advanced performance charts of the vSphere Web Client, when you set an ascending or descending order for the column values in the Performance Chart Legend grid, the order might be disrupted on data refresh.

This issue is resolved in this release.
The vSphere Certificate Manager utility fails to replace a machine SSL certificate if it contains extra details in the Subject Alternative Name (SAN) field
The vSphere Certificate Manager utility might fail to replace a machine SSL certificate if you specify additional details in the SAN field, such as sites, IP addresses, and common names.

This issue is resolved in this release. With this fix, the vSphere Certificate Manager only checks the system name in the SAN field of machine SSL certificates.
vCenter Server might stop responding if an ESXi host is removed from the inventory
vCenter Server might stop responding if an ESXi host is removed from the inventory at the time the vCenter Server system starts up.

This issue is resolved in this release.
You cannot configure the remote log server domain name to start with a digit
If you configure the domain name of a remote log server for vCenter Server Appliance to start with a digit, for example syslog.9dc.com, the server might fail with syslog.invalid.configuration error.

This issue is resolved in this release.
Disk usage of syslog files might grow exponentially due to an issue with the log rotation
Log rotation and compression for some syslog files might stop after the first round and file size might grow significantly. The affected files are: /var/log/vmware/messages, /var/log/vmware/*/*-syslog.log and /var/log/vmware/esx/*/*-syslog.log.

This issue is resolved in this release.

Networking Issues

Link Aggregation Groups might be lost during the import of a vSphere Distributed Switch configuration
If you import a vSphere Distributed Switch configuration with many Link Aggregation Groups (LAGs), the vCenter Server daemon service vpxd might fail to insert the corresponding LAG information to the vCenter Server database, and some LAGs might be missing after a restart of the vpxd service.

This issue is resolved in this release. However, if you already face the issue, delete and reimport the vSphere Distributed Switch configuration, or create the missing LAG manually.
Deploying a virtual machine from a template with a static MAC address or cloning a template to another template with a static MAC address might trigger an alarm
Deploying a virtual machine from a template with a static MAC address or cloning a template to another template with a static MAC address might trigger a VM Static MAC Conflict alarm. Although the virtual machine template is not an active virtual machine, the vCenter Server system runs a VM MAC conflict check on the template.

This issue is resolved in this release.
You might see VLAN health check alarms for NSX logical switch port groups and ports connected to such port groups in a vSphere Distributed Switch
If you enable the health check service on a VLAN in a VDS, which contains NSX logical switch port groups, you might see a health check alarm. This fix prevents incorrect health check alarms for the VLAN settings of NSX logical switch port groups.

This issue is resolved in this release.
Performance of a VXLAN environment might degrade if IPFIX has a high sampling rate and traffic is heavy
When you enable IPFIX with a high sampling rate and traffic is heavy, you might see degraded performance of a VXLAN environment.

This issue is resolved in this release. Use lower sampling rates to optimize performance.
Тhe vCenter Server Appliance Management Interface might display an error message without the necessary details, because user input prompts are incorrect
When you configure proxy settings by using the Appliance Management Interface, and you specify just an IP address or FQDN as prompted, you might see an error HTTP Error in method invocation list index out of range. The actual format required for the proxy settings is not an IP address or FQDN, but follows the pattern http://FQDN_or_IP or https://FQDN_or_IP.

This issue is resolved in this release. This fix improves the user interface label and adds a prompt to provide a supported protocol in the proxy server URL field.

Security Issues

Update to vPostgres
vPostgres is updated to 9.6.9.
Update to Procmail
Procmail is updated to 3.22-4.
Update to cURL
cURL in the vCenter Server Appliance is updated to 7.59.0.
Upgrade of Eclipse Jetty
Eclipse Jetty is upgraded to version 9.2.24.
Document Type Definition issue in the Apache Xerces-C++ library
Due to a security issue discovered in the Xerces-C++ library with identifier CVE-2017-12627, the XML validation using the --schemaValidate flag is disabled in the VMware OVF Tool.

This issue is resolved in this release.
Update to OpenSSL library
The OpenSSL library is updated to version openssl-1.0.2o.
Update of the SQLite database
The SQLite database is updated to version 3.22.
Update to the libPNG library
The libPNG library is updated to libpng-1.6.34.
Update to the Python library
The Python third party library is updated to version 3.5.5 to resolve issues with identifiers CVE-2014-3539, CVE-2017-1000158, CVE-2016-5636 and CVE-2017-17522.
Update to the Apache Tomcat server
The Apache Tomcat server is updated to version 8.5.32.
Update to the libxml library
The vCenter Server service vmware-vpxd libxml2 library is updated to version 2.9.8.
Update to Ehcache
The Ehcache package is updated to version 3.4.0.
Update to JRE package
The Oracle (Sun) JRE package is updated to version 1.8.0.181.
Update to Apache Struts
Apache Struts is updated to version 2.5.17 to resolve CVE-2018-1327 and CVE-2018-11776.
Update to glibc package
The glibc package is updated to version 2.22-21.

Storage Issues

Unregistering a VMware vSphere API for Storage Awareness provider in a disconnected state might result in an error
If you unregister a vSphere API for Storage Awareness provider in a disconnected state, you might see a java.lang.NullPointerException error. Event and alarm managers are not initialized when a provider is in a disconnected state, which causes the error.

This issue is resolved in this release.
Upload or download of ISO files from a datastore might fail due to insufficient privileges
Upload or download of ISO files from a datastore might require Datastore.FileManagement privileges on datastore level and if such privileges are not assigned, upload or download of ISO files from the datastore might fail. In the vSphere Client, you might see the error Unauthorized. This fix removes the requirement for Datastore.FileManagement privileges for file upload and download.

This issue is resolved in this release.

Installation Issues

Update to the lxml open-source package in vCenter Server Appliance CLI installer
The lxml open-source package in vCenter Server Appliance CLI installer is updated to version 4.2.1.37.
External deployment of a second Platform Services Controller in an existing vCenter Single Sign-On domain might fail
External deployment of a second Platform Services Controller in an existing vCenter Single Sign-On domain might fail in stage 2 with the error:

Unable to validate the connectivity to the external Platform Services Controller. Failed to validate sso.

This issue is resolved in this release.
The GUI installer might display one and the same error message caused by firstboot failures during upgrade or installation of a vCenter Server Appliance
The GUI installer might display one and the same error message caused by firstboot failures during vCenter Server Appliance installation or upgrade. The message is:

/etc/systemd/system/vmware-vmon.service.d/dep_override.conf.tmp.

This issue is resolved in this release. Firstboot failures generate error-specific messages.

Upgrade Issues

Upgrade of the vCenter Server Appliance which uses DNS servers with enabled DNS Security Extensions (DNSSEC) might fail
The upgrade of the vCenter Server Appliance which uses DNS servers with enabled DNSSEC might fail. This issue occurs because while resolving the host name, the vCenter Server system might pick the resource record digital signature (RRSIG) of the DNSSEC instead of the IP address.

This issue is resolved in this release.
Upgrade to vCenter Server 6.7 might fail with an error that an IP already exists
In stage 2 of the upgrade of the vCenter Server Appliance, the source appliance must be shut down. If the shutdown of the source appliance takes a long time, the upgrade might fail. This is because the network of the source appliance is still active, and the newly deployed target appliance cannot apply network settings.

You might see an error IP already exists in the network.

This issue is resolved in this release.

Virtual Machines Management Issues

Deleting the NSX Guest Introspection service for a cluster might fail with an error
If vSphere ESX Agent Manager raises vmIssue and does not provide the Managed Object Reference ID of the virtual machine, the API requests to the vSphere ESX Agent Manager server might fail due to serialization and deserialization problems. You might see a message Error occurred while communicating with ESXi Agent Manager.

This issue is resolved in this release.
Deploying a new VMware vSphere Replication appliance 6.5.1 in a cluster without a shared storage might fail with an error
When you try to deploy a VMware vSphere Replication appliance 6.5.1 in a cluster without a shared storage, the OvfManager.createImportSpec() API call might fail. As a result, the deployment might fail with the following error:

The given OVF descriptor is invalid.

This issue is resolved in this release.
Deployment of a virtual machine from a custom OVF file might fail
Deployment of a virtual machine from a custom OVF file might fail if no attribute namespace prefix is specified, and the system uses the default namespace. You might see an error ATTRIBUTE_REQUIRED.

This issue is resolved in this release.
Cross-vCenter Server migration of a virtual machine to a cluster by using vSphere vMotion might fail on vCenter Server 6.7
Cross-vCenter Server migration of a virtual machine to a cluster by using vSphere vMotion might fail on vCenter Server 6.7. vSphere Storage DRS displays this error:
com.vmware.sdrs.disk.dsunspecified.

This issue is resolved in this release.
Undeleted tasks in a vCenter Server system might fail Content Library service tasks
When the Content Library service starts up, it cleans outstanding tasks from its database. Sometimes, outstanding tasks in a vCenter Server system are not properly indicated and pile as unresolved, which might lead to failure of new tasks.

This issue is resolved in this release.
The Content Library service might create a library backed by an SMB share even if the SMB mount fails, and the library consumes storage space from the vCenter Server system
If you create a content library backed by an SMB share in a vCenterServer Appliance, but the SMB mount fails, any uploaded content in the library still takes storage space from the vCenter Server system. The issue does not affect NFS mounts.

This issue is resolved in this release. If you already face the issue, see VMware knowledge base articles 58932 and 57867.

Tools Issues

The OVF Tool might fail to read an ISO file when it is attached to an OVA file
When you deploy an OVA template with an attached ISO file to vCenter Server or directly to an ESXi host, the OVF Tool might not read the ISO file and the deployment might fail with the following error: File Not Found.

This issue is resolved in this release.
Import of a virtual machine with a VMware Paravirtual SCSI disk adapter type might fail
When you use VMware Workstation or VMware Fusion to import a virtual machine with a VMware Paravirtual SCSI (PVSCSI) disk adapter type, the import operation might fail with the following error:

Invalid target disk adapter type: pvscsi.

This issue is resolved in this release.
Importing or exporting virtual machines with sound card adapters might fail
In VMware Workstation and VMware Fusion, importing or exporting virtual machines with sound card adapters might fail with

Unknown error, please try again.

This issue is resolved in this release.
You might fail to deploy virtual machines on VMware vCloud Director by using the OVF Tool due to outdated API versions
You might fail to deploy virtual machines on vCloud Director by using the OVF Tool, because it supports obsolete vCloud Director API versions.

This issue is resolved in this release.
IPv6 loopback entries might be deleted during Linux customizations
During Linux customizations, IPv6 loopback entries might be accidentally deleted from the /etc/hosts file.

This issue is resolved in this release.

Guest OS Issues

When you do a test recovery with IP customization of a virtual machine with Red Hat Enterprise Linux (RHEL) 7.x OS, the /etc/hostname file on the recovered instance might be empty
When you do a test recovery with IP customization of a virtual machine with RHEL 7.x OS, the /etc/hostname file on the recovered instance might be empty. You might also see no double quotes for the DOMAIN key / value in the network file under/etc/sysconfig/network-scripts/.

This issue is resolved in this release. If you already face the issue, use CLI to populate the hostname in the /etc/hostname file and to put the DOMAIN key/value in double quotes in the network file under /etc/sysconfig/network-scripts/.

Licensing Issues

ESXi hosts with custom certificates might automatically get a VMware Certificate Authority certificate
ESXi hosts that use custom certificates might automatically get VMware CA certificates if the parameters vpxd.certmgmt.certs.hardThreshold and vpxd.certmgmt.certs.softThreshold of the vpxd.certmgmt.mode advanced option hit their limits.

This issue is resolved in this release.
Witness virtual machine consumes host license capacity from vCenter Server Essentials Plus
A vSAN 2-host cluster (ROBO) requires two physical hosts and one witness. When the witness is an appliance that resides in a virtual machine, it incorrectly consumes a host license. This problem occurs because the vCenter Server considers the witness appliance to be a host.

Тhis issue is resolved in this release.

Internationalization Issues

Content Library content might fail to sync if file names in the source library contain non-ASCII characters
Synchronization of Content Library content might fail in case a name of an item in the source library contains multibyte non-ASCII characters such as Chinese or Japanese.

This issue is resolved in this release.

Server Configuration Issues

You cannot add or create an Active Directory over an LDAP identity source if SSL protection is active
If you set up SSL protection by using the option Connect to any domain controller, in the vSphere Web Client you might see an error, A vCenter Single Sign-On service error occurred when trying to add or create an Active Directory over an LDAP identity source.

This issue is resolved in this release. If you already face the issue, use the Specific domain controllers option to provide a URL that points to an actual domain controller as the primary server URL. Provide the SSL server certificate of this domain controller, making sure the certificate has the same subject name as the URL of the domain controller.

CIM and API Issues

Invoking the methods checkMigrate, checkRelocate and checkClone with a hostTests test type might not run network related checks
Invoking the methods checkMigrate, checkRelocate and checkClone with a hostTests test type might not run network related checks. Invoke the methods with a networkTests test type to run network related checks on selected destination host or cluster.

This issue is resolved in this release.
SNMP does not list Java proces names correctly in hrSWRunPath queries
If you run a hrSWRunPath query to identify the location of the long-term storage from which some software was loaded, the output might be incorrect, similar to: HOST-RESOURCES-MIB::hrSWRunPath.8260 = STRING: "/opt/vmware/bin/jsvc", because the query fetches data from /proc//smaps .

This issue is resolved in this release.

vSAN Issues

The Cluster Compliance status of a vSAN enabled cluster might display as Not compliant
The Cluster Compliance status of a vSAN enabled cluster might display as Not compliant, because the compliance check might not recognize vSAN datastores as shared datastores.

This issue is resolved in this release.
Error message about vSAN capacity appears after vSAN is disabled on a cluster
When all disk groups are removed from a vSAN cluster, the vSphere Client displays a warning similar to the following: VMware vSAN cluster in datacenter does not have capacity. After you disable vSAN on the cluster, the warning message persists.

This issue is resolved in this release.
Null pointer returned when executing Ruby vSphere Console (RVC) command vsan.whatif_host_failures
If the properties of an ESXi host cannot be retrieved, a null pointer might be returned when you run the following RVC command: vsan.whatif_host_failures.

This issue is resolved in this release.
vSAN capacity monitor shows lower Used Capacity than actual capacity used
After you upgrade vCenter Server to 6.5 Update 2, the vSAN capacity monitor (Monitor > vSAN > Capacity) does not include capacity used by virtual machines on hosts running 6.5 Update 1 or older. The Used Capacity displayed is lower than the actual capacity used.

This issue is resolved in this release.

vCenter Server, vSphere Web Client, and vSphere Client Issues

VMware vSphere Authentication Proxy configuration options are not visible in either the vSphere Web Client and the vSphere Client
You might not see the Manage tab under System Configuration > Services > VMware vSphere Authentication Proxy in either the vSphere Web Client and the vSphere Client.

This issue is resolved in this release.
When typing in the web-based WebMKS console of the vSphere Web Client in Mozilla Firefox, some characters might repeat
When typing in the web-based WebMKS console of the vSphere Web Client in Mozilla Firefox, versions 54.0 or later, some characters might repeat.

This issue is fixed in this release.
The Edit Host Customizations workflow in the vSphere Client might not keep customized values
When you customize the settings of an ESXi host by changing values such as IP and netmask, the Edit Host Customizations workflow in the vSphere Client might not keep the customized values.The workflow works as expected in the vSphere Web Client.

This issue is resolved in this release.

Known Issues

The known issues are grouped as follows.

Virtual Machines Management Issues
Installation, Upgrade and Migration Issues
CLI Issues
Miscellaneous Issues
Internationalization Issues
VMware High Availability and Fault Tolerance Issues
Tools Issues
vCenter Server, vSphere Web Client, and vSphere Client Issues
Known Issues from Prior Releases

Virtual Machines Management Issues

The Virtual Appliance Management Interface might display a 0- message or a blank page during patching from vCenter Server 6.7 to later versions
The Virtual Appliance Management Interface might display a 0- message or a blank page during patching from vCenter Server 6.7 to later versions, if calls from the interface fail to reach the back end applmgmt service. You might also see the message Unable to get historical data import status. Check Server Status.

Workaround: These are not failure messages. Refresh the browser and log in to the Virtual Appliance Management Interface again once the reboot of appliance in the back end is complete.
The Ready to Complete page of the Register Virtual Machine wizard displays only one horizontal line
The Ready to Complete page of the Register Virtual Machine wizard might display content similar to one horizontal line due to a rendering issue. This issue does not affect the workflow of the wizard.

Workaround: None

Installation, Upgrade and Migration Issues

Upgrading vCenter Server 6.5 for Windows to vCenter Server 6.7 might fail if the vSphere Authentication Proxy service is active
If the vSphere Authentication Proxy service is active while you perform an upgrade from vCenter Server 6.5 for Windows to vCenter Server 6.7, the operation might fail during the pre-check. You might see an error similar to:

The following non-configurable port(s) are already in use: 2016, 7475, 7476 Stop the process(es) that use these port(s).

Workaround: Stop the vSphere Authentication Proxy service. You can restart the service after the successful upgrade to vCenter Server 6.7.
Patching to vCenter Server 6.7 Update 1 from earlier versions of vCenter Server 6.7 might fail when vCenter Server High Availability is active
Patching to vCenter Server 6.7 Update 1 from earlier versions of vCenter Server 6.7 might fail when vCenter Server High Availability is active due to a DB schema change. For more information, see VMware knowledge base article 55938.

Workaround: To patch your system to vCenter Server 6.7 Update 1 from earlier versions of vCenter Server 6.7, you must remove vCenter Server High Availability and delete passive and witness nodes. After the upgrade, you must re-create your vCenter Server High Availability clusters.
Upgrade to vCenter Server Appliance 6.7 Update 1 from vCenter Server Appliance 6.5 Update 2 and later, using custom HTTP and HTTPS ports, might fail
Upgrades from vCenter Server Appliance 6.5 Update 2 and later, using custom HTTP and HTTPS ports, to vCenter Server Appliance 6.7 Update 1 might fail. You might see the issue regardless if you use the GUI or CLI installer.

Workaround: None
Converging an external Platform Services Controller to a vCenter Server might fail if the Platform Services Controller uses a custom HTTPS port
You might fail to converge an external Platform Services Controller to a vCenter Server system, if the vCenter Server system is configured with the default HTTPS port, 443, and the Platform Services Controller node is configured with a custom value for the HTTPS port. The operation fails in the firstboot stage due to convergence issues.

Workaround: Change the HTTPS port value to the default value, 443, for vCenter Server nodes before running vCenter External to Embedded Convergence tool. You can run the following commands to do the same:
1. /usr/lib/vmware-vmafd/bin/vmafd-cli set-dc-port --server-name localhost --dc-port 443
2. /usr/lib/vmware-vmafd/bin/vmafd-cli set-rhttpproxy-port --server-name localhost --rhttpproxy-port 443

CLI Issues

Views might switch from the appliance shell to the Direct Console User Interface during an upgrade of the vCenter Server Appliance by using the CLI installer
During an upgrade of the vCenter Server Appliance by using the CLI installer, views might switch intermittently from the appliance shell to the Direct Console User Interface. Restarts of the applmgmt service during updates causes the issue.

Workaround: Switch to appliance shell tty to monitor the progress.

Miscellaneous Issues

Importing a .csv file overwrites user input during host customization.
User input in the Customize hosts pane is overwritten by the import process and the values from the .csv file.

Workaround: Import the .csv file before adding manual changes in the Customize hosts pane.
The vCenter Server Convergence Tool might fail to convert an external Platform Services Controller to an embedded Platform Services Controller due to conflicting IP and FQDN
If you have configured an external Platform Services Controller with an IP address as an optional FQDN field during the deployment, the vCenter Server Convergence Tool might fail to convert the external Platform Services Controller to an embedded Platform Services Controller because of a name conflict.

Workaround: Do not use the vCenter Server Convergence Tool for Platform Services Controllers installed with an IP address as an alternative or addition to the FQDN address.
If you repoint and reconfigure the setup of a Platform Services Controller, the restore process might fail
If you repoint and reconfigure the setup of a Platform Services Controller, the restore process might fail due to a stale service ID entry.

Workaround: Follow the steps in VMware knowledge base article 2131327 to clean up the stale service ID before proceeding with restore.
Attempts to log in to a vCenter Server system after an upgrade to vCenter Server 6.7 might fail with a credentials validation error
After an upgrade of your system to vCenter Server 6.7, if you try to log in to the system by using either the vSphere Web Client or vSphere Client, and a security token or smartcard, the login might fail with an error Unable to validate the submitted credential.

Workaround: Remove and re-add the identity source. For more information, see Add or Edit a vCenter Single Sign-On Identity Source.
An Enhanced vMotion Compatibility (EVC) cluster might show new CPU IDs such as IBPB even if you revert an ESXi host to an older version
If you revert an ESXi host to an older version of ESXi, an EVC cluster might expose new CPU IDs, such as IBRS, STIBP and IBPB, even though the host does not have any of the features.

Workaround: This issue is resolved in this release. However, a host that does not meet the requirements of an EVC cluster does not automatically reconnect and you must remove it from the cluster.
Some vCenter Server plug-ins might not correctly render the dark theme mode in the vSphere Client
If you change color schemes in the vSphere Client to display the interface in a dark theme, some vCenter Server plug-ins might not correctly render the mode.

Workaround: None
If you enable per-VM EVC, virtual machines might fail to power on
If you install or use for upgrade only VMware vCenter Server 6.7 Update 1, but do not apply ESXi 6.7 Update 1, and if you configure or reconfigure per-VM EVC, virtual machines on unpatched hosts might fail to power on. You might also see the issue if you enable cluster-level EVC and even one of the hosts in the cluster is not patched with the latest update. The new CPU IDs of that cluster might not be available on the cluster. In such a cluster, if you configure or reconfigure per-VM EVC, virtual machines might fail to power on.

Workaround: Before you configure or reconfigure per-VM EVC, upgrade all the standalone ESXi hosts, as well as hosts inside a cluster, to the latest update for hypervisor-assisted guest mitigation for guest operating systems.
Edits to the DNS settings might cause deletion of the IPv6 loopback address from the /etc/resolv.conf and /etc/systemd/resolved.conf files
Edits to the DNS settings by using either the Appliance Management Interface, appliance shell, or the vSphere Web Client, might cause deletion of the IPv6 loopback address from the/etc/resolv.conf and /etc/systemd/resolved.conf files.

Workaround: To avoid deletion of the IPv6 loopback address, edit the resolv.conf files by using the Bash shell:
1. In the /etc/resolv.conf file, set the following parameters:
  nameserver: ::1
  nameserver: <dnsserver 1>
  nameserver: <dnsserver 2>
2. In the /etc/systemd/resolved.conf file, set the following parameters:
  [Resolve]
  LLMNR=false
  DNS=::1 <dnsserver 1> <dnsserver 2>
The SSH service might be disabled after an external Platform Services Controller converts to an embedded Platform Services Controller
If you convert an external Platform Services Controller to an embedded Platform Services Controller, the SSH service might be disabled based on Active Directory policies and restrictions.

Workaround: Manually enable the SSH service after the conversion is complete.

Internationalization Issues

A VMkernel network using an NSX logical switch might fail for stateless hosts if you register vCenter Server with non-ASCII characters on VMware NSX Manager
If you register vCenter Server to an NSX Manager with a password containing characters from the extended ASCII codes between 128 and 255, or non-ASCII characters, a VMkernel network using an NSX logical switch might be lost after deploying a stateless host.

Workaround: Register vCenter Server to an NSX Manager with a password containing only ASCII characters.
An ESXi host might stop responding if you add a vSphere Distributed Switch named with a string containing tens of non-ASCII characters to a physical adapter in a hyper-converged infrastructure (HCI) cluster
If you name a VDS with a string containing more than 40 characters from the extended ASCII codes between 128 and 255, or more than 26 non-ASCII characters, ESXi hosts might stop responding when you attempt to add the VDS to a physical adapter during the configuration of a hyper-converged infrastructure (HCI) cluster.

Workaround: Use strings with less than 40 characters from the extended ASCII codes and 26 non-ASCII characters when naming a VDS.

VMware High Availability and Fault Tolerance Issues

vCenter Server High Availability cluster configuration by using an NSX-T logical switch might fail
Configuration of a vCenter Server High Availability cluster by using an NSX-T logical switch might fail with the error Failed to connect peer node.

Workaround: Configure vCenter Server High Availability clusters by using a vSphere Distributed Switch.
You cannot add ESXi hosts running vSphere Fault Tolerance workloads to a vCenter Server system by using the vSphere Client
Attempts to add ESXi hosts running vSphere Fault Tolerance workloads to a vCenter Server system by using the vSphere Client might fail with the error Cannot add a host with virtual machines that have Fault Tolerance turned on as a stand-alone host.

Workaround: As alternatives, you can:
1. Schedule a task to add the host and execute it immediately.
  1. In the vSphere Client, navigate to Configure > Scheduled tasks for a selected cluster.
  2. Select New scheduled task > Add Host.
  3. Schedule a time to run the task.
  4. Add a host and run the task.
  5. Delete the task after the host is added.
2. Use the vSphere Web Client to add the host. Login to the vSphere Web Client and execute the standard add host workflow.
3. Turn off the fault tolerance virtual machines temporarily, add the host to the new vCenter Server system, and then turn it on back again.

Tools Issues

The OVF Tool might fail to verify an SSL thumbprint if you use CLI
If you set the SSL thumbprint value by using CLI, the OVF Tool might fail to verify the thumbprint. The issue is not monitored if you use the Direct Console User Interface (DCUI).

Workaround: Use any of the following alternatives:
- In the DCUI, specify the thumbprint in the section of ssl_certificate_verification.
- In the DCUI, specify to ignore certificate thumbprint for ESXi by putting ssl_certificate_verification verification_mode to False.
- Ignore all certificate thumbprints globally by using the command-line parameter: --no-ssl-certificate-verification.
- Wait for the CLI prompt to accept the thumbprint that it receives from the source.

vCenter Server, vSphere Web Client, and vSphere Client Issues

The vSphere Client and vSphere Web Client might not reflect update from vCenter Server 6.7 to vCenter Server 6.7 Update 1 for vCenter Server for Windows
If you update vCenter Server for Windows from vCenter Server 6.7 to vCenter Server 6.7 Update 1, the build number details for vpxd in the Summary tab of both the vSphere Client and vSphere Web Client might not reflect the update and show version 6.7.0.

Workaround: None.

Known Issues from Prior Releases

To view a list of previous known issues, click here.

The earlier known issues are grouped as follows.

Installation, Upgrade, and Migration Issues
Security Features Issues
Networking Issues
Storage Issues
Backup and Restore Issues
vCenter Server Appliance, vCenter Server, vSphere Web Client, and vSphere Client Issues
Virtual Machine Management Issues
vSphere HA and Fault Tolerance Issues
Auto Deploy and Image Builder Issues
Miscellaneous Issues
Server Configuration Issues

Installation, Upgrade, and Migration Issues

ESXi installation or upgrade fail due to memory corruption on HPE ProLiant - DL380/360 Gen 9 Servers
The issue occurs on HPE ProLiant - DL380/360 Gen 9 Servers that have a Smart Array P440ar storage controller.

Workaround: Set the server BIOS mode to UEFI before you install or upgrade ESXi.
After an ESXi upgrade to version 6.7 and a subsequent rollback to version 6.5 or earlier, you might experience failures with error messages
You might see failures and error messages when you perform one of the following on your ESXi host after reverting to 6.5 or earlier versions:
- Install patches and VIBs on the host
  Error message: [DependencyError] VIB VMware_locker_tools-light requires esx-version >= 6.6.0
- Install or upgrade VMware Tools on VMs
  Error message: Unable to install VMware Tools.
After the ESXi rollback from version 6.7, the new tools-light VIB does not revert to the earlier version. As a result, the VIB becomes incompatible with the rolled back ESXi host causing these issues.

Workaround: Perform the following to fix this problem.

SSH to the host and run one of these commands:

esxcli software vib install -v /path/to/tools-light.vib

or

esxcli software vib install -d /path/to/depot/zip -n tools-light

Where the vib and zip are of the currently running ESXi version.

Note: For VMs that already have new VMware Tools installed, you do not have to revert VMware Tools back when ESXi host is rolled back.
Special characters backslash (\) or double-quote (") used in passwords causes installation pre-check to fail
If the special characters backslash (\) or double quote (") are used in ESXi, vCenter Single Sign-On, or operating system password fields during the vCenter Server Appliance Installation templates, the installation pre-check fails with the following error:

Error message: com.vmware.vcsa.installer.template.cli_argument_validation: Invalid \escape: line ## column ## (char ###)

Workaround: If you include special characters backslash (\) or double quote (") in the passwords for ESXi, operating systems, or Single-Sign-On, the special characters need to be escaped. For example, the password pass\word should be escaped as pass\\word.
Windows vCenter Server 6.7 installer fails when non-ASCII characters are present in password
The Windows vCenter Server 6.7 installer fails when the Single Sign-on password contains non-ASCII characters for Chinese, Japanese, Korean, and Taiwanese locales.

Workaround: Ensure that the Single Sign-on password contains ASCII characters only for Chinese, Japanese, Korean, and Taiwanese locales.
Cannot log in to vSphere Appliance Management Interface if the colon character (:) is part of vCenter Server root password
During the vCenter Server Appliance UI installation (Set up appliance VM page of Stage 1), if you include the colon character (:) as part of the vCenter Server root password, logging into the vSphere Appliance Management Interface (https://vc_ip:5480) fails and you are unable to login. The password might be accepted by the password rule check during the setup, but login fails.

Workaround: Do not use the colon character (:) to set the vCenter Server root password in the vCenter Server Appliance UI (Set up appliance VM of Stage 1).
vCenter Server Appliance installation fails when the backslash character (\) is included in the vCenter Single Sign-On password
During the vCenter Server Appliance UI installation (SSO setup page of Stage 2), if you include the backslash character (\) as part of the vCenter Single Sign-On password, the installation fails with the error Analytics Service registration with Component Manager failed. The password might be accepted by the password rule check, but installation fails.

Workaround: Do not use the backslash character (\) to set the vCenter Single Sign-On password in the vCenter Server Appliance UI installer (SSO setup page of Stage 2)
Scripted ESXi installation fails on HP ProLiant Gen 9 Servers with an error
When you perform a scripted ESXi installation on an HP ProLiant Gen 9 Server under the following conditions:
- The Embedded User Partition option is enabled in the BIOS.
- You use multiple USB drives during installation: one USB drive contains the ks.cfg file, and the others USB drive is not formatted and usable.
The installation fails with the error message Partitions not initialized.

Workaround:
1. Disable the Embedded User Partition option in the server BIOS.
2. Format the unformatted USB drive with a file system or unplug it from the server.
Windows vCenter Server 6.0.x or 6.5.x upgrade to vCenter Server 6.7 fails if vCenter Server contains non-ASCII or high-ASCII named 5.5 host profiles
When a source Windows vCenter Server 6.0.x or 6.5.x contains vCenter Server 5.5.x host profiles named with non-ASCII or high-ASCII characters, UpgradeRunner fails to start during the upgrade pre-check process.

Workaround: Before upgrading Windows vCenter Server 6.0.x or 6.5.x to vCenter Server 6.7, upgrade the ESXi 5.5.x with the non-ASCII or high-ASCII named host profiles to ESXi 6.0.x or 6.5.x, then update the host profile from the upgraded host by clicking Copy setting from the hosts.
You cannot run the camregister command with the -x option if the vCenter Single Sign-On password contains non-ASCII characters
When you run the camregister command with the -x file option, for example, to register the vSphere Authentication Proxy, the process fails with an access denied error when the vCenter Single Sign-On password contains non-ASCII characters.

Workaround: Either set up the vCenter Single Sign-On password with ASCII characters, or use the –p password option when you run the camregister command to enter the vCenter Single Sign-On password that contains non-ASCII characters.
The Bash shell and SSH login are disabled after upgrading to vCenter Server 6.7
After upgrading to vCenter Server 6.7, you are not able to access the vCenter Server Appliance using either the Bash shell or SSH login.

Workaround:
1. After successfully upgrading to vCenter Server 6.7, log in to the vCenter Server Appliance Management Interface. In a Web browser, go to: https://appliance_ip_address_or_fqdn:5480
2. Log in as root.
  The default root password is the password you set while deploying the vCenter Server Appliance.
3. Click Access, and click Edit.
4. Edit the access settings for the Bash shell and SSH login.
  When enabling Bash shell access to the vCenter Server Appliance, enter the number of minutes to keep access enabled.
5. Click OK to save the settings.
Management node migration is blocked if vCenter Server for Windows 6.0 is installed on Windows Server 2008 R2 without previously enabling Transport Layer Security 1.2
This issue occurs if you are migrating vCenter Server for Windows 6.0 using an external Platform Services Controller (an MxN topology) on Windows Server 2008 R2. After migrating the external Platform Services Controller, when you run Migration Assistant on the Management node it fails, reporting that it cannot retrieve the Platform Services Controller version. This error occurs because Windows Server 2008 R2 does not support Transport Layer Security (TLS) 1.2 by default, which is the default TLS protocol for Platform Services Controller 6.7.

Workaround: Enable TLS 1.2 for Windows Server 2008 R2.1.
1. Navigate to the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
2. Create a new folder and label it TLS 1.2.
3. Create two new keys with the TLS 1.2 folder, and name the keys Client and Server.
4. Under the Client key, create two DWORD (32-bit) values, and name them DisabledByDefault and Enabled.
5. Under the Server key, create two DWORD (32-bit) values, and name them DisabledByDefault and Enabled.
6. Ensure that the Value field is set to 0 and that the Base is Hexadecimal for DisabledByDefault.
7. Ensure that the Value field is set to 1 and that the Base is Hexadecimal for Enabled.
8. Reboot the Windows Server 2008 R2 computer.
For more information on using TLS 1.2 with Windows Server 2008 R2, refer to the operating system vendor's documentation.
vCenter Server containing host profiles with version less than 6.0 fails during upgrade to version 6.7
vCenter Server 6.7 does not support host profiles with version less than 6.0. To upgrade to vCenter Server 6.7, you must first upgrade the host profiles to version 6.0 or later, if you have any of the following components:
- ESXi host(s) version - 5.1 or 5.5
- vCenter server version - 6.0 or 6.5
- Host profiles version - 5.1 or 5.5
Workaround: See KB 52932
After upgrading to vCenter Server 6.7, any edits to the ESXi host's /etc/ssh/sshd_config file are discarded, and the file is restored to the vCenter Server 6.7 default configuration
Due to changes in the default values in the /etc/ssh/sshd_config file, the vCenter Server 6.7 upgrade replaces any manual edits to this configuration file with the default configuration. This change was necessary as some prior settings (for example, permitted ciphers) are no longer compatible with current ESXi behavior, and prevented SSHD (SSH daemon) from starting correctly.

CAUTION: Editing /etc/ssh/sshd_config is not recommended. SSHD is disabled by default, and the preferred method for editing the system configuration is through the VIM API (including the ESXi Host Client interface) or ESXCLI.

Workaround: If edits to /etc/ssh/sshd_config are needed, you can apply them after successfully completing the vCenter Server 6.7 upgrade. The default configuration file now contains a version number. Preserve the version number to avoid overwriting the file.

For further information on editing the /etc/ssh/sshd_config file, see the following Knowledge Base articles:
- For information on enabling public/private key authentication, see Knowledge Base article KB 1002866
- For information on changing the default SSHD configuration, see Knowledge Base article KB 1020530

Security Features Issues

Virtualization Based Security (VBS) on vSphere in Windows Guest OSs RS1, RS2 and RS3 require HyperV to be enabled in the Guest OS.
Virtualization Based Security (VBS) on vSphere in Windows Guest OSs RS1, RS2 and RS3 require HyperV to be enabled in the Guest OS.

Workaround: Enable Hyper-V Platform on Windows Server 2016. In the Server Manager, under Local Server select Manage -> Add Roles and Features Wizard and under Role-based or feature-based installation select Hyper-V from the server pool and specify the server roles. Choose defaults for Server Roles, Features, Hyper-V, Virtual Switches, Migration and Default Stores. Reboot the host.

Enable Hyper-V on Windows 10: Browse to Control Panel -> Programs -> Turn Windows features on or off. Check the Hyper-V Platform which includes the Hyper-V Hypervisor and Hyper-V Services. Uncheck Hyper-V Management Tools. Click OK. Reboot the host.

Networking Issues

Hostprofile PeerDNS flags do not work in some scenarios
If PeerDNS for IPv4 is enabled for a vmknic on a stateless host that has an associated host profile, the iPv6PeerDNS might appear with a different state in the extracted host profile after the host reboots.

Workaround: None.
When you upgrade vSphere Distributed Switches to version 6.6, you might encounter a few known issues
During upgrade, the connected virtual machines might experience packet loss for a few seconds.

Workaround: If you have multiple vSphere Distributed Switches that need to be upgraded to version 6.6, upgrade the switches sequentially.

Schedule the upgrade of vSphere Distributed Switches during a maintenance window, set DRS mode to manual, and do not apply DRS recommendations for the duration of the upgrade.

For more details about known issues and solutions, see KB 52621
VM fails to power on when Network I/O Control is enabled and all active uplinks are down
A VM fails to power on when Network I/O Control is enabled and the following conditions are met:
- The VM is connected to a distributed port group on a vSphere distributed switch
- The VM is configured with bandwidth allocation reservation and the VM's network adapter (vNIC) has a reservation configured
- The distributed port group teaming policy is set to Failover
- All active uplinks on the distributed switch are down. In this case, vSphere DRS cannot use the standby uplinks and the VM fails to power on.
Workaround: Move the available standby adapters to the active adapters list in the teaming policy of the distributed port group.
Network flapping on a NIC that uses qfle3f driver might cause ESXi host to crash
The qfle3f driver might cause the ESXi host to crash (PSOD) when the physical NIC that uses the qfle3f driver experiences frequent link status flapping every 1-2 seconds.

Workaround: Make sure that network flapping does not occur. If the link status flapping interval is more than 10 seconds, the qfle3f driver does not cause ESXi to crash. For more information, see KB 2008093.
Port Mirror traffic packets of ERSPAN Type III fail to be recognized by packet analyzers
A wrong bit that is incorrectly introduced in ERSPAN Type III packet header causes all ERSPAN Type III packets to appear corrupt in packet analyzers.

Workaround: Use GRE or ERSPAN Type II packets, if your traffic analyzer supports these types.
DNS configuration esxcli commands are not supported on non-default TCP/IP stacks
DNS configuration of non-default TCP/IP stacks is not supported. Commands such as esxcli network ip dns server add -N vmotion -s 10.11.12.13 do not work.

Workaround: Do not use DNS configuration esxcli commands on non-default TCP/IP stacks.
Compliance check fails with an error when applying a host profile with enabled default IPv4 gateway for vmknic interface
When applying a host profile with enabled default IPv4 gateway for vmknic interface, the setting is populated with "0.0.0.0" and does not match the host info, resulting with the following error:

IPv4 vmknic gateway configuration doesn't match the specification

Workaround:
1. Edit the host profile settings.
2. Navigate to Networking configuration > Host virtual nic or Host portgroup > (name of the vSphere Distributed Switch or name of portgroup) > IP address settings.
3. From the Default gateway Vmkernal Network Adapter (IPv4) drop-down menu, select Choose a default IPv4 gateway for the vmknic and enter the Vmknic Default IPv4 gateway.
Intel Fortville series NICs cannot receive Geneve encapsulation packets with option length bigger than 255 bytes
If you configure Geneve encapsulation with option length bigger than 255 bytes, the packets are not received correctly on Intel Fortville NICs X710, XL710, and XXV710.

Workaround: Disable hardware VLAN stripping on these NICs by running the following command:

esxcli network nic software set --untagging=1 -n vmnicX.
RSPAN_SRC mirror session fails after migration
When a VM connected to a port assigned for RSPAN_SRC mirror session is migrated to another host, and there is no required pNic on the destination network of the destination host, then the RSPAN_SRC mirror session fails to configure on the port. This causes the port connection to fail failure but the vMotion migration process succeeds.

Workaround: To restore port connection failure, complete either one of the following:
- Remove the failed port and add a new port.
- Disable the port and enable it.
The mirror session fails to configure, but the port connection is restored.

Storage Issues

NFS datastores intermittently become read-only
A host's NFS datastores may become read-only when the NFS vmknic temporarily loses its IP address or after a stateless hosts reboot.

Workaround: You can unmount and remount the datastores to regain connectivity through the NFS vmknic. You can also set the NFS datastore write permission to both the IP address of the NFS vmknic and the IP address of the Management vmknic.
When editing a VM's storage policies, selecting Host-local PMem Storage Policy fails with an error
In the Edit VM Storage Policies dialog, if you select Host-local PMem Storage Policy from the dropdown menu and click OK, the task fails with one of these errors:

The operation is not supported on the object.

or

Incompatible device backing specified for device '0'"Detailed

Workaround: You cannot apply the Host-local PMem Storage Policy to VM home. For a virtual disk, you can use the migration wizard to migrate the virtual disk and apply the Host-local PMem Storage Policy.
Datastores might appear as inaccessible after ESXi hosts in a cluster recover from a permanent device loss state
This issue might occur in the environment where the hosts in the cluster share a large number of datastore, for example, 512 to 1000 datastores.
After the hosts in the cluster recover from the permanent device loss condition, the datastores are mounted successfully at the host level. However, in vCenter Server, several datastores might continue to appear as inaccessible for a number of hosts.

Workaround: On the hosts that show inaccessible datastores in the vCenter Server view, perform the Rescan Storage operation from vCenter Server.
Migration of a virtual machine from a VMFS3 datastore to VMFS5 fails in a mixed ESXi 6.5 and 6.7 host environment
If you have a mixed host environment, you cannot migrate a virtual machine from a VMFS3 datastore connected to an ESXi 6.5 host to a VMFS5 datastore on an ESXi 6.7 host.

Workaround: Upgrade the VMFS3 datastore to VMFS5 to be able to migrate the VM to the ESXi 6.7 host.
Warning message about a VMFS3 datastore remains unchanged after you upgrade the VMFS3 datastore using the CLI
Typically, you use the CLI to upgrade the VMFS3 datastore that failed to upgrade during an ESXi upgrade. The VMFS3 datastore might fail to upgrade due to several reasons including the following:
- No space is available on the VMFS3 datastore.
- One of the extents on the spanned datastore is offline.
After you fix the reason of the failure and upgrade the VMFS3 datastore to VMFS5 using the CLI, the host continues to detect the VMFS3 datastore and reports the following error:

Deprecated VMFS (ver 3) volumes found. Upgrading such volumes to VMFS (ver5) is mandatory for continued availability on vSphere 6.7 host.

Workaround: To remove the error message, restart hostd using the /etc/init.d/hostd restart command or reboot the host.
The Mellanox ConnectX-4/ConnectX-5 native ESXi driver might exhibit performance degradation when its Default Queue Receive Side Scaling (DRSS) feature is turned on
Receive Side Scaling (RSS) technology distributes incoming network traffic across several hardware-based receive queues, allowing inbound traffic to be processed by multiple CPUs. In Default Queue Receive Side Scaling (DRSS) mode, the entire device is in RSS mode. The driver presents a single logical queue to OS and is backed by several hardware queues.

The native nmlx5_core driver for the Mellanox ConnectX-4 and ConnectX-5 adapter cards enables the DRSS functionality by default. While DRSS helps to improve performance for many workloads, it could lead to possible performance degradation with certain multi-VM and multi-vCPU workloads.

Workaround: If significant performance degradation is observed, you can disable the DRSS functionality.
1. Run the esxcli system module parameters set -m nmlx5_core -p DRSS=0 RSS=0 command.
2. Reboot the host.
Datastore name does not extract to the Coredump File setting in the host profile
When you extract a host profile, the Datastore name field is empty in the Coredump File setting of the host profile. Issue appears when using esxcli command to set coredump.

Workaround:
1. Extract a host profile from an ESXi host.
2. Edit the host profile settings and navigate to General System Settings > Core Dump Configuration > Coredump File.
3. Select Create the Coredump file with an explicit datastore and size option and enter the Datastore name, where you want the Coredump File to reside.
Native software FCoE adapters configured on an ESXi host might disappear when the host is rebooted
After you successfully enable the native software FCoE adapter (vmhba) supported by the vmkfcoe driver and then reboot the host, the adapter might disappear from the list of adapters. This might occur when you use Cavium QLogic 57810 or QLogic 57840 CNAs supported by the qfle3 driver.

Workaround: To recover the vmkfcoe adapter, perform these steps:
1. Run the esxcli storage core adapter list command to make sure that the adapter is missing from the list.
2. Verify the vSwitch configuration on vmnic associated with the missing FCoE adapter.
3. Run the following command to discover the FCoE vmhba:
  - On a fabric setup:
    #esxcli fcoe nic discover -n vmnic_number
  - On a VN2VN setup:
    #esxcli fcoe nic discover -n vmnic_number
Attempts to create a VMFS datastore on an ESXi 6.7 host might fail in certain software FCoE environments
Your attempts to create the VMFS datastore fail if you use the following configuration:
- Native software FCoE adapters configured on an ESXi 6.7 host.
- Cavium QLogic 57810 or 57840 CNAs.
- Cisco FCoE switch connected directly to an FCoE port on a storage array from the Dell EMC VNX5300 or VNX5700 series.
Workaround: None.

As an alternative, you can switch to the following end-to-end configuration:
ESXi host > Cisco FCoE switch > FC switch > storage array from the DELL EMC VNX5300 and VNX5700 series.

Backup and Restore Issues

Windows Explorer displays some backups with unicode differently from how browsers and file system paths show them
Some backups containing unicode display differently in the Windows Explorer file system folder than they do in browsers and file system paths.

Workaround: Using http, https, or ftp, you can browse backups with your web browser instead of going to the storage folder locations through Windows Explorer.

vCenter Server Appliance, vCenter Server, vSphere Web Client, and vSphere Client Issues

The time synchronization mode setting is not retained when upgrading vCenter Server Appliance
If NTP time synchronization is disabled on a source vCenter Server Appliance, and you perform an upgrade to vCenter Server Appliance 6.7, after the upgrade has successfully completed NTP time synchronization will be enabled on the newly upgraded appliance.

Workaround:
1. After successfully upgrading to vCenter Server Appliance 6.7, log into the vCenter Server Appliance Management Interface as root.
  The default root password is the password you set while deploying the vCenter Server Appliance.
```
 https://IP_or_FQDN_of_appliance:5480
```
2. In the vCenter Server Appliance Management Interface, click Time.
3. In the Time Synchronization pane, click Edit.
4. From the Mode drop-down menu, select Disabled.
  The newly upgraded vCenter Server Appliance 6.7 will no longer use NTP time synchronization, and will instead use the system time zone settings.
Login to vSphere Web Client with Windows session authentication fails on Firefox browsers of version 54 or later
If you use Firefox of version 54 or later to log in to the vSphere Web Client, and you use your Windows session for authentication, the VMware Enhanced Authentication Plugin might fail to populate your user name and to log you in.

Workaround: If you are using Windows session authentication to log in to the vSphere Web Client, use one of the following browsers: Internet Explorer, Chrome, or Firefox of version 53 and earlier.
vCenter hardware health alarm notifications are not triggered in some instances
When multiple sensors in the same category on an ESXi host are tripped within a time span of less than five minutes, traps are not received and email notifications are not sent.

Workaround: None. You can check the hardware sensors section for any alerts.
When using the VCSA Installer Time Sync option, you must connect the target ESX to the NTP server in the Time & Date Setting from the ESX Management
If you want to select Time Sync with NTP server from the VCSA Installer->Stage2->Appliance configuration->Time Sync option (ESX/NTP server), you also need to have the target ESX already connected to NTP server in the Time&Date Setting from the ESX Management, otherwise it'll fail in installation.

Workaround:
1. Set the Time Sync option in stage2->Appliance configuration to sync with ESX
2. Set the Time Sync option in stage2->Appliance configuration to sync with NTP Servers, make sure both the ESX and VC are set to connect to NTP servers.
When you monitor Windows vCenter Server health, an error message appears
Health service is not available for Windows vCenter Server. If you select the vCenter Server, and click Monitor > Health, an error message appears:

Unable to query vSAN health information. Check vSphere Client logs for details.

This problem can occur after you upgrade the Windows vCenter Server from release 6.0 Update 1 or 6.0 Update 2 to release 6.7. You can ignore this message.
Workaround: None. Users can access vSAN health information through the vCenter Server Appliance.
vCenter hardware health alarms do not function with earlier ESXi versions
If ESXi version 6.5 Update 1 or earlier is added to vCenter 6.7, hardware health related alarms will not be generated when hardware events occur such as high CPU temperatures, FAN failures, and voltage fluctuations.

Workaround: None.
vCenter Server stops working in some cases when using vmodl to edit or expand a disk
When you configure a VM disk in a Storage DRS-enabled cluster using the latest vmodl, vCenter Server stops working. A previous workaround using an earlier vmodl no longer works and will also cause vCenter Server to stop working.

Workaround: None
vCenter Server for Windows migration to vCenter Server Appliance fails with error
When you migrate vCenter Server for Windows 6.0.x or 6.5.x to vCenter Server Appliance 6.7, the migration might fail during the data export stage with the error: The compressed zip folder is invalid or corrupted.

Workaround: You must zip the data export folder manually and follow these steps:
1. In the source system, create an environment variable MA_INTERACTIVE_MODE.
2. Go to Computer > Properties > Advanced system settings > Environment Variables > System Variables > New.
3. Enter "MA_INTERACTIVE_MODE" as variable name with value 0 or 1.
4. Start the VMware Migration Assistant and provide your password.
5. Start the Migration from the client machine. The migration will pause, and the Migration Assistant console will display the message To continue the migration, create the export.zip file manually from the export data (include export folder).
6. NOTE: Do not press any keys or tabs on the Migration Assistant console.
7. Go to the %appdata%\vmware\migration-assistant folder.
8. Delete the export.zip created by the Migration Assistant.
9. To continue the migration, manually create the export.zip file from the export folder.
10. Return to the Migration Assistant console. Type Y and press Enter.
Discrepancy between the build number in VAMI and the build number in the vSphere Client
In vSphere 6.7, the VAMI summary tab displays the ISO build for the vCenter Server and vCenter Server Appliance products. The vSphere Client summary tab displays the build for the vCenter product, which is a component within the vCenter Server product.

Workaround: None
vCenter Server Appliance 6.7 displays an error message in the Available Update section of the vCenter Server Appliance Management Interface (VAMI)
The Available Update section of the vCenter Server Appliance Management Interface (VAMI) displays the following error message:

Check the URL and try again.

This message is generated when the vCenter Server Appliance searches for and fails to find a patch or update. No functionality is impacted by this issue. This issue will be resolved with the release of the first patch for vSphere 6.7.

Workaround: None. No functionality is impacted by this issue.

Virtual Machine Management Issues

Name of the virtual machine in the inventory changes to its path name
This issue might occur when a datastore where the VM resides enters the All Paths Down state and becomes inaccessible. When hostd is loading or reloading VM state, it is unable to read the VM's name and returns the VM path instead. For example, /vmfs/volumes/123456xxxxxxcc/cs-00.111.222.333.

Workaround: After you resolve the storage issue, the virtual machine reloads, and its name is displayed again.
You must select the "Secure boot" Platform Security Level when enabling VBS in a Guest OS on AMD systems
On AMD systems, vSphere virtual machines do not provide a vIOMMU. Since vIOMMU is required for DMA protection, AMD users cannot select "Secure Boot and DMA protection" in the Windows Group Policy Editor when they "Turn on Virtualization Based Security". Instead select "Secure boot." If you select the wrong option it will cause VBS services to be silently disabled by Windows.

Workaround: Select "Secure boot" Platform Security Level in a Guest OS on AMD systems.
You cannot hot add memory and CPU for Windows VMs when Virtualization Based Security (VBS) is enabled within Windows
Virtualization Based Security (VBS) is a new feature introduced in Windows 10 and Windows Server 2016. vSphere supports running Windows with VBS enabled starting in the vSphere 6.7 release. However, Hot add of memory and CPU will not operate for Windows VMs when Virtualization Based Security (VBS) is enabled.

Workaround: Power-off the VM, change memory or CPU settings and power-on the VM.
Snapshot tree of a linked-clone VM might be incomplete after a vSAN network recovery from a failure
A vSAN network failure might impact accessibility of vSAN objects and VMs. After a network recovery, the vSAN objects regain accessibility. The hostd service reloads the VM state from storage to recover VMs. However, for a linked-clone VM, hostd might not detect that the parent VM namespace has recovered its accessibility. This results in the VM remaining in inaccessible state and VM snapshot information not being displayed in vCenter Server.

Workaround: Unregister the VM, then re-register it to force the hostd to reload the VM state. Snapshot information will be loaded from storage.
An OVF Virtual Appliance fails to start in the vSphere Client
The vSphere Client does not support selecting vService extensions in the Deploy OVF Template wizard. As a result, if an OVF virtual appliance uses vService extensions and you use the vSphere Client to deploy the OVF file, the deployment succeeds, but the virtual appliance fails to start.

Workaround: Use the vSphere Web Client to deploy OVF virtual appliances that use vService extensions.

vSphere HA and Fault Tolerance Issues

When you configure Proactive HA in Manual/MixedMode in vSphere 6.7 RC build you are prompted twice to apply DRS recommendations
When you configure Proactive HA in Manual/MixedMode in vSphere 6.7 RC build and a red health update is sent from the Proactive HA provider plug-in, you are prompted twice to apply the recommendations under Cluster -> Monitor -> vSphere DRS -> Recommendations. The first prompt is to enter the host into maintenance mode. The second prompt is to migrate all VMs on a host entering maintenance mode. In vSphere 6.5, these two steps are presented as a single recommendation for entering maintenance mode, which lists all VMs to be migrated.

Workaround: There is no impact to work flow or results. You must apply the recommendations twice. If you are using automated scripts, you must modify the scripts to include the additional step.
Lazy import upgrade interaction when VCHA is not configured
The VCHA feature is available as part of 6.5 release. As of 6.5, a VCHA cluster cannot be upgraded while preserving the VCHA configuration. The recommended approach for upgrade is to first remove the VCHA configuration either through vSphere Client or by calling a destroy VCHA API. So for lazy import upgrade workflow without VCHA configuration, there is no interaction with VCHA.

Do not configure a fresh VCHA setup while lazy import is in progress. The VCHA setup requires cloning the Active VM as Passive/Witness VM. As a result of an ongoing lazy import, the amount of data that needs to be cloned is large and may lead to performance issues.

Workaround: None.

Auto Deploy and Image Builder Issues

Reboot of an ESXi stateless host resets the numRxQueue value of the host
When an ESXi host provisioned with vSphere Auto Deploy reboots, it loses the previously set numRxQueue value. The Host Profiles feature does not support saving the numRxQueue value after the host reboots.

Workaround: After the ESXi stateless host reboots:
1. Remove the vmknic from the host.
2. Create a vmknic on the host with the expected numRxQueue value.
After caching on a drive, if the server is in the UEFI mode, a boot from cache does not succeed unless you explicitly select the device to boot from the UEFI boot manager
In case of Stateless Caching, after the ESXi image is cached on a 512n, 512e, USB, or 4Kn target disk, the ESXi stateless boot from autodeploy might fail on a system reboot. This occurs if autodeploy service is down.

The system attempts to search for the cached ESXi image on the disk, next in the boot order. If the ESXi cached image is found, the host is booted from it. In legacy BIOS, this feature works without problems. However, in the UEFI mode of the BIOS, the next device with the cached image might not be found. As a result, the host cannot boot from the image even if the image is present on the disk.

Workaround: If autodeploy service is down, on the system reboot, manually select the disk with the cached image from the UEFI Boot Manager.
A stateless ESXi host boot time might take 20 minutes or more
The booting of a stateless ESXi host with 1,000 configured datastores might require 20 minutes or more.

Workaround: None.

Miscellaneous Issues

ESXi might fail during reboot with VMs running on the iSCSI LUNs claimed by the qfle3i driver
ESXi might fail during reboot with VMs running on the iSCSI LUNs claimed by the qfle3i driver if you attempt to reboot the server with VMs in the running I/O state.

Workaround: First power off VMs and then reboot the ESXi host.
VXLAN stateless hardware offloads are not supported with Guest OS TCP traffic over IPv6 on UCS VIC 13xx adapters
You may experience issues with VXLAN encapsulated TCP traffic over IPv6 on Cisco UCS VIC 13xx adapters configured to use the VXLAN stateless hardware offload feature. For VXLAN deployments involving Guest OS TCP traffic over IPV6, TCP packets subject to TSO are not processed correctly by the Cisco UCS VIC 13xx adapters, which causes traffic disruption. The stateless offloads are not performed correctly. From a TCP protocol standpoint this may cause incorrect packet checksums being reported to the ESXi software stack, which may lead to incorrect TCP protocol processing in the Guest OS.

Workaround: To resolve this issue, disable the VXLAN stateless offload feature on the Cisco UCS VIC 13xx adapters for VXLAN encapsulated TCP traffic over IPV6. To disable the VXLAN stateless offload feature in UCS Manager, disable the Virtual Extensible LAN field in the Ethernet Adapter Policy. To disable the VXLAN stateless offload feature in the CIMC of a Cisco C-Series UCS server, uncheck Enable VXLAN field in the Ethernet Interfaces vNIC properties section.
Significant time might be required to list a large number of unresolved VMFS volumes using the batch QueryUnresolvedVmfsVolume API
ESXi provides the batch QueryUnresolvedVmfsVolume API, so that you can query and list unresolved VMFS volumes or LUN snapshots. You can then use other batch APIs to perform operations, such as resignaturing specific unresolved VMFS volumes. By default, when the API QueryUnresolvedVmfsVolume is invoked on a host, the system performs an additional filesystem liveness check for all unresolved volumes that are found. The liveness check detects whether the specified LUN is mounted on other hosts, whether an active VMFS heartbeat is in progress, or if there is any filesystem activity. This operation is time consuming and requires at least 16 seconds per LUN. As a result, when your environment has a large number of snapshot LUNs, the query and listing operation might take significant time.

Workaround: To decrease the time of the query operation, you can disable the filesystem liveness check.
1. Log in to your host as root.
2. Open the configuration file for hostd using a text editor. The configuration file is located in /etc/vmware/hostd/config.xml under plugins/hostsvc/storage node.
3. Add the checkLiveFSUnresolvedVolume parameter and set its value to FALSE. Use the following syntax:
  <checkLiveFSUnresolvedVolume>FALSE</checkLiveFSUnresolvedVolume>
As an alternative, you can set the ESXi Advanced option VMFS.UnresolvedVolumeLiveCheck to FALSE in the vSphere Client.
After upgrade to ESXi 6.7, networking workloads on Intel 10GbE NICs cause higher CPU utilization
If you run certain types of networking workloads on an upgraded ESXi 6.7 host, you might see a higher CPU utilization under the following conditions:
- The NICs on the ESXi host are from the Intel 82599EB or X540 families
- The workload involves multiple VMs that run simultaneously and each VM is configured with multiple vCPUs
- Before the upgrade to ESXi 6.7, the VMKLinux ixgbe driver was used
Workaround: Revert to the legacy VMKLinux ixgbe driver:
1. Connect to the ESXi host and run the following command:
  # esxcli system module set -e false -m ixgben
2. Reboot the host.
Note: The legacy VMKLinux ixgbe inbox driver version 3.7.x does not support Intel X550 NICs. Use the VMKLinux ixgbe async driver version 4.x with Intel X550 NICs.
Initial install of DELL CIM VIB might fail to respond
After you install a third-party CIM VIB it might fail to respond.

Workaround: To fix this issue, enter the following two commands to restart sfcbd:
1. esxcli system wbem set --enable false
2. esxcli system wbem set --enable true

Server Configuration Issues

To collapse the list of previous known issues, click here.