When you install or upgrade to ESXi 8.0 or later, the execInstalledOnly internal runtime option is activated on hosts by default. This option helps protect your hosts against ransomware attacks. If your ESXi 8.0 or later hosts still run non-VIB binaries from external sources, you can deactivate the execInstalledOnly internal runtime option.
The execInstalledOnly option helps protect your hosts against ransomware attacks by ensuring that the VMkernel executes only those binaries on a host that have been properly packaged and signed as part of a valid VIB.
The execInstalledOnly option is both a boot and an internal runtime option. The execInstalledOnly boot option, also called a kernel option, was introduced in ESXi 5.5. The execInstalledOnly boot option is deactivated by default. In vSphere 7.0 Update 2 and later, you can enforce the execInstalledOnly boot option upon every boot by using a TPM. For more information, see Activate or Deactivate the execInstalledOnly Enforcement for a Secure ESXi Configuration.
The execInstalledOnly internal runtime option added in ESXi 8.0 is activated on hosts by default. The execInstalledOnly boot option continues to be deactivated by default. However, if you set both options, a previously enabled execInstalledOnly boot option overwrites the internal runtime option.
When you deactivate the execInstalledOnly internal runtime option, vCenter Server warnings appear for the host.