VMCH-67-000005 - Virtual disk erasure must be disabled on the virtual machine.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


Shrinking and wiping (erasing) a virtual disk reclaims unused space in it. If there is empty space in the disk, this process reduces the amount of space the virtual disk occupies on the host drive. Normal users and processes - that is, users and processes without root or administrator privileges - within virtual machines have the capability to invoke this procedure. However, if this is done repeatedly, the virtual disk can become unavailable while this shrinking is being performed, effectively causing a denial-of-service. In most datacenter environments, disk shrinking is not done, so this feature must be disabled. Repeated disk shrinking can make a virtual disk unavailable. The capability to wipe (erase) is available to non-administrative users operating within the VMs guest OS.


From the vSphere Web Client right-click the Virtual Machine and go to Edit Settings >> VM Options >> Advanced >> Configuration Parameters >> Edit Configuration. Find the isolation.tools.diskWiper.disable value and set it to true. If the setting does not exist, add the Name and Value setting at the bottom of screen.

Note: The VM must be powered off to configure the advanced settings through the vSphere Web Client so it is recommended to configure these settings with PowerCLI as it can be done while the VM is powered on. Settings do not take effect via either method until the virtual machine is cold started, not rebooted.


From a PowerCLI command prompt while connected to the ESXi host or vCenter server, run the following command:

If the setting does not exist, run:

Get-VM 'VM Name' | New-AdvancedSetting -Name isolation.tools.diskWiper.disable -Value true

If the setting exists, run:

Get-VM 'VM Name' | Get-AdvancedSetting -Name isolation.tools.diskWiper.disable | Set-AdvancedSetting -Value true

See Also


Item Details

References: CAT|II, CCI|CCI-000366, Rule-ID|SV-239336r679557_rule, STIG-ID|VMCH-67-000005, Vuln-ID|V-239336

Plugin: VMware

Control ID: 2105a520b5d53d700d38ef9db4b46aec9d01e38d07e29da5fdabd563b457bc4f