π― Professional Zerto Virtual Replication Compliance Auditing, DR Testing Analytics & Cyber Resilience Monitoring
π Download Latest Release (v2.1.0) π
Pre-built package β No building required! Includes compiled executable, installer, and documentation.
For developers or advanced users, see Installation from Source below.
The Zerto Compliance Tool is an open-source automation solution for Zerto Virtual Manager (ZVM/ZVMA) environments that helps IT administrators, disaster recovery teams, and MSPs monitor DR testing effectiveness, track VM protection coverage, validate cyber resilience configurations, and generate executive-ready compliance reports.
β’ Zerto Administrators managing disaster recovery infrastructure
β’ MSPs & Service Providers tracking multi-tenant Zerto compliance
β’ IT Compliance Teams auditing SOC 2, ISO 27001, HIPAA DR controls
β’ Disaster Recovery Managers validating RTO/RPO testing schedules
β’ VMware vSphere Admins monitoring protected workload coverage
Query Zerto REST APIs to generate interactive HTML dashboards showing DR testing effectiveness, VM protection gaps, cyber resilience posture, VPG health status, and compliance scoring with actionable recommendations. Supports Zerto 9.x and 10.x authentication on Windows with PowerShell 5.1+ and .NET 8.0 GUI launcher.
Keywords: Zerto compliance, disaster recovery audit tool, VM protection monitoring, DR testing automation, VPG compliance checker, cyber resilience scoring, business continuity audit, Zerto PowerShell automation, RTO RPO validation, ransomware protection assessment
β’ π Interactive HTML Dashboard with KPIs, drill-down breakdowns, and recommendations
β’ π Multi-Format Export: HTML, CSV, JSON, Markdown for executive reporting
β’ π Secure Authentication: Windows Credential Manager integration + config file support
β’ π Multi-Site Support: Primary + Secondary + Additional sites (3+)
β’ π Recovery Reports Collection: Centralizes VPG test reports in audit artifacts
β’ π― Dynamic Scoring: DR Testing (40%), VM Coverage (30%), Cyber Resilience (30%) when LTR is evaluated; weights redistribute to DR/VM if Cyber is not evaluated
β’
β’ π Security-First: TLS validation, Lab Mode for testing, no password logging
β’ π Comprehensive Artifacts: Evidence CSV, control maps, transcripts, manifests
β’ β
Windows Server 2016+ or Windows 10/11
β’ β
.NET 8.0 Desktop Runtime - Auto-installed via included dotnet-install.ps1
β’ β
PowerShell 5.1+ - Included with Windows
β’ β
Network Access to Zerto ZVMA (HTTPS port 443 for 10.x, port 9669 for 9.x)
β’ β
Zerto Credentials - Read-Only Administrator or higher
β’ β
Local Administrator privileges for installation
π‘ Note: All dependencies are included - just download, install, and run!
π Download ComplianceTool_DeploymentPackage.zip
Extract the ZIP to any location (e.g., C:\Tools\zerto-compliance-tool)
From the extracted folder:
# Install .NET 8.0 Desktop Runtime (if needed)
powershell -ExecutionPolicy Bypass -File .\dotnet-install.ps1
# Run environment setup
powershell -ExecutionPolicy Bypass -File .\Setup-Environment.ps1# Run installer from the extracted folder (requires Administrator)
powershell -ExecutionPolicy Bypass -File .\Install-ZertoComplianceLauncher.ps1The installer:
- Copies files to
C:\Program Files\ZertoCompliance\ - Creates Desktop and Start Menu shortcuts
- Verifies .NET runtime availability
# Launch from shortcut or:
"C:\Program Files\ZertoCompliance\ZertoComplianceLauncher.exe"Configuration:
- Source Site: Enter primary ZVMA IP/hostname (e.g.,
192.168.111.20) - Zerto GUI User Name: Enter Zerto admin username (e.g.,
admin) - Password: Enter corresponding password
- Secondary Site (optional): Add secondary ZVMA for dual-site audits
- Additional Sites (optional): Comma-separated list for 3+ site environments
- Output Folder: Choose report destination (default:
Documents\ZertoCompliance) - Lab Mode: Enable SSL skip for testing environments only
- Cyber Resilience: Enable LTR vault lock evaluation
Click "Run Now" to execute compliance scan. Monitor progress in output window. Report opens automatically when complete.
Reports are generated in: ComplianceAudit_<host>_<YYYY-MM-DD_HHMMSS>/
Key Files:
- π
Report_<timestamp>.htmlβ Interactive dashboard (open in browser) - π
Zerto_Compliance_<timestamp>.csvβ Tabular evidence for Excel/BI - π
AUDIT-REPORT.mdβ Markdown executive summary - π¦
RecoveryReports/β VPG recovery test JSON reports - π
SUMMARY.txt,MANIFEST.json,ControlsMap.txt,LOG.txt
Your compliance score uses dynamic weights:
- When Cyber Resilience is evaluated (LTR enabled):
- Overall = (DR Testing % Γ 0.40) + (VM Coverage % Γ 0.30) + (Cyber Resilience % Γ 0.30)
- When Cyber Resilience is NOT evaluated (LTR disabled):
- Cyber weight is removed and redistributed proportionally β DR Testing β 57.14%, VM Coverage β 42.86%
| Scenario | DR Testing | VM Coverage | Cyber | Total |
|---|---|---|---|---|
| LTR enabled (standard weights) | 50% Γ 0.40 = 20 | 80% Γ 0.30 = 24 | 0% Γ 0.30 = 0 | 44% |
| LTR disabled (redistributed weights) | 100% Γ 0.5714 = 57.1 | 50% Γ 0.4286 = 21.4 | β | 79% |
Click dashboard cards in the HTML report to see detailed breakdowns!
The tool supports multiple authentication methods:
Method 1: GUI Input (Default)
- Enter credentials directly in launcher GUI
- Used for immediate/ad-hoc audits
Method 2: Windows Credential Manager
- Store credentials securely in Windows Credential Manager
- Target format:
zerto:<hostname> - Automatic retrieval during execution
Method 3: Config File
- Create
auth.config.jsonwith site credentials - See
Documentation/SECURE-CREDENTIALS.mdfor format
Same Credentials:
- Uncheck "Different credentials for secondary site"
- Primary credentials used for all sites
Different Credentials:
- Check "Different credentials for secondary site"
- Enter separate username/password for secondary
- Additional sites use primary credentials (config file override available)
- β Passwords never logged or stored in reports
- β HTTPS-only communication with ZVMA
- β Credentials validated per-site independently
β οΈ Lab Mode (SSL skip) disabled by default, marked in red- β All reports stored locally - no cloud connectivity
Default: TLS validation enabled (verify_tls: true)
For Production:
# Keep Lab Mode unchecked in GUI
# Import valid certificates per IMPORT-CERTIFICATE.mdFor Testing Environments:
# Check "Lab mode (skip SSL verification)" in GUI
# β οΈ WARNING: Only use in isolated test environmentsDefault: %USERPROFILE%\Documents\ZertoCompliance
Custom Location:
- Click Browse button in GUI
- Select preferred output folder
- Reports organized by timestamp subdirectories
For automation and non-interactive scenarios, use PowerShell script directly:
Replace the example IPs (
192.168.111.20,192.168.222.20) with your own ZVM/ZVMA hostnames or IPs.
.\Run-ComplianceAudit.ps1 `
-PrimaryZvmaHost "192.168.111.20" `
-Username "admin" `
-Password "YourPassword" `
-OutputPath "C:\Reports".\Run-ComplianceAudit.ps1 `
-PrimaryZvmaHost "192.168.111.20" `
-SecondaryZvmaHost "192.168.222.20" `
-Username "admin" `
-Password "YourPassword" `
-OutputPath "C:\Reports".\Run-ComplianceAudit.ps1 `
-PrimaryZvmaHost "192.168.111.20" `
-Username "admin" `
-Password "YourPassword" `
-UseLtr `
-OutputPath "C:\Reports".\Run-ComplianceAudit.ps1 `
-PrimaryZvmaHost "192.168.111.20" `
-Username "admin" `
-Password "YourPassword" `
-Insecure `
-OutputPath "C:\Reports"See Run-ComplianceAudit.ps1 -Help for full parameter reference.
Enable verbose logging for diagnostics:
.\Run-ComplianceAudit.ps1 -PrimaryZvmaHost "192.168.111.20" -Verbose
Get-Content .\ComplianceAudit_*\LOG.txt -Tail 50| Problem | Solution |
|---|---|
| ".NET runtime not found" | Run dotnet-install.ps1 or download from dotnet.microsoft.com |
| "Authentication failed" | Verify ZVMA IP, username/password, check port 9669/443 access |
| "TLS validation error" | Enable Lab Mode for testing, or install valid cert on ZVMA |
| "Secondary site fails" | Verify secondary IP, check "Different credentials" if needed |
| "Launcher won't open" | Check %TEMP%\ZertoComplianceLauncher.log for startup errors |
| "Empty reports" | Run with -Verbose, check LOG.txt for API errors |
For detailed guidance, see:
QUICK_START.md- β‘ 5-minute setup checklistDEPLOYMENT_GUIDE.html- π Full installation and configuration walkthroughDocumentation/TROUBLESHOOTING.md- π§ Advanced diagnosticsDocumentation/SECURE-CREDENTIALS.md- π Credential management best practicesDocumentation/HYPERVISOR-CONFIGURATION.md- π₯οΈ Multi-site setup examples
- Backup existing reports and configuration
- Download latest release from GitHub
- Run installer:
powershell -ExecutionPolicy Bypass -File .\Installer\Install-ZertoComplianceLauncher.ps1
- Launch from shortcut
The installer overwrites files in C:\Program Files\ZertoCompliance\ and preserves shortcuts.
See UPGRADE.md for detailed upgrade instructions and rollback procedures.
To remove the tool completely:
powershell -ExecutionPolicy Bypass -File "C:\Program Files\ZertoCompliance\Uninstall-ZertoComplianceLauncher.ps1"This removes:
- Installation directory (
C:\Program Files\ZertoCompliance\) - Desktop shortcut
- Start Menu shortcut
Note: Audit reports in your output directory are preserved.
For developers and advanced users who want to build from source code:
git clone https://github.com/ALastoff/zerto-compliance-tool.git
cd zerto-compliance-toolRequired: .NET SDK 8.0 or later (not just Runtime)
Download from: https://dotnet.microsoft.com/download/dotnet
# Unblock files (Windows)
Get-ChildItem -Recurse | Unblock-File
# Set execution policy
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
# Run environment setup
powershell -ExecutionPolicy Bypass -File .\Setup-Environment.ps1
# Build and install
cd .\Installer
powershell -ExecutionPolicy Bypass -File .\Build-And-Install.ps1We welcome contributions from the Zerto community!
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Make your changes and write/update tests
- Follow code style: PSScriptAnalyzer for PowerShell, C# conventions for .NET
- Commit with clear messages (
git commit -m 'Add amazing feature') - Push and open a Pull Request
Report bugs: GitHub Issues
Request features: GitHub Discussions
- π DEPLOYMENT_GUIDE.html - Complete installation and configuration
- β‘ QUICK_START.md - 5-minute setup guide
- π PRE-DEPLOYMENT_CHECKLIST.md - Pre-flight validation
- π UPGRADE.md - Version upgrade procedures
- π Documentation/SECURE-CREDENTIALS.md - Credential management
- π₯οΈ Documentation/HYPERVISOR-CONFIGURATION.md - Multi-site examples
- π’ Documentation/ENTERPRISE-FEATURES.md - Roadmap and feature requests
- β Multi-site support (Primary + Secondary + Additional)
- β Recovery reports centralization
- β Cyber resilience scoring (LTR vault lock evaluation)
- π² Email alerting for low compliance scores
- π² Trend analysis across multiple audit runs
- π² PowerBI integration with JSON/CSV exports
- π² Custom thresholds for scoring weights
- π² API endpoint for programmatic access
- π² Linux support via PowerShell Core
β’ π§ Troubleshooting: Documentation/ folder - Diagnostic guides
β’ π Bug Reports: GitHub Issues
β’ π‘ Feature Requests: GitHub Discussions
β’ π Security Issues: See Legal Disclaimer below for responsible disclosure
For complex issues or collaboration:
β’ π§ Email: aaron.lastoff@hpe.com
β’ π GitHub: @ALastoff
β’ πΌ LinkedIn: Aaron Lastoff
Want to enhance the Zerto Compliance Tool? Open an issue or reach out via email for collaboration opportunities!
MIT License β see LICENSE file for details (if applicable).
Built with β€οΈ for the Zerto community by disaster recovery automation enthusiasts.
Special thanks to:
- Zerto/HPE for providing comprehensive REST APIs
- PowerShell and .NET communities for excellent frameworks
- Contributors and testers who helped improve this tool
The author and Zerto disclaim all implied warranties, including merchantability and fitness for a particular purpose. In no event shall Zerto or the author be liable for damages arising from the use or inability to use this script.
Use at your own risk. Always test in non-production environments first.
Author: Aaron Lastoff
Company: Zerto (HPE)
Version: 2.1.0
Date: January 2026