Maxim_Kazmin - Fotolia

Tip

How to resolve a vSphere TPM error

If you encounter a host TPM attestation alarm -- meaning the system cannot verify your host -- in vSphere 6.7, you can modify settings in the server's UEFI to troubleshoot.

When you upgrade to vSphere 6.7, you might see a host TPM attestation alarm in your vCenter Server, which can indicate an issue with the host attestation process. To resolve this vSphere TPM error, ensure you have the right Trusted Platform Module chip installed and the correct settings -- adjustable via your server's United Extensible Firmware Interface -- enabled or disabled.

If you recently upgraded to vSphere 6.7, you might notice that your vCenter Server now lists errors on your ESXi hosts. Specifically, in vSphere 6.7, vCenter Server associates Host TPM alarms with specific hosts. You can troubleshoot and resolve this error by disconnecting and reconnecting the host from vCenter Server, or by verifying a host's authenticity.

For those who might not understand attestation, the system uses the TPM 2.0 chip to attest to an ESXi host's identity. When you add a new ESXi host to vCenter Server, vCenter must verify that the TPM 2.0 hardware comes from a reputable vendor. To do this, it requests an attestation key from the ESXi host server. vCenter Server prompts the host for an attestation report based on the host's platform configuration registers. Once the host submits this report, vCenter Server can verify the host's authenticity and complete the attestation process.

Where to view alarms

When you add a brand new VMware host to vCenter Server, you might notice that the host -- sometimes designated by an IP address -- has an alarm associated with it, which is visible it in your console's upper left column.

vSphere alarm
The host server raises an alarm.

The system displays a warning message under the Summary tab. This message indicates that it detects a TPM 2.0 device, but that vCenter cannot establish a connection to that device. Additionally, the Alarms pane can display a host TPM Attestation Alarm.

Host TPM attestation alarm
The host generates a TPM Attestation alarm in the Alarms display pane.

Resolving the error in old hosts

The first thing to do when you receive an error message is to check your vCenter Server Log.

The first thing to do when you receive an error message like this one on a host that worked before the upgrade is to check your vCenter Server Log. Look for a message that reads, "No cached identity key, loading from DB." This message means that someone installed a TPM 2.0 chip within a host that vCenter already manages.

To resolve the vSphere TPM error in this case, simply put the host into maintenance mode, disconnect the host from vCenter Server and then reconnect it. That should fix the problem.

If you have a brand-new host, however, then the error indicates a problem with the attestation process. In this case, you must ensure you meet all host attestation requirements.

Host attestation requirements

For the host attestation process to work correctly, your host must meet several requirements. First, you must install a supported TPM 2.0 chip on your host -- a TPM 1.2 device isn't sufficient. VMware provides a full list of supported TPM 2.0 hardware that works with its hosts.

Second, you must enable TPM 2.0 and Secure Boot in your server's United Extensible Firmware Interface (UEFI). Disabling either of these often causes the TPM host attestation error. Most systems enable TPM 2.0 by default but set Secure Boot to disabled.

Additionally, you can check which algorithm your TPM hardware uses. In order for vCenter Server's host attestation feature to work, the host TPM hardware must use SHA-265 hashing. Some systems require you to disable the Intel TXT feature through the server's UEFI configuration before you can use the SHA-256 algorithm.

Finally, TPM requires that your host runs on ESXi version 6.7 or higher. The vCenter Server must also run version 6.7 or higher.

Dig Deeper on VMware ESXi, vSphere and vCenter