
One of the new features of VMware vSphere 6.7 is full support for Trusted Platform Module (TPM) 2.0 devices, both at host and VM level.

But when you use a TPM 2.0 device on an ESXi host, the host might fail the attestation phase.

In this case, on your host, you will notice a critical error like this:

The vSphere Client does not provide any other information, at either task or event level.

To troubleshoot the possible causes of this problem, follow the VMware documentation.

The first step is to find the reason for the failure, which means changing the view on the datacenter object:

  1. Navigate to a data center and click the Monitor tab.
  2. Click Security.
  3. Review the host’s status in the Attestation column and read the accompanying message in the Message column.

Now depending on the error message you can identify a solution.

If the error message is Host secure boot was disabled, you must re-enable Secure Boot to resolve the problem: Secure Boot has to be working FIRST, before attestation can succeed.

If the attestation status of the host is failed, check the vCenter Server log for the following message:

No cached identity key, loading from DB

This message indicates that you are adding a TPM 2.0 chip to an ESXi host that vCenter Server already manages. You must first disconnect the host, then reconnect it.

For all other error messages, contact VMware support.
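The same check and the two documented fixes can be scripted with PowerCLI, which is handy when several hosts in a datacenter show the alarm at once. The script below is an added example written for this post; it is not code from the original article or from VMware. It assumes PowerCLI is installed, that you are already connected with Connect-VIServer, that the datacenter is named "DC01", and that the host's attestation status and message are read from the HostSummary.tpmAttestation property of the vSphere 6.7 API, which is the same data the Security view displays.

```powershell
# Added example, not from the original post or from VMware.
# Lists the TPM attestation status of every host in a datacenter and applies
# the two fixes the VMware documentation describes. Assumptions: PowerCLI is
# installed, Connect-VIServer has already been run, datacenter name is "DC01".
param(
    [string] $Datacenter = 'DC01',   # assumed datacenter name
    [switch] $Reconnect              # really disconnect/reconnect hosts that need it
)

# HostSummary.tpmAttestation (vSphere API 6.7): Status is 'accepted' or
# 'notAccepted', Message is a LocalizableMessage with the text shown in the
# Security view's Message column.
$vmhosts = Get-Datacenter -Name $Datacenter | Get-VMHost
foreach ($vmhost in $vmhosts) {
    $att = $vmhost.ExtensionData.Summary.TpmAttestation
    if ($null -eq $att) {
        Write-Output "$($vmhost.Name): no attestation data (no TPM 2.0, or not reconnected since the TPM was added)"
        continue
    }
    $msg = if ($att.Message) { $att.Message.Message } else { '' }
    Write-Output "$($vmhost.Name): attestation=$($att.Status) time=$($att.Time) message='$msg'"

    if ($att.Status -eq 'accepted') { continue }

    if ($msg -match 'secure boot was disabled') {
        # Documented fix: Secure Boot must be re-enabled in the host firmware.
        # Nothing done from vCenter can repair this, so only flag it.
        Write-Warning "$($vmhost.Name): re-enable UEFI Secure Boot on the host, then reconnect it"
        continue
    }

    # Remaining failed hosts: if vpxd.log shows 'No cached identity key,
    # loading from DB', the documented fix is a disconnect followed by a
    # reconnect so that vCenter re-reads the host's TPM identity key.
    if ($Reconnect) {
        Write-Output "$($vmhost.Name): disconnecting and reconnecting"
        Set-VMHost -VMHost $vmhost -State Disconnected -Confirm:$false | Out-Null
        Set-VMHost -VMHost $vmhost -State Connected    -Confirm:$false | Out-Null
    } else {
        Write-Warning "$($vmhost.Name): check the vCenter Server log (vpxd.log) for 'No cached identity key, loading from DB'; rerun with -Reconnect to disconnect/reconnect, otherwise contact VMware support"
    }
}
```

Run it once without -Reconnect to see the status and message of every host, confirm the vCenter log entry for the hosts that failed, and only then rerun with -Reconnect. The Secure Boot case is deliberately left to a warning: that setting lives in the server firmware, and on the host itself `/usr/lib/vmware/secureboot/bin/secureBoot.py -s` reports whether UEFI Secure Boot is currently enabled.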

For more information see also: Configuring TPM 2.0 on a 6.7 ESXi host.