Reading Time: 2 minutes

One of the new feature of VMware vSphere 6.7 is the full support for Trusted Platform Module (TPM) 2.0 devices both at host and VM level.

But when you are using a TPM 2.0 device on an ESXi host, the host might fail to pass the attestation phase.

In this case, on your host, you will notice a critical error like this:

The vSphere Client does not provide any other information, neither at task or event level.

To troubleshoot the potential causes of this problem you can use VMware documentation.

The first step is found the reason of this issue, and you have to change the view on the datacenter object:

  1. Navigate to a data center and click the Monitor tab.
  2. Click Security.
  3. Review the host’s status in the Attestation column and read the accompanying message in the Message column.

Now depending on the error message you can identify a solution.

If the error message is Host secure boot was disabled, you must re-enable Secure Boot to resolve the problem. You need Secure Boot working FIRST. 

If the attestation status of the host is failed, check the vCenter Server log for the following message:

No cached identity key, loading from DB

This message indicates that you are adding a TPM 2.0 chip to an ESXi host that vCenter Server already manages. You must first disconnect the host, then reconnect it.

For all other error messages, contact VMware support.

For more information see also: Configuring TPM 2.0 on a 6.7 ESXi host.


Virtualization, Cloud and Storage Architect. Tech Field delegate. VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert 2010-20 and vExpert Pro. Dell TechCenter Rockstar 2014-15. Microsoft MVP 2014-16. Veeam Vanguard 2015-19. Nutanix NTC 2014-20. Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.