Reading Time: 4 minutes

Trusted platform module (TPM) is a hardware, designed to securely store information such as crendential or measurements.

TPM 2.0 is supported on all 13 th generation and 14 th generation Dell EMC PowerEdge servers including the latest AMD servers. Note that is not enabled by default.

TPM 2.0 is enabled and supported with VMware vSphere 6.7 releases. ESXi 6.7 introduced the “Host Attestation” feature using which the validation of boot process can be reported to vCenter dashboard.

But if you enable TPM 2.0 on DellEMC server you may get an ESXi Host TPM attestation alarm because the configuration may be wrong.

In this case, on your host, you will notice a critical error like this:

The vSphere Client does not provide any other information, neither at task or event level.

The first step is found the reason of this issue, and you have to change the view on the datacenter object:

  1. Navigate to a data center and click the Monitor tab.
  2. Click Security.
  3. Review the host’s status in the Attestation column and read the accompanying message in the Message column.

If you hot “Internal failure” than the TPM settings in the BIOS are not corrected.

You need to reboot your server and reconfigure it.

Use IDRAC (or the physical console) to open a console to the host. Reboot the host and enter BIOS settings, when available, by hitting F2. Note that you can also select the next boot option directly from the iDRAC console.

Then choose System Setup >  System BIOS   

TPM Security must be enabled (but if you got the previous error in vSphere it’s already enabled).

TPM Information must be “2.0 NTC”, but TPM Firmware could also be older.

If the server has already been used with TPM functions, could be useful select “Clear” on TPM Hierarchy.

Then you have to click on TPM Advanced link:

TPM PPI settings should be ‘Disable’  and ‘TPM2 Algorithm Selection’ should be ‘SHA256’.

If TPM2 Algorithm Selection is not present you need to save the configuration and reboot you system. Then enter in the BIOS again.

If it is not possible to change TPM algorithm to SHA256, try it with Intel(R) TXT disabled.   

Intel TXT could be On of Off depending by your vSphere release.

  • NOTE: TXT was not supported with TPM 2.0 for ESXi 6.7 release, but vSphere 6.7 U1 adds support for TPM 2.0 with TXT.

If there is only Off option at Intel TXT field (like in the following image), anable Secure boot (KB 529658) and set SHA-256 first, then turn Intel(R) TXT on (if needed)

User-added image

Reboot the host and clear the alarm.

If there is still an alarm even after reboot, disconnect and then re-connect the host from vCenter. Note that there is no need to put the host into maintenance mode when disconnecting host from vCenter (neither for a vSAN environment).  

Share

Related Posts

  • Installing Dell OMSA 7 on ESXi 5.5

    Some years ago, I've write some posts on how install Dell OpenManage on VMware ESXi. The OpenManage Server Administrator (OMSA) is a Dell tool really useful for a central management or to be integrated in other Dell's management tools. There are different options, but basically…

  • Nuovi server Dell-EMC PowerEdge con AMD EPYC

    A maggio 2017, Dell EMC ha annunciato la nuova generazione dei server PowerEdge: la 14ma generatione, la prima con il nuovo logo Dell-EMC. Dopo meno di 3 anni dall'introduzione della Generazione 13 dei PowerEdge, la nuova Generazione 14 definisce un completo Dell EMC PowerEdge server portfolio adatto per soluzioni…

  • Dell EMC PowerEdge MX

    La tecnologia della converged infrastructure riunisce vari elementi dell'infrastruttura alla base dell'IT, tra cui server, data storage device, funzioni di rete, virtualizzazione, software di gestione, orchestration e applicazioni. Le piattaforme converged combinano un sistema di converged infrastructure con una soluzione progettata e integrata, erogata e utilizzata…

Virtualization, Cloud and Storage Architect. Tech Field delegate. VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert 2010-24. Dell TechCenter Rockstar 2014-15. Microsoft MVP 2014-16. Veeam Vanguard 2015-23. Nutanix NTC 2014-20. Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.