If you receive the following alert in vCenter, some BIOS security settings may need to be configured, as detailed below:
Detailed information from VMware in relation to securing ESXi Hosts with Trusted Platform Module (TPM) can be found at the following link:
One of the key points from the VMware guidance, and the one stepped through below, is to ‘Ensure that the TPM is configured in the ESXi host’s BIOS to use the SHA-256 hashing algorithm’.
When you boot an ESXi host with an installed TPM 2.0 chip, vCenter Server monitors the host’s attestation status. The vSphere Client displays the hardware trust status in the vCenter Server’s Monitor tab under Security:
To correct these BIOS security settings:
- Enter the VxRail host into maintenance mode.
- Link and launch iDRAC from the physical view.
- Reboot host and hit F2 to enter BIOS Settings.
- Choose System Security from the menu and ensure TPM Security, SHA256, TXT and Secure Boot are enabled as per the following:
Take the host back out of maintenance mode and repeat for each host that has the TPM warning. On completion you may still see FAILED for Attestation in the vSphere client; if this is the case, disconnect and then re-connect the host in vCenter (this does not require placing the host in maintenance mode).
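With more than a handful of hosts it helps to triage which ones still need the BIOS change before walking through iDRAC on each. The script below is an added example and is not from the original post or from VMware: it parses the text that `esxcli hardware trustedboot get`, `esxcli system settings encryption get` and `/usr/lib/vmware/secureboot/bin/secureBoot.py -s` print on an ESXi host, combines that with the attestation status and the PCR digest algorithms read from vCenter, and lists what is still missing against the checklist above (TPM on, TXT on, Secure Boot on, SHA-256 bank present, attestation passed). The command output and host values are constructed for the demo; treating "Drtm Enabled" as the TXT indicator and reading the digest algorithms from `runtime.tpmPcrValues[].digestMethod` via pyvmomi are my assumptions.

```python
"""Triage which ESXi hosts still need the BIOS/TPM fix described above.

Added example, not part of the original post. It evaluates per-host text you
would collect over SSH (esxcli / secureBoot.py) together with two values from
vCenter, and reports the remaining gaps against the checklist.
"""
import re

# Constructed sample output of the three ESXi-side commands on one host.
# The commands are real; the values below are made up for the example.
TRUSTEDBOOT_OUT = """\
   Drtm Enabled: true
   Tpm Enabled: true
"""
ENCRYPTION_OUT = """\
   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false
"""
SECUREBOOT_OUT = "Disabled\n"


def parse_kv(text):
    """Turn esxcli-style 'Key: value' lines into a dict of lower-cased values."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if m:
            result[m.group(1).strip()] = m.group(2).strip().lower()
    return result


def triage_host(trustedboot, encryption, secureboot, attestation, digest_methods):
    """Return the findings for one host; an empty list means nothing is missing.

    attestation    : attestation status as shown in vCenter ("Passed"/"Failed");
                     assumed to be read from the HostSystem summary via pyvmomi.
    digest_methods : PCR digest algorithms for the host; assumed to come from
                     runtime.tpmPcrValues[].digestMethod.
    """
    tb = parse_kv(trustedboot)
    enc = parse_kv(encryption)
    findings = []
    if tb.get("Tpm Enabled") != "true":
        findings.append("TPM Security disabled in BIOS")
    if tb.get("Drtm Enabled") != "true":          # assumption: DRTM == TXT here
        findings.append("TXT (DRTM) disabled in BIOS")
    if secureboot.strip().lower() != "enabled":
        findings.append("UEFI Secure Boot disabled")
    if enc.get("Mode") != "tpm":
        findings.append("ESXi configuration encryption not backed by the TPM")
    if "SHA256" not in {d.upper() for d in digest_methods}:
        findings.append("TPM not configured for the SHA-256 PCR bank")
    if attestation.lower() != "passed":
        findings.append(f"vCenter attestation status is {attestation}")
    return findings


def triage_fleet(hosts):
    """hosts: {name: dict of triage_host kwargs}. Returns only the hosts with findings."""
    report = {}
    for name, data in hosts.items():
        findings = triage_host(**data)
        if findings:
            report[name] = findings
    return report


# Constructed fleet: one host still on the old settings, one already fixed.
FLEET = {
    "vxrail-node-01": dict(trustedboot=TRUSTEDBOOT_OUT, encryption=ENCRYPTION_OUT,
                           secureboot=SECUREBOOT_OUT, attestation="Failed",
                           digest_methods=["SHA1"]),
    "vxrail-node-02": dict(trustedboot=TRUSTEDBOOT_OUT, encryption=ENCRYPTION_OUT,
                           secureboot="Enabled\n", attestation="Passed",
                           digest_methods=["SHA1", "SHA256"]),
}

if __name__ == "__main__":
    for host, findings in triage_fleet(FLEET).items():
        print(host)
        for f in findings:
            print("  -", f)
```

Run it after collecting the command output from each host; any host that appears in the report needs the BIOS steps above (or, if only the attestation line remains, the disconnect and re-connect in vCenter).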
Warnings are now cleared and TPM Attestation has passed:
Hope that helped!