If you receive the following alert in vCenter, some BIOS security settings may need to be configured, as detailed below:

Detailed information from VMware in relation to securing ESXi Hosts with Trusted Platform Module (TPM) can be found at the following link:

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-10F7022C-DBE1-47A2-BD86-3840C6955057.html

One of the key points from the VMware guidance, and the one stepped through below, is to ‘Ensure that the TPM is configured in the ESXi host’s BIOS to use the SHA-256 hashing algorithm’.

When you boot an ESXi host with an installed TPM 2.0 chip, vCenter Server monitors the host’s attestation status. The vSphere Client displays the hardware trust status in the vCenter Server’s Monitor tab under Security:

To correct these BIOS security settings:

  • Enter the VxRail host into maintenance mode.
  • Link and launch iDRAC from the Physical view.
  • Reboot the host and press F2 to enter BIOS Settings.

Choose System Security from the menu and ensure TPM Security, SHA-256, TXT and Secure Boot are enabled as per the following:

Take the host back out of maintenance mode and repeat for each host that has the TPM warning. On completion you may still see FAILED for Attestation in the vSphere Client; if so, disconnect and then reconnect the host in vCenter (this does not require placing the host in maintenance mode).
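As an added example (not from the original post), a small POSIX shell check that evaluates two of the prerequisites the BIOS steps above enable, TPM present and UEFI Secure Boot on, from the output of two tools that ship with ESXi: `esxcli hardware trustedboot get` and `/usr/lib/vmware/secureboot/bin/secureBoot.py -s`. The sample outputs embedded below are constructed to mirror the tools' format; `check_local_host` gathers the live values when run in the ESXi shell.

```shell
#!/bin/sh
# Added example: evaluate TPM / Secure Boot prerequisites from ESXi tool output.
# The command names are real ESXi tools; the SAMPLE_* values are constructed.

SAMPLE_TB_OK='   Drtm Enabled: true
   Tpm Present: true'
SAMPLE_TB_BAD='   Drtm Enabled: false
   Tpm Present: false'

# tpm_prereqs_met TRUSTEDBOOT_OUTPUT SECUREBOOT_OUTPUT
#   $1 = text printed by: esxcli hardware trustedboot get
#   $2 = text printed by: /usr/lib/vmware/secureboot/bin/secureBoot.py -s
# Returns 0 when the TPM is reported present and Secure Boot is Enabled,
# 1 otherwise, printing which BIOS setting still needs attention.
tpm_prereqs_met() {
    tb="$1"
    sb="$2"
    ok=0
    # Pull the value after "Tpm Present:" regardless of leading whitespace.
    tpm=$(printf '%s\n' "$tb" | sed -n 's/^[[:space:]]*Tpm Present:[[:space:]]*//p' | tr -d '\r')
    [ "$tpm" = "true" ] || { echo "TPM not reported present (BIOS: enable TPM Security)"; ok=1; }
    case "$sb" in
        Enabled*) ;;
        *) echo "UEFI Secure Boot is '$sb' (BIOS: enable Secure Boot)"; ok=1 ;;
    esac
    return $ok
}

# Run the live checks on the host this script executes on (ESXi shell only).
check_local_host() {
    tpm_prereqs_met "$(esxcli hardware trustedboot get 2>/dev/null)" \
                    "$(/usr/lib/vmware/secureboot/bin/secureBoot.py -s 2>/dev/null)"
}
```

A host that passes this check but still shows FAILED in the Security tab is the case the reconnect step above addresses; the SHA-256 bank selection is not visible through these two tools and still has to be confirmed in the BIOS screen.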

Warnings are now cleared and TPM Attestation has passed:

Hope that helped!

2 Comments

  1. Hello David,

    Great article. There is an issue with the updates. After every BIOS upgrade of the nodes it seems that you have to manually follow your walkthrough, although not on every node.
    Have you noticed this behavior as well?

    Best regards,

    Matt
