Please validate that each step below is true for your environment. Each step provides instructions, or a link to a document, to eliminate possible causes and take corrective action as necessary.
Error message A:
- Check whether your firmware security settings have been modified from their previous values.
- If TPM 2.0 has been disabled, re-enable it.
- If UEFI secure boot has been disabled, enable it.
- If execInstalledOnly boot option is set to FALSE, change it back to its initial value (i.e. TRUE).
- Add "execInstalledOnly=TRUE" to the boot command line (press Shift+O when mboot starts and you see the 5 second countdown, right after the BIOS finishes running).
- If you would like to change the firmware settings and permanently avoid this violation message, see Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration.
- If the firmware settings have not been modified, this means that either the TPM 2.0 chip is not working or has been replaced (possibly due to a motherboard swap), or the version of ESXi being booted is not genuine. In this case, recover the ESXi configuration with the following steps:
- Start the ESXi host.
- When the ESXi installer window appears, press Shift+O to edit boot options.
- To recover the configuration, at the command prompt, append the following boot option to any existing boot options.
- Note: Do not remove the information already present at the prompt.
- Type 'encryptionRecoveryKey=xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx' immediately after the boot options already shown (no space is needed).
- Sample: the key format is 16 sets of six-digit values with a dash between the sets.
- Press enter to continue the host boot process.
- Now, the secure ESXi configuration is recovered and the ESXi host boots.
- To persist the change, enter the following command: /sbin/auto-backup.sh
- Reboot the ESXi host.
Note: For ESXi versions 8.0 U1 and 8.0 U2 (or any patch on these lines), if you encounter a PSOD after an ESXi Quick Boot upgrade, simply rebooting the host will solve the problem. VMware is aware of this issue and working on a fix in a future release.
Error message B:
This means that a genuine ESXi version has booted, but the configuration data has been tampered with or is corrupted and cannot be recovered. See Installing and Setting Up ESXi.
Error message C:
This means that we are unable to recover with the provided recovery key. Ensure the input recovery key is correct; otherwise, see Installing and Setting Up ESXi.
To retrieve the ESXi recovery key, run esxcli system settings encryption recovery list
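As an added example (not part of this KB article), the following POSIX sh script can be run in the ESXi shell, or offline against saved output, to check the settings the steps above ask you to verify and to confirm that a recovery key has the documented shape before you type it at the Shift+O prompt. It assumes the field names of "esxcli system settings encryption get" shown in the constructed sample; the sample key is constructed and is not a real recovery key.

```shell
#!/bin/sh
# Added example, not from the KB article. Pre-flight checks for the secure
# ESXi configuration described above. Assumption: the output of
# "esxcli system settings encryption get" uses the field names in
# SAMPLE_SETTINGS (a constructed sample, not captured from a host).

# Constructed sample: execInstalledOnly enforcement has been switched off,
# which the article says must be changed back to TRUE.
SAMPLE_SETTINGS='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'

# Constructed sample key in the documented shape: 16 dash-separated groups
# of six characters. This is NOT a real recovery key.
SAMPLE_KEY='111111-222222-333333-444444-555555-666666-777777-888888-999999-000000-123456-234567-345678-456789-567890-678901'

# Extract one "Name: value" field from the settings text.
setting_value() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# Print one FINDING line per setting that deviates from the secure state.
# Always returns 0 so it is safe to call under "set -e"; count the lines.
audit_encryption_settings() {
    mode=$(setting_value "$1" 'Mode')
    exec_only=$(setting_value "$1" 'Require Executables Only From Installed VIBs')
    secure_boot=$(setting_value "$1" 'Require Secure Boot')
    [ "$mode" = 'TPM' ] || echo "FINDING: encryption mode is '$mode', expected TPM"
    [ "$exec_only" = 'true' ] || echo 'FINDING: execInstalledOnly enforcement is off; set it back to TRUE'
    [ "$secure_boot" = 'true' ] || echo 'FINDING: secure boot enforcement is off; re-enable UEFI secure boot'
    return 0
}

# Number of findings for a settings text, printed on stdout.
count_findings() {
    audit_encryption_settings "$1" | grep -c '^FINDING' || true
}

# Return 0 if the key matches the documented format, 1 otherwise. Accepting
# letters as well as digits inside each group is an assumption.
validate_recovery_key() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Za-z]{6}-){15}[0-9A-Za-z]{6}$'
}

audit_encryption_settings "$SAMPLE_SETTINGS"
if validate_recovery_key "$SAMPLE_KEY"; then
    echo 'recovery key format OK: append encryptionRecoveryKey=<key> at the Shift+O prompt'
else
    echo 'recovery key format INVALID: re-check it with "esxcli system settings encryption recovery list"'
fi
```

Run it with the real output of "esxcli system settings encryption get" substituted for SAMPLE_SETTINGS, and keep the printed recovery key somewhere other than the host it protects.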