If an ESXi host utilizes a Trusted Platform Module (TPM), specific preparation steps are required before initiating any hardware changes while the host remains accessible via SSH.
The ESXi host experiences a Purple Screen of Death (PSOD) after the hardware changes described below.
The following KB article lists the PSODs and error messages associated with boot-time encryption failures: ESXi boot failures due to system configuration issues - restore security configuration, decrypt system configuration, recover system configuration
VMware vSphere ESXi 7.x
VMware vSphere ESXi 8.x
Hardware modifications to an ESXi host can alter or reset the BIOS configuration.
When a host is secured with a TPM, the security key can be wiped from the BIOS and must be manually restored.
Warning: Configuration backups alone are insufficient for recovery; if a motherboard is replaced without the encryption recovery key, the host cannot be recovered and a complete rebuild is required.
Preparation (Before Hardware Maintenance):
Connect to the ESXi host via SSH as the root user.
Check the current encryption settings (the Mode and "Require Secure Boot" fields) to confirm whether TPM-backed encryption is active:
esxcli system settings encryption get
Retrieve the recovery key (the command lists the Recovery ID and the key):
esxcli system settings encryption recovery list
Store the generated recovery key in a secure, off-host location.
Generate and export a configuration backup to complement the recovery key (the backup command prints a URL from which the configBundle-<hostname>.tgz bundle can be downloaded; store that bundle off-host as well):
vim-cmd /hostsvc/firmware/sync_config
vim-cmd /hostsvc/firmware/backup_config
Recovery (After Hardware Maintenance):
During the host boot sequence, press Shift+O at the boot loader prompt and append encryptionRecoveryKey=<recovery key> to the boot options to enter the recovery key manually.
Once the host has successfully booted, connect via SSH as the root user.
Bind the host configuration to the new TPM chip:
esxcli system settings encryption set --mode=TPM
Persist the configuration changes:
/sbin/auto-backup.sh
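The preparation checks above, collected into a pre-maintenance script for the ESXi shell. This is an added example, not code from the KB article or from VMware; it assumes the output layout of the two esxcli commands shown in the constructed samples (a "Mode: ..." / "Require Secure Boot: ..." field list, and a Recovery ID / Key table with two header rows) and falls back to those samples when esxcli is not present, so it can be tried off-host. The sample Recovery ID and key are placeholders.

```shell
#!/bin/sh
# Pre-maintenance TPM check for an ESXi host (added example, not VMware code).
# Assumes the esxcli output formats shown in the constructed samples below.

# Constructed sample of `esxcli system settings encryption get` output
SAMPLE_GET='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'

# Constructed sample of `esxcli system settings encryption recovery list` output
# (placeholder ID and key, not real values)
SAMPLE_RECOVERY='Recovery ID                             Key
--------------------------------------  ---
{EXAMPLE0-0000-4000-8000-000000000000}  000000-000000-000000-000000-000000-000000-000000-000000'

# Print the value of the "<name>: value" line read from stdin.
field_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

encryption_mode()      { field_value "Mode"; }
secure_boot_required() { field_value "Require Secure Boot"; }

# True when the configuration is sealed to the TPM: the recovery key must be
# exported before any hardware change, or the host cannot be recovered.
needs_recovery_key() {
    [ "$(printf '%s\n' "$1" | encryption_mode)" = "TPM" ]
}

# Print "recovery_id key" pairs, skipping the two header rows of the table.
recovery_keys() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF >= 2 { print $1, $2 }'
}

# Use live esxcli output on the host; fall back to the samples elsewhere.
get_output() {
    if command -v esxcli >/dev/null 2>&1; then
        esxcli system settings encryption "$@"
    else
        case "$1" in
            get)      printf '%s\n' "$SAMPLE_GET" ;;
            recovery) printf '%s\n' "$SAMPLE_RECOVERY" ;;
        esac
    fi
}

main() {
    get_out=$(get_output get)
    mode=$(printf '%s\n' "$get_out" | encryption_mode)
    sb=$(printf '%s\n' "$get_out" | secure_boot_required)
    echo "Encryption mode: $mode (Require Secure Boot: $sb)"
    if needs_recovery_key "$get_out"; then
        echo "TPM mode: copy each recovery key below to an off-host vault before maintenance."
        recovery_keys "$(get_output recovery list)" | while read -r rid key; do
            echo "  Recovery ID $rid  key $key"
        done
    else
        echo "Mode $mode: no TPM-sealed key, but still take a configuration backup."
    fi
}

main
```

Run it on the host before powering down for maintenance; a Mode of TPM means the recovery key printed by the script is the only thing that will let the host boot if the BIOS or motherboard change wipes the TPM seal.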