Error: "The new host TPM endorsement key doesn't match the one stored in the DB" appears within the vSphere Client

Article ID: 316512

Products

VMware vCenter Server

Issue/Introduction

After replacing the system board (and with it the host's TPM), the following message may appear within the vSphere Client or on the ESXi host summary page:

The new host TPM endorsement key doesn't match the one stored in the DB

Environment

  • vCenter Server 7.0
  • vCenter Server 8.0
  • vCenter Server 9.0

Cause

The endorsement key is unique to each TPM, so the replaced board presents a key that no longer matches the value vCenter Server recorded for that host in the VPX_HOST table of the vCenter Server database (VCDB).

Resolution

Workaround

Note: Do not perform this workaround if the affected host is part of a vSAN cluster, uses VVOL storage, or is connected to a vSphere Distributed Switch (VDS).

  1. Within the vCenter vSphere Client, place the affected host into Maintenance Mode.
  2. Remove the host from the vCenter's inventory.
  3. Re-add the host to vCenter.
  4. Exit the host from Maintenance Mode.

If the "Remove from Inventory" option is unavailable (greyed out), refer to the KB "Remove from Inventory" option grayed out for ESXi host.

Resolution

Important Notes:

  • VMware recommends taking a power-off snapshot of the vCenter before making any database modifications. 
  • Modifying the vCenter database directly is not supported unless explicitly directed by VMware Support. Proceed with care.
  1. Take an appropriate snapshot of the vCenter.

    Note:
    In Enhanced Linked Mode (ELM) deployments, ensure all linked vCenters are powered off before taking Snapshots. Additional information may be found in KB Snapshot Best practices for vCenter Server Virtual Machines.

  2. Place the affected host into Maintenance Mode.
  3. Connect to vCenter via SSH as the root user.
  4. Enable and access the Bash shell, if not already enabled. For details, refer to Enable and Access the Bash Shell from the Appliance Shell.
  5. Stop the VPXD service:

    service-control --stop vpxd

  6. Identify the affected host ID:

    Option 1 - List all hosts:

    /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST;"

    Option 2 - Retrieve a specific host's details:

    /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select id,dns_name,endorsement_key,attestation_identity_key from VPX_HOST WHERE dns_name = 'FQDN_of_issued_host.domain';"

    Note: Replace the FQDN_of_issued_host.domain with the fully qualified domain name of the affected host.

  7. Clear the key value information by updating the endorsement_key and attestation_identity_key fields for the affected host:

    /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "update VPX_HOST set endorsement_key='', attestation_identity_key='' where id = <Host_ID_from_step_6>;"

  8. Confirm the key value for the affected host has been cleared:

    /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST where id = <Host_ID_from_step_6>;"

  9. Start the VPXD service:

    service-control --start vpxd

  10. Disconnect and reconnect the affected host within the vSphere Client.
  11. Verify that new key values are populated in the VPX_HOST table:

    /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost -c "select ID,DNS_NAME,endorsement_key,attestation_identity_key from VPX_HOST where id = <Host_ID_from_step_6>;"

  12. Exit the host from Maintenance Mode.  
  13. After verifying the issue is resolved, consolidate the snapshot on the VCSA VM.
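Steps 6 through 8 are the part of the procedure where a typo does real damage: the UPDATE runs with whatever host ID is pasted in, and clearing the stored endorsement key for the wrong host discards that host's TPM trust anchor. As an added example that is not part of this KB, the POSIX shell wrapper below performs the same lookup and update with the checks a practitioner would want first: the FQDN is restricted to hostname characters before it is placed in the SQL literal, the UPDATE is refused unless exactly one VPX_HOST row matches, the returned ID must be a plain integer, and nothing is written unless --apply is passed. The psql path and connection options are the ones the article uses; the PSQL variable, the --apply switch and the fake output used for testing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the KB): guarded wrapper around steps 6-8.
# Assumption: psql path and connection options as shown in the article.
# PSQL may be overridden (e.g. for a dry run against a stub).
PSQL="${PSQL:-/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB -h localhost}"

# Accept only hostname characters so the FQDN is safe inside a quoted SQL literal.
valid_fqdn() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept only a positive integer as the host id interpolated into the UPDATE.
valid_host_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Step 6, option 2: lookup SQL for a validated FQDN.
lookup_sql() {
    printf "select id,dns_name,endorsement_key,attestation_identity_key from VPX_HOST where dns_name = '%s';" "$1"
}

# Step 7: clear SQL for a validated host id.
clear_sql() {
    printf "update VPX_HOST set endorsement_key='', attestation_identity_key='' where id = %s;" "$1"
}

# Given unaligned, tuples-only (-A -t) lookup output, print the single id or fail.
# Zero rows means the FQDN is wrong; more than one means the UPDATE would hit
# another host's row as well.
single_host_id() {
    rows=$(printf '%s\n' "$1" | sed '/^$/d')
    count=$(printf '%s\n' "$rows" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 1
    id=${rows%%|*}
    valid_host_id "$id" || return 1
    printf '%s' "$id"
}

# Usage: ./clear_tpm_keys.sh <FQDN> [--apply]
main() {
    fqdn=$1
    mode=${2:-dry-run}
    valid_fqdn "$fqdn" || { echo "invalid FQDN: $fqdn" >&2; return 2; }
    out=$($PSQL -A -t -c "$(lookup_sql "$fqdn")") || return 3
    id=$(single_host_id "$out") || {
        echo "expected exactly one VPX_HOST row for $fqdn, got:" >&2
        printf '%s\n' "$out" >&2
        return 4
    }
    echo "host id $id, current row:"
    printf '%s\n' "$out"
    sql=$(clear_sql "$id")
    if [ "$mode" = "--apply" ]; then
        $PSQL -c "$sql"
        # Step 8: show the row again so the cleared fields are visible.
        $PSQL -A -t -c "select id,dns_name,endorsement_key,attestation_identity_key from VPX_HOST where id = $id;"
    else
        echo "dry run; would execute: $sql"
    fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it once without --apply after stopping vpxd (step 5); it prints the matching row and the UPDATE it would issue. Only when that row is the intended host, re-run with --apply, then continue with step 9.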

Additional Information

For options to resolve the alarm without removing and re-adding the host, refer to the KB Alarm: “The new host TPM endorsement key doesn't match the one stored in the DB”.