Error: "The new host TPM endorsement key doesn't match the one stored in the DB" appears within the vSphere Client
Article ID: 316512

Products

  • VMware vCenter Server
  • VMware vSAN 8.x
  • VMware vSAN 7.x

Issue/Introduction

Symptoms:

  • After changing the system board with TPM, the following message may appear within the vSphere Client or ESXi host summary page:

The new host TPM endorsement key doesn't match the one stored in the DB

Environment

  • vCenter Server 7.x
  • vCenter Server 8.x
  • vCenter Server 9.x

Cause

  • A mismatch exists between the key value generated by the new TPM and the key value stored in the vCenter Server database (VCDB) under the VPX_HOST table.

Resolution

  • Follow the steps in one of the options below (option 1, 2, or 3, not a combination) to clear the stale TPM keys from the vCenter Server database and re-attest the ESXi host.


Option 1:

Step 1: Place the affected ESXi host in Maintenance Mode.

      • Right-click host -> Enter maintenance mode

Step 2: Stop the vCenter Server Service

Note: If vCenter is in Enhanced Linked Mode (ELM), refer to the KB article "VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice" for snapshot best practices before proceeding.

      1. Log into the vCenter Server Appliance (VCSA) via SSH as root.
      2. Stop the VMware Virtual Center Server service (vpxd) by running:

        service-control --stop vpxd
         

Step 3: Clear Stale Keys from the Postgres Database

      1. Access the vCenter Database (VCDB) using the following command:

        /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB

      2. Identify the internal Host ID for the affected ESXi host. Replace esxi-hostname.example.com with the FQDN exactly as it appears in the vSphere inventory:

        SELECT id, dns_name FROM vpx_host WHERE dns_name = 'esxi-hostname.example.com';

      3. Clear the endorsement_key and attestation_identity_key fields for that specific ID (replace 123 with the Host ID returned in step 2):

        UPDATE vpx_host SET endorsement_key='', attestation_identity_key='' WHERE id = 123;

      4. Exit the database:

        \q

Step 4: Restart Services and Reconnect Host

      1. Start the vCenter Server service:

        service-control --start vpxd
         
      2. Log into the vSphere Client.
      3. Right-click the ESXi host and select Connection -> Disconnect.
      4. Wait approximately 10 seconds, then right-click the host and select Connection -> Connect.
         

Step 5: Verification and Alarm Reset

      1. Navigate to the host's Monitor tab > Issues and Alarms > Triggered Alarms.
      2. If the TPM or Attestation alarm remains active, right-click the alarm and select Reset to Green.
      3. To verify the fix, go to the host's Monitor tab -> Security.
      4. Confirm that the Attestation status is reported as Passed.
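The database part of Option 1 (Step 3) as a single script run on the VCSA after vpxd is stopped. This is an added example, not a VMware tool: it assumes the psql path from the article, rejects hostnames that are not plain FQDNs (the value is interpolated into SQL), refuses to run unless exactly one vpx_host row matches, logs the old key values before clearing them, and wraps the UPDATE in a transaction.

```shell
#!/bin/sh
# Added example (not VMware's own tooling). Assumes vpxd is already stopped
# and that psql lives at the path given in the article.
PSQL=/opt/vmware/vpostgres/current/bin/psql

# Accept only a plain FQDN (letters, digits, dots, hyphens; no leading dot or
# hyphen, no empty labels) so it is safe to interpolate into the SQL below.
valid_fqdn() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|-*|.*|*..*) return 1 ;;
  esac
  return 0
}

# The two statements from the article, built for a validated FQDN / host id.
lookup_sql() {
  printf "SELECT id, dns_name, endorsement_key, attestation_identity_key FROM vpx_host WHERE dns_name = '%s';" "$1"
}
update_sql() {
  printf "BEGIN; UPDATE vpx_host SET endorsement_key='', attestation_identity_key='' WHERE id = %s; COMMIT;" "$1"
}

clear_tpm_keys() {
  fqdn="$1"
  valid_fqdn "$fqdn" || { echo "refusing suspicious hostname: $fqdn" >&2; return 1; }
  # -A -t: unaligned output, tuples only, so the result is machine-readable.
  rows=$("$PSQL" -U postgres -d VCDB -A -t -c "$(lookup_sql "$fqdn")") || return 1
  count=$(printf '%s\n' "$rows" | grep -c . || true)
  [ "$count" -eq 1 ] || { echo "expected exactly 1 row for $fqdn, got $count" >&2; return 1; }
  host_id=${rows%%|*}
  case "$host_id" in ''|*[!0-9]*) echo "bad host id: $host_id" >&2; return 1 ;; esac
  # Record the row (including the old TPM keys) before overwriting it.
  echo "host id $host_id, previous row: $rows"
  "$PSQL" -U postgres -d VCDB -v ON_ERROR_STOP=1 -c "$(update_sql "$host_id")"
}

if [ "$#" -eq 1 ]; then
  clear_tpm_keys "$1"
fi
```

Run it as `sh clear_tpm_keys.sh esxi-hostname.example.com`, then continue with Step 4 of the article.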

Option 2:

CAUTION: Do not perform this workaround if the host uses vVol datastores or is connected to a vSphere Distributed Switch (vDS), including vSAN hosts.

      1. Within the vSphere Client, place the affected ESXi host into Maintenance Mode (Right-click host -> Enter maintenance mode).
      2. Wait for the host to enter Maintenance Mode before continuing.
      3. Remove the host from the vCenter inventory.
        NOTE: If the "Remove from Inventory" option is unavailable (greyed out), refer to "Remove from Inventory" option grayed out for ESXi host.

      4. Re-add the host to vCenter.
      5. Exit the host from Maintenance Mode.


Option 3 (vSAN host using vSphere Standard Switches [vSS] only):

CAUTION: Do not perform this workaround if the host is part of a vSAN cluster and is connected to a vSphere Distributed Switch (vDS).

      1. Verify the cluster is otherwise healthy (Choose Cluster -> Monitor tab -> Skyline Health).
      2. Verify the cluster has enough resources to run without the affected host (Right-click host -> Maintenance mode -> Enter Maintenance mode -> Pre-check).
      3. Within the vCenter vSphere Client, place the affected host into Maintenance Mode with "Ensure Accessibility" or "Full Data Evacuation" mode and wait for resync operation to complete. See related TechDocs: Place a Member of vSAN Cluster in Maintenance Mode and Working with Members of the vSAN Cluster in Maintenance Mode.
      4. Move the ESXi host out of the cluster to disassociate it from vSAN (Right-click host -> Move To...)
      5. Remove the host from the vCenter inventory.
        NOTE: If the "Remove from Inventory" option is unavailable (greyed out), refer to "Remove from Inventory" option grayed out for ESXi host.

      6. Re-add the host to vCenter.
      7. Re-add host to vSAN Cluster. See TechDocs:  Use Quickstart to Add Hosts to a vSAN Cluster or Add a Host to the vSAN Cluster
      8. Exit the host from Maintenance Mode.


Additional Information