VMware Cloud Foundation upgrade prechecks fail with error "Failed uploading the update/upgrade patch files to VUM,performing compliance checks on the cluster Failed scanning hosts: [esxhost1, esxhost2, esxhost3] for the baseline groups associated with the cluster"
The esxupdate.log file on the affected hosts contains:
“Cannot deploy host upgrade agent. Ensure that vSphere Lifecycle Manager is officially signed. Check the network connectivity and logs of host agent and vpxa for details.”
If the security compliance configuration was implemented on the Cloud Foundation environment based on the vSphere 7 documentation, the user may have enabled the policy "ExecInstalledOnly".
The ExecInstalledOnly policy prevents any executable that was not installed by a VIB from running on an ESXi host. Update Manager and Lifecycle Manager workflows that use baselines need to push an upgrade agent (vua) to the ESXi host.
If ExecInstalledOnly is enabled, the vua agent is not allowed to execute, which breaks the Update Manager or Lifecycle Manager workflows.
The policy "ExecInstalledOnly" is listed under security configurations that are not applicable or not compatible with VMware Cloud Foundation.
Source: Security and Compliance Configuration Guide for VMware Cloud Foundation 4.5
Always use the security hardening guide written for VMware Cloud Foundation.
(Do not use security compliance settings written specifically for vCenter, ESXi, or NSX if these components are part of a Cloud Foundation installation.)
Run the following ESXCLI command to disable the policy (the setting requires an explicit value; the value false turns the enforcement off).
esxcli system settings encryption set --require-exec-installed=false
Verify the change.
esxcli system settings encryption get
Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: true
Confirm that "Require Executables Only From Installed VIBs" displays false.
To save the setting, run the following command.
/sbin/auto-backup.sh
The TPM no longer enforces the execInstalledOnly boot option.
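Before re-running the upgrade precheck, it is useful to confirm on every host in the cluster that the policy is really off. The script below is an added example, not part of this article: it parses the output of "esxcli system settings encryption get" exactly as shown above and reports whether ExecInstalledOnly is still enforced. The two sample outputs are constructed; on a live host replace them with the real command output.

```shell
#!/bin/sh
# Added example (not from the KB article): precheck that reads the output of
# "esxcli system settings encryption get" and reports whether the
# ExecInstalledOnly policy is still enforced on an ESXi host.

# check_exec_installed_only OUTPUT
# Prints "enforced" or "not enforced". Returns 0 when the policy is off
# (baseline remediation can push the vua agent), 1 when it is still on,
# 2 when the setting is missing from the output.
check_exec_installed_only() {
    value=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Require Executables Only From Installed VIBs:[[:space:]]*//p' \
        | tr '[:upper:]' '[:lower:]')
    case "$value" in
        false) echo "not enforced"; return 0 ;;
        true)  echo "enforced"; return 1 ;;
        *)     echo "unknown (setting not found in output)"; return 2 ;;
    esac
}

# Constructed sample outputs: a host before and after the fix.
before_fix="   Mode: TPM
   Require Executables Only From Installed VIBs: true
   Require Secure Boot: true"

after_fix="   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true"

# On a real host use:  output=$(esxcli system settings encryption get)
for sample in "$before_fix" "$after_fix"; do
    printf 'ExecInstalledOnly: %s\n' "$(check_exec_installed_only "$sample")"
done
```

A host reported as "enforced" will fail the baseline scan described above until the setting is changed to false and saved with /sbin/auto-backup.sh.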