Enable the Secure Boot Enforcement for a Secure ESXi Configuration
Symptoms:
The TPM chip is installed on the server, and it is enabled and configured to use SHA-256 and FIFO. ESXi can see the TPM chip status.
Running the command 'esxcli system settings encryption get' returns mode NONE:
# esxcli system settings encryption get
Mode: NONE
Require Executables Only From Installed VIBs: false
Require Secure Boot: false
Trying to manually enable TPM fails:
# esxcli system settings encryption set --require-secure-boot=T
Unable to change the encryption mode and policy. Verify that the current host configuration can satisfy the new requirement.
# esxcli system settings encryption set --mode=TPM
Unable to change the encryption mode and policy. Verify that the current host configuration can satisfy the new requirement.
Note: The 'dmesg' command shows the status of the TPM.