ESXi upgrade from 7.x to 8.x fails due to unsupported TPM version and Incompatible Upgrade baseline warning

Article ID: 368511


Products

  • VMware Cloud Foundation
  • VMware vSphere ESXi 8.0
  • VMware vCenter Server 8.0

Issue/Introduction

  • ESXi upgrade or patch via SDDC Manager fails with the following error message: The host ##0c357d-####-####-####-08ba0a8660## is incompatible with the Patch/upgrade ISO file. 
    • Additionally, the vua.log on the vCenter reports MISSING_DEPENDENCY_VIB Error:
      /var/log/vua.log
  • A similar error is reported in the /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server-#.log:
    YYYY-MM-DDT##:###:##.###Z info vmware-vum-server[10875] [Originator@6876 sub=HostUpgradeScanner] [scannerImpl 1757] (vmodl.LocalizableMessage) [
    -->    (vmodl.LocalizableMessage) {
    -->       key = "com.vmware.vcIntegrity.HostUpgrade.UnsupportedTPMVersion",
    -->       arg = <unset>,
    -->       message = <unset>
    -->    }
    --> ]

  • The following error can be seen in the vCenter UI when viewing compliance scan results for the Upgrade baseline:

    "TPM 1.2 device detected.  Support for TPM version 1.2 is discontinued.  Installation may proceed but may cause the system to behave unexpectedly."

         
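To find which compliance scans hit the TPM check before deciding between a TPM upgrade and the forced update, the vum-server log can be scanned for the message key shown above. This is an added example, not VMware code; the sample log text, its timestamps and the second entry are constructed, and the function names are hypothetical.

```python
import re
import sys
from collections import Counter

# Entry header: timestamp, level, process[pid], then [Originator@N sub=<component>].
HEADER = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+Z)\s+\w+\s+\S+\s+'
                    r'\[Originator@\d+ sub=(?P<sub>[^\]\s]+)')
# Continuation line ("-->") that carries a vmodl.LocalizableMessage key.
KEY = re.compile(r'^-->\s+key = "(?P<key>[^"]+)"')
TPM_KEY = "com.vmware.vcIntegrity.HostUpgrade.UnsupportedTPMVersion"

def scan_findings(lines, component="HostUpgradeScanner"):
    """Return [(timestamp, key)] for message keys logged by `component`."""
    findings, header = [], None
    for raw in lines:
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            # New entry: track it only when it comes from the wanted component.
            header = m if m["sub"] == component else None
        elif not line.startswith("-->"):
            # Any other line ends the current multi-line entry.
            header = None
        elif header and (k := KEY.match(line)):
            findings.append((header["ts"], k["key"]))
    return findings

def tpm_scan_times(lines):
    """Timestamps of scans that reported the unsupported-TPM key."""
    return [ts for ts, key in scan_findings(lines) if key == TPM_KEY]

# Constructed sample: timestamps and the second entry are made up.
SAMPLE = '''\
2024-05-14T09:12:33.101Z info vmware-vum-server[10875] [Originator@6876 sub=HostUpgradeScanner] [scannerImpl 1757] (vmodl.LocalizableMessage) [
-->    (vmodl.LocalizableMessage) {
-->       key = "com.vmware.vcIntegrity.HostUpgrade.UnsupportedTPMVersion",
-->       arg = <unset>,
-->       message = <unset>
-->    }
--> ]
2024-05-14T09:12:34.007Z info vmware-vum-server[10875] [Originator@6876 sub=OtherComponent] (vmodl.LocalizableMessage) [
-->       key = "constructed.placeholder.key",
--> ]
'''.splitlines()

if __name__ == "__main__":
    # With file arguments, scan those logs; otherwise scan the sample.
    lines = [l for p in sys.argv[1:] for l in open(p, errors="replace")] or SAMPLE
    for key, n in Counter(k for _, k in scan_findings(lines)).items():
        print(f"{n:4d}  {key}")
    print("unsupported-TPM scans at:", tpm_scan_times(lines))
```

Run it with one or more vmware-vum-server-#.log files as arguments; the header line does not name the host, so correlate the reported timestamps with the scan tasks in vCenter.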

Environment

  • VMware Cloud Foundation 5.x
  • VMware vSphere 8.x

Cause

  • Support for TPM 1.2 is deprecated starting in vSphere 8.x
  • More details regarding TPM can be found here
  • From vSphere 8.0 Release Notes:
    "Removal of Trusted Platform Module (TPM) 1.2: VMware discontinues support of TPM 1.2 and associated features such as TPM 1.2 with TXT. To get full use of vSphere features, you can use TPM 2.0 instead of TPM 1.2."

 

Resolution

To resolve this issue, engage the hardware OEM to upgrade the Trusted Platform Module (TPM) on all affected hosts to a supported version (TPM 2.0 or higher).

Workaround:

If upgrading the TPM is not immediately possible, you can manually upgrade the ESXi host using an Offline Bundle ZIP.

  • Steps to upgrade an ESXi host via Offline Bundle:
    1. Download the Offline Bundle
    2. Upload the bundle to a datastore
      • Upload the downloaded .zip file to a datastore accessible by the ESXi host.
    3. SSH to the ESXi host and list the available image profiles:
      • esxcli software sources profile list -d <location of ZIP file>
    4. Update the host
      • Run the following command to update the ESXi host (the -f flag forces the update and bypasses the TPM version check): 
        • esxcli software profile update -p <profile name> -d <location of ZIP file> -f
    5. Reboot the ESXi host to complete the upgrade/patch process.
    6. Verify ESXi version in SDDC Manager
      • Once the upgrade or patch is complete, allow time for the inventory to synchronize in SDDC Manager. For VCF version 5.2 and above, you can also perform a manual inventory sync by following the steps outlined in the KB article: Synchronize Inventory Versions
      • If the version does not update automatically, manually update the ESXi version in the SDDC Manager database by following the steps in the KB article: Manual update ESXi build number in vCF/SDDC manager

Note:

  1. Disabling TPM does not bypass this issue if the ESXi host was originally installed with TPM enabled in the BIOS.

  2. Once TPM is enabled on the ESXi host, it cannot be disabled. For details, refer to KB: Need to disable Trusted Platform Module (TPM) on a TPM enabled ESXi host.

Additional Information

Note:
If the host already contains a TPM 1.2 device that is not being used for vSphere, check the box for "Ignore warnings about unsupported hardware devices" during Remediation to allow the upgrade to proceed. No TPM functionality will be available for the host.