Host TPM Attestation Alarm present in the vSphere UI

Article ID: 369525

Products

VMware vSphere ESXi

Issue/Introduction

Users may encounter a Host TPM attestation alarm in the vSphere UI after installing or upgrading to ESXi 8.0 or later. vCenter Server raises this alarm when it cannot attest the host's TPM-measured boot state. Attestation requires UEFI Secure Boot, so the alarm most commonly appears when Secure Boot is disabled on the ESXi host, even in environments that do not otherwise use TPM-based features.

The alarm is shown on the affected host in the vSphere Client as "Host TPM attestation alarm".

Environment

- VMware vSphere 7.0 or later
- ESXi hosts booting in UEFI mode (UEFI firmware is a prerequisite for Secure Boot)
- Environments where Secure Boot cannot be enabled because of hardware, firmware, or unsigned-VIB constraints

Cause

The Host TPM attestation alarm can be triggered for two distinct reasons:

1. Secure Boot disabled: This is the primary cause. Host attestation compares the TPM's boot measurements against a trusted boot chain, and that chain is only trustworthy when UEFI Secure Boot is enabled. When vCenter Server finds Secure Boot disabled on an ESXi host, attestation fails and the alarm is raised. The alarm is part of VMware's host-trust features and may not be relevant in environments where hardware or firmware limitations prevent the use of Secure Boot.

2. Stale attestation data: The alarm can also fire spuriously when the attestation state held by vCenter Server falls out of sync with the actual host state. This can happen after network interruptions, host or vCenter restarts, or temporary communication problems between the ESXi host and vCenter Server.

These two causes are why both permanent remedies (enabling Secure Boot, or disabling the alarm) and temporary ones (disconnecting and reconnecting the host) can each be effective, depending on which cause applies. Check the host's actual Secure Boot state before choosing a fix: disabling the alarm on a host whose Secure Boot is genuinely off hides a real attestation failure rather than correcting a stale one.


Resolution

There are several approaches to resolve this issue:

If Secure Boot is already enabled on the cluster ESXi hosts:

  1. Disconnect and Reconnect the host to vCenter:
    1. In the vSphere Client, right-click on the affected host.
    2. Select "Disconnect".
    3. Wait for the host to disconnect fully.
    4. Right-click on the host again and select "Connect".
    5. Wait for the host to reconnect and rescan.

  2. Acknowledge and Reset the triggered alarm:
    1. In the vSphere Client, navigate to the affected host.
    2. Go to the "Monitor" tab and select "Issues".
    3. Find the TPM attestation alarm.
    4. Right-click on the alarm and select "Reset to Green".

If Secure Boot is not already enabled on the cluster ESXi hosts:

  • Enable Secure Boot (if possible):
    1. Before changing firmware settings, confirm the host can boot with Secure Boot on: from the ESXi Shell or SSH, run /usr/lib/vmware/secureboot/bin/secureBoot.py -c. A host that reports unsigned or non-compliant VIBs will fail to boot once Secure Boot is enabled, so resolve those first.
    2. Access the server's UEFI firmware setup during boot.
    3. Locate the Secure Boot option (typically under the 'Boot' or 'Security' section).
    4. Enable Secure Boot.
    5. Save changes and exit the firmware setup.
    6. Boot into ESXi and verify that the alarm is cleared. The current state can be confirmed from the ESXi Shell with /usr/lib/vmware/secureboot/bin/secureBoot.py -s.

  • Disable the TPM Attestation Alarm (if Secure Boot cannot be enabled):
    1. Log in to the vSphere Client.
    2. Navigate to the vCenter Server object in the inventory.
    3. Go to Configure > Alarm Definitions.
    4. In the filter field next to "Alarm Name", enter "TPM".
    5. Select the radio button next to "Host TPM attestation alarm".
    6. Click the EDIT control.
    7. In the alarm configuration dialog, click NEXT until you reach the "Review" screen.
    8. Find the "Disable this alarm" option and select it.
    9. Click SAVE to apply the changes.

After applying any of these solutions, monitor the vSphere UI for 24 hours to confirm that the alarm is no longer triggered.
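The triage script below is an added PowerCLI example; it is not part of this article and is not a VMware-supplied script. It assumes an existing Connect-VIServer session, uses 'Prod-Cluster' as a placeholder cluster name, and relies on the HostCapability flags UefiSecureBoot and TpmSupported plus the esxcli "system settings encryption get" command to report, per host, which of the fixes above applies. It changes nothing unless -ReconnectStale (fix 1, disconnect/reconnect) or -DisableAlarm (the vCenter-wide alarm disable) is passed.

```powershell
# Added example (not from the KB): classify the "Host TPM attestation alarm"
# per host so the right fix from the article is applied.
# Assumes Connect-VIServer has already been run; 'Prod-Cluster' is a placeholder.
param(
    [string]$ClusterName = 'Prod-Cluster',  # assumed name, replace for your environment
    [switch]$ReconnectStale,                # apply fix 1 to hosts whose alarm looks stale
    [switch]$DisableAlarm                   # apply the "disable alarm" fix vCenter-wide
)

$alarmName = 'Host TPM attestation alarm'

function Get-TpmAlarmState {
    param([VMware.VimAutomation.ViCore.Types.V1.Inventory.VMHost]$VMHost)
    # TriggeredAlarmState lists alarms currently raised on the host object;
    # resolve each alarm MoRef to its definition and keep only the TPM one.
    foreach ($state in $VMHost.ExtensionData.TriggeredAlarmState) {
        $def = Get-View -Id $state.Alarm
        if ($def.Info.Name -eq $alarmName) { return $state }
    }
    return $null
}

$report = foreach ($h in Get-Cluster -Name $ClusterName | Get-VMHost) {
    if ($h.ConnectionState -ne 'Connected') {
        # esxcli and capability data are unavailable for disconnected hosts
        [pscustomobject]@{ Host = $h.Name; Verdict = "Host is $($h.ConnectionState); reconnect first" }
        continue
    }

    $cap   = $h.ExtensionData.Capability
    $alarm = Get-TpmAlarmState -VMHost $h

    # Config-encryption mode shows whether the host actually seals its
    # configuration with the TPM (Mode = TPM) or does not use it (Mode = NONE).
    $enc = (Get-EsxCli -VMHost $h -V2).system.settings.encryption.get.Invoke()

    $verdict = if (-not $alarm)               { 'OK: alarm not raised' }
               elseif (-not $cap.TpmSupported)  { 'No TPM reported by host: check TPM is enabled in firmware' }
               elseif (-not $cap.UefiSecureBoot) { 'Secure Boot off: enable it in firmware, or disable the alarm' }
               else                              { 'Secure Boot on, alarm still raised: likely stale state, reconnect host' }

    if ($ReconnectStale -and $verdict -like 'Secure Boot on*') {
        # Fix 1 from the article: force vCenter to resynchronise host state.
        Set-VMHost -VMHost $h -State Disconnected -Confirm:$false | Out-Null
        Set-VMHost -VMHost $h -State Connected    -Confirm:$false | Out-Null
    }

    [pscustomobject]@{
        Host           = $h.Name
        TpmSupported   = $cap.TpmSupported
        SecureBoot     = $cap.UefiSecureBoot
        EncryptionMode = $enc.Mode
        AlarmRaised    = [bool]$alarm
        AlarmSince     = if ($alarm) { $alarm.Time } else { $null }
        Verdict        = $verdict
    }
}

$report | Format-Table -AutoSize

if ($DisableAlarm) {
    # Mirrors "Disable the TPM Attestation Alarm" in the article. This only
    # silences the notification; it does not change the attestation result
    # that vCenter records for the host.
    Get-AlarmDefinition -Name $alarmName | Set-AlarmDefinition -Enabled:$false -Confirm:$false
}
```

Run the script first with no switches to see the per-host verdicts; a host reporting EncryptionMode = TPM is relying on the TPM to seal its configuration, so on that host treat a "Secure Boot off" verdict as something to fix in firmware rather than to silence.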

Additional Information

  • Disabling the TPM attestation alarm only suppresses the notification; it does not change the host's attestation result, which vCenter still records and shows under the cluster's Monitor > Security view. If you do not use TPM-based features, this has no practical effect on the security of your environment.
  • Re-enable the alarm if you later adopt TPM-dependent features such as vSphere Trust Authority, or if hosts seal their configuration with the TPM (ESXi configuration encryption uses the TPM when one is present), since a failed attestation then matters.
  • The disconnect/reconnect and alarm reset steps provide a temporary fix by forcing the ESXi host and vCenter Server to resynchronise their state. If the alarm recurs frequently on a host whose Secure Boot is confirmed enabled, investigate network or communication issues between that host and vCenter Server rather than repeatedly resetting the alarm.