Disable Trusted Platform Module (TPM) on a TPM enabled ESXi host
Article ID: 379687

Products

VMware vSphere ESXi

Issue/Introduction

  • Need to disable the Trusted Platform Module (TPM) on an ESXi host that had TPM enabled.
  • ESXi was installed while the TPM feature was enabled in the BIOS.
  • Disabling the TPM on the ESXi host does not work.

Environment

  • VMware vSphere ESXi 8.0.x
  • VMware vSphere ESXi 7.0.x

Cause

A physical host with a TPM chip may ship with the TPM feature enabled by default in the BIOS settings. If ESXi is installed on such a host with the default settings, TPM will be enabled for the ESXi host.

Resolution

TPM can be enabled on an ESXi host at any time. If ESXi is installed while a TPM device is present in the physical host and the TPM feature is enabled in the BIOS settings, ESXi will install with TPM enabled.

If ESXi is installed with the TPM feature disabled in the BIOS, TPM encryption can be enabled on the ESXi host later at any time.

Once TPM is enabled on the ESXi host, disabling TPM is not possible. Re-installing ESXi while the TPM feature is disabled in the BIOS is the only method to disable the TPM.

Additional Information

To check whether a TPM hardware module is present on the ESXi host:

  1. SSH to the ESXi host
  2. Run the command:

    esxcli hardware trustedboot get

    Example

    esxcli hardware trustedboot get
       Drtm Enabled: false
       Tpm Present: true

To list the current encryption settings on the ESXi host:

  1. SSH to the ESXi host
  2. Run the command:

    esxcli system settings encryption get

    Example 1

    esxcli system settings encryption get
       Mode: TPM
       Require Executables Only From Installed VIBs: false
       Require Secure Boot: true

    Note: If "Mode" is "TPM", the TPM feature is enabled in the host BIOS settings and TPM is enabled on the ESXi host.

    Example 2

    esxcli system settings encryption get
       Mode: NONE
       Require Executables Only From Installed VIBs: false
       Require Secure Boot: false

    Note: If "Mode" is "NONE", TPM is not enabled on the ESXi host, and the TPM feature is not enabled in the host BIOS settings.
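The following script is an added example and not part of this article or of VMware's tooling: it parses the output of the two esxcli commands above and reports whether the host's TPM is enabled (and therefore can only be disabled by re-installing ESXi with TPM disabled in the BIOS). It assumes esxcli's default "Key: value" output format as shown in the examples; constructed sample outputs are embedded so it runs without an ESXi host.

```shell
#!/bin/sh
# Added example (not VMware's code): classify an ESXi host's TPM state from the
# output of "esxcli hardware trustedboot get" and "esxcli system settings encryption get".
# On a live host, pass the real output instead of the constructed samples below:
#   tpm_state "$(esxcli hardware trustedboot get)" "$(esxcli system settings encryption get)"

# Return the value of a "Key: value" line, whitespace trimmed ($1 = output, $2 = key).
get_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Classify as NO_TPM, TPM_ENABLED, TPM_PRESENT_NOT_ENABLED or UNKNOWN
# ($1 = trustedboot output, $2 = encryption settings output).
tpm_state() {
    present=$(get_field "$1" "Tpm Present")
    mode=$(get_field "$2" "Mode")
    case "$present" in
        false) echo NO_TPM ;;
        true)
            case "$mode" in
                TPM)  echo TPM_ENABLED ;;
                NONE) echo TPM_PRESENT_NOT_ENABLED ;;
                *)    echo UNKNOWN ;;
            esac ;;
        *) echo UNKNOWN ;;
    esac
}

# Map the state to the consequence the article describes.
tpm_advice() {
    case "$1" in
        TPM_ENABLED) echo "TPM enabled: cannot be disabled in place; reinstall ESXi with TPM disabled in BIOS" ;;
        TPM_PRESENT_NOT_ENABLED) echo "TPM present but not enabled for ESXi; it can be enabled later" ;;
        NO_TPM) echo "No TPM module detected" ;;
        *) echo "Unrecognised output; inspect the esxcli results manually" ;;
    esac
}

# Constructed sample outputs mirroring the article's examples.
TB_OUT='   Drtm Enabled: false
   Tpm Present: true'
ENC_TPM='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'
ENC_NONE='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'

tpm_advice "$(tpm_state "$TB_OUT" "$ENC_TPM")"    # Example 1 host
tpm_advice "$(tpm_state "$TB_OUT" "$ENC_NONE")"   # Example 2 host
```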