Need to disable Trusted Platform Module (TPM) on a TPM enabled ESXi host.
Article ID: 379687
Updated On:
Products
VMware vSphere ESXi
Issue/Introduction
- Need to disable Trusted Platform Module (TPM) on an ESXi host which had TPM enabled.
- ESXi was installed while TPM feature was enabled in the BIOS.
Environment
- VMware vSphere ESXi 8.0.x
- VMware vSphere ESXi 7.0.x
Cause
- Physical host with a TPM chip may be shipped with TPM feature enabled by default in the BIOS settings. And if the ESXi is installed on the host with default values, the TPM will be enabled for the ESXi host.
- Disabling the TPM on the ESXi host does not work.
Resolution
- TPM can be enabled on an ESXi host at any time.
- If the ESXi host is installed while TPM device is present in the physical host and the TPM feature is enabled in the BIOS settings, the ESXi host will install with TPM enabled.
- If the ESXi host is installed with TPM feature disabled in the BIOS, TPM encryption can be enabled on the ESXi host later at any time.
- Once TPM is enabled on the ESXi host, disabling TPM is not possible.
- Re-installing the ESXi host while the TPM feature is disabled in the BIOS is the only method to disable the TPM.
Additional Information
- To check if TPM hardware Module is present on the ESXi host.
- Example:
-
esxcli hardware trustedboot getDrtm Enabled: falseTpm Present: true
-
- Example:
- To list the current encryption settings on the ESXi host:
- Example1:
-
esxcli system settings encryption get
Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: true - If
"Mode"is "None", then the TPM is not enabled on the ESXi host and on Host BIOS Settings.
-
- Example2:
-
esxcli system settings encryption get
Mode: NONE
Require Executables Only From Installed VIBs: false
Require Secure Boot: false - If "Mode" appears as "TPM", then the TPM feature is enabled on the Host BIOS settings and TPM is enabled.
-
- Example1:
Feedback
Yes
No
Powered by
