ESXi hosts may display the following alarm:
"Unable to provision Endorsement Key on TPM 2.0 device: Endorsement Key creation failed on device"
This alarm typically appears after ESXi host upgrades or when adding new hosts to the infrastructure. The issue affects the Trusted Platform Module (TPM) 2.0 functionality, which is crucial for host attestation and security features.
This issue can occur due to several factors:
Diagnostic Procedure
esxcli system settings encryption get
grep -i tpm /var/log/vmkernel.log
Look in the output for messages such as "TPM Platform hierarchy is not enabled", "TPM Owner hierarchy is not enabled", "0x185" or "TPM_RC_HIERARCHY".
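The two diagnostic commands above can be combined into a small triage script, shown here as an added example that is not part of the KB article. It greps a vmkernel.log for the four message fragments the article lists (0x185 is the TPM 2.0 return code TPM_RC_HIERARCHY, so all four describe the same symptom), reads the Mode value out of captured `esxcli system settings encryption get` output (assumed to contain a "Mode: <value>" line), and prints which resolution path the evidence points to. The function names, the verdict strings and the sample log lines are this example's own constructions.

```shell
#!/bin/sh
# Added example (not the KB article's own script): triage a vmkernel.log
# for the TPM hierarchy messages the article lists and map them to a
# resolution path. Function and variable names here are this example's own.

# Message fragments quoted in the article. 0x185 is the TPM 2.0 return
# code TPM_RC_HIERARCHY, so all four point at a disabled TPM hierarchy.
P1='TPM Platform hierarchy is not enabled'
P2='TPM Owner hierarchy is not enabled'
P3='0x185'
P4='TPM_RC_HIERARCHY'

# Print every log line containing one of the fragments (case-insensitive,
# fixed strings). Exit 0 if anything matched, 1 if nothing did, 2 if the
# file is unreadable. Default log path is the live vmkernel.log.
tpm_hierarchy_errors() {
    log="${1:-/var/log/vmkernel.log}"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    grep -i -F -e "$P1" -e "$P2" -e "$P3" -e "$P4" "$log"
}

# Number of matching lines (0 when none).
tpm_hierarchy_error_count() {
    tpm_hierarchy_errors "$1" | wc -l | tr -d ' '
}

# Extract the Mode value from captured `esxcli system settings encryption get`
# output read on stdin. Assumes the output carries a "Mode: <value>" line.
encryption_mode() {
    sed -n 's/^[[:space:]]*Mode:[[:space:]]*//p' | head -n 1
}

# Combine both checks into one verdict:
#   hierarchy-disabled   log shows the hierarchy errors (Path 1: BIOS/TPM settings)
#   mode-not-tpm         no hierarchy errors, but encryption mode is not TPM
#   no-hierarchy-errors  nothing in the log and mode already TPM (see Paths 2-4)
tpm_diagnose() {
    log="$1"; mode="$2"
    if [ "$(tpm_hierarchy_error_count "$log")" -gt 0 ]; then
        echo hierarchy-disabled
    elif [ "$mode" != "TPM" ]; then
        echo mode-not-tpm
    else
        echo no-hierarchy-errors
    fi
}

# Constructed sample log (not real host output) so the example runs offline.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-01T00:00:00Z cpu0: tpm: Endorsement Key creation failed on device
2024-01-01T00:00:01Z cpu0: tpm: TPM Platform hierarchy is not enabled
2024-01-01T00:00:02Z cpu0: tpm: command failed, rc 0x185 (TPM_RC_HIERARCHY)
2024-01-01T00:00:03Z cpu1: vmw_ahci: unrelated storage message
EOF

# Constructed stand-in for the esxcli output; on a host use:
#   esxcli system settings encryption get | encryption_mode
SAMPLE_MODE="$(printf '   Mode: NONE\n   Require Secure Boot: false\n' | encryption_mode)"

echo "matching lines: $(tpm_hierarchy_error_count "$SAMPLE_LOG")"
echo "encryption mode: $SAMPLE_MODE"
echo "verdict: $(tpm_diagnose "$SAMPLE_LOG" "$SAMPLE_MODE")"
```

On a real host, replace the constructed sample with `tpm_diagnose /var/log/vmkernel.log "$(esxcli system settings encryption get | encryption_mode)"`; a "hierarchy-disabled" verdict means the TPM itself is reporting its hierarchy as disabled, which is the firmware-side condition Path 1 addresses, whereas the other two verdicts point at the remaining paths.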
Resolution Paths
Based on diagnostic results, follow the appropriate resolution path:
Path 1: BIOS Configuration Issues
If TPM or Secure Boot is not properly configured in BIOS:
esxcli system settings encryption set --mode=TPM
/bin/backup.sh 0
Path 2: TPM Hardware Replacement
If TPM chip has been recently replaced:
Path 3: Host Profile Conflicts
If issue appeared after host profile application:
Path 4: Hardware Issues
If diagnostics indicate hardware problems or previous paths fail:
esxcli hardware tpm status get