Error: UEFI Secure Boot failed after changing TPM to version 2.0 on ESXi host

Article ID: 414701


Products

VMware vSphere ESXi

Issue/Introduction

After the Trusted Platform Module (TPM) version is changed from 1.2 to 2.0 in the server BIOS/UEFI setup, the ESXi host stops during boot with a purple diagnostic screen.

The error message states:

The system has found a problem on your machine and cannot continue.

UEFI Secure Boot failed:
Failed to verify signatures of the following vib(s): [<vib_name>]. 
Unrecognized tardisks: [<tardisk_name>]

No port for remote debugger.


Additional symptoms reported:

  • Received a "crash screen with a vib issue" after changing TPM to 2.0 in BIOS

Environment

ESXi 7.0 and later versions on servers with

  • TPM 2.0 hardware
  • Secure Boot enabled

Cause

The Physical Presence setting in the server BIOS is "De-asserted" while TPM 2.0 and Secure Boot are both enabled.

With TPM 2.0, the firmware carries out operator-authorized TPM operations only when Physical Presence is "Asserted".


Physical Presence is an authorization mechanism for the TPM: it lets the platform firmware perform security-sensitive TPM operations only after a physically present operator has approved them. "Asserted" means that approval is in place; "De-asserted" means that operations requiring it are refused.

When TPM 2.0 and Secure Boot are both enabled, ESXi boot depends on two mechanisms. UEFI Secure Boot verifies the ESXi boot loader, and the ESXi secure boot verifier then checks that every VIB in the boot bank carries a valid signature and that every tardisk loaded at boot belongs to a verified VIB; the signatures are checked by ESXi against its trusted certificates, not by the TPM. The TPM is used alongside this to record boot measurements and, in ESXi 7.0 and later, to protect the key that encrypts the host configuration. With Physical Presence "De-asserted", the TPM operations the host needs during this phase of boot are refused.

The boot then fails at VIB verification and stops with the UEFI Secure Boot error shown above, listing the VIBs whose signatures could not be verified and any tardisks not recognized as part of a verified VIB.

This state typically arises when the TPM version is switched from 1.2 to 2.0 without revisiting Physical Presence. TPM 1.2 firmware may enforce Physical Presence differently, so a configuration that booted with TPM 1.2 can fail after the switch to TPM 2.0.


The switch is commonly made to prepare a host for an ESXi 8.x upgrade, which requires TPM 2.0. Until the BIOS setting is corrected the host does not boot, so it cannot be repaired from ESXi itself; the change must be made in the BIOS/UEFI setup.

Resolution

To resolve this issue, configure the Physical Presence setting in your server BIOS to "Asserted":

  1. Reboot the ESXi host and access the BIOS/UEFI setup during boot. Press F1, F2, F12, or Del, depending on your server vendor.

  2. Navigate to the security or TPM configuration section. The exact menu path varies by vendor but is commonly found under:

    • System Settings > Security
    • Security > Trusted Computing
    • Advanced > Security Settings
  3. Locate the Physical Presence setting. It may also be labeled as "TPM Physical Presence" or "Physical Presence Policy."

  4. Change the Physical Presence setting from De-asserted to Asserted.

  5. Verify that Secure Boot is set to Enabled. This setting is typically found in the same security menu or under Boot Options.

  6. Verify that TPM State or TPM Device is set to Enabled and the TPM version is 2.0.

  7. Save the BIOS configuration changes and exit the setup.

  8. Allow the server to reboot.

After the reboot, the ESXi host boots without the UEFI Secure Boot error.

Note: BIOS menu structures and terminology vary by hardware vendor. Consult your server vendor's documentation for specific menu paths and setting names if needed.

Additional Information

For more information about TPM support in vSphere environments, see VMware vSphere Support of Trusted Platform Module (TPM) and Trusted Execution Technology (TXT).

For step-by-step guidance on enabling TPM on ESXi hosts, see Enable TPM on ESXi.

For information about troubleshooting other ESXi boot failures related to TPM and Secure Boot configuration, see ESXi boot failures due to system configuration issues - restore security configuration, decrypt system configuration, recover system configuration.

For details about managing Secure Boot enforcement settings on ESXi hosts with TPM, see Manage a Secure ESXi Configuration in the vSphere Security documentation.

Prevention: Before changing the TPM version in the server BIOS, confirm that Physical Presence is "Asserted" so that the host can still boot with Secure Boot enforced. This matters most when preparing hosts for an ESXi 8.x upgrade, which requires TPM 2.0. Switching the TPM version also resets the TPM's contents: on ESXi 7.0 and later, where the configuration encryption key is protected by the TPM (esxcli system settings encryption get reports Mode: TPM), list and store the host's recovery key beforehand with esxcli system settings encryption recovery list, because a host whose TPM no longer holds the sealed key cannot decrypt its configuration at boot without that key (the ESXi boot failures article linked above covers the recovery procedure).
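The following POSIX shell script is an added example, not part of this article, showing the pre-change checks an administrator can run on the ESXi host over SSH before switching the TPM version, and again after the BIOS fix to confirm the host came back with Secure Boot and the TPM active. It uses only commands that exist on ESXi 7.0 and later (/usr/lib/vmware/secureboot/bin/secureBoot.py -s, esxcli hardware trustedboot get, esxcli system settings encryption get, esxcli system settings encryption recovery list). The sample strings are constructed to match the key: value layout of that output and are not captured from a real host; the live commands run only when esxcli is present, so the parsing logic can be exercised off the host.

```shell
#!/bin/sh
# Added example: ESXi TPM / Secure Boot readiness checks.
# Sample outputs below are constructed (not from a real host) and follow
# the key: value format that esxcli prints on ESXi 7.0 and later.

# /usr/lib/vmware/secureboot/bin/secureBoot.py -s prints Enabled or Disabled
SAMPLE_SB='Enabled'

# esxcli system settings encryption get
SAMPLE_ENC='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'

# esxcli hardware trustedboot get
SAMPLE_TB='   Drtm Enabled: false
   Tpm Present: true'

# value_of "<Key>" "<text>": print the value of a "Key: value" line
value_of() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p"
}

# secureboot_enabled "<secureBoot.py output>": true when Secure Boot is on
secureboot_enabled() {
    [ "$1" = "Enabled" ]
}

# tpm_present "<trustedboot output>": true when ESXi sees a TPM
tpm_present() {
    [ "$(value_of 'Tpm Present' "$1")" = "true" ]
}

# encryption_mode "<encryption get output>": prints TPM or NONE
encryption_mode() {
    value_of 'Mode' "$1"
}

# tpm_change_readiness "<sb>" "<enc>" "<tb>"
# Prints one finding per line. Returns 0 when the TPM version can be
# changed without further preparation, 1 when the configuration
# encryption key is sealed to the TPM and the recovery key must be
# backed up first (switching the TPM version resets the TPM).
tpm_change_readiness() {
    sb=$1; enc=$2; tb=$3; rc=0
    if secureboot_enabled "$sb"; then
        echo "Secure Boot: enabled (VIB signatures are enforced at boot)"
    else
        echo "Secure Boot: disabled"
    fi
    if tpm_present "$tb"; then
        echo "TPM: present"
    else
        echo "TPM: not visible to ESXi"
    fi
    if [ "$(encryption_mode "$enc")" = "TPM" ]; then
        echo "Config encryption key is sealed to the TPM:" \
             "back up the recovery key before changing the TPM version"
        rc=1
    else
        echo "Config encryption mode: $(encryption_mode "$enc")"
    fi
    return $rc
}

# On a real host (esxcli available) query the live state; when the
# recovery key is needed, list it so it can be recorded somewhere safe.
if command -v esxcli >/dev/null 2>&1; then
    sb=$(/usr/lib/vmware/secureboot/bin/secureBoot.py -s)
    enc=$(esxcli system settings encryption get)
    tb=$(esxcli hardware trustedboot get)
    tpm_change_readiness "$sb" "$enc" "$tb" || \
        esxcli system settings encryption recovery list
else
    tpm_change_readiness "$SAMPLE_SB" "$SAMPLE_ENC" "$SAMPLE_TB" || \
        echo "Action required before changing the TPM version"
fi
```

Run it once before touching the BIOS and once after the host is back: the post-fix run should report Secure Boot enabled and the TPM present, and the secure boot verifier can be cross-checked with /usr/lib/vmware/secureboot/bin/secureBoot.py -c, which reports whether every installed VIB would pass verification.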

Note: BIOS configuration options and terminology vary by hardware vendor (Dell, HPE, Lenovo, Cisco, etc.). Consult your server vendor's documentation for specific instructions on configuring TPM and Physical Presence settings for your hardware model.