ESXi Quick Boot is not supported when Intel TXT is enabled

Article ID: 425234

Products

VMware vSphere ESXi

Issue/Introduction

In vSphere Lifecycle Manager (vLCM), the following compliance alert is observed for an ESXi host:

Host is out of compliance with the image
The host will be rebooted during remediation.
Quick Boot is not supported on the host.

 

When running the following command directly on the ESXi host:

/usr/lib/vmware/loadesx/bin/loadESXCheckCompat.py

The output indicates that Quick Boot is not supported due to Intel TXT being enabled:

This system is not QuickBoot compatible: violating one or more strict requirements (Quick Boot is not support on this machine)
The host does not fulfill the following hard dependencies:
    - Intel TXT is enabled

Environment

 

  • VMware vCenter Server

  • vSphere Lifecycle Manager (vLCM) using image-based management

  • ESXi 8.x / 9.x

  • Host on a TXT-capable platform

  • Intel TXT enabled in system BIOS

 

Cause

Intel TXT (Trusted Execution Technology) is a hardware-based security feature designed to verify the integrity of the system during the earliest stages of the boot process. It validates components such as BIOS/UEFI and the ESXi hypervisor to ensure they have not been tampered with.

Key characteristics of Intel TXT:

  • Intel TXT operates only during system boot

  • It requires a full cold boot, including:

    • Complete hardware initialization

    • Power-On Self-Test (POST)

    • Full security measurement and verification

  • Once the system has completed booting and entered the running state, Intel TXT is no longer active

ESXi Quick Boot is designed to reduce reboot time by skipping POST and certain hardware and security initialization steps. As a result:

  • Intel TXT and ESXi Quick Boot are mutually exclusive

  • When Intel TXT is enabled, Quick Boot is not supported

  • This behavior is expected and by design

Note: Enabling or disabling Intel TXT does not affect runtime performance, since TXT functions only during the boot phase.

Resolution

Option 1: Enable Quick Boot (Lower to Medium Security Requirements)

If the environment does not require the highest level of boot-time security:

  1. Enter the system BIOS

  2. Disable Intel TXT

  3. Save the configuration and reboot the host

  4. Re-run remediation in vLCM

With Intel TXT disabled, ESXi Quick Boot will be supported for image-based remediation.

Recommended security configuration for this scenario:

  • TPM: Enabled

  • Secure Boot: Enabled

  • Intel TXT: Disabled

This configuration provides a balanced approach between security and operational efficiency.

 

Option 2: Retain Maximum Boot-Time Security (High Security Requirements)

If strict security, compliance, or attestation requirements exist:

  • Keep Intel TXT enabled

  • Accept that Quick Boot cannot be used

  • vLCM remediation will always perform a full reboot

This configuration is typically required for environments that use:

  • Hardware-based trust validation

  • Attestation or measured boot

  • vSphere Trust Authority

Recommended security configuration for this scenario:

  • TPM: Enabled

  • Secure Boot: Enabled

  • Intel TXT: Enabled

Additional Information

Intel TXT introduces higher operational overhead because:

  • Every reboot requires a full cold boot

  • BIOS or firmware updates can invalidate the trust state

  • Hardware changes may cause the host to be marked as untrusted

  • Additional validation or re-attestation workflows may be required

For these reasons, Intel TXT is disabled by default on most systems and must be explicitly enabled.
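
The following is an added example, not part of the original article and not VMware tooling: a Python script that parses the loadESXCheckCompat.py output quoted in the Issue section and compares the reported blockers with the host's intended profile (Option 1 or Option 2). The function names, verdict strings and the `txt_required` flag are hypothetical, and only the output format shown in this article is assumed.

```python
import re

# Constructed sample: the checker output quoted in this article.
SAMPLE_OUTPUT = """\
This system is not QuickBoot compatible: violating one or more strict requirements (Quick Boot is not support on this machine)
The host does not fulfill the following hard dependencies:
    - Intel TXT is enabled
"""

TXT_BLOCKER = "Intel TXT is enabled"


def parse_hard_dependencies(output):
    """Return the '- item' lines listed under the 'hard dependencies' header."""
    blockers, in_list = [], False
    for line in output.splitlines():
        if "hard dependencies" in line:
            in_list = True
        elif in_list:
            item = re.match(r"\s*-\s+(.*\S)", line)
            if item:
                blockers.append(item.group(1))
            elif line.strip():
                in_list = False  # a non-list line ends the section
    return blockers


def assess(output, txt_required):
    """Compare reported blockers with the host's intended profile.

    txt_required=True is Option 2 (TXT enabled), False is Option 1.
    """
    blockers = parse_hard_dependencies(output)
    others = [b for b in blockers if b != TXT_BLOCKER]
    if TXT_BLOCKER in blockers:
        # Option 2: the vLCM alert is by design. Option 1: TXT is still on.
        verdict = "expected-full-reboot" if txt_required else "txt-still-enabled"
    elif txt_required:
        # Assumption: a TXT host always lists this blocker, so its absence
        # means the BIOS setting should be confirmed before trusting the host.
        verdict = "verify-txt-state"
    else:
        verdict = "txt-not-blocking"
    return {"verdict": verdict, "other_blockers": others}


if __name__ == "__main__":
    for required in (True, False):
        print(required, assess(SAMPLE_OUTPUT, required))
```

A `verify-txt-state` verdict on a host that is supposed to follow Option 2 is the case worth alerting on, because it suggests the BIOS setting no longer matches the intended profile.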