Error: "Unable to change the encryption mode and policy" when enabling TPM on ESXi

Article ID: 426313

Products

VMware vSphere ESXi

Issue/Introduction

A physical TPM module has been fitted to the server hardware.

When attempting to enable the Trusted Platform Module (TPM) on an ESXi host via the command line, the operation fails with a configuration error:

> esxcli system settings encryption set --mode=TPM
Unable to change the encryption mode and policy. Verify that the current host configuration can satisfy the new requirement.


The encryption status shows Mode: NONE:

> esxcli system settings encryption get

   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false


The hardware is successfully communicating with ESXi:

> esxcli hardware trustedboot get
   Drtm Enabled: false
   Tpm Present: true

The server's hardware management page shows that the TPM is present, but its Enabled Status is "Disabled" and its Activation Status is "Deactivated".

Cause

The physical TPM module is detected by the ESXi kernel, but it is administratively Disabled or Deactivated in the server's firmware.

Resolution

To resolve this issue, the TPM must be fully enabled at the hardware level. Contact the hardware vendor to set the TPM's Enabled Status to "Enabled" and its Activation Status to "Activated" in the server firmware, then retry the esxcli command.
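As an added example (not part of this KB article), the following POSIX shell pre-flight check classifies the host from the esxcli output quoted above, so that a failed "encryption set --mode=TPM" is reported together with its likely cause. Only check_host calls the real esxcli commands; the sample outputs in the block are constructed to match the failing host in this article.

```shell
#!/bin/sh
# Added example, not from the KB: classify the TPM state of an ESXi host
# from esxcli key/value output before and after attempting TPM mode.

# kv OUTPUT KEY: value of the first "KEY: value" line in esxcli output.
kv() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# tpm_diagnose TRUSTEDBOOT_OUT ENCRYPTION_OUT SET_RC
#   TRUSTEDBOOT_OUT: output of 'esxcli hardware trustedboot get'
#   ENCRYPTION_OUT:  output of 'esxcli system settings encryption get'
#   SET_RC: exit status of 'encryption set --mode=TPM', or "" if not yet run
tpm_diagnose() {
    present=$(kv "$1" "Tpm Present")
    mode=$(kv "$2" "Mode")
    if [ "$present" != "true" ]; then
        echo no-tpm                 # ESXi kernel does not see a TPM at all
    elif [ "$mode" = "TPM" ]; then
        echo tpm-mode-active        # nothing to do
    elif [ -z "$3" ]; then
        echo ready-to-attempt       # TPM visible, mode NONE, set not tried yet
    elif [ "$3" -ne 0 ]; then
        echo firmware-check-needed  # the KB's case: TPM seen but set fails,
                                    # so check Enabled/Activation in firmware
    else
        echo verify-mode            # set succeeded but mode not TPM: re-read
    fi
}

# check_host: run the real commands on the ESXi host (needs esxcli in PATH).
check_host() {
    tb=$(esxcli hardware trustedboot get) || return 2
    enc=$(esxcli system settings encryption get) || return 2
    state=$(tpm_diagnose "$tb" "$enc" "")
    if [ "$state" = "ready-to-attempt" ]; then
        esxcli system settings encryption set --mode=TPM; rc=$?
        enc=$(esxcli system settings encryption get)
        state=$(tpm_diagnose "$tb" "$enc" "$rc")
    fi
    echo "$state"
}

# Constructed sample output matching the failing host described in the KB.
SAMPLE_TB='   Drtm Enabled: false
   Tpm Present: true'
SAMPLE_ENC='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'
echo "after failed set: $(tpm_diagnose "$SAMPLE_TB" "$SAMPLE_ENC" 1)"
```

On a host, run check_host after the firmware change; the result should move from firmware-check-needed to tpm-mode-active.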


Additional Information

VMware vSphere Support of Trusted Platform Module (TPM) and Trusted Execution Technology (TXT)

Securing ESXi Hosts with Trusted Platform Module

Enable TPM on ESXi.