Unable to Configure vSphere HA Due to Expired ESXi Root Password

Article ID: 431230


Products

VMware vCenter Server

Issue/Introduction

  • When attempting to enable or reconfigure vSphere High Availability (HA) on a vSphere Cluster, the process fails for one or more ESXi hosts. Administrators will observe the following symptom in the vCenter Server environment:

    "Cannot install the vSphere HA (FDM) agent on the host due to root password expired"

Environment

  • VMware vCenter Server 

Cause

  • vSphere HA relies heavily on the ability of vCenter Server to authenticate and communicate with the ESXi hosts to push, install, and configure the Fault Domain Manager (FDM) HA agent.
  • If the ESXi root account is locked or the password has expired due to local security policies, the authentication handshake between vCenter Server (via the vpxa agent) and the ESXi host fails. Consequently, vCenter cannot authenticate to deploy the HA agent, resulting in the "HA agent unreachable" or "Uninitialized" state.

Resolution

  To resolve this issue, you must reset the expired root password, refresh the vCenter-to-ESXi authentication token, and force a reconfiguration of the HA agent.

   Follow the steps below:

Reset the ESXi Root Password using Host Profiles

If vCenter still maintains a management connection to the host but HA configuration is failing, you can leverage Host Profiles to reset the password without needing direct DCUI or SSH access.

Reference Article: Reset host root password with Host Profile

    1. In the vSphere Client, navigate to Policies and Profiles > Host Profiles.

    2. Extract a Host Profile from the affected host (or use an existing one).

    3. Edit the Host Profile and navigate to Security and Services > Security Settings > Security > User Configuration > root.

    4. Configure a new, complex root password.

    5. Attach the Host Profile to the affected ESXi host(s) and Remediate to apply the new password.

Disconnect the ESXi Host from vCenter

To force vCenter to recognize the new credentials and refresh the connection token, briefly disconnect the host.

    1. Navigate to the Hosts and Clusters view.

    2. Right-click the affected ESXi host and select Connection > Disconnect.

    3. Wait for the host to show as (Disconnected) in the inventory.

Reconnect the ESXi Host

    1. Right-click the disconnected ESXi host and select Connection > Connect.

    2. The vpxa authentication routine will run, and vCenter will prompt you to enter the administrative credentials.

    3. Enter the username (root) and the new password configured via the Host Profile in Step 1.

    4. Allow the host to fully reconnect to the vCenter Server.

Reconfigure vSphere HA

Once the host is fully connected and authenticating correctly, reinstall the HA agent.

    1. Right-click the newly reconnected ESXi host.

    2. Select Reconfigure for vSphere HA.

    3. Monitor the Recent Tasks pane. The FDM agent will successfully deploy, and the host's HA State will change to Running (Primary/Secondary).
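
The disconnect, reconnect, and reconfigure steps above can also be scripted. The following PowerCLI sketch is an added example, not part of the original article or vendor-supplied code. It assumes the root password has already been reset, VMware PowerCLI is installed, and Connect-VIServer has been run against the vCenter Server; the host name, the 5-minute timeout, and the 10-second poll interval are assumptions.

```powershell
# Added example, not from the KB article. Run as a script after Connect-VIServer.
param(
    [Parameter(Mandatory)] [string]       $HostName,       # affected ESXi host (placeholder name)
    [Parameter(Mandatory)] [pscredential] $RootCredential  # root and the NEW password
)
$ErrorActionPreference = 'Stop'

$vmhost = Get-VMHost -Name $HostName

# Disconnect: Set-VMHost returns once the vCenter task has finished.
if ($vmhost.ConnectionState -ne 'Disconnected') {
    $vmhost = Set-VMHost -VMHost $vmhost -State Disconnected -Confirm:$false
}

# Reconnect with the new credentials so vCenter refreshes its host login.
$spec = New-Object VMware.Vim.HostConnectSpec
$spec.UserName = $RootCredential.UserName
$spec.Password = $RootCredential.GetNetworkCredential().Password
$spec.Force    = $false
try {
    # Synchronous form of ReconnectHost_Task: blocks and throws if the login fails.
    $vmhost.ExtensionData.ReconnectHost($spec, $null)
}
finally {
    $spec.Password = $null   # do not leave the clear-text secret on the spec object
}

# Confirm the host is back before touching HA.
$vmhost = Get-VMHost -Name $HostName
if ($vmhost.ConnectionState -in @('Disconnected', 'NotResponding')) {
    throw "Host $HostName is $($vmhost.ConnectionState); HA reconfigure skipped."
}

# Same action as "Reconfigure for vSphere HA" (reinstalls the FDM agent).
$vmhost.ExtensionData.ReconfigureHostForDAS()

# Poll the HA state. 'master' and 'connectedToMaster' are the API values
# behind Running (Primary/Secondary) in the vSphere Client.
$healthy  = @('master', 'connectedToMaster')
$deadline = (Get-Date).AddMinutes(5)   # assumed timeout
do {
    Start-Sleep -Seconds 10
    $state = (Get-VMHost -Name $HostName).ExtensionData.Runtime.DasHostState.State
} until (($state -in $healthy) -or ((Get-Date) -gt $deadline))

if ($state -notin $healthy) { throw "HA state on $HostName is '$state' after timeout." }
"HA agent state on ${HostName}: $state"
```

Supply the credential with Get-Credential so the new root password never appears on the command line or in shell history.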