ESXi PSOD "Security violation" and TPM Endorsement Key mismatch after motherboard replacement

Article ID: 440352

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms

After replacing a system board (motherboard) on an ESXi host equipped with a Trusted Platform Module (TPM), the following symptoms occur:

  • PSOD during boot: The host fails to boot into the hypervisor and shows a Purple Screen of Death (PSOD) with the error: "Unable to restore the system configuration. A security violation was detected. https://via.vmw.com/security-violation" (article 428266).

  • vCenter alarm: The vSphere Client displays an alarm on the host summary page: "The new host TPM endorsement key doesn't match the one stored in the DB" (article 316512).

  • Attestation Failure: The host's Attestation status under Monitor > Security shows as Failed.

Environment

VMware vSphere ESXi 8.x

Cause

vCenter Server verifies host integrity using a unique hardware "fingerprint", the TPM Endorsement Key (EK), which is burned into the TPM chip and cannot be changed.

When a motherboard is replaced, the new TPM chip presents a different EK. vCenter detects the mismatch and blocks the host from booting or attesting, because an unexpected EK change is indistinguishable from an unauthorized hardware swap (spoofing). ESXi 8.x strictly enforces this configuration integrity check, so the host will PSOD until the stale keys are cleared from the vCenter database (VCDB) (article 316512).

Resolution

To resolve the mismatch and clear the PSOD without removing the host from the vSphere Distributed Switch (vDS) or inventory, follow these steps to clear stale keys from the vCenter database.

Prerequisites

  • Ensure you have the 16-bit Encryption Recovery Key for the host (retrieved via esxcli system settings encryption recovery list before the hardware swap; see article 436459). Without it, the host cannot be booted past the PSOD to complete the procedure.

  • Take a snapshot of the vCenter Server Appliance (VCSA).

Procedure

  1. Initial Boot: Use Shift+O during the ESXi boot process and append the recovery key: encryptionRecoveryKey=<16-bit-key>

  2. Access vCenter DB: Log into the VCSA via SSH as root and stop the vpxd service: service-control --stop vpxd

  3. Clear Stale Keys:
    • Access the Postgres DB: /opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB

    • Identify the Host ID (replace FQDN with the host's name): SELECT id, dns_name FROM vpx_host WHERE dns_name = 'host_fqdn';

    • Nullify the old keys (replace ID with the number from the previous step): UPDATE vpx_host SET endorsement_key='', attestation_identity_key='' WHERE id = <ID>;

    • Exit the database: \q

  4. Restart and Reconnect:

    • Start the service: service-control --start vpxd

    • In the vSphere Client, Disconnect then Connect the host. This triggers a fresh security handshake to "learn" the new motherboard's EK.

  5. Seal Configuration: In the ESXi shell, run the following two commands to lock the configuration to the new TPM and persist it (article 316512):

    • esxcli system settings encryption set --mode=TPM

    • /sbin/auto-backup.sh
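The database part of steps 3 and 4 is easy to get wrong under pressure: a typo in the FQDN returns no row, a missing WHERE clause would blank the keys of every host, and a quote in the host name breaks the statement. The script below is an added example, not part of this KB article, that wraps the same psql statements so the UPDATE only ever runs for exactly one validated host id. It assumes the psql path, database name, table and column names exactly as the article gives them (vpx_host with id, dns_name, endorsement_key, attestation_identity_key); the host name esx01.example.com used in the comments is a constructed value.

```shell
#!/bin/sh
# Added example (not from the KB article): guarded wrapper around the
# VCDB steps of the procedure. Run on the VCSA as root after
# "service-control --stop vpxd", with the host FQDN as the only argument.

PSQL=/opt/vmware/vpostgres/current/bin/psql   # path given in the article

# Accept only hostname characters so the FQDN is safe inside an SQL literal.
valid_fqdn() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept only a positive integer for the vpx_host id.
valid_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the lookup statement from step 3 (returns the id only).
lookup_sql() {
    valid_fqdn "$1" || return 1
    printf "SELECT id FROM vpx_host WHERE dns_name = '%s';" "$1"
}

# Build the UPDATE from step 3, always scoped to a single numeric id.
clear_sql() {
    valid_id "$1" || return 1
    printf "UPDATE vpx_host SET endorsement_key = '', attestation_identity_key = '' WHERE id = %s;" "$1"
}

# Full flow: look the host up, require exactly one row, then clear its keys.
clear_stale_tpm_keys() {
    fqdn="$1"
    q=$(lookup_sql "$fqdn") || { echo "refusing: bad FQDN '$fqdn'" >&2; return 1; }
    # -A (unaligned) and -t (tuples only) give bare ids, one per line.
    ids=$("$PSQL" -U postgres -d VCDB -At -c "$q") || return 1
    count=$(printf '%s\n' "$ids" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "refusing: expected exactly one vpx_host row for $fqdn, got $count" >&2
        return 1
    fi
    u=$(clear_sql "$ids") || { echo "refusing: bad id '$ids'" >&2; return 1; }
    "$PSQL" -U postgres -d VCDB -v ON_ERROR_STOP=1 -At -c "$u" \
        && echo "cleared TPM keys for $fqdn (vpx_host id $ids)"
}

# usage: sh clear_tpm_keys.sh esx01.example.com   (constructed host name)
if [ "$#" -eq 1 ]; then
    clear_stale_tpm_keys "$1"
fi
```

After the script reports success, continue with step 4 (start vpxd, then Disconnect and Connect the host) so vCenter learns the new EK, and finish with step 5 on the host.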
