vSphere ESXi with execInstalledOnly enabled update/upgrade fails through Update Manager in vCenter Server 7.x


Article ID: 318467


Products

VMware vCenter Server VMware vSphere ESXi

Issue/Introduction

Symptoms:

Compliance checks and remediation of an ESXi host with execInstalledOnly enabled fail with the following error:

Cannot deploy host upgrade agent. Ensure that vSphere Lifecycle Manager is officially signed. Check the network connectivity and logs of host agent and vpxa for details.

For more information, see Enable or Disable the execInstalledOnly Enforcement for a Secure ESXi Configuration

Environment

VMware vCenter Server 7.0.x

Cause

The execInstalledOnly policy does not allow any executable to run on an ESXi host unless it was installed via a VIB. Update Manager (pre 7.0) and Lifecycle Manager workflows using baselines (7.0 and later) need to push an upgrade agent (vua) to the ESXi host. If execInstalledOnly is enabled, the vua agent is not allowed to execute, which breaks the Update Manager / Lifecycle Manager workflows.

Lifecycle Manager workflows that use a single image to manage clusters are not impacted by the execInstalledOnly state and continue to function as expected.

Resolution

Currently there is no resolution.

Workaround:
To work around this issue, disable the execInstalledOnly enforcement using the steps below:

Note: The steps below require an ESXi host reboot to take effect.
  1. Connect to the ESXi host through SSH. For more information, see Enable the Secure Shell (SSH) in the VMware Host Client
  2. Run the below commands:
 # esxcli system settings encryption set --require-exec-installed-only=False
 # esxcli system settings kernel set -s execInstalledOnly -v FALSE
  3. Make sure that the ESXi host is evacuated of powered-on virtual machines.
  4. Reboot the host.
  5. Retry the VUM upgrade.
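
Because the change only takes effect after a reboot, it helps to confirm the state of both settings before retrying the upgrade. The script below is an added example, not part of the original article or VMware's tooling: it classifies the output of `esxcli system settings kernel list -o execinstalledonly` and `esxcli system settings encryption get`. The function names, the assumed column layout and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB article): report whether the two settings
# changed by the workaround have taken effect.
# Output layouts are assumed; the sample text below is constructed.

# Parse `esxcli system settings kernel list -o execinstalledonly` from stdin.
# Assumed columns: Name Type Configured Runtime Default Description
kernel_state() {
    awk 'tolower($1) == "execinstalledonly" {
             print toupper($3), toupper($4); found = 1 }
         END { if (!found) print "UNKNOWN UNKNOWN" }'
}

# Parse `esxcli system settings encryption get` from stdin: true|false|unknown
require_flag() {
    awk -F': *' '/Require Executables Only From Installed VIBs/ {
             v = tolower($2); gsub(/[ \t\r]+$/, "", v); print v; found = 1 }
         END { if (!found) print "unknown" }'
}

# Verdict from the two command outputs, passed as strings.
eio_verdict() {
    ks=$(printf '%s\n' "$1" | kernel_state)
    req=$(printf '%s\n' "$2" | require_flag)
    cfg=${ks% *}; run=${ks#* }
    if [ "$cfg" = UNKNOWN ] || [ "$req" = unknown ]; then echo unknown
    elif [ "$cfg" != "$run" ]; then echo reboot-pending   # configured, not yet live
    elif [ "$run" = TRUE ] && [ "$req" = true ]; then echo enforced
    elif [ "$run" = FALSE ] && [ "$req" = false ]; then echo disabled
    else echo mismatch                                    # the two settings disagree
    fi
}

# Constructed sample: after step 2 of the workaround, before the reboot.
SAMPLE_KERNEL='Name               Type  Configured  Runtime  Default  Description
-----------------  ----  ----------  -------  -------  -----------
execinstalledonly  Bool  FALSE       TRUE     FALSE    (description elided)'
SAMPLE_ENC='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'

# On an ESXi host use live output; elsewhere fall back to the samples.
if command -v esxcli >/dev/null 2>&1; then
    eio_verdict "$(esxcli system settings kernel list -o execinstalledonly)" \
                "$(esxcli system settings encryption get)"
else
    eio_verdict "$SAMPLE_KERNEL" "$SAMPLE_ENC"
fi
```

A verdict of `reboot-pending` means the configured value differs from the runtime value, so the host has not yet been rebooted; `disabled` is the state in which the VUM upgrade can be retried.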