ESXi upgrade fails from 7.x to 8.x due to unsupported TPM version

Posted on by

I ran into an interesting issue today while helping a customer upgrade their ESXi farm to the latest 8.x version (8.0.3, 24674464).

One thing I had overlooked was the presence of a TPM (Trusted Platform Module) chip. The customer was using Update Manager baselines for the upgrade, and right after checking compliance against the image, I got a non-compliant status with the message:
“TPM 1.2 device detected. Support for TPM version 1.2 is discontinued. Installation may proceed, but may cause the system to behave unexpectedly.”

After a bit of digging, I came across this helpful VMware KB article:
ESXi upgrade fails from 7.x to 8.x due to unsupported TPM version

It turns out that starting with vSphere 8.x, TPM 1.2 is deprecated and no longer supported.

The KB suggests the most logical step:
Engage the hardware OEM to upgrade the TPM module on affected hosts to version 2.0 (or higher).

This makes sense – but I wanted to double-check whether TPM was actually enabled and in use on the host.

So I followed another KB:
Need to disable Trusted Platform Module (TPM) on a TPM enabled ESXi host

To list the current encryption settings on the ESXi host: 

 esxcli system settings encryption get
    Mode: TPM
    Require Executables Only From Installed VIBs: false
    Require Secure Boot: true

If Mode appears as TPM, then the TPM feature is enabled on the Host BIOS settings and TPM is enabled.

In my case, the TPM status showed Mode: NONE, which indicated that the feature wasn’t actually enabled. To be sure, I jumped into the BIOS settings to double-check the configuration there as well.

That’s when I noticed an option under System Settings > Security > Trusted Platform Module to upgrade the TPM to version 2.0. Before proceeding with that update, I first upgraded the BIOS firmware to the latest available version – just to make sure everything was fully compatible.

Although the KB also mentions that “Disabling the TPM is not going to help the upgrade if the ESXi host was installed while the TPM device was present and the feature was enabled in the BIOS, the ESXi host will install with TPM enabled”, I decided to proceed with updating the TPM chip to version 2.0 regardless of whether the feature was actively used or not.

Got back in BIOS and did the following:

The option to update to TPM 2.0 mentioned that physical presence confirmation was required, which made me dig further…

The TPM 1.2 settings indicated that Physical Presence was Not Asserted, which suggested that the system wasn’t authorized to make TPM changes at that point.

Went back into the XCC interface and enabled the Assert Physical Presence option.

The setting also changed in BIOS:

…so I proceeded with the TPM update:

After that, I rebooted the system as required.

After reboot, the TPM module showed as 2.0, and the physical presence setting went back to “not asserted.”

In vCenter, the compliance status changed to non-compliant and I remediated the host without any issues.

Leave a Reply

Your email address will not be published. Required fields are marked *