I made the mistake of enabling host encryption mode on a host in a cluster to try out windows 11. This triggered an alarm on every other host in the cluster. For some reason host encryption mode was also enabled automatically on one additional host in the cluster.
When I upgraded a third host in the cluster this resulted in host encryption mode being automatically enabled on this host as well. As I don't really need host encryption mode (I have removed the windows 11 vm), I thought I'd disable it. This proved to be quite tricky as it requires the host to be removed from the vcenter server, restarted and added back. As I am using a distributed virtual switch I first had to move an uplink to a standard switch, migrate all vmkernel interfaces to it and remove the host from the distributed switch.
I did all this on one of the three hosts with host encryption mode enabled. It worked. I added it back to the cluster and host encryption mode was promptly enabled automatically again. As it happens, this has to be done on all hosts with host encryption mode enabled at once. So I did. Luckily it was only enabled on three of the 16 hosts in the cluster. After I was done, host encryption mode was disabled on all of the hosts in the cluster.
Then I upgraded the rest of the hosts, resulting in host encryption mode being enabled on every single one of them.
There should be a warning about this when enabling host encryption mode. This seems to be a one way street with no documented way of getting out.