Vinny1988
Contributor

TPM install Pre ESXi 6.7

"Now Friends",

As an IT Pro, I have found 1 thing to be true 99.9% of the time, and that is: "you are rarely ever the first to encounter a given issue." I cannot find any evidence to make that statement true in this case... Maybe someone here is better at Google than I?

I have Dell PowerEdge R630 and R640 servers that I have purchased TPM chips for in preparation for the upgrade to ESXi 6.7. I am currently running 6.5 U2. I have read the documentation titled "Securing ESXi Hosts with Trusted Platform Module" and, under the requirements section, ESXi 6.7 is explicitly listed. The question, though, is: what will happen if a TPM chip is installed in an existing ESXi host? Will it no longer boot properly? Will vCSA recognize it as the Jones that it knows, or will it see the host as an all-new Jones? (That was a joke... See initial link if you are lost.)

I opened a case with Dell Support on this matter and I was told that they do not have documentation to reference for a scenario such as this. I have also opened a medium severity case with VMware GSS but I have not yet received a call back.

Bueller? Bueller? Bueller?

4 Replies
anvanster
Enthusiast

Well, the answer to your question is in the article you're referring to.

Note:

If you add a TPM 2.0 chip to an ESXi host that vCenter Server already manages, you must first disconnect the host, then reconnect it. See vCenter Server and Host Management documentation for information about disconnecting and reconnecting hosts.

Given this, in an ideal world the existing ESXi should boot normally if UEFI Secure Boot is enabled and the TPM is configured properly. There is also some troubleshooting at the end of the article, but it only refers to 4 known / most common issues.

ashishsingh1508
Enthusiast

The ESXi host should continue to run with previous config, until you disconnect and re-connect.

Ashish Singh VCP-6.5, VCP-NV 6, VCIX-6,VCIX-6.5, vCAP-DCV, vCAP-DCD
Vinny1988
Contributor

Anvanster,

The way I read the note you referenced is that it applies IF I have 6.7 installed and then add the TPM chip... Is that not how you read it?

Vinny1988
Contributor

Thank you.

While reviewing these 2 replies, I received a call back from VMware GSS, which pointed me to 2 blog posts where I found the answer I needed.

If you are running 6.5 on a server with TPM 2.0, you will not see the TPM 2.0 device because there's no support in 6.5 for TPM 2.0. New features in 6.7 do not use the TPM 1.2 device.

Quote from Article 1. Article 2.

TL;DR: Don't bother with installing the TPM chip until 6.7 is installed. Do so, however, before connecting the host to vCSA, and ensure that vCSA has already been upgraded to 6.7.

In our case, we are aware of a bug in 6.5 that we have been told will be fixed in the U3 release of 6.5 and/or 6.7. Due to this, we will be holding off on the TPM additions.

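The ordering the thread settles on (vCSA on 6.7 first, ESXi 6.7 on the host before the TPM goes in, and a disconnect/reconnect for a host vCenter already manages) can be enforced from PowerCLI. This is an added example, not code from the thread or from VMware; it assumes PowerCLI is installed, an existing Connect-VIServer session, and a hypothetical host name passed as $HostName.

```powershell
# Added example: gate the "add TPM 2.0, then (re)connect to vCSA" step on the versions
# discussed in the thread. Assumes an active Connect-VIServer session to the vCSA.
param(
    [Parameter(Mandatory)] [string] $HostName   # hypothetical ESXi host name
)

$required = [version]'6.7.0'

# vCSA version as reported by the active PowerCLI connection
$vc = $global:DefaultVIServer
$vcVersion = [version]$vc.Version
if ($vcVersion -lt $required) {
    throw "vCenter $($vc.Name) is $vcVersion; upgrade vCSA to 6.7 before connecting TPM-equipped hosts."
}

# ESXi version on the host: 6.5 does not expose a TPM 2.0 device at all
$vmHost = Get-VMHost -Name $HostName
$hostVersion = [version]$vmHost.Version
if ($hostVersion -lt $required) {
    throw "$HostName runs ESXi $hostVersion; install 6.7 before adding the TPM 2.0 chip."
}

# Documentation note quoted in the thread: a host that vCenter already manages must be
# disconnected and reconnected after the TPM 2.0 chip is added.
if ($vmHost.ConnectionState -eq 'Connected') {
    Set-VMHost -VMHost $vmHost -State Disconnected -Confirm:$false | Out-Null
    Set-VMHost -VMHost $vmHost -State Connected    -Confirm:$false | Out-Null
}

# Report the post-reconnect state for the change record
Get-VMHost -Name $HostName | Select-Object Name, Version, Build, ConnectionState
```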