How to fix TPM 2.0 device detected but a connection cannot be established on Dell EMC VxRail nodes
I just built a new environment and was greeted by this error. This fix will likely work on other Dell servers, and the settings may apply to other vendors.
At a high level, you need to set TPM2 Algorithm Selection to SHA256 in the BIOS. You MIGHT also have to turn on Intel TXT, and then enable Secure Boot. This SHOULD NOT impact the ESXi installation, but there is a chance it might: enabling Secure Boot on a machine with modified or unsigned files carries the risk of rendering the current ESXi installation unbootable.
So, here we go:
Place the host into Maintenance Mode (Ensure Accessibility should be fine, but if it’s a new deployment, I usually do Full Migration, which also tests my vSAN network), and then reboot.
Press F2 to enter the System Setup Menu, then select System BIOS
Scroll down and select System Security
Click “TPM Advanced Settings”
Set TPM2 Algorithm Selection to SHA256 and click Back
Set Intel TXT to On
Scroll down and enable Secure Boot (click OK at the pop up asking you to set a BIOS password)
Click Back to return to the main System BIOS, then click Finish and click Yes to save changes
Click Finish at the System Setup Menu, and confirm Yes that you want to exit and reboot.
On the next boot, you should see a message stating that Secure Boot has been modified; you don’t need to do anything.
Once it’s back in vCenter, you can go to the host and clear out the “Host TPM attestation alarm” alert by clicking Reset to Green, then exit Maintenance Mode.
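As an added example that is not part of the original post, the checks below can be run from the ESXi shell (SSH) before and after the BIOS change: they confirm a TPM is visible to ESXi and, to address the unsigned-files risk mentioned above, that every installed VIB is signed so the host will still boot once Secure Boot is turned on. It assumes ESXi 7.x/8.x, where `esxcli hardware trustedboot get` and VMware's `secureBoot.py` helper exist; when run elsewhere it falls back to constructed sample output.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes ESXi 7.x/8.x, where
# "esxcli hardware trustedboot get" and VMware's secureBoot.py helper exist.
SB_TOOL=/usr/lib/vmware/secureboot/bin/secureBoot.py

# Return 0 when captured "esxcli hardware trustedboot get" output shows a TPM.
tpm_present() {
  printf '%s\n' "$1" | grep -q 'Tpm Present: *true'
}

# Return 0 when "secureBoot.py -c" reports every installed VIB is signed, i.e.
# the host will still boot after Secure Boot is enabled in the BIOS; any
# unsigned VIB makes this return 1.
secure_boot_safe() {
  printf '%s\n' "$1" | grep -q 'Secure boot can be enabled'
}

# Print a one-line verdict; return 0 only when both checks pass.
preflight() {
  tb_out=$1; sb_out=$2
  if ! tpm_present "$tb_out"; then
    echo "No TPM visible to ESXi: check the TPM under System Security"; return 1
  fi
  if ! secure_boot_safe "$sb_out"; then
    echo "Unsigned VIBs present: do NOT enable Secure Boot yet"; return 1
  fi
  echo "TPM present and all VIBs signed: safe to enable Secure Boot"
}

# Constructed sample outputs, used when this is not run on an ESXi host.
SAMPLE_TB='   Drtm Enabled: false
   Tpm Present: true'
SAMPLE_SB_OK='Secure boot can be enabled: All vib signatures verified.'
SAMPLE_SB_BAD='Secure boot CANNOT be enabled: Failed to verify signatures of the following vib(s): [ example-vib ]'

if command -v esxcli >/dev/null 2>&1 && [ -x "$SB_TOOL" ]; then
  preflight "$(esxcli hardware trustedboot get)" "$("$SB_TOOL" -c 2>&1)"
  echo "Secure Boot currently: $("$SB_TOOL" -s)"   # prints Enabled or Disabled
else
  preflight "$SAMPLE_TB" "$SAMPLE_SB_OK"
  preflight "$SAMPLE_TB" "$SAMPLE_SB_BAD" || true
fi
```

Run it once before the reboot (to catch unsigned VIBs) and again afterwards, when `secureBoot.py -s` should report Enabled.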
Nicely done and thank you for this article – was good to see these clear information and screenshots to point me in the right direction.
I’ve just had a similar problem on a Dell PowerEdge R650…it’s late, I’m tired and just found your brilliantly documented article and now I can sleep knowing that ESXi will no longer be moaning ;-)
Thanks a billion for spending your time to put this together <3
Thank you for this tremendously well documented process!
This is going straight into Evernote!
This has worked under the following setup:
Custom Dell ESXi 6.7.0 U3, don’t recall the 2022 patch
Dell EMC PowerEdge R440
BIOS Version: 2.13.3
After getting a Host TPM attestation alarm, I could proceed as usual. Thank you for your help.
Hey, just wanted to add that one must disconnect/re-connect the host(s) in vCenter, if they were already connected, or this may not withstand rebooting due to the old keys remaining in [vCenter’s] DB cache.
Thank you for this, man. Saved me a lot of trouble!
ESXi 7.0.3, 20036589 (aka. 7.0U3f)
This is the only article I found that fixed this for me. Thank you!
We had this error on our Dell PowerEdge R640s (not using VxRail) – we had installed Windows Server 2019 on them to use Hyper-V and S2D previously, but now are switching to VMware/ESXi. Secure Boot had already been turned on in our case but yes, SHA1 was set, and TXT was off. Following your instructions to change that to SHA256 and TXT=on, we also lost the “connection cannot be established” flag on the new host, and merely needed to “reset to green” on the Host TPM attestation alarm.
I have several more former Hyper-V hosts to migrate to VMware; this time I’ll try setting these BIOS settings ahead of time before adding them to vSphere and see if we avoid this issue entirely. Thanks!
Thank you very much for the explanation. It worked.
Great writeup. Solution works perfectly on an R740 with ESXi 7.0.3
Worked great. Thanks for the article.
Thank you for making this nice and simple!
Thanks for this write up, great to see other people doing Dell and VMware’s job for them :)
We are using Dell PowerEdge R6515 with AMD EPYC processors, not in VxRail.
All the UEFI, Secure boot and SHA256 settings are the same as explained except obviously Intel TXT is not there.
As mentioned in a comment below, we had to remove and re-add the hosts to the vSAN cluster so keys are re-written.
All good, no more alerts and our PenTesters will be happy now :D
Amazing brother, thank you!
Worked with Dell PowerEdge T350, ESXi 7U3.
Worked like a charm on MX750C blade (MX7000 Chassis).
Thanks a Bunch
I thank you for this crystal clear walkthrough.
It worked perfectly on a brand new PowerEdge R550 with VMware 8.0.0 (customized Dell image)
And thank you for spending your time to help the community.
Worked on ESXi 8.0, R750xs
Didn’t see “Host TPM attestation alarm”
Thanks so much for this! This worked perfectly for our new MX750c’s.