I just built a new environment and was greeted by this error. This fix will likely work on other Dell servers, and the settings may apply to other vendors.

At a high level, you need to set TPM2 Algorithm Selection to SHA256 in the BIOS. You MIGHT have to turn on Intel TXT, and then enable Secure Boot. This SHOULD NOT impact the ESXi installation, but there is a chance it might. Enabling Secure Boot on a machine with modified or unsigned files carries the risk of rendering your machine unbootable with the current ESXi installation.
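That risk can be checked from the ESXi shell before touching the BIOS. The script below is an added example, not part of the original post: it assumes the Secure Boot validation script that VMware ships at `/usr/lib/vmware/secureboot/bin/secureBoot.py` and the `Key: value` layout of `esxcli hardware trustedboot get`; the function names and the sample text in the last branch are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check before enabling Secure Boot on an ESXi host (added example).
# Assumption: the validation script reports either "Secure boot can be enabled"
# or "Secure boot CANNOT be enabled".
CHECKER=/usr/lib/vmware/secureboot/bin/secureBoot.py

# Return 0 only if the checker output ($1) says Secure Boot can be enabled.
secureboot_ready() {
    case "$1" in
        *"Secure boot can be enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of a "Key: value" line ($1 = command output, $2 = key).
field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# $1 = checker output, $2 = output of `esxcli hardware trustedboot get`.
# Returns 0 = go ahead, 1 = TPM not visible to ESXi, 2 = do not enable Secure Boot.
preflight() {
    tpm=$(field "$2" "Tpm Present")
    drtm=$(field "$2" "Drtm Enabled")
    if ! secureboot_ready "$1"; then
        echo "BLOCK: unsigned or modified files found; do not enable Secure Boot yet"
        return 2
    fi
    if [ "$tpm" != "true" ]; then
        echo "WARN: ESXi does not see a TPM; attestation will still fail"
        return 1
    fi
    echo "OK: Secure Boot can be enabled (TXT/DRTM currently: ${drtm:-unknown})"
    return 0
}

if [ -x "$CHECKER" ]; then
    # On a real host: run the actual checks.
    preflight "$("$CHECKER" -c 2>&1)" "$(esxcli hardware trustedboot get 2>&1)"
else
    # Not on ESXi: show the blocking case using constructed sample output.
    preflight "Secure boot CANNOT be enabled: (constructed sample)" \
              "   Tpm Present: true" || true
fi
```

A BLOCK result means the reported VIBs need to be replaced or removed before Secure Boot is turned on in the steps that follow.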

So, here we go:

Place the host into Maintenance Mode (Ensure Accessibility should be fine, but if it’s a new deployment, I usually do Full Migration, which also tests my vSAN network), and then reboot.

Press F2 to enter the System Setup menu, then select System BIOS

Scroll down and select System Security

Click “TPM Advanced Settings”

Set TPM2 Algorithm Selection to SHA256 and click Back

Set Intel TXT to On

Scroll down and enable Secure Boot (click OK at the pop up asking you to set a BIOS password)

Click Back to return to the main System BIOS, then click Finish and click Yes to save changes

Click Finish at the System Setup Menu, and confirm Yes that you want to exit & reboot.

On the next boot, you should see a message stating Secure Boot has been modified; you don’t need to do anything

Once it’s back in vCenter, you can go to the host and clear out the “Host TPM attestation alarm” alert by clicking Reset to Green, then exit Maintenance Mode.