1 Rookie

15 Posts

April 24th, 2023 18:00

Dell PowerEdge T150 - ESXI 8 maybe has a problem with TPM

Hi, I'm new here. It's nice to meet you all.

I have VMware ESXI 8 installed on my Dell PowerEdge T150, and in ESXI it says "TPM 2.0 device detected but a connection cannot be established", like it says in the attached image.

ESXI.png

How do I fix this? Do I need to do anything in the BIOS? I'm attaching a picture of what my BIOS looks like.

BIOS.png

I just got this PowerEdge T150 and might have selected for the latest TPM to be installed when I ordered it.

Please help me. I don't know what to do. I also don't want to run into any problems if I try to install Windows 11 on ESXI, so if there are any options in BIOS I need to change for that too, please tell me. Thank you.

Moderator

5.3K Posts

April 24th, 2023 23:00

Hello, this might be helpful: https://dell.to/3Nfd1oC

4 Operator

2.3K Posts

April 24th, 2023 23:00

Click on "TPM Adv. Settings" and enable SHA256 (the Dell default is SHA1, at least on non-vSAN Ready Nodes). If you look into the ESXi logs you will find the hint about that.

The physical TPM has nothing (or little) to do with the support of Windows 11 VMs. For that you need vCenter >= 7.0.x, where VMware has added support for an internal KMIP server which then allows you to add a vTPM to the VM settings. The VMware Native Key Provider of that KMIP can be based on the pTPM, but that's not a requirement.

A stand-alone ESX 7 does not support a vTPM... not sure about ESX 8. VMware Workstation added it some time ago. In vSphere 7 you always need a vCenter (VCSA) to achieve that!

Regards,
Joerg

1 Rookie

15 Posts

April 25th, 2023 04:00

Here's what the BIOS looked like above and below the image above.

Above.png

Below.png

And here's what it looked like when I clicked on "TPM Advanced Settings".

TPM Advanced Settings.png

I selected SHA256 like you said and saved BIOS and I'm now in ESXI again and ESXI is not giving the message again that "TPM 2.0 device detected but a connection cannot be established".

So the problem seems to have been fixed. But when you look at the pictures I've included here do you think there's anything else I need to do? Do I need to enable secure boot at the BIOS by any chance? Or do anything else?

And for Windows 11 I just need to install vCenter 8 and Windows 11 should work fine?

Thank you so much for telling me what to do.

1 Rookie

15 Posts

April 25th, 2023 04:00

What is this for? I don't think I understand this. I bought the server with ESXI 8 installed with the highest TPM so I was expecting for everything to work fine.

4 Operator

2.3K Posts

April 25th, 2023 06:00

The last 3 screenshots are not visible yet... so I am just guessing.

With "Sha256" you have met one of the ESXi requirements for using the SecureBoot feature. To enable it you need to go back to the "System Security" entry page, and there is an option for enabling "SecureBoot" at the very bottom. If you enable it:

  • Recent vSphere ESXi will detect it and try to boot with SecureBoot. If you follow the messages on the screen when ESXi is booting you can see it (when you know what it looks like ;))
  • There is an ESXi Adv. Option to force the use of SecureBoot from the ESXi OS perspective. I am pretty sure that somewhere in the GUI there is info on whether ESXi boots with SecureBoot or not

The Win11 is a completely different story and has nothing to do with the physical TPM of your T150 server or whether you have enabled SecureBoot for the ESXi OS or not.

A needed vTPM for a VM is based on a KMIP Provider you have to add to your environment through vCenter. Speaking of vSphere >= 7.0.2, VMware added a native one to vCenter and the external one isn't needed any more.

  • An ESXi 7.x can't run a Windows 11 VM with a vTPM without vCenter
  • I am not sure about ESXi 8 but I think it's the same

So for Win11 VMs on vSphere you need a vCenter Server.

The vTPM you need to discuss in VMTN and not here in the Dell forum.

vSphere 8 docs:
https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-1C3B2BAC-A2D1-4F15-86AF-1E7DE9F850D8.html

Regards,
Joerg

4 Operator

2.3K Posts

April 25th, 2023 09:00

DUDE!!!! Again, and again..... 2 different things

1. The proper configuration of the TPM of your server must be finished BEFORE the host joins the vCenter. vCenter has its own section about host security

Origin3k_0-1682440414381.png

  • If you later change something it will raise an Error
  • Solving this issue requires that the host leaves the vCenter and joins again after fixing the setup

So...

  1. Check if Sha256 is set
  2. Enable Secureboot
  3. Remove Host from vCenter and Join again.

If you grep through hostd.log or message for "tpm" you will see TPM related problems when ESXi boots.

For setting up a Win11 VM you need to setup the KMIP Native Provider first.

Origin3k_1-1682440744758.png

Think twice when adding the native provider about ticking the checkbox in the bottom left! If yes, then the host needs to provide a proper TPM. So to make life easier..... uncheck the box (which is the default). After the Key Provider is backed up and ready you can go and create a Win11 VM by adding the vTPM device. Then you can install Win11.
Again.. it has nothing to do with whether your host has a TPM or not... as long as you don't tick the checkbox when creating the Key Provider. One note: VMs with a vTPM can't be exported as OVF/OVA any more.

Regards,
Joerg

1 Rookie

15 Posts

April 25th, 2023 09:00

I've added vCenter and added the same host vCenter is installed on to a data center in vCenter, since I only have one Dell server right now. But it says "Host TPM attestation alarm" like it shows in my attached picture, and I can't successfully install a Windows 11 VM. It's kind of strange that you can't see my attached picture, I can see them okay on my end on here.

vCenter problem.png

Do I need to enable secure boot on the Dell BIOS? Or change anything else? Thank you.

1 Rookie

15 Posts

April 29th, 2023 21:00

I got Windows 11 to install as VM on ESXI. I think I didn't look at the system requirements earlier and increased the storage size and number of cores and RAM size and it seems to have worked.

The most important part was SHA256. I wouldn't have known to enable it unless you told me like you did. Thanks so much for guiding me through this.

4 Operator

2.3K Posts

May 1st, 2023 00:00

You are welcome.

Regards,
Joerg
