Dell NativeEdge: Endpoint Server Firmware Upgrade issue with NativeEdge Operating Environment 3.1
Summary: Attempting a NativeEdge Endpoint 3.1 Server Firmware upgrade after upgrading the NativeEdge Endpoint Operating Environment (NEOE) to 3.1 can result in a Trusted Platform Module (TPM) resealing error. ...
Symptoms
A NativeEdge Endpoint 3.1 Server firmware upgrade after upgrading the NEOE to 3.1 can fail with a TPM resealing error.
The Endpoint that attempted the firmware upgrade remains disconnected from the NativeEdge Orchestrator (NEO).
Virtual Machines (VMs) or Deployments remain offline while the Endpoint remains in this state.
If the upgrade is attempted on a NativeEdge Server Endpoint, the error "Reseal the keys from predicted PolicyOR to Normal PCR7" is seen on the Endpoint console.
Cause
Due to an error in the resealing logic, the firmware will upgrade but the Endpoint remains disconnected.
Resolution
Fix:
NativeEdge Engineering has created a dedicated EdgeOS hotfix to address this issue (3.1 Hotfix 2).
This is an EdgeOS bundle that must be applied on the Endpoint before attempting the 3.1 Firmware Upgrade.
Workaround:
Currently, the only method available to recover a system that has encountered this issue is to initiate a Factory Reset via USB.
Additional Information
Platform Configuration Register 7 (PCR7) is a TPM register that stores measurements (hashes) of the software and firmware state recorded during the boot process. These measurements are used to verify the integrity of the firmware in use on a NativeEdge Server Endpoint.
The TPM can lock (or "seal") keys so that they are only accessible if the system's Secure Boot settings are exactly the same as when the keys were sealed.
This means that the keys are protected and cannot be used if someone changes the boot process or tampers with the system.
During a firmware upgrade, changes are made to information within the BIOS and other firmware packages; because this alters the measured boot state, the system must reseal the keys.
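The following Python model is an added illustration of the sealing mechanism described above; it is not Dell or NativeEdge code and makes no claim about how EdgeOS implements resealing. It uses a toy in-memory "TPM" with placeholder keys and constructed boot measurements to show three things: how a PCR is extended, why a key sealed to the pre-upgrade PCR7 value cannot be unsealed once firmware changes the measured state, and the reseal-before-upgrade pattern the error message alludes to (seal to a PolicyOR of the current and the predicted PCR7, then return to a plain PCR7 policy after a successful upgrade). The policy digests, the XOR-based sealed blob and the storage root key are simplifications, not the TPM 2.0 wire format.

```python
"""Toy model of TPM PCR7 sealing and resealing (added example, not Dell code)."""
import hashlib
import hmac

# Constructed placeholder values; a real TPM never exposes its storage root key.
SRK = b"constructed-storage-root-key-placeholder"
SECRET = hashlib.sha256(b"constructed disk encryption key").digest()  # 32 bytes

# Constructed Secure Boot measurements, in the order they would be extended into PCR7.
PRE_UPGRADE_EVENTS = [b"SecureBoot=1", b"PK:sample-platform-key",
                      b"db:sample-signing-ca", b"authority:sample-shim-cert"]
# The firmware upgrade ships an updated db entry, so the measured state differs.
POST_UPGRADE_EVENTS = [b"SecureBoot=1", b"PK:sample-platform-key",
                       b"db:sample-signing-ca-2024", b"authority:sample-shim-cert"]


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 extend: PCR_new = H(PCR_old || H(event)). Order matters, values cannot be rolled back."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def compute_pcr7(events) -> bytes:
    """Replay a list of boot events from the all-zero reset value to the final PCR7."""
    pcr = bytes(32)
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr


def policy_pcr(pcr_value: bytes) -> bytes:
    """Toy PolicyPCR digest: binds an authorisation policy to one exact PCR7 value."""
    return hashlib.sha256(b"PolicyPCR" + pcr_value).digest()


def policy_or(*branches: bytes) -> bytes:
    """Toy PolicyOR digest: satisfied if any branch policy was satisfied (order-insensitive here)."""
    return hashlib.sha256(b"PolicyOR" + b"".join(sorted(branches))).digest()


def policy_session(current_pcr7: bytes, or_branches=()) -> bytes:
    """Simulate running a policy session against the live PCR7 value."""
    digest = policy_pcr(current_pcr7)
    if or_branches:
        if digest not in or_branches:
            raise PermissionError("PolicyOR: no branch matches the current PCR7")
        digest = policy_or(*or_branches)
    return digest


def seal(secret: bytes, policy_digest: bytes, srk: bytes) -> dict:
    """Bind a 32-byte secret to a policy; only a session yielding that digest can release it."""
    key = hmac.new(srk, policy_digest, hashlib.sha256).digest()
    return {"ct": bytes(a ^ b for a, b in zip(secret, key)), "policy": policy_digest}


def unseal(blob: dict, satisfied_policy: bytes, srk: bytes) -> bytes:
    """Release the secret only when the session's policy digest equals the blob's authPolicy."""
    if not hmac.compare_digest(blob["policy"], satisfied_policy):
        raise PermissionError("policy check failed: PCR state does not match the sealed policy")
    key = hmac.new(srk, satisfied_policy, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], key))


def scenario_no_reseal() -> bool:
    """Seal to the pre-upgrade PCR7 only, then upgrade: returns whether unseal still succeeds."""
    blob = seal(SECRET, policy_pcr(compute_pcr7(PRE_UPGRADE_EVENTS)), SRK)
    try:
        unseal(blob, policy_session(compute_pcr7(POST_UPGRADE_EVENTS)), SRK)
        return True
    except PermissionError:
        return False  # the keys stay locked: the system cannot come back up cleanly


def scenario_predicted_reseal() -> bool:
    """Reseal to PolicyOR(current, predicted) before upgrading, then back to a normal PCR7 policy."""
    branches = (policy_pcr(compute_pcr7(PRE_UPGRADE_EVENTS)),
                policy_pcr(compute_pcr7(POST_UPGRADE_EVENTS)))   # predicted post-upgrade value
    blob = seal(SECRET, policy_or(*branches), SRK)
    before = unseal(blob, policy_session(compute_pcr7(PRE_UPGRADE_EVENTS), branches), SRK)
    after = unseal(blob, policy_session(compute_pcr7(POST_UPGRADE_EVENTS), branches), SRK)
    # Upgrade confirmed: drop the PolicyOR and reseal to the new PCR7 alone.
    final = seal(SECRET, policy_pcr(compute_pcr7(POST_UPGRADE_EVENTS)), SRK)
    restored = unseal(final, policy_session(compute_pcr7(POST_UPGRADE_EVENTS)), SRK)
    return before == SECRET and after == SECRET and restored == SECRET


if __name__ == "__main__":
    print("unseal after upgrade without reseal:", scenario_no_reseal())
    print("predicted reseal then normal PCR7:", scenario_predicted_reseal())
```

The second scenario is the step that has to succeed before the firmware is flashed: if the predicted value is wrong, or the reseal step itself fails, the system ends up in the first scenario, which is why the hotfix must be applied before the upgrade rather than after.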
Important:
Once the firmware upgrade completes successfully, it disconnects the iDRAC for 24 hours. This is expected, as the firmware contains an updated NativeEdge Identity Module (IDM).
No further action is required, and the iDRAC access will restore after the 24-hour time period elapses.