VxRail: Hosts Show Alert in vCenter Stating: TPM 2.0 Device Detected But a Connection Cannot Be Established (Customer Correctable)

ESXi hosts in the cluster have an alert which states: TPM 2.0 device detected but a connection cannot be established.

 

The ESXi host's BIOS must be configured to use the SHA256 hashing algorithm in order to support TPM. The alert can result from the advanced BIOS settings of the ESXi host not being set to the default of SHA1 or other BIOS settings. 

 

***Check that these BIOS changes outlined in this article are appropriate for your specific environment***.

The steps below are to be performed on each affected node, one at a time. Before placing nodes into Maintenance Mode, ensure that the cluster is healthy. Ensure that there is not an active vSan resynchronization, and that there are adequate resources available for virtual machine (VM) Migration. Ensure that enough free VSAN space is available for fault tolerance.

1. Place the host into Maintenance Mode in vCenter using 'Ensure Accessibility'.
2. Use IDRAC or BMC to open a console to the host. Reboot the host and enter BIOS settings, when available, by pressing F2 for System Setup > System BIOS. 
3. Go to the boot settings and take the screenshot for the UEFI Boot Sequence.
4. Reset BIOS settings to default by clicking the "Default" button. (Note: Resetting the BIOS setting to default may change the BIOS boot order.)

 
 
5. Enter System Security.
   a. 'TPM Security' should be 'On'.
   b. 'TxT' should be 'On'.

 
 

If there is only the Off option at Intel TXT field, set Secure boot enabled using KB#000158364  and set SHA-256 (Step 6 of this KB) first, then turn Intel(R) TXT on.
Article 000158364 requires other changes, log a service request with Dell Technologies.

 

6. Enter 'TPM Advanced Settings'.
   a. TPM PPI settings should be 'Disable'.
   b. 'TPM2 Algorithm Selection' should be 'SHA256'.
 
7. Verify that Secure Boot is set to "Enabled."
 
8. Verify that BIOS settings are correct. 
9. Go to the Boot settings -->UEFI Boot Sequence and change the boot order again as per your taken screenshot. (Generally AHCI controller in…: ESXi operating system is the first boot)
10. Exit the BIOS settings, which will reboot the node. Wait for the node to boot completely.
11. In vCenter, if the host shows disconnected, right-click the host icon, select 'Connection' and reconnect the host before exiting Maintenance Mode.
12. Clear any alerts, retest, check once again for overall cluster health, VSAN resynchronization, sufficient resources available, and go to the next host. 

If it is not possible to change the TPM algorithm to SHA256, try it with Intel(R) TXT disabled.
If there is still an alarm even after reboot, disconnect and then reconnect the host from vCenter.