VxRail: 14G Nodes Disable an Active TPM 1.2 Module Permanently or Upgrade to a TPM 2.0 Module by Temporarily Disabling the TPM 1.2
Summary: This article describes two methods of handling nodes with active TPM 1.2 modules that you are planning to upgrade to ESXi 8.0 and later. No reimaging is required with these steps. You can disable the active TPM 1.2 module permanently or upgrade the active TPM 1.2 module to a TPM 2.0 module by temporarily disabling the TPM 1.2 module before the upgrade. ...
Symptoms
This article describes two methods of handling nodes with TPM 1.2 modules:
- Disabling an active TPM 1.2 module permanently before the upgrade
- Upgrade from an active TPM 1.2 module to a TPM 2.0 module by temporarily disabling the TPM 1.2 module before the upgrade
Cause
Article 204703 is the preferred method for dealing with "Dell VxRail: Clusters with 14G nodes that have an active TPM 1.2 module either fail the VxRail 8.0.x LCM precheck with an error message or a warning message."
Resolution
Prerequisites:
- Follow article 204006, "Dell VxRail: How to gather the recovery keys for TPM security enabled VxRail nodes," to capture the recovery keys from all the nodes.
  The recovery keys are needed if there is an incident during TPM upgrade that necessitates a replacement of the motherboard, such as snapped plastics, slot damage during removal, ESD damage, and so forth.
- Verify that the vSAN cluster is in a healthy state.
  Log in to your vCenter and go to VxRail Cluster > Monitor > vSAN > Skyline Health and ensure the vSAN is healthy. If there are any errors or warnings, resolve them before continuing. The only exception to this is if you are using a system that is not connected to the Internet and the errors are related to Internet access.
- Disable any VMware vSphere services that you have that are using the TPM 1.2 module.
- The TPM 1.2 modules in the current nodes must be functioning (no hardware errors).
- OPTIONAL: If you plan on upgrading the TPM 1.2 module with a TPM 2.0 module, you must procure (contact Dell Sales) a TPM 2.0 module for every node you want to upgrade.
Resolution Steps:
Estimated Time:
- Disable TPM Module: 20 minutes per node (the node reboot time and how long a node takes to go into maintenance mode affects the time).
- Powering off and replacing the TPM Module (optional): 15 minutes per node
The recommendation is to do this procedure one node at a time. If this is a large cluster with an N+2 or greater number of nodes, it may be possible to do more than one node at a time. Care should be taken to understand the impact to workloads and data availability before considering that approach.
- Go to your vCenter Web Client and log in with an administrative account.
- Go to the main menu and select Inventory.
- Expand the VxRail cluster.
- Right-click your node and select Maintenance Mode > Enter Maintenance Mode.
- Ensure Move powered-off and suspended virtual machine to other hosts in the cluster is checked and that Ensure accessibility is selected next to vSAN data migration.

- Click OK and wait until the node enters maintenance mode before moving onto the next step. You can monitor the progress in the Recent Tasks pane.
- Set the TPM Security property to Off through iDRAC or BIOS of the node.
  - iDRAC instructions:
    - Log in to the iDRAC of the node.
    - Go to Configuration > BIOS Settings > System Security.
    - Set TPM Security to Off.
    - Click Apply.
    - Click Apply And Reboot.
    - Go to Maintenance > Job Queue.
    - Monitor the job queue and wait for the tasks to finish successfully.
  - BIOS instructions:
    - Log in to the iDRAC of the node.
    - Under Virtual Console, go to Start the Virtual Console and wait for it to open.
    - You see the ESXi direct console interface. Press F12 on the keyboard and enter your root password when prompted.
    - Press F11 to restart the server.
    - While the server is booting, press F2 to enter System Setup.
    - On the System Setup Main Menu screen, click System BIOS > System Security Settings.
    - Next to the TPM Security option, select Off.
    - Save the setting.
    - Restart your system and wait for ESXi to boot.
- Get your node's Managed Object ID (MOID).
  - Go to https://<vcenter_ip>/mob to open your VMware vCenter’s Managed Object Browser (MOB).
  - When prompted for a username and password, enter the same credentials you would use to access your vCenter Web Client. Ensure that this account has administrator access.
  - Select the active link in the value column for each of the following items: Content > rootFolder > childEntity > hostFolder > childEntity
  - This page displays a host value. The Managed Object ID (MOID) for each host displays next to host. In the example below they are highlighted in yellow.

- Browse to https://<vcenter_ip>/mob/?moid=<Node_MOID>&doPath=capability
- Check the tpmVersion. If the procedure worked correctly, the value should be Unset.

- OPTIONAL: Power off the node and follow this procedure from the Dell PowerEdge R640 Installation and Service Manual to upgrade the TPM 1.2 module to the TPM 2.0 module.
- If the node is powered off, power it on and wait for ESXi to boot.
- Browse to your vCenter Web Client and log in with an administrative account.
- Go to the main menu and select Inventory.
- Expand the VxRail cluster.
- Right-click your node and select Maintenance Mode > Exit Maintenance Mode. Wait for the host to exit maintenance mode.
- From the vSphere Web Client, go to VxRail Cluster > Monitor > vSAN > Skyline Health and ensure the vSAN is healthy. If there are any errors or warnings, resolve them before continuing. As mentioned earlier, the only exception to this would be if you are using a system that is not connected to the Internet and the errors are related to Internet access. All other errors and warnings should be actioned.
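
The tpmVersion check from the MOB step can be run across every node at once instead of browsing each MOID by hand. The following is an added example, not Dell or VMware code: it classifies each host's `capability.tpmVersion` and flags when more than one node is in maintenance mode. The function names, result labels, and sample hosts are assumptions made for illustration; `collect()` needs pyVmomi and a reachable vCenter.

```python
# Added example (not Dell or VMware code). Only collect() needs pyVmomi.

def classify(tpm_version):
    """Map a HostCapability.tpmVersion value to the outcome this article expects."""
    # Assumption: a property the MOB displays as "Unset" arrives as None via pyVmomi.
    if tpm_version in (None, "", "Unset"):
        return "disabled"        # expected result after TPM Security is set to Off
    if str(tpm_version).startswith("1.2"):
        return "tpm12-active"    # the change has not taken effect on this node
    return "review"              # any other value: inspect the node manually


def report(hosts):
    """hosts: list of dicts with name, moid, tpm_version, maintenance."""
    rows = [(h["name"], h["moid"], classify(h["tpm_version"])) for h in hosts]
    in_maintenance = [h["name"] for h in hosts if h["maintenance"]]
    return {
        "rows": rows,
        "pending": [name for name, _, state in rows if state == "tpm12-active"],
        # The article recommends working on one node at a time.
        "too_many_in_maintenance": len(in_maintenance) > 1,
    }


def collect(vcenter, user, password):
    """Read the same fields from a live vCenter (needs network and pyVmomi)."""
    from pyVim.connect import SmartConnect, Disconnect
    from pyVmomi import vim
    si = SmartConnect(host=vcenter, user=user, pwd=password)
    try:
        content = si.RetrieveContent()
        view = content.viewManager.CreateContainerView(
            content.rootFolder, [vim.HostSystem], True)
        return [{"name": h.name, "moid": h._moId,
                 "tpm_version": getattr(h.capability, "tpmVersion", None),
                 "maintenance": h.runtime.inMaintenanceMode}
                for h in view.view]
    finally:
        Disconnect(si)


# Constructed sample data: host names and MOIDs are made up.
SAMPLE = [
    {"name": "node-01", "moid": "host-1001", "tpm_version": None, "maintenance": True},
    {"name": "node-02", "moid": "host-1002", "tpm_version": "1.2", "maintenance": False},
    {"name": "node-03", "moid": "host-1003", "tpm_version": "2.0", "maintenance": False},
]

if __name__ == "__main__":
    for name, moid, state in report(SAMPLE)["rows"]:
        print(f"{name} ({moid}): {state}")
```

Against a live cluster, pass the output of `collect()` to `report()`; an empty `pending` list means no node still reports an active TPM 1.2.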