One of the new feature of VMware vSphere 6.7 is the full support for Trusted Platform Module (TPM) 2.0 devices both at host and VM level.

But when you are using a TPM 2.0 device on an ESXi host, the host might fail to pass the attestation phase.

In this case, on your host, you will notice a critical error like this:

The vSphere Client does not provide any other information, neither at task or event level. To troubleshoot the potential causes of this problem you can use this VMware documentation.


In most cases Host secure boot was disabled, you must re-enable Secure Boot to resolve the problem. So you need reboot your server and reconfigure it.

Use IDRAC (or the physical console) to open a console to the host. Reboot the host and enter BIOS settings, when available, by hitting F2. Note that you can also select the next boot option directly from the iDRAC console.

Then choose Configuration >  BIOS Settings > System Security

TPM Security should be On,

Intel(R) TXT should be Off,

Secure Boot should be Enabled

TPM Advanced Settings:

TPM2 Algorithm Selection : SHA256.

For more information see also: Configuring TPM 2.0 on a 6.7 ESXi host.