If a TPM fails, or if you clear a TPM, you must recover the secure ESXi configuration. Until you recover the configuration, the ESXi host cannot boot.
Recovery is required in either of these situations:
- You cleared the TPM (that is, the seeds in the TPM were reset).
- The TPM failed.
To troubleshoot other secure ESXi configuration problems, see the VMware knowledge base article at https://kb.vmware.com/kb/81446.
Perform the recovery manually. Do not perform the recovery as part of an installation or upgrade script.
- (Optional) If the TPM failed, move the disk that contains the boot bank to another host with a TPM.
- Start the ESXi host.
- When the ESXi installer window appears, press Shift+O to edit boot options.
- At the command prompt, enter the boot option to recover the configuration.
  encryptionRecoveryKey=recovery_key
  The secure ESXi configuration is recovered and the ESXi host boots.
- To persist the change, enter the following command:
What to do next
When you enter the recovery key, it is temporarily displayed in an untrusted environment and remains in memory. Although it is not required, as a best practice you can remove residual traces of the key from memory by rebooting the host. Alternatively, you can rotate the key. See Rotate the Secure ESXi Configuration Recovery Key.