You can enable UEFI secure boot enforcement, or disable enforcement that was previously enabled. You must use ESXCLI to change the setting in the TPM on the ESXi host.

This task applies only to ESXi hosts that have a TPM. UEFI secure boot is a firmware setting for ensuring that the software launched by the firmware is trusted. To learn more, see UEFI Secure Boot for ESXi Hosts. By using the TPM, you can enforce that UEFI secure boot is enabled on every boot.

Prerequisites

  • Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
  • Required privilege for using ESXCLI standalone version or through PowerCLI: Host.Config.Settings

Procedure

  1. List the current settings on the ESXi host.
    esxcli system settings encryption get
       Mode: TPM
       Require Executables Only From Installed VIBs: false
       Require Secure Boot: true
    If secure boot enforcement is enabled, Require Secure Boot displays true. If secure boot enforcement is disabled, Require Secure Boot displays false.
    If Mode appears as NONE, you must enable the TPM in the host's firmware and set the mode by running the following command:
    esxcli system settings encryption set --mode=TPM
  2. Enable or disable the secure boot enforcement.
    Option Description
    Enable
    1. Shut down the host gracefully.

      For example, right-click the ESXi host in the vSphere Client and select Power > Shut Down.

    2. Enable secure boot in the firmware of the host.

      See your specific vendor hardware documentation.

    3. Restart the host.
    4. Run the following ESXCLI command.
      esxcli system settings encryption set --require-secure-boot=T
    5. Verify the change.
      esxcli system settings encryption get
         Mode: TPM
         Require Executables Only From Installed VIBs: false
         Require Secure Boot: true

      Confirm that Require Secure Boot displays true.

    6. To save the setting, run the following command.
      /bin/backup.sh 0
    Disable
    1. Run the following ESXCLI command.
      esxcli system settings encryption set --require-secure-boot=F
    2. Verify the change.
      esxcli system settings encryption get
         Mode: TPM
         Require Executables Only From Installed VIBs: false
         Require Secure Boot: false

      Confirm that Require Secure Boot displays false.

    3. To save the setting, run the following command.
      /bin/backup.sh 0

      You can now choose to disable secure boot in the firmware of the host. With enforcement disabled, the dependency between the firmware setting and the TPM enforcement is no longer set.

Results

The ESXi host runs with secure boot enforcement enabled or disabled, depending on your choice.
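
To check the resulting state on many hosts, the output of esxcli system settings encryption get can be parsed and classified. The following script is an added example, not VMware code: the function names and return codes are hypothetical, and the sample input is the output shown in step 1.

```shell
#!/bin/sh
# Added example (not VMware code). Function names and return codes are hypothetical;
# field names are the ones printed by `esxcli system settings encryption get` above.

# get_field NAME: print the value of the "NAME: value" line read from stdin.
get_field() {
    awk -F': *' -v key="$1" '
        { sub(/^[ \t]+/, "", $1) }    # drop leading indentation
        $1 == key { sub(/[ \t\r]+$/, "", $2); print $2; exit }'
}

# audit_encryption: read the `get` output on stdin and classify it.
#   0 = Mode TPM and Require Secure Boot true
#   1 = Mode TPM but Require Secure Boot false
#   2 = Mode is not TPM (for example NONE)
#   3 = output not recognised
audit_encryption() {
    out=$(cat)
    mode=$(printf '%s\n' "$out" | get_field 'Mode')
    sb=$(printf '%s\n' "$out" | get_field 'Require Secure Boot')
    if [ -z "$mode" ]; then
        echo "UNKNOWN: no Mode field in output"; return 3
    fi
    if [ "$mode" != "TPM" ]; then
        echo "FAIL: Mode is $mode, set --mode=TPM before enforcing secure boot"; return 2
    fi
    case "$sb" in
        true)  echo "OK: secure boot enforcement is enabled"; return 0 ;;
        false) echo "WARN: secure boot enforcement is disabled"; return 1 ;;
        *)     echo "UNKNOWN: Require Secure Boot is '$sb'"; return 3 ;;
    esac
}

# Sample output copied from step 1; on a host, run instead:
#   esxcli system settings encryption get | audit_encryption
SAMPLE='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'
printf '%s\n' "$SAMPLE" | audit_encryption
```
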
Note:
If you do not activate a TPM when you install or upgrade to vSphere 7.0 Update 2 or later, you can do so later with the following command.
esxcli system settings encryption set --mode=TPM
Once you have activated the TPM, you cannot undo the setting.

The esxcli system settings encryption set command fails on some TPMs even when the TPM is enabled for the host:

  • In vSphere 7.0 Update 2: TPMs from NationZ (NTZ), Infineon Technologies (IFX), and certain new models (like NPCT75x) from Nuvoton Technologies Corporation (NTC)
  • In vSphere 7.0 Update 3: TPMs from NationZ (NTZ)

If an installation or upgrade of vSphere 7.0 Update 2 or later is unable to use the TPM during the first boot, the installation or upgrade continues, and the mode defaults to NONE (that is, --mode=NONE). The resulting behavior is as though the TPM is not activated.