You can troubleshoot and recover from boot problems that you might encounter with a secure ESXi Configuration.

If you clear a TPM (that is, the seed values in the TPM are reset), if a TPM fails, or if you replace the motherboard or TPM device, or both, you must take steps to recover the ESXi secure configuration. You must have the recovery key to recover the configuration. Until you recover the configuration, the ESXi host cannot boot. See Recover the Secure ESXi Configuration.

Although uncommon, it is possible that an ESXi host might fail to restore or decrypt the secure configuration, preventing the host from booting. Possible situations include:

  • Change to secure boot setting (or other policy)
  • Actual tampering
  • The recovery key is unavailable

To troubleshoot these conditions, see the VMware knowledge base article at https://kb.vmware.com/kb/81446.