You can remove, or decommission, Trusted Hosts from a Trusted Cluster. Depending on the scenario, you can decommission one Trusted Host, some of them, or all of them.

When you decommission a Trusted Host, the remediate function sets the desired state of the Trusted Host to that of the non-Trusted Cluster to which it is moved. The decommissioned Trusted Host becomes a regular host. The Trusted Cluster from which the Trusted Host was moved keeps its desired state configuration and still functions as a Trusted Cluster.

When you remove all the Trusted Hosts from a Trusted Cluster, you decommission the Trusted Cluster. You remove both the desired state configuration and applied configuration from the Trusted Hosts and the Trusted Cluster, then move all the Trusted Hosts to a non-Trusted Cluster.

You can reuse decommissioned Trusted Hosts in your environment. For example, you can reuse the hosts as non-trusted infrastructure capacity, or as vSphere Trust Authority Hosts. You can use the decommissioned hosts in the same vCenter Server or in a different vCenter Server.

For more information about Trusted Cluster configuration and health, see Checking and Remediating Trusted Cluster Health.

Prerequisites

  • The vCenter Server for the Trusted Cluster must be running vSphere 7.0 Update 1 or later.
  • If you use PowerCLI, version 12.1.0 or later is required.

Procedure

  1. Connect to the vCenter Server of the Trusted Cluster by using the vSphere Client.
  2. Log in as a Trust Authority administrator.
  3. Navigate to a Trusted Cluster.
  4. Decide how to decommission the Trusted Hosts from the Trusted Cluster, then follow the steps for that task.

     Task: Keep the desired configuration state of the Trusted Cluster and the remaining Trusted Hosts (decommission some of the Trusted Hosts)
     1. Put the hosts into Maintenance mode and move them to a new, empty cluster (that is, a cluster that does not contain any hosts).
     2. Exit Maintenance mode on the hosts.
     3. For the new cluster (not the Trusted Cluster), on the Trust Authority tab, click Remediate.

        Remediation removes the Trusted configuration from the moved hosts. The Trusted Cluster retains its desired state configuration.

     Task: Remove the desired configuration state and applied configuration state of all the Trusted Hosts (decommission the Trusted Cluster)
     1. In a PowerCLI session, run the Connect-VIServer cmdlet to connect as the Trust Authority administrator to the vCenter Server of the Trusted Cluster:
        Connect-VIServer -server TrustedCluster_VC_ip_address -User trust_admin_user -Password 'password'
     2. Run the Set-TrustedCluster cmdlet, for example:
        Set-TrustedCluster -TrustedCluster 'TrustedCluster' -State Disabled

        The Trusted Infrastructure configuration is removed from all the Trusted Hosts, and the desired state configuration is removed from the Trusted Cluster.

     3. Put all the hosts into Maintenance mode and move them to a different cluster.
     4. Exit Maintenance mode on the hosts.
  5. To verify that the Trusted Cluster is healthy, click Check Health on the Trust Authority tab for the Trusted Cluster.
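The "remove all Trusted Hosts" task above, scripted end to end in PowerCLI. This is an added example, not VMware's own code: the vCenter address, cluster names and the destination cluster (which must already exist and must not be a Trusted Cluster) are placeholders, and the check that reads the State property of the object returned by Get-TrustedCluster is an assumption about that cmdlet's output.

```powershell
# Added example (not from the VMware page): decommission every Trusted Host in a
# Trusted Cluster by removing the cluster's desired state, then moving the hosts
# through Maintenance mode into a non-Trusted cluster.
$vcServer       = 'TrustedCluster_VC_ip_address'   # placeholder
$trustedCluster = 'TrustedCluster'                 # placeholder
$destCluster    = 'NonTrustedCluster'              # placeholder; must already exist

# Connect as the Trust Authority administrator. Prompting for credentials avoids
# embedding the password in the script, as the inline command on the page does.
$cred = Get-Credential -Message 'Trust Authority administrator'
Connect-VIServer -Server $vcServer -Credential $cred | Out-Null

$source = Get-Cluster -Name $trustedCluster
$target = Get-Cluster -Name $destCluster

# Safety check (assumption: Get-TrustedCluster exposes a State property). Moving
# hosts into another Trusted Cluster would not decommission them, so refuse that.
$targetTrust = Get-TrustedCluster -Cluster $target -ErrorAction SilentlyContinue
if ($targetTrust -and $targetTrust.State -eq 'Enabled') {
    throw "Destination cluster '$destCluster' is a Trusted Cluster; choose a non-Trusted cluster."
}

# Step 2 of the task: remove the desired state from the cluster and the applied
# Trusted Infrastructure configuration from all of its hosts.
Set-TrustedCluster -TrustedCluster $trustedCluster -State Disabled -Confirm:$false

# Steps 3 and 4: put each host into Maintenance mode, move it, then exit Maintenance mode.
foreach ($vmHost in Get-VMHost -Location $source) {
    Set-VMHost -VMHost $vmHost -State Maintenance -Confirm:$false | Out-Null
    Move-VMHost -VMHost $vmHost -Destination $target -Confirm:$false | Out-Null
    Set-VMHost -VMHost $vmHost -State Connected -Confirm:$false | Out-Null
}

# Verify: the source cluster should now be empty and report a Disabled trust state.
$remaining = @(Get-VMHost -Location $source)
if ($remaining.Count -ne 0) {
    throw "$($remaining.Count) host(s) still in '$trustedCluster'; investigate before continuing."
}
$sourceTrust = Get-TrustedCluster -Cluster $source -ErrorAction SilentlyContinue
if ($sourceTrust -and $sourceTrust.State -ne 'Disabled') {
    throw "'$trustedCluster' still reports trust state '$($sourceTrust.State)'."
}
Write-Host "Decommissioned '$trustedCluster'; hosts moved to '$destCluster'."
```

Run Check Health on the Trust Authority tab afterwards as in step 5; the script's final checks only confirm that no hosts remain and that the cluster's trust state is Disabled.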

What to do next

If you no longer plan to attest the specific versions of ESXi or the TPM hardware of the decommissioned ESXi hosts, update the Trust Authority Cluster's configuration for optimal security. See the VMware knowledge base article at https://kb.vmware.com/s/article/77146.