There have been several reports from folks internally and within the community that after upgrading to ESXi 8.0, they are now seeing the following TPM error message:
TPM 2.0 device detected but a connection cannot be established.
The common theme across all of the reported cases I have seen is that they are all using an Intel NUC. While the Intel NUCs may list TPM support, they do not support either the TPM Interface Specification (TIS) for TPM 1.2 or the First In, First Out (FIFO) interface for TPM 2.0, which are the industry-standard interfaces ESXi uses to communicate with a TPM device.
Hopefully this is not new news to anyone, especially as I had written about this topic back in 2020 and how to disable the error message using a 10th Gen Intel NUC. Now, what is new and what surprised me was that folks were only seeing this error message after they had successfully upgraded from ESXi 7.x to ESXi 8.0.
After speaking with some folks internally, I came to learn that we had fixed a bug that existed in vSphere 7.x, where the version of the TPM device was being detected incorrectly, so the error message that is supposed to be shown was not appearing. That explains why the error message was not showing before but is now correctly showing after the ESXi 8.0 upgrade.
To be clear, the TPM device found in the typical 4x4 Intel NUC has never been supported or functional with vSphere. If you attempted to use it, you would get an error stating that you do not have a valid TPM device. While the error message did not appear in earlier vSphere releases, the correct and expected behavior for an unsupported TPM device is to show the message above. In addition to the vSphere UI message in vCenter Server, you can also check the vmkernel.log file on the ESXi host, where you should see the following entries:
2022-10-19T05:40:26Z In(182) vmkernel: VMB_TPM: 99: Unsupported 'startMethod': 7
2022-10-19T05:40:26Z In(182) vmkernel: VMB_TPM: 227: Unable to determine TPM IO area base address.
2022-10-19T05:40:26Z In(182) vmkernel: VMB_TPM: 187: Failed to initialize TPM.
By upgrading to ESXi 8.0, we are now correctly letting users know that their TPM device cannot be used. To get rid of the message, you will need to go into the BIOS and, under Security->Security Features->Intel Platform Trust Technology, uncheck the option to disable it, which is the same solution I posted back in 2020.
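As an added example (not code from the original post), the following POSIX sh check reads an ESXi vmkernel.log and reports whether the VMB_TPM initialization failure quoted above is present, so the unsupported-TPM condition can be spotted from the host shell without waiting for the vCenter warning. It assumes the log lines follow the "VMB_TPM: <n>: <message>" form shown in the post; the sample log lines it embeds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Scans an ESXi vmkernel.log
# (default /var/log/vmkernel.log on the host) for the VMB_TPM failures the
# post describes and prints a one-word status:
#   unsupported-startmethod:<N>  ESXi rejected the TPM's reported start method
#                                (the Intel NUC case quoted in the post)
#   init-failed                  TPM initialization failed for another reason
#   no-tpm-errors                no VMB_TPM failures logged
#   unreadable                   log file missing or not readable
tpm_log_status() {
    log="${1:-/var/log/vmkernel.log}"
    [ -r "$log" ] || { echo "unreadable"; return 2; }
    # Take the most recent "Unsupported 'startMethod': N" entry and extract N.
    method=$(grep "VMB_TPM:.*Unsupported 'startMethod':" "$log" | tail -n 1 \
             | sed "s/.*Unsupported 'startMethod': *\([0-9]*\).*/\1/")
    if [ -n "$method" ]; then
        echo "unsupported-startmethod:$method"
        return 1
    elif grep -q "VMB_TPM:.*Failed to initialize TPM" "$log"; then
        echo "init-failed"
        return 1
    fi
    echo "no-tpm-errors"
    return 0
}

# Constructed sample log: the three entries quoted in the post plus one
# unrelated line, written to a temp file whose path is printed.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2022-10-19T05:40:25Z In(182) vmkernel: cpu0:1) unrelated boot message
2022-10-19T05:40:26Z In(182) vmkernel: VMB_TPM: 99: Unsupported 'startMethod': 7
2022-10-19T05:40:26Z In(182) vmkernel: VMB_TPM: 227: Unable to determine TPM IO area base address.
2022-10-19T05:40:26Z In(182) vmkernel: VMB_TPM: 187: Failed to initialize TPM.
EOF
    echo "$f"
}

# Constructed sample log from a host with no VMB_TPM failures.
make_clean_log() {
    f=$(mktemp)
    echo "2022-10-19T05:40:26Z In(182) vmkernel: cpu0:1) unrelated boot message" > "$f"
    echo "$f"
}
```

On a real host, run `tpm_log_status` with no argument to read /var/log/vmkernel.log directly.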
Note: The only Intel NUC on which I have had success with TPM is the 9th Gen Intel NUC, which uses a Xeon-based processor and is fully compatible with both vSphere 7.x and vSphere 8.0, in case anyone is interested.
I was just waiting for the new 12th gen NUCs with vPro, so TPM would be onboard. Now that it seems TPM on the NUC does not work with ESXi 8, there is no need to wait for that NUC and I can buy a regular NUC with an i5 instead.
Hello. I installed ESXi 8.0, but I can see that there is a message like "TPM 2.0 connection cannot be established" on the ESXi host dashboard. Also, Windows 11 can't install and the error message is like "This PC doesn't currently meet the minimum system requirements to run Windows 11". Well, Windows 11 actually ran on this PC, and TPM 2.0 is enabled in the BIOS. Also, secure boot is enabled. Does ESXi 8.0 not support TPM 2.0??
William, Thanks for the great article. (I found it after my other post!) Yeah, I started pondering that even though Dell shipped our ESXi/vSAN hosts with TPM 2.0 modules and pre-installed ESXi 7.0.x, they didn't verify that it was working. …or it was working in 7.x, but not when upgraded to 8 GA.
FWIW: In the 12th Gen NUCs the TPM setting is similar to the older NUCs. There is also a BIOS update already, so while you’re prepping the updates and getting everything ready, you can change that setting on your newer NUC.
Hi William,
Thank you for sharing!!
Running my VMs now for > 1 year on my NUC10i7FNH successfully. When I tried to update from ESX 7.0 3i to 8.0, I received the HW warning during the upgrade.
After switching off Intel Platform Trust Technology everything works fine now.
Unfortunately, switching off "Intel Platform Trust Technology" is no solution for those of us running their homelab environment on AMD Ryzen platforms. Of course, on AMD mainboards there are no such Intel-related BIOS options 😉 . In my case I have a high-end Asus Pro WS X570-ACE with a Ryzen 5 5600G, but I am getting the same error message. - Unfortunately my board has no external TPM module connector, so I am stuck with the virtual AMD fTPM, which is TPM 2.0 1.3. and therefore should theoretically work fine (latest BIOS installed today). - I wonder if VMware is going to support using AMD fTPM in future releases, or if my homelab has to switch to Proxmox. I would rather use VMware ESXi, because this is what I also use at my job.
I have the AM5D4ID-2T/BCM motherboard and it has a TPM header.
It seems I have to buy a TPM module just to get rid of the warning message? Shame it just can't be suppressed in VCSA using a flag.
Hey William,
I have a Lenovo ThinkCentre M720Q, which has a built-in TPM 2 chip. Is there any way to get this to be seen in ESXi 8? I have validated that it is enabled in the BIOS.
Steve
Did you actually read the blog post? Not all TPM 2.0 chips are created equal, please see the post
Hi William,
You've mentioned that you had success with TPM on Xeon-based NUC9, what version of ESXi did you run and did you try Windows 11 VM on it?
I am not observing the same message "TPM 2.0 device detected but a connection..." in ESXi 8.0U1 running on Intel NUC9 Pro BKNUC9VXQNX. Rather, I am getting "This PC doesn't currently meet the minimum system requirements to run Windows 11" and the only thing I can think of that is not meeting Windows 11 system requirement is TPM...
[root@localhost:~] esxcli hardware trustedboot get
Drtm Enabled: false
Tpm Present: true
[root@localhost:~] esxcli system settings encryption get
Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: true
Any ideas? Any information about TPM module on NUC9 Pro BKNUC9VXQNX? There is nothing in the latest version of the BIOS for this model of NUC that can be tweaked...
Thanks for the tip!! I would've never figured this one out on my own. And thanks for everything you do - super valuable to those of us running labs at home!
On fTPM, setting everything to 1.2 or 1_2 and then disabling SHA1 got it validated in 8.0.2