WilliamLam.com

Clearing TPM alarms after replacing TPM chip or resetting TPM keys for ESXi

by // 13 Comments

If you have a supported Trusted Platform Module (TPM) device that has been installed in your ESXi host after the initial installation and you either replace the TPM chip and/or you reset the TPM keys within the system BIOS, you may find several TPM alarms that is raised within your vCenter Server including:

  • Host TPM attestation alarm
  • TPM Encryption Recovery Key Backup Alarm
  • The new host TPM endorsement key doesn't match the one stored in the DB


I recently had to resolve this in my lab after clearing the TPM keys within the system BIOS, this was for some testing I was doing, but I could not figure out how to get vCenter Server to clear the previous endorsement keys associated with the ESXi host.

After a bit of searching, I came across this VMware KB 81446 which outlines a solution to one the scenarios I mentioned above where you would see these TPM alarms, which is replacing the TPM chip, but I came to find out that the workflow is also applicable if you had cleared the TPM keys and new ones were generated prior to re-installing ESXi. The KB was missing a some details, which I have already shared in the feedback and I think there is a more streamline method which I have shared below.

[Read more...]

Workaround for VMware Cloud Builder 10GbE pre-check in VMware Cloud Foundation 5.0

by // 8 Comments

VMware Cloud Foundation (VCF) 5.0 is now generally available for customers to upgrade and I had a chance to play with it in my homelab before it was released.

One change that I had noticed in the new version of the VMware Cloud Builder for VCF 5.0 compared to VCF 4.5 is the introduction of a new 10GbE pre-check to ensure that your physical ESXi hosts met the minimum networking requirement. For a production deployment, this pre-check makes a ton of sense but for a homelab/development environment where you may not have 10GbE connectivity, this is certainly not ideal, especially as this was possible with VCF 4.5.

With VCF 5.0, this new pre-check is considered an error and will prevent you from continuing the VCF deployment as you can see from the error message below.


Fortunately, I was able to find an easy workaround to the issue that would still allow users to deploy the latest VCF 5.0 without 10GbE networking! 😀

[Read more...]

Custom vCenter Server Role using vSphere Terraform Provider on VMware Cloud on AWS

by // Leave a Comment

In a VMware Cloud on AWS (VMC-A) environment, a default CloudAdmin vCenter Server Role is provided to customers to manage and deploy workloads in vCenter Server. Typically, this vCenter Server Role is only granted to limited number of Cloud Administrators within your organization, which you get to control as an end user.

VMware also supports customers in creating additional custom vCenter Server Roles that limits the privileges for other usage such as auditing or workload provisioning. If you create a custom vCenter Server Role for VM provisioning and you are using vSphere Automation Tools that VMware supports including PowerCLI or even the popular vSphere Terraform Provider, you may come across the following error message during the VM deployment:

System.Read privilege required for config.distributedVirtualSwitch


As you can see from the error message, the current user does not have the Read-only privilege assigned to the Virtual Distributed Switch (VDS) which is required by the automation client, in this case the vSphere Terraform Provider, to be able to properly provisioned a VM.

Note: When using the default CloudAdmin role, VMware automatically applies the correct privileges to all applicable vSphere Inventory objects and this is the reason you do not see this problem when using an account with the default CloudAdmin role. For custom vCenter Server Roles that are created by customers, we can not apply this automation as the intention of the custom role(s) are unknown to VMware.

We can quickly fix this issue by following the instructions below which will guide you in properly assigning the correct vSphere permissions to enable VM provisioning when using a non-CloudAdmin role.

[Read more...]