Set up TPM support in vCenter on Dell R7515

Quick HowTo/reminder to myself on how to activate TPM on ESXi hosts connected to vCenter.

The smoothest way is to configure the servers before they are connected to vCenter: Otherwise they must be removed from the inventory and re-added.

The BIOS security settings must be correctly configured:

Dell R7515 BIOS menu with System Security highlighted

Select System Security.

Dell R7515 BIOS System Security submenu, TPM Security section

TPM Security must be turned On.

Dell R7515 BIOS TPM Advanced Settings submenu

Under the TPM Advanced Settings menu, TPM2 Algorithm Selection must be set to SHA256.

Dell R7515 System Security submenu, Secure Boot section

Back in the System Security menu, Secure Boot must be Enabled.

Boot the server and add it to vCenter.

Enable the SSH service and log on to the server. Check the TPM status:

# esxcli system settings encryption get | grep Mode
   Mode: NONE

Set the mode to TPM:

# esxcli system settings encryption set --mode TPM

Get the encryption keys and store them somewhere safe, like a password manager:

# esxcli system settings encryption recovery list
Recovery ID                             Key
--------------------------------------  ---
{....}                                  ....

In vCenter, you’ll see a warning for each host, about the encryption key backup status. This last step was what that warning was about. If you’re confident the recovery ID and Key for each host is securely stored, reset the warning to green. The hosts are now utilizing their TPM capability.