“Unable to provision Endorsement Key on TPM 2.0 device: No RSA Endorsement Key certificate found in TPM 2.0 device’s non-volatile memory.”


I am trying to bring up a couple of ESXi 7.0 hosts with attestation and add them to a VCSA. Install is unremarkable, except the hosts keep failing attestation. I also keep getting the titled error in vCenter after adding the hosts.

The summary on the TPM alert just says “Internal Error.” The document that I found on “internal error” was this (https://vinfrastructure.it/2019/11/esxi-6-7-tpm-support-on-dell-emc-poweredge-server/), which points to “the TPM settings in the BIOS are not correct.”

I checked the TPM in ESXi as best as I could figure; everything seems to come back clean (screenshot attached) except for these 2 lines, which seem funny but do not generate any errors:

tpmDriver: Tpm2CheckInterface:615: TPM does not appear to be speaking the 2.0 protocol (interfaceType = 0xf).

tpmDriver: Tpm2CheckInterface:616: Continuing on best effort basis using the 2.0 protocol.

I never had this issue on 6.7. I have regenerated all keys in BIOS, added the VMware key “vmware_sb2017.der” per KB 2148532 (https://kb.vmware.com/s/article/2148532) to my “Authorized Signatures” in the Secure Boot part of the BIOS (I also tried with standard settings), renewed certs on the hosts, and generated certs in VCSA (option 4).

I have also disconnected and reconnected hosts multiple times and rebooted everything.

I really do not know what else to do, because according to the hosts, they seem to be passing and loading everything, but VCSA keeps telling me not.

Motherboard is Supermicro X11DPi-NT. It is Supermicro’s TPM 2.0 chip AOM-TPM-9670V-S (IFX).

I am attaching screenshots of the BIOS settings and CLI.

Any ideas? Whatever I have tried so far keeps coming back to the same result.

Any help would be appreciated.
