Please validate that each step below is true for your environment. Each step will provide instructions or a link to a document, to eliminate possible causes and take corrective action as necessary.
Error message A:
- Check whether your firmware security settings have been modified from what they were before.
- If TPM 2.0 has been disabled, re-enable it.
- If UEFI secure boot has been disabled, re-enable it.
- If the execInstalledOnly boot option is set to FALSE, change it back to its initial value (i.e. TRUE).
- Add "execInstalledOnly=TRUE" to the boot command line (press Shift+O when mboot starts and you see a 5-second countdown, right after the BIOS finishes running).
- If you would like to change the firmware settings and permanently avoid this violation message, see Enable or Disable the Secure Boot Enforcement for a Secure ESXi Configuration.
- If the firmware settings have not been modified, this means that either the TPM 2.0 chip is not working or has been replaced (possibly due to a motherboard swap), or the version of ESXi being booted is not genuine. In this case, you need to recover the ESXi configuration by following these steps:
  - Start the ESXi host.
  - When the ESXi installer window appears, press Shift+O to edit boot options.
  - To recover the configuration, at the command prompt, append the following boot option to any existing boot options: encryptionRecoveryKey=recovery_key
  - Note: Do not remove the information that is already present at the prompt. Type encryptionRecoveryKey=recovery_key immediately after the commands already shown.
  - The secure ESXi configuration is now recovered and the ESXi host boots. To persist the change, enter the following command: /sbin/auto-backup.sh
  - Reboot the ESXi host.
Note: For ESXi versions 8.0 U1 and 8.0 U2 (or any patch on these lines), if you encounter a PSOD after an ESXi Quick Boot upgrade, simply rebooting the host will solve the problem. VMware is aware of this issue and working on a fix.
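The firmware checks listed under Error message A, as an added shell example that is not VMware's code: it compares the enforcement settings reported by `esxcli system settings encryption get` with the current secure boot and execInstalledOnly state that you pass in. The sample output and its field labels are constructed and assumed to match the host's layout; `policy_field` and `check_enforcement` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of `esxcli system settings encryption get` output;
# the field labels are an assumption about the host's output layout.
SAMPLE_POLICY='   Mode: TPM
   Require Executables Only From Installed VIBs: true
   Require Secure Boot: true'

# policy_field TEXT LABEL: print the lower-cased, trimmed value of "LABEL: value".
policy_field() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" |
        head -n 1 | tr '[:upper:]' '[:lower:]'
}

# check_enforcement POLICY_TEXT SECURE_BOOT_NOW EXEC_ONLY_NOW
# The two *_NOW arguments are the current firmware / boot-option state
# (true or false, any case), supplied by the operator.
# Prints one line per mismatch and returns 1 if any was found.
check_enforcement() {
    policy=$1
    sb_now=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    eio_now=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    rc=0
    if [ "$(policy_field "$policy" 'Mode')" != "tpm" ]; then
        echo "mode is not TPM: nothing to check"
        return 0
    fi
    if [ "$(policy_field "$policy" 'Require Secure Boot')" = "true" ] &&
       [ "$sb_now" != "true" ]; then
        echo "MISMATCH: secure boot is enforced but UEFI secure boot is off"
        rc=1
    fi
    if [ "$(policy_field "$policy" 'Require Executables Only From Installed VIBs')" = "true" ] &&
       [ "$eio_now" != "true" ]; then
        echo "MISMATCH: execInstalledOnly is enforced but the boot option is not TRUE"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: current state satisfies the enforced settings"
    fi
    return "$rc"
}

# Demo on the constructed sample: secure boot on, execInstalledOnly=FALSE.
check_enforcement "$SAMPLE_POLICY" true FALSE || true
```

On a host, pass the real command output as the first argument instead of `SAMPLE_POLICY`.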
Error message B:
This means that a genuine ESXi version has booted, but the configuration data has been tampered with or is corrupted and cannot be recovered. See Installing and Setting Up ESXi.
Error message C:
This means that we are unable to recover with the provided recovery key. Ensure the input recovery key is correct; otherwise, see Installing and Setting Up ESXi.
To retrieve the ESXi recovery key, run esxcli system settings encryption recovery list