VMware vSphere

  • 1.  How can I set require-secure-boot to TRUE on an ESXi host?

    Posted Jan 01, 2022 08:58 AM

    I am using VMware ESXi 7.0 Update 2. According to the following output, Secure Boot is enabled on my HPE server:

    [root@host1:~] /usr/lib/vmware/secureboot/bin/secureBoot.py -c
    Secure boot can be enabled: All vib signatures verified. All tardisks validated. All acceptance levels validated
    [root@host1:~] /usr/lib/vmware/secureboot/bin/secureBoot.py -s
    Enabled

    Now I want to enable require-secure-boot, but I cannot set it and get the following error:

    [root@host1:~] esxcli system settings encryption set --require-secure-boot=TRUE
    Unable to change the encryption mode and policy. Verify that the current host configuration can satisfy the new requirement.

    How can I solve it?



  • 2.  RE: How can I set require-secure-boot to TRUE on an ESXi host?

    Posted Apr 26, 2022 12:22 PM

    Make sure that you've activated TPM during installation; if not, use this command:

    esxcli system settings encryption set --mode=TPM

    Then continue as follows:

    1. Activate:

    esxcli system settings encryption set --require-secure-boot=T

    2. Check:

    esxcli system settings encryption get
       Mode: TPM
       Require Executables Only From Installed VIBs: false
       Require Secure Boot: true

    3. Back up the key:

    esxcli system settings encryption recovery list



  • 3.  RE: How can I set require-secure-boot to TRUE on an ESXi host?

    Posted Apr 26, 2022 05:54 PM

    But I don't have a TPM on my ESXi hosts.



  • 4.  RE: How can I set require-secure-boot to TRUE on an ESXi host?

    Posted May 08, 2022 08:11 PM


    You must either have a physical TPM 2.0 installed (e.g. a module supported in UEFI, where it has to be enabled),

    or, in rare cases, I have seen vendors update UEFI firmware to "emulate" TPM 2.0 features.

    See other post here:

    https://communities.vmware.com/t5/vSphere-Hypervisor-Discussions/ESXi-PSOD-using-secure-boot/m-p/2907887#M7025



  • 5.  RE: How can I set require-secure-boot to TRUE on an ESXi host?

    Broadcom Employee
    Posted Nov 09, 2022 04:32 PM

    I ran into the exact same thing and then discovered that even though my host recognized the TPM chip, Secure Boot was not, in fact, enabled. DOH!!! Check your system manual for instructions and make sure the BIOS/Firmware has Secure Boot enabled.

    Joe
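The thread's resolution boils down to two prerequisites that the generic "Unable to change the encryption mode and policy" error does not name: the host must be in TPM encryption mode (post 2, which needs a TPM 2.0 per posts 3 and 4), and Secure Boot must actually be enabled in the UEFI firmware (post 5). The following preflight script is an added example written for this thread, not a VMware tool or anything the posters ran. It parses the output of the two commands quoted above (`secureBoot.py -s` and `esxcli system settings encryption get`), reports which prerequisite is missing, and only then suggests running the `set --require-secure-boot=TRUE` command. The sample outputs embedded in it are constructed to match the format shown in the thread; the `Mode: NONE` value is assumed to be what a host without TPM mode prints.

```shell
#!/bin/sh
# Preflight check before running
#   esxcli system settings encryption set --require-secure-boot=TRUE
# Example written for this thread, not a VMware tool. It parses the output of the
# two commands quoted in the thread and reports which prerequisite is missing, so the
# generic "Unable to change the encryption mode and policy" error can be mapped to a
# cause before the setting is attempted.

# Print the value of one "Key: value" line from "encryption get" output read on stdin.
# $1 = key name exactly as esxcli prints it, e.g. "Mode" or "Require Secure Boot"
enc_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# $1 = output of /usr/lib/vmware/secureboot/bin/secureBoot.py -s ("Enabled"/"Disabled")
# $2 = output of esxcli system settings encryption get
# Returns 0 when require-secure-boot can be enabled, 1 otherwise (reasons go to stdout).
preflight_require_secure_boot() {
    sb_status=$1
    mode=$(printf '%s\n' "$2" | enc_field "Mode")
    current=$(printf '%s\n' "$2" | enc_field "Require Secure Boot")
    rc=0
    if [ "$sb_status" != "Enabled" ]; then
        # Post 5: the TPM was detected but Secure Boot was off in the firmware.
        echo "Secure Boot is not enabled in UEFI firmware (secureBoot.py -s reports: ${sb_status:-<empty>})"
        rc=1
    fi
    if [ "$mode" != "TPM" ]; then
        # Posts 2-4: a TPM 2.0 must be present and the host put into TPM mode first.
        echo "Encryption mode is '${mode:-<empty>}', not TPM: enable the TPM 2.0 in firmware, then run 'esxcli system settings encryption set --mode=TPM'"
        rc=1
    fi
    if [ "$rc" -eq 0 ] && [ "$current" = "true" ]; then
        echo "Require Secure Boot is already true; nothing to change"
    fi
    return "$rc"
}

# Constructed sample outputs in the format the thread shows (Mode: NONE is assumed).
SAMPLE_GET_NONE='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'
SAMPLE_GET_TPM='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'

if command -v esxcli >/dev/null 2>&1; then
    # On a real ESXi host: read the live values, then report.
    sb=$(/usr/lib/vmware/secureboot/bin/secureBoot.py -s)
    get=$(esxcli system settings encryption get)
    if preflight_require_secure_boot "$sb" "$get"; then
        echo "Prerequisites met; you can run: esxcli system settings encryption set --require-secure-boot=TRUE"
    fi
else
    # Offline demonstration with the constructed samples.
    echo "--- Secure Boot on, no TPM (the original poster's situation):"
    preflight_require_secure_boot "Enabled" "$SAMPLE_GET_NONE" || true
    echo "--- TPM mode, but Secure Boot off in firmware (post 5):"
    preflight_require_secure_boot "Disabled" "$SAMPLE_GET_TPM" || true
    echo "--- Both prerequisites satisfied:"
    preflight_require_secure_boot "Enabled" "$SAMPLE_GET_TPM" || true
fi
```

Run it from the ESXi shell as root and it reads the live values; anywhere else it walks through the three situations from the thread. The check is deliberately read-only: it never calls `encryption set` itself, so it can be run on a production host without changing its encryption policy, and the key backup step from post 2 (`esxcli system settings encryption recovery list`) still belongs after the real change.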