Information
The ESXi host must enable TPM-based Secure Boot enforcement. The TPM-based nature of VMware ESXi Secure Boot Enforcement enhances security beyond standard Secure Boot: it uses a hardware TPM chip to store and verify cryptographic measurements of the entire boot process, from the UEFI firmware through to the ESXi kernel. This creates a hardware-backed root of trust and makes it much harder for an attacker to tamper with the boot sequence undetected. Unlike normal Secure Boot, which only checks digital signatures, TPM-based enforcement ensures the integrity of the complete boot chain and enables advanced features such as remote attestation for verifying host trustworthiness. This control flips ESXi from merely supporting Secure Boot to requiring it. Without this setting (together with configuration encryption), an ESXi host is exposed to offline attacks: an attacker could simply move the ESXi install drive to a host without Secure Boot and boot it, and ESXi would not complain.
Solution
# Assumes an existing PowerCLI session and $ESXi holding the target host, e.g. $ESXi = Get-VMHost -Name <hostname>
$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.settings.encryption.set.CreateArgs()
$arguments.requiresecureboot = $true
$ESXcli.system.settings.encryption.set.Invoke($arguments)
# Verify: $ESXcli.system.settings.encryption.get.Invoke() should now report RequireSecureBoot = true
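The following audit-and-remediate function is an added example and is not part of the original finding or of VMware's own tooling. It wraps the same esxcli calls as the Solution above, first reading the current encryption settings so a host can be reported as compliant or not, and only then applying the change when -Remediate is given. It also surfaces the host's TPM support and attestation status from the vSphere API; the property paths ExtensionData.Capability.TpmSupported and ExtensionData.Summary.TpmAttestation are assumed from the API reference rather than taken from this page, and the host name is a placeholder. The esxcli set call is expected to fail on a host that is not currently booted with UEFI Secure Boot, so that failure is caught and reported rather than silently ignored.

```powershell
# Added example (not from the original finding): audit and optionally remediate
# the ESXi "Require Secure Boot" encryption setting with PowerCLI.
# Assumes an existing Connect-VIServer session; $HostName is a placeholder.
function Test-EsxiSecureBootEnforcement {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$HostName,
        [switch]$Remediate
    )

    $vmhost = Get-VMHost -Name $HostName -ErrorAction Stop
    $esxcli = Get-EsxCli -VMHost $vmhost -V2

    # Current state: Mode (NONE or TPM) and RequireSecureBoot, as strings from esxcli
    $cfg = $esxcli.system.settings.encryption.get.Invoke()
    $requireSecureBoot = [bool]::Parse([string]$cfg.RequireSecureBoot)

    # Hardware prerequisites from the vSphere API (assumed property paths)
    $tpmSupported = [bool]$vmhost.ExtensionData.Capability.TpmSupported
    $attestation  = $vmhost.ExtensionData.Summary.TpmAttestation

    $result = [pscustomobject]@{
        Host              = $vmhost.Name
        EncryptionMode    = $cfg.Mode          # config encryption mode, reported for context
        RequireSecureBoot = $requireSecureBoot
        TpmSupported      = $tpmSupported
        AttestationStatus = if ($attestation) { $attestation.Status } else { 'unknown' }
        Compliant         = $requireSecureBoot # this control only requires enforcement to be on
    }

    if ($Remediate -and -not $requireSecureBoot) {
        if ($PSCmdlet.ShouldProcess($vmhost.Name, 'Enable Secure Boot enforcement')) {
            $setArgs = $esxcli.system.settings.encryption.set.CreateArgs()
            $setArgs.requiresecureboot = $true
            # esxcli refuses this on a host not booted with UEFI Secure Boot;
            # report that clearly instead of claiming success.
            try {
                $null = $esxcli.system.settings.encryption.set.Invoke($setArgs)
                $cfg = $esxcli.system.settings.encryption.get.Invoke()
                $result.RequireSecureBoot = [bool]::Parse([string]$cfg.RequireSecureBoot)
                $result.Compliant = $result.RequireSecureBoot
            }
            catch {
                Write-Error "Could not enable Secure Boot enforcement on $($vmhost.Name): $_"
            }
        }
    }
    return $result
}

# Usage: audit every host in a cluster first, then re-run with -Remediate where needed
# Get-Cluster -Name 'ClusterPlaceholder' | Get-VMHost |
#     ForEach-Object { Test-EsxiSecureBootEnforcement -HostName $_.Name } |
#     Format-Table Host, EncryptionMode, RequireSecureBoot, TpmSupported, AttestationStatus, Compliant
```

Running the audit pass without -Remediate across a cluster gives a single table showing which hosts still allow the offline-drive-transfer scenario described in the Information section, and the TpmSupported and AttestationStatus columns make it obvious which hosts lack the hardware to honour the setting before any change is attempted.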