Powering on an encrypted virtual machine or a VM with vTPM fails in vSphere 7.0 when attempted with a non-Administrator user
Article ID: 326210
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
When trying to power on a virtual machine that is encrypted, for example because it has been configured with a virtual TPM (vTPM), the task fails with an error message:
Permission to perform this operation was denied. NoPermission.message.format
When trying to open a remote console for the virtual machine, the following error is shown:
KMS Error: Unable to connect to MKS: Permission to perform this operation was denied.
Environment
VMware vCenter Server 7.0.x
Cause
This issue occurs when the user who initiated the power-on task does not have the permissions required to access encrypted VMs or to read the encryption keys used to encrypt the VM. These operations require "Cryptographic operations" privileges.
Resolution
To prevent this problem, ensure that the role for the user includes the following privileges:
Cryptographic operations > Direct Access
Cryptographic operations > Read KMS information
If the VM is hosted in a cluster with DRS enabled, the following privilege is required as well: