• When a Windows 11 or Windows Server virtual machine is migrated or restored from a backup, it may fail to boot if the virtual Trusted Platform Module (vTPM) is missing, mismatched, or improperly configured.
  
  
• Attempting to power on the VM will trigger the following errors: 

  • ESXi Host Error: "Failed to power on the virtual machine <VM-Name>. The virtual machine must be encrypted."

  • vCenter Server Error: "The virtual machine must be encrypted. Failed to start the virtual machine. Module DevicePower On power on failed. Virtual TPM initialization failed."

• vSphere ESXi 7.0 or later
• vCenter Server 7.0 Update 2 or later
• Windows guest operating system

• This issue occurs because the cryptographic binding or state of the vTPM module attached to the virtual machine is broken, lost, or invalidated during the migration or restoration process.
  
  
• When a virtual machine configured with a vTPM is restored from a backup or migrated improperly, the host may lose the ability to decrypt the vTPM's secure data, directly resulting in a "Virtual TPM initialization failed" error.
  
  
• Operating systems such as Windows 11 require TPM 2.0 for installation, security features, and boot operations. In a virtual environment, this requirement is satisfied by the vTPM. If the vTPM cannot initialize, the OS will refuse to boot.
  
  
• In some instances, administrators may have used workarounds to bypass the vTPM requirement during the initial OS deployment. Subsequent Windows updates often overwrite these bypasses. Upon rebooting, the OS looks for a valid vTPM; if it is missing or the state is broken, the power-on attempt fails.

Before performing any changes to a virtual machine that is failing to power on, ensure these requirements:

1. Environment Prerequisites:
   • vCenter Server: Version 7.0 Update 2 or later.
   • ESXi Host: Version 6.7 or later.
   • VM Hardware: Version 14 or later.
   • Firmware: Must be set to UEFI.
   • Secure Boot: UEFI Secure Boot must be enabled.
   • Summary Tab: Select the VM in the vSphere Client and check the Encryption field in the Summary tab.
   • Storage Policy: Go to Edit Settings > Hard disk and verify if the VM Storage Policy is set to an "Encryption Policy".
   • If BitLocker is present, ensure to have the BitLocker Recovery Key available. If the virtual machine is recreated or the vTPM was reset, the Guest OS will likely stop at a BitLocker recovery prompt and require this key to complete the boot process.
2. Configure and Enable a vSphere Native Key Provider (NKP):
   • Navigates to the vCenter Server > Configure > Security > Key Providers. By clicking Add and selecting Add Native Key Provider, enter a unique name and add the provider.
   • Once the provider is created, click Back-Up > Back UP Key Provider and download the resulting file to a secure location. The NKP becomes active after backup is completed.
   • Select the newly created key provider and clicks Set as Default to activate it as the primary key provider for the environment.
   • If the ESXi hosts in the cluster do not have physical TPM 2.0 chips, the option "Use key provider only with TPM protected ESXi hosts" must be unchecked during or after the creation process to ensure compatibility.
3. Add or Reset a vTPM:
   If an "initialization failed" error occurs, a vTPM reset is required. First, remove the existing TPM module from the virtual machine's Edit Settings. Then, proceed with the following steps to add the vTPM:
   • Right-click the VM and select Edit Settings.
   • Click Add New Device and choose Trusted Platform Module.
   • Click OK to save the changes.
4. Power on the virtual machine.
   
   
5. If reset fails, create a new VM with vTPM and Secure Boot enabled, then attach the original VMDK as an Existing Hard Disk.
   
   

Note: Bypassing vTPM requirements is unsupported by Broadcom and is done at your own risk.