A Windows 11 virtual machine (VM) fails to boot after being restored or migrated, potentially due to a missing or incorrect virtual Trusted Platform Module (vTPM) configuration.
- VMware vSphere 7.0 or later
- Windows 11 guest operating system
- vCenter Server 7.0 Update 2 or later
Windows 11 requires TPM 2.0 for installation and operation. In a virtual environment, this requirement is met using vTPM. If a Windows 11 VM is created without vTPM or if the vTPM configuration is lost during restore or migration, the VM may fail to boot properly.
You may have used a workaround to avoid using vTPM, and that workaround has since been overwritten by updates. Working around vTPM is not supported by VMware and is at your own risk.
To resolve this issue, follow these steps to properly configure vTPM for your Windows 11 VM:
1. Ensure your environment meets the prerequisites:
a. vCenter Server 7.0 Update 2 or later
b. ESXi host version 6.7 or later
c. VM hardware version 14 or later
d. For other system requirements see Find Windows 11 specs, features, and computer requirements
2. Configure a vSphere Native Key Provider:
a. Log in to the vSphere Client.
b. Navigate to the vCenter Server instance.
c. Go to "Configure" > "Security" > "Key Providers".
d. Click "Add" and select "Add Native Key Provider".
e. Enter a name for the key provider and click "Add".
f. Once created, click "Back up Key Provider" and securely store the backup file.
g. For other details, see VMware vSphere 7.0 Documentation - Configure a vSphere Native Key Provider
3. Enable the Key Provider:
a. Select the newly created key provider.
b. Click "Enable" to activate it as the default key provider.
4. Add vTPM to the VM:
a. Right-click the VM and select "Edit Settings".
b. Click "Add New Device" and choose "Trusted Platform Module".
c. Click "OK" to save the changes.
5. Enable UEFI Secure Boot:
a. In the VM settings, expand the "VM Options" section.
b. Set the firmware to "UEFI".
c. Check the box for "Enable UEFI Secure Boot".
d. Click "OK" to save the changes.
6. Attempt to boot the VM.
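The settings from steps 1, 4 and 5 can also be confirmed from PowerCLI, which is useful right after a restore or migration. The following is an added example, not VMware's own code: the function name `Test-Win11VmConfig`, the constructed `$restored` object and the VM name `Win11-VM` are assumptions, and the live call at the end requires PowerCLI and an existing `Connect-VIServer` session.

```powershell
# Added example. Checks a VM's Config object (vSphere API
# VirtualMachineConfigInfo, exposed by PowerCLI as
# (Get-VM ...).ExtensionData.Config) against the article's steps.
$MinHardwareVersion = 14   # prerequisite 1c

function Test-Win11VmConfig {
    param([Parameter(Mandatory)] $Config)

    $findings = @()

    # Config.Version looks like "vmx-19"; take the numeric part.
    $hw = 0
    if ("$($Config.Version)" -match '^vmx-(\d+)$') { $hw = [int]$Matches[1] }
    if ($hw -lt $MinHardwareVersion) {
        $findings += "hardware version $hw is below $MinHardwareVersion"
    }
    if ($Config.Firmware -ne 'efi') {
        $findings += 'firmware is not UEFI'
    }
    if (-not $Config.BootOptions.EfiSecureBootEnabled) {
        $findings += 'UEFI Secure Boot is not enabled'
    }
    # A vTPM appears in the device list as a VirtualTPM object.
    $tpm = @($Config.Hardware.Device |
        Where-Object { $_.PSObject.TypeNames -contains 'VMware.Vim.VirtualTPM' })
    if ($tpm.Count -eq 0) {
        $findings += 'no vTPM device is present'
    }
    return $findings
}

# Constructed sample: a restored VM that kept UEFI and Secure Boot
# but lost its vTPM device. Lets the function run without a vCenter.
$restored = [pscustomobject]@{
    Version     = 'vmx-19'
    Firmware    = 'efi'
    BootOptions = [pscustomobject]@{ EfiSecureBootEnabled = $true }
    Hardware    = [pscustomobject]@{ Device = @(
        [pscustomobject]@{ PSTypeName = 'VMware.Vim.VirtualDisk' }
    ) }
}
Test-Win11VmConfig -Config $restored

# Against a live vCenter ('Win11-VM' is a placeholder name):
# Test-Win11VmConfig -Config (Get-VM -Name 'Win11-VM').ExtensionData.Config
```

An empty result means all four checks passed; each string returned names a setting to correct in "Edit Settings" before powering on.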
If the VM still fails to boot, especially if you were unable to add a "Trusted Platform Module" to the existing VM, you may need to recreate the VM:
1. Create a new VM with the following settings:
a. Guest OS: Windows 11 (64-bit)
b. Enable vTPM
c. Enable UEFI Secure Boot
d. Do not add a new hard disk
2. Attach the existing virtual disk:
a. In the VM settings, click "Add New Device" and choose "Existing Hard Disk".
b. Browse to and select the VMDK file from the original Windows 11 VM.
c. Set the virtual device node to match the original VM's configuration (usually SCSI 0:0).
3. Power on the new VM and verify that it boots correctly.
- VMware does not support running Windows 11 VMs without meeting all of Microsoft's requirements, including TPM 2.0.
- For more information on vTPM requirements, see the VMware documentation: vSphere Security
- For detailed steps on configuring vSphere Native Key Provider, refer to: Configure vSphere Native Key Provider