Windows 11 VM Fails to Boot Due to Missing vTPM Configuration


Article ID: 377302


Products

VMware vSphere ESXi

Issue/Introduction

A Windows 11 virtual machine (VM) fails to boot after being restored or migrated, potentially due to a missing or incorrect virtual Trusted Platform Module (vTPM) configuration.

Environment

- VMware vSphere 7.0 or later
- Windows 11 guest operating system
- vCenter Server 7.0 Update 2 or later

Cause

Windows 11 requires TPM 2.0 for installation and operation. In a virtual environment, this requirement is met using vTPM. If a Windows 11 VM is created without vTPM or if the vTPM configuration is lost during restore or migration, the VM may fail to boot properly.

You may have used a workaround to avoid using vTPM, and that workaround has since been overwritten by updates. Working around vTPM is not supported by VMware and is done at your own risk.

Resolution

To resolve this issue, follow these steps to properly configure vTPM for your Windows 11 VM:

1. Ensure your environment meets the prerequisites:
   a. vCenter Server 7.0 Update 2 or later
   b. ESXi host version 6.7 or later
   c. VM hardware version 14 or later
   d. For other system requirements see Find Windows 11 specs, features, and computer requirements

2. Configure a vSphere Native Key Provider:
   a. Log in to the vSphere Client.
   b. Navigate to the vCenter Server instance.
   c. Go to "Configure" > "Security" > "Key Providers".
   d. Click "Add" and select "Add Native Key Provider".
   e. Enter a name for the key provider and click "Add".
   f. Once created, click "Back up Key Provider" and securely store the backup file.
   g. For other details, see VMware vSphere 7.0 Documentation - Configure a vSphere Native Key Provider

3. Enable the Key Provider:
   a. Select the newly created key provider.
   b. Click "Enable" to activate it as the default key provider.

4. Add vTPM to the VM:
   a. Right-click the VM and select "Edit Settings".
   b. Click "Add New Device" and choose "Trusted Platform Module".
   c. Click "OK" to save the changes.

5. Enable UEFI Secure Boot:
   a. In the VM settings, expand the "VM Options" section.
   b. Set the firmware to "UEFI".
   c. Check the box for "Enable UEFI Secure Boot".
   d. Click "OK" to save the changes.

6. Attempt to boot the VM.

If the VM still fails to boot, especially if you were unable to add a "Trusted Platform Module" to the existing VM, you may need to recreate the VM:

1. Create a new VM with the following settings:
   a. Guest OS: Windows 11 (64-bit)
   b. Enable vTPM
   c. Enable UEFI Secure Boot
   d. Do not add a new hard disk

2. Attach the existing virtual disk:
   a. In the VM settings, click "Add New Device" and choose "Existing Hard Disk".
   b. Browse to and select the VMDK file from the original Windows 11 VM.
   c. Set the virtual device node to match the original VM's configuration (usually SCSI 0:0).

3. Power on the new VM and verify if it boots correctly.
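
To confirm that a reconfigured or recreated VM has the settings from the steps above (hardware version 14 or later, UEFI firmware, Secure Boot, and a vTPM device), a read-only PowerCLI check such as the following can be used. This is an added example, not part of the original article or VMware's own tooling; it assumes VMware PowerCLI is installed and a Connect-VIServer session is already open, and the function name and VM name are hypothetical.

```powershell
# Added example: read-only check of the VM settings this article configures.
# Assumes an existing Connect-VIServer session. It changes nothing on the VM.
# Test-Win11VmTpmReadiness is a hypothetical helper name, not a PowerCLI cmdlet.
function Test-Win11VmTpmReadiness {
    [CmdletBinding()]
    param(
        # VM object as returned by Get-VM
        [Parameter(Mandatory, ValueFromPipeline)]
        $VM
    )
    process {
        $config = $VM.ExtensionData.Config

        # Config.Version looks like "vmx-14"; the article requires 14 or later.
        $hwVersion = [int]($config.Version -replace '^vmx-', '')

        # A vTPM shows up in the virtual device list as a VirtualTPM object.
        $hasVtpm = [bool]($config.Hardware.Device |
            Where-Object { $_.GetType().Name -eq 'VirtualTPM' })

        # Firmware is "efi" or "bios"; Secure Boot is only valid with "efi".
        $isUefi     = $config.Firmware -eq 'efi'
        $secureBoot = [bool]$config.BootOptions.EfiSecureBootEnabled

        [pscustomobject]@{
            Name            = $VM.Name
            HardwareVersion = $hwVersion
            HardwareOk      = $hwVersion -ge 14
            FirmwareUefi    = $isUefi
            SecureBoot      = $secureBoot
            VtpmPresent     = $hasVtpm
            Ready           = ($hwVersion -ge 14) -and $isUefi -and
                              $secureBoot -and $hasVtpm
        }
    }
}

# Usage: 'win11-restored' is a placeholder VM name.
Get-VM -Name 'win11-restored' | Test-Win11VmTpmReadiness | Format-List
```

Any property that reports False points to the step in the procedure that still needs to be applied before booting the VM.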

Additional Information

- VMware does not support running Windows 11 VMs that do not meet all of Microsoft's requirements, including TPM 2.0.
- For more information on vTPM requirements, see the VMware documentation:
  vSphere Security
- For detailed steps on configuring vSphere Native Key Provider, refer to: Configure vSphere Native Key Provider