TPM issues in the Guest OS after migrating the VM to ESXi 8.0 U3


Article ID: 382316


Products

VMware vSphere ESXi

Issue/Introduction

Moving a vTPM-enabled VM (for example, a Windows 11 guest) to a host running ESXi 8.0 U3 may cause the following behavior:

  • Applications within the Guest OS stop authenticating with the TPM; a generic error such as "Something went wrong" may be shown when the application fails.
  • Running the PowerCLI command Get-TpmSupportedFeature returns nothing.

In the Event Viewer logs for the VM you can observe the following error:

AadTokenBrokerPlugin Operation

Error: 0xCAA5001C Token broker operation failed.

Operation name: GetTokenSilently, Error: -2144862075 (0x80280085), Description: TPM 2.0: Hierarchy is not enabled or is not correct for the use.
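The symptoms above can be checked from inside the guest in one pass. The following PowerShell script is an added example and is not part of the KB article or VMware's own tooling; it assumes the Windows TrustedPlatformModule cmdlets (Get-Tpm, Get-TpmSupportedFeature) and the AAD operational event log (assumed log name Microsoft-Windows-AAD/Operational) are available, and that the hierarchy error is identifiable by the 0x80280085 code quoted in the event text.

```powershell
# Guest-side vTPM health check for the condition described in this KB.
# Added example, not VMware or Microsoft code. Run in an elevated PowerShell
# session inside the Windows guest.

function Get-VtpmHealthReport {
    param(
        # How far back to search the AAD token broker log (constructed default)
        [int]$LookbackDays = 7
    )

    $report = [ordered]@{}

    # 1. Basic TPM state as Windows sees it
    $tpm = Get-Tpm
    $report.TpmPresent = $tpm.TpmPresent
    $report.TpmReady   = $tpm.TpmReady

    # 2. The KB symptom: Get-TpmSupportedFeature returns nothing on an affected VM
    $features = @(Get-TpmSupportedFeature -ErrorAction SilentlyContinue)
    $report.SupportedFeatureCount = $features.Count

    # 3. The KB's logged error: token broker failure with TPM return code 0x80280085
    #    ("Hierarchy is not enabled or is not correct for the use").
    #    Log name is an assumption; adjust if your environment differs.
    $since = (Get-Date).AddDays(-$LookbackDays)
    $brokerEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AAD/Operational'
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x80280085' }
    $report.HierarchyErrorEvents = @($brokerEvents).Count

    # 4. Verdict: a present TPM that advertises no features, or any hierarchy
    #    error in the broker log, matches the behavior this KB describes.
    $report.MatchesKbCondition =
        ($report.TpmPresent -and $report.SupportedFeatureCount -eq 0) -or
        ($report.HierarchyErrorEvents -gt 0)

    return [pscustomobject]$report
}

# Usage: print the report; a MatchesKbCondition of True on a VM that was
# migrated to an 8.0 U3 host points at the cause in the section below.
Get-VtpmHealthReport | Format-List
```

Run the check before and after applying the fixed ESXi release so the SupportedFeatureCount going from 0 back to a non-zero value confirms the vTPM is usable again.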

Environment

VMware vSphere ESXi 8.0.3

Cause

This is caused by a new backend feature for vTPM. To support it, 8.0 U3 added vTPM flags that did not exist in earlier versions. When a VM migrates from an older version to 8.0 U3, these new values result in the null hierarchy being disabled, which causes the vTPM failures described above.

Resolution

This issue is resolved in VMware ESXi 8.0 U3e or later release. Log in to the Broadcom Support Portal to download this patch.
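To find which VMs are still exposed before patching, the following PowerCLI script is an added example that is not part of the KB or VMware's own tooling. It assumes an existing Connect-VIServer session, the VMware.PowerCLI module, and that vTPM devices appear in the VM hardware list as the VMware.Vim.VirtualTPM type; the build number of the fixed 8.0 U3e release is not given on this page, so it is left as a placeholder you must fill in from the release notes.

```powershell
# Inventory vTPM-enabled VMs by ESXi host version with PowerCLI.
# Added example, not VMware code. Assumes Connect-VIServer has already been run.

# PLACEHOLDER: replace with the build number of ESXi 8.0 U3e (or later) from
# the release notes; 0 marks every 8.0.3 host as exposed until you set it.
$FixedBuild = 0

function Get-VtpmExposureReport {
    foreach ($vm in Get-VM) {
        # A VM has a vTPM when a VirtualTPM device is present in its hardware list
        $hasVtpm = @($vm.ExtensionData.Config.Hardware.Device |
            Where-Object { $_ -is [VMware.Vim.VirtualTPM] }).Count -gt 0
        if (-not $hasVtpm) { continue }

        $vmHost = $vm.VMHost
        $build  = 0
        [void][int]::TryParse($vmHost.Build, [ref]$build)

        [pscustomobject]@{
            VM          = $vm.Name
            Host        = $vmHost.Name
            HostVersion = $vmHost.Version
            HostBuild   = $build
            # Exposed: running 8.0.3 (8.0 U3) on a build older than the fix
            Exposed     = ($vmHost.Version -eq '8.0.3') -and ($build -lt $FixedBuild)
        }
    }
}

# Usage: list exposed VMs first so they can be scheduled for the patched hosts
Get-VtpmExposureReport | Sort-Object Exposed -Descending | Format-Table -AutoSize
```

Hosts that report Exposed as True should be updated to 8.0 U3e or later before any further vTPM-enabled VMs are migrated onto them.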

Additional Information