Changing the default vTPM provisioning policy for cloning or deploying virtual machines

Article ID: 392515

Products

VMware vCenter Server

Issue/Introduction

  • When cloning a Windows 11 virtual machine equipped with a virtual Trusted Platform Module (vTPM), or deploying it from a template in vSphere 8.x, the new VM may retain the same vTPM secrets or thumbprints as the source.
  • During the deployment wizard, the vSphere Client prompts to either copy or replace the TPM. By default, this is set to Copy, which may not be desirable for environments requiring unique security identities for every VM.


  • TPM Provisioning Options

    During the deployment wizard, or when configured via advanced settings, you can choose between two primary policies:

    • Copy (Default):
      • The newly deployed VM receives an identical copy of the source template's vTPM device.
      • The clone retains access to all stored secrets from the source VM.

    • Replace:
      • The deployed VM receives a brand-new, unique vTPM device.
      • The VM will not have access to any secrets from the source VM.
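
One way to see the difference between the two policies in practice is to audit the running VMs for shared vTPM identity. The following PowerCLI script is an added example, not part of this article or of VMware's own tooling: it finds powered-on VMs that carry a VirtualTPM device, asks each guest for the SHA-256 hash of its TPM endorsement key (via the Windows TrustedPlatformModule cmdlet Get-TpmEndorsementKeyInfo, run through Invoke-VMScript), and reports any hash that appears on more than one VM. Two VMs with the same endorsement-key hash are what a Copy clone produces. It assumes an existing Connect-VIServer session, VMware Tools running in each guest, and a guest credential with local administrator rights (the TPM cmdlets require elevation).

```powershell
# Added example (not from the KB article): report VMs that share a vTPM endorsement-key hash.
# Assumes VMware PowerCLI, an existing Connect-VIServer session, VMware Tools in each guest,
# and a guest credential with administrator rights (needed for Get-TpmEndorsementKeyInfo).
param(
    [Parameter(Mandatory)] [pscredential] $GuestCredential
)

# VMs that have a VirtualTPM device attached and are running (Invoke-VMScript needs Tools).
$tpmVMs = Get-VM | Where-Object {
    $_.PowerState -eq 'PoweredOn' -and
    ($_.ExtensionData.Config.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] })
}

# Runs inside the guest: the SHA-256 hash of the EK public key identifies the (v)TPM.
$guestScript = '(Get-TpmEndorsementKeyInfo -HashAlgorithm sha256).PublicKeyHash'

$results = foreach ($vm in $tpmVMs) {
    try {
        $out = Invoke-VMScript -VM $vm -ScriptText $guestScript -ScriptType PowerShell `
                               -GuestCredential $GuestCredential -ErrorAction Stop
        [pscustomobject]@{ VM = $vm.Name; EkHash = $out.ScriptOutput.Trim() }
    } catch {
        # A guest without Tools, a non-Windows guest, or a bad credential lands here.
        Write-Warning "Could not query vTPM in '$($vm.Name)': $($_.Exception.Message)"
    }
}

# Any hash seen on more than one VM means those VMs share vTPM identity and stored secrets.
$duplicates = $results | Where-Object { $_.EkHash } | Group-Object EkHash | Where-Object Count -gt 1
if ($duplicates) {
    foreach ($g in $duplicates) {
        Write-Output ("Shared vTPM EK hash {0} on: {1}" -f $g.Name, ($g.Group.VM -join ', '))
    }
} else {
    Write-Output "No duplicate vTPM identities found among $($results.Count) VM(s)."
}
```

Run it after a batch of clone or template deployments; any VM listed under a shared hash was provisioned with the Copy policy and should be re-deployed with Replace if your environment requires a unique identity per VM.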

Environment

VMware vCenter Server 8.0.x

Resolution

To change the default global behavior for all clone operations in vCenter, modify the advanced setting vpxd.clone.tpmProvisionPolicy to replace. This is useful as a workaround when deploying from a Content Library, where the vSphere Client may not natively prompt for the policy during the workflow. Related article: Configuring vTPM settings in vCenter for cloning a Windows 11 VM from a template.

  1. In the vSphere Client, select your vCenter Server and go to Configure > Settings > Advanced Settings.
  2. Click Edit Settings and search for vpxd.clone.tpmProvisionPolicy.
  3. Set the value to one of the following:
    1. replace: Automatically provides a new, unique vTPM for all clones.
    2. copy: Maintains the default behavior of copying the vTPM.
  4. Click Save.

Note: This configuration change only impacts future clone or deployment operations and does not affect existing virtual machines.
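
The same change can be made and verified from PowerCLI, which is useful when the policy must be enforced across several vCenter Servers. The script below is an added example, not part of this article: it reads the current value of vpxd.clone.tpmProvisionPolicy, sets it to the requested policy, and re-reads it to confirm. It assumes an existing Connect-VIServer session with rights to edit advanced settings; the assumption that the key may be absent until it has been set once (so that New-AdvancedSetting is needed the first time) is mine, not a statement from the article.

```powershell
# Added example (not from the KB article): read, change and verify the vCenter-wide
# vpxd.clone.tpmProvisionPolicy advanced setting with PowerCLI.
# Assumes an existing Connect-VIServer session to vCenter with rights to edit advanced settings.
param(
    [ValidateSet('replace', 'copy')] [string] $Policy = 'replace'
)

$vc   = $global:DefaultVIServer
$name = 'vpxd.clone.tpmProvisionPolicy'

# Current value. Assumption: the key may not exist until it has been set once.
$setting = Get-AdvancedSetting -Entity $vc -Name $name -ErrorAction SilentlyContinue
if ($setting) {
    Write-Output "Current $name = '$($setting.Value)'"
} else {
    Write-Output "$name is not yet present on $($vc.Name); vCenter uses its default (copy)."
}

# Apply the requested policy; New-AdvancedSetting creates the key when it is absent.
if ($setting) {
    $setting = Set-AdvancedSetting -AdvancedSetting $setting -Value $Policy -Confirm:$false
} else {
    $setting = New-AdvancedSetting -Entity $vc -Name $name -Value $Policy -Confirm:$false
}

# Re-read and confirm; throw so the step fails loudly when run from automation.
$check = Get-AdvancedSetting -Entity $vc -Name $name
if ($check.Value -ne $Policy) {
    throw "Expected $name = '$Policy' but found '$($check.Value)'"
}
Write-Output "$name is now '$($check.Value)'. Applies to future clone/deploy operations only."
```

As with the UI procedure, the new value affects only clones and deployments started after the change; VMs that were already cloned with the Copy policy keep their duplicated vTPM.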

Additional Information