VMware vCenter 8
While we recommend a TPM, one is not required to use Native Key Provider. If a TPM 2.0 is available and configured on the host, it will be used to store the Native Key Provider keys. If one is not configured, the Native Key Provider keys will be stored as part of the encrypted ESXi configuration data.
If you leave the default “Use key provider only with TPM protected ESXi hosts” option selected, hosts without TPMs will not participate in Native Key Provider. When you attempt cryptographic operations on a virtual machine on those hosts, they will fail.
If you only deploy Native Key Provider to TPM-enabled hosts in a non-homogenous cluster, there may be availability concerns, as part of the cluster will not be able to run those workloads.
For best results on non-homogenous clusters, please uncheck the TPM option when creating a Native Key Provider.
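One way to check whether a cluster is mixed before choosing the TPM option is shown below. This is an added PowerCLI example, not VMware's own code. It assumes PowerCLI is installed and a `Connect-VIServer` session is already open, and the cluster name is a hypothetical placeholder.

```powershell
# Added example. Assumes an existing Connect-VIServer session.
$ClusterName = 'Prod-Cluster-01'   # hypothetical cluster name, replace with your own

$vmHosts = Get-Cluster -Name $ClusterName | Get-VMHost

# Read the TPM fields from each host's HostCapability object (vSphere API).
# These report that a TPM was detected and its version; they do not prove
# that the host has passed attestation.
$report = foreach ($h in $vmHosts) {
    $cap = $h.ExtensionData.Capability
    [pscustomobject]@{
        Host         = $h.Name
        State        = $h.ConnectionState
        TpmSupported = [bool]$cap.TpmSupported
        TpmVersion   = $cap.TpmVersion
        HasTpm20     = ([bool]$cap.TpmSupported -and $cap.TpmVersion -eq '2.0')
    }
}

$report | Sort-Object Host | Format-Table -AutoSize

$withTpm    = @($report | Where-Object { $_.HasTpm20 })
$withoutTpm = @($report | Where-Object { -not $_.HasTpm20 })

if ($withoutTpm.Count -eq 0) {
    # Homogenous: every host can hold the keys in its TPM.
    Write-Output "All $($withTpm.Count) hosts report TPM 2.0. The TPM-only option can stay selected."
}
elseif ($withTpm.Count -eq 0) {
    # No TPMs at all: with the option selected, no host would participate.
    Write-Output "No host reports TPM 2.0. Uncheck the TPM option; keys will be stored in the encrypted ESXi configuration."
}
else {
    # Mixed cluster: encrypted workloads could only run on part of it.
    Write-Output "Mixed cluster: $($withoutTpm.Count) of $($report.Count) hosts lack TPM 2.0."
    Write-Output "With the TPM-only option selected, cryptographic operations will fail on:"
    $withoutTpm | ForEach-Object { Write-Output "  $($_.Host)" }
}
```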
For more information, please see below:
https://www.vmware.com/docs/vsphere-native-key-provider-nkp-questions-answers