The virtual machine will display the following message in the vCenter Server "This VM is encrypted with Trusted Platform Module" when trying to toggle encryption option

Article ID: 416309

Updated On:

Products

VMware vSphere ESXi 8.0
VMware vCenter Server 8.0

Issue/Introduction

  • When attempting to toggle the encryption option on a virtual machine, the Edit Settings > VM Options > Encryption section does not display an option to disable encryption, and the virtual machine continues to show as encrypted.

  • The VM may display the following message in the vCenter Server UI:

    This VM is encrypted with Trusted Platform Module


  • This message confirms that the VM is configured with a Virtual Trusted Platform Module (vTPM), which enforces encryption dependencies and prevents direct removal of encryption until the vTPM device is properly removed.

Environment

VMware vCenter Server 8.x
VMware ESXi 8.x

Cause

The failure to disable encryption occurs because the virtual trusted platform module (vTPM) device remains active on the virtual machine.

In vSphere, encryption and vTPM functionality are tightly integrated. The vTPM device stores cryptographic material tied to the VM’s encryption state. As long as the vTPM device is present, vSphere prevents encryption removal to maintain data integrity and security.

Resolution

To successfully toggle and disable encryption, the vTPM must first be removed. Only after this dependency is cleared can encryption be fully detached from the VM.

To remove encryption from the VM, follow these steps:

  1. Important: Make sure there is a valid backup of the virtual machine before making these changes.

  2. Remove Encryption and vTPM Device

    • In the vSphere Client, power off the virtual machine.

    • Navigate to Edit Settings → Virtual Hardware → Trusted Platform Module.

    • Remove the vTPM device.

    • Disable encryption from the virtual machine settings.

    • The Encrypt VM toggle is now visible.

  3. Reboot the virtual machine

    • Power on the virtual machine and verify that it boots successfully into the operating system.

    • The encryption indicator should no longer appear, confirming successful removal of encryption.

After performing the above steps:

  • The virtual machine's summary tab should no longer indicate encryption status.

  • The vTPM device should no longer appear under Virtual Hardware.

  • The virtual machine should boot normally without encryption enforcement.
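The same dependency can be checked from PowerCLI before and after the procedure. The following read-only report is an added example, not code from this article or from Broadcom. It assumes VMware PowerCLI is installed and a session is already open with Connect-VIServer; the function name Get-VTpmEncryptionState and the NextStep wording are hypothetical.

```powershell
# Added example (not from the original article). Read-only: it changes nothing.
# Assumes PowerCLI is loaded and Connect-VIServer has already been run.
function Get-VTpmEncryptionState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $VM    # VM object as returned by Get-VM
    )
    process {
        $config = $VM.ExtensionData.Config

        # A vTPM shows up as a VirtualTPM device in the virtual hardware list.
        $hasVTpm = [bool]($config.Hardware.Device |
            Where-Object { $_ -is [VMware.Vim.VirtualTPM] })

        # Config.KeyId is populated only while the VM home files are encrypted.
        $encrypted  = $null -ne $config.KeyId
        $poweredOff = "$($VM.PowerState)" -eq 'PoweredOff'

        # Map the observed state onto the order of steps in the Resolution section.
        $next = if (-not $encrypted -and -not $hasVTpm) {
            'None: no vTPM and not encrypted'
        } elseif (-not $poweredOff) {
            'Confirm a valid backup, then power off the VM'
        } elseif ($hasVTpm) {
            'Remove the vTPM device, then disable encryption'
        } else {
            'Disable encryption in Edit Settings > VM Options > Encryption'
        }

        [pscustomobject]@{
            Name        = $VM.Name
            PowerState  = $VM.PowerState
            HasVTpm     = $hasVTpm
            Encrypted   = $encrypted
            KeyProvider = $config.KeyId.ProviderId.Id   # empty when not encrypted
            NextStep    = $next
        }
    }
}

# Report every VM in the connected vCenter Server inventory.
Get-VM | Get-VTpmEncryptionState | Sort-Object Name | Format-Table -AutoSize
```

A VM that has completed the procedure reports HasVTpm and Encrypted as False with an empty KeyProvider.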

Additional Information

Removing the vTPM device breaks the encryption dependency between the virtual machine and the vSphere native key provider, allowing encryption to be safely disabled.

Also, Microsoft has included TPM support as a requirement for Windows 11. While there are ways to circumvent these requirements for testing, the vTPM functionality allows you to remain fully supported by Microsoft.

For further guidance and FAQs, refer to the following VMware documentation: