Encrypted virtual machines are flagged as invalid after manually registering them via the vCenter UI

Article ID: 418650

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • After an ESXi host is moved from one vCenter Server to another, the task to register an encrypted virtual machine completes successfully, but the virtual machines are displayed as Invalid in the vCenter UI.
  • The "Virtual Machine Locked" alarm is shown on the virtual machine's Summary tab.
  • The Native Key Provider was restored from the source vCenter to the destination vCenter with the key provider constraint "Use key provider only with TPM-protected ESXi hosts" enabled.
  • During virtual machine registration, the following entries are logged in /var/log/vmware/vpxd.log on the vCenter Server (note the "No TPM2 device" provider status, the failed key push and the crypto state change to locked):

    YYYY-MM-DDTHH:MM:SS.###Z error vpxd[#####] [Originator@#### sub=InvtVm opID=########-#####-auto-####-h5:########-##-##] Failed to update entity state moId; vm-####, callId: #, e: N3Vim5Fault20GenericVmConfigFault9ExceptionE(Fault cause: vim.fault.GenericVmConfigFault
    YYYY-MM-DDTHH:MM:SS.###Z info vpxd[#####] [Originator@#### sub=CryptoManager opID=########-#####-auto-####-h5:########-##-##] The crypto state of VM [vim.VirtualMachine:vm-####,VM_name] on host [vim.HostSystem:host-####,Host_Name] was changed from unset to locked
    YYYY-MM-DDTHH:MM:SS.###Z info vpxd[#####] [Originator@#### sub=CryptoManager opID=########-#####-auto-####-h5:########-##-##] Key info for VM VM_name during register operation:
    YYYY-MM-DDTHH:MM:SS.###Z warning vpxd[#####] [Originator@#### sub=CryptoManager opID=########-#####-auto-####-h5:########-##-##] Get key providers Key_provider_name status on [vim.HostSystem:host-####,Host_Name]: No TPM2 device.
    YYYY-MM-DDTHH:MM:SS.###Z warning vpxd[#####] [Originator@#### sub=CryptoManager opID=########-#####-auto-####-h5:########-##-##] Failed to send keys #############/##################################################/################/+#########+#####################################/Key_provider_name to host [vim.HostSystem:host-####,Host_Name] for vm [vim.VirtualMachine:vm-####,VM_name] during register operation:
    YYYY-MM-DDTHH:MM:SS.###Z info vpxd[#####] [Originator@#### sub=VdbOpJournal opID=########-#####-auto-####-h5:########-##-##] Removed journal id=##
    YYYY-MM-DDTHH:MM:SS.###Z info vpxd[#####] [Originator@#### sub=CryptoManager opID=########-#####-auto-####-h5:########-##-##] Key info for VM VM_Name after register operation:
    YYYY-MM-DDTHH:MM:SS.###Z warning vpxd[#####] [Originator@#### sub=CryptoManager opID=########-#####-auto-####-h5:########-##-##] Failed to unlock VM [vim.VirtualMachine:vm-####,VM_Name] on host [vim.HostSystem:host-####,Host_name]: N3Vim5Fault8NotFound9ExceptionE(Fault cause: vim.fault.NotFound
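When many VMs were registered in one migration, reading vpxd.log by hand does not scale. The script below is an added example (not part of the KB article and not a VMware tool): it groups the CryptoManager lines by opID and reports each register operation that left a VM locked with the "No TPM2 device" provider status. The regular expressions follow the log shape shown above; the sample log, the host and VM names, the key provider name nkp-prod and the identifiers are all constructed placeholders.

```python
"""Triage vpxd.log for the signature above: a register operation in which the
key provider reports "No TPM2 device" for the host, the key push fails and the
VM's crypto state changes to locked.

Added example, not part of the KB article or VMware's tooling. The regexes
follow the log shape shown on this page; the sample lines below are constructed
with placeholder names and identifiers and do not come from a real system."""
from __future__ import annotations
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+vpxd\[\d+\]\s+\[Originator@\S+\s+sub=(?P<sub>\S+)"
    r"\s+opID=(?P<op>[^\]\s]+)\]\s+(?P<msg>.*)$")
STATE_RE = re.compile(
    r"The crypto state of VM \[vim\.VirtualMachine:[^,]+,(?P<vm>[^\]]+)\] on host "
    r"\[vim\.HostSystem:[^,]+,(?P<host>[^\]]+)\] was changed from \S+ to (?P<state>\S+)")
PROVIDER_RE = re.compile(
    r"Get key providers (?P<kp>\S+) status on \[vim\.HostSystem:[^,]+,(?P<host>[^\]]+)\]: "
    r"(?P<status>.+?)\.?$")
SEND_RE = re.compile(
    r"Failed to send keys \S+ to host \[vim\.HostSystem:[^,]+,(?P<host>[^\]]+)\] for vm "
    r"\[vim\.VirtualMachine:[^,]+,(?P<vm>[^\]]+)\]")
UNLOCK_RE = re.compile(
    r"Failed to unlock VM \[vim\.VirtualMachine:[^,]+,(?P<vm>[^\]]+)\] on host "
    r"\[vim\.HostSystem:[^,]+,(?P<host>[^\]]+)\]: .*Fault cause: (?P<fault>[\w.]+)")


@dataclass
class Finding:
    """Everything the CryptoManager logged for one register operation (one opID)."""
    opid: str
    vm: str = ""
    host: str = ""
    key_provider: str = ""
    provider_status: str = ""
    crypto_state: str = ""
    keys_sent: bool = True
    unlock_fault: str = ""

    @property
    def tpm_constraint_mismatch(self) -> bool:
        """The article's failure: VM locked because the provider rejects a host with no TPM2."""
        return self.crypto_state == "locked" and "No TPM2 device" in self.provider_status


def triage(log_text: str) -> list[Finding]:
    """Group CryptoManager lines by opID and return the operations that left a VM locked."""
    findings: dict[str, Finding] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["sub"] != "CryptoManager":
            continue  # InvtVm, VdbOpJournal and other subsystems are noise here
        f = findings.setdefault(m["op"], Finding(opid=m["op"]))
        msg = m["msg"]
        if s := STATE_RE.search(msg):
            f.vm, f.host, f.crypto_state = s["vm"], s["host"], s["state"]
        elif p := PROVIDER_RE.search(msg):
            f.key_provider, f.host, f.provider_status = p["kp"], p["host"], p["status"]
        elif k := SEND_RE.search(msg):
            f.vm, f.host, f.keys_sent = k["vm"], k["host"], False
        elif u := UNLOCK_RE.search(msg):
            f.unlock_fault = u["fault"]
    return [f for f in findings.values() if f.crypto_state == "locked" or not f.keys_sent]


def _register_op(op: str, moid: str, vm: str, host: str = "esx01.lab.example") -> str:
    """Constructed vpxd.log excerpt for one failed register (placeholder values throughout)."""
    pre = f"2024-05-01T10:15:02.100Z {{lvl}} vpxd[12345] [Originator@6876 sub={{sub}} opID={op}]"
    h = f"[vim.HostSystem:host-12,{host}]"
    v = f"[vim.VirtualMachine:{moid},{vm}]"
    return "\n".join([
        pre.format(lvl="error", sub="InvtVm") + f" Failed to update entity state moId; {moid}, callId: 1, "
        "e: N3Vim5Fault20GenericVmConfigFault9ExceptionE(Fault cause: vim.fault.GenericVmConfigFault",
        pre.format(lvl="info", sub="CryptoManager") + f" The crypto state of VM {v} on host {h} was changed from unset to locked",
        pre.format(lvl="info", sub="CryptoManager") + f" Key info for VM {vm} during register operation:",
        pre.format(lvl="warning", sub="CryptoManager") + f" Get key providers nkp-prod status on {h}: No TPM2 device.",
        pre.format(lvl="warning", sub="CryptoManager") + f" Failed to send keys 1111/2222/3333/+4444+5555/nkp-prod to host {h} for vm {v} during register operation:",
        pre.format(lvl="info", sub="VdbOpJournal") + " Removed journal id=42",
        pre.format(lvl="warning", sub="CryptoManager") + f" Failed to unlock VM {v} on host {h}: N3Vim5Fault8NotFound9ExceptionE(Fault cause: vim.fault.NotFound",
    ])


# Two VMs registered on the same TPM-less host, each with its own opID (constructed).
SAMPLE_LOG = "\n".join([
    _register_op("1a2b3c4d-0001-auto-5e6f-h5:70000001-01-01", "vm-201", "db01"),
    _register_op("1a2b3c4d-0002-auto-5e6f-h5:70000002-01-01", "vm-202", "web01"),
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "TPM-constraint mismatch" if f.tpm_constraint_mismatch else "locked for another reason"
        print(f"{f.vm} on {f.host}: provider={f.key_provider} status={f.provider_status!r} "
              f"keys_sent={f.keys_sent} unlock_fault={f.unlock_fault} -> {flag}")
```

Run it against a real file with `triage(open("/var/log/vmware/vpxd.log").read())`; a finding whose tpm_constraint_mismatch is False but whose crypto_state is locked points at a different unlock failure (for example a missing key ID) rather than the constraint described here.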

Environment

VMware vCenter Server 8.x

Cause

The Native Key Provider (NKP) was restored on the destination vCenter Server with the "Use key provider only with TPM-protected ESXi hosts" option enabled, but the target ESXi host has no Trusted Platform Module (TPM). With that constraint set, vCenter only releases a VM's keys to a host that has a TPM 2.0 device. The host reports "No TPM2 device", the key push fails, and the VM's crypto state changes from unset to locked.

The registration task itself still succeeds, so the VM appears in the inventory, but because its keys were never delivered it is shown as Invalid with the "Virtual Machine Locked" alarm on the destination vCenter.

Resolution

  • Before changing the key provider, take valid offline (powered-off) snapshots of the vCenter Server appliance and of every linked vCenter VM.
  • Restore the Native Key Provider from its backup, leaving the option "Use key provider only with TPM-protected ESXi hosts" unchecked if the ESXi host does not have a TPM. If your policy requires the TPM-only constraint, keep it enabled and instead register the VM on an ESXi host that has a TPM 2.0 device.
  • Register the virtual machine on the destination vCenter again and confirm it is no longer shown as Invalid.
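Before re-registering, it is worth confirming that the destination host can actually receive keys from the provider, so the VM does not land in the locked state a second time. The following is an added example (not VMware's code and not part of the KB article): the decision logic is plain Python and runs offline against a constructed inventory; the collect() helper reads the same facts from a live vCenter through pyVmomi. The vSphere API members it uses (CryptoManagerKmip.ListKmipServers, KmipClusterInfo.clusterId and tpmRequired, HostCapability.tpmSupported) are real; the helper names, the provider name nkp-prod and the host names are assumptions made for the example.

```python
"""Pre-flight check before re-registering an encrypted VM: a TPM-constrained
Native Key Provider will not hand keys to a host without a TPM 2.0 device.

Added example, not VMware's code. collect() uses real vSphere API members
(ListKmipServers, KmipClusterInfo.tpmRequired, HostCapability.tpmSupported);
the sample inventory and names below are constructed for this example."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyProvider:
    name: str
    tpm_required: bool  # the "Use key provider only with TPM-protected ESXi hosts" option


@dataclass(frozen=True)
class Host:
    name: str
    tpm_supported: bool  # HostCapability.tpmSupported


def check_registration(kp: KeyProvider, host: Host) -> tuple[bool, str]:
    """Predict whether vCenter will push a VM's keys to this host.
    False reproduces the article's failure: the VM registers but stays locked/Invalid."""
    if kp.tpm_required and not host.tpm_supported:
        return False, (f"{kp.name} is restricted to TPM-protected hosts and "
                       f"{host.name} reports no TPM2 device")
    return True, f"{host.name} can receive keys from {kp.name}"


def safe_hosts(kp: KeyProvider, hosts: list[Host]) -> list[str]:
    """Hosts on which an encrypted VM using kp can be registered without locking."""
    return [h.name for h in hosts if check_registration(kp, h)[0]]


def collect(si) -> tuple[list[KeyProvider], list[Host]]:
    """Gather the same facts from a live vCenter (si is a pyVmomi ServiceInstance).
    Imported lazily so the pure logic above runs without pyVmomi installed."""
    from pyVmomi import vim
    content = si.RetrieveContent()
    # On vCenter, content.cryptoManager is a CryptoManagerKmip; NKP entries appear
    # as KmipClusterInfo objects whose tpmRequired mirrors the UI checkbox.
    providers = [KeyProvider(c.clusterId.id, bool(getattr(c, "tpmRequired", False)))
                 for c in content.cryptoManager.ListKmipServers()]
    view = content.viewManager.CreateContainerView(content.rootFolder, [vim.HostSystem], True)
    hosts = [Host(h.name, bool(h.capability.tpmSupported)) for h in view.view]
    view.Destroy()
    return providers, hosts


# Constructed sample inventory mirroring the article: a TPM-constrained NKP,
# one host without a TPM and one with a TPM.
SAMPLE_PROVIDERS = [KeyProvider("nkp-prod", tpm_required=True)]
SAMPLE_HOSTS = [Host("esx01.lab.example", tpm_supported=False),
                Host("esx02.lab.example", tpm_supported=True)]

if __name__ == "__main__":
    for kp in SAMPLE_PROVIDERS:
        for h in SAMPLE_HOSTS:
            ok, why = check_registration(kp, h)
            print(("OK   " if ok else "LOCK ") + why)
        print(f"hosts safe for {kp.name}: {safe_hosts(kp, SAMPLE_HOSTS)}")
```

With a live connection, replace the sample inventory with `providers, hosts = collect(si)`; an empty safe_hosts() list for the provider in use means you must either clear the TPM constraint when restoring the NKP (the resolution above) or add a TPM-equipped host before registering.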

Additional Information

Refer to: vSphere Native Key Provider (NKP) Questions & Answers