Backup operations fail for Windows Server 2022 Virtual Machines.
Similar error message: "Native Key Provider required".
VMware vCenter 8.x
VMware vSphere ESX 8.x
Windows Server 2022 VMs often have a Virtual Trusted Platform Module (vTPM) added by default or manually during setup. Even if the guest OS is not using BitLocker, the presence of a vTPM triggers the following in vSphere:
Configuration Encryption: The VM's configuration file (.vmx) becomes encrypted.
Storage Policy: The VM may be associated with a "VM Encryption Policy."
Access Restrictions: Backup agents without "Cryptographic Operations" permissions in vCenter cannot interact with the encrypted metadata, leading to job failure.
Before proceeding with the fix, you must ensure BitLocker is NOT enabled inside the Windows Server 2022 Guest OS.
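The BitLocker check required above can be scripted inside the guest. The following is an added example, not part of the original article: the function name Test-VtpmRemovalSafe is hypothetical, it relies on the built-in Get-BitLockerVolume cmdlet, and it assumes an elevated PowerShell session in the Windows Server 2022 guest.

```powershell
# Added example (not from the original article). Run elevated inside the guest OS.
# Reports whether any volume is BitLocker-encrypted or bound to the TPM, which
# would make removing the vTPM unsafe.
function Test-VtpmRemovalSafe {
    [CmdletBinding()]
    param()

    # On Windows Server, BitLocker is an optional feature. If its cmdlets are
    # absent, the feature is not installed; treated here as "not enabled".
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{
            Safe    = $true
            Reason  = 'BitLocker cmdlets not present (feature not installed)'
            Volumes = @()
        }
    }

    $volumes = Get-BitLockerVolume | ForEach-Object {
        $vol = $_
        # Any TPM-based protector (Tpm, TpmPin, TpmStartupKey, ...) ties the volume to the vTPM.
        $tpmBound = @($vol.KeyProtector |
            Where-Object { "$($_.KeyProtectorType)" -like 'Tpm*' }).Count -gt 0
        # A volume with suspended protection (ProtectionStatus Off) is still
        # encrypted on disk, so the decision is made on VolumeStatus.
        $encrypted = "$($vol.VolumeStatus)" -ne 'FullyDecrypted'
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = "$($vol.VolumeStatus)"
            ProtectionStatus = "$($vol.ProtectionStatus)"
            EncryptedPercent = $vol.EncryptionPercentage
            TpmProtector     = $tpmBound
            Blocks           = ($encrypted -or $tpmBound)
        }
    }

    $blocking = @($volumes | Where-Object { $_.Blocks })
    [pscustomobject]@{
        Safe    = ($blocking.Count -eq 0)
        Reason  = if ($blocking.Count -eq 0) { 'No BitLocker-encrypted or TPM-bound volumes found' }
                  else { 'Blocking volumes: ' + ($blocking.MountPoint -join ', ') }
        Volumes = @($volumes)
    }
}

$result = Test-VtpmRemovalSafe
$result.Volumes | Format-Table -AutoSize
if ($result.Safe) { Write-Output "OK: $($result.Reason)" }
else { Write-Warning "Do not remove the vTPM yet. $($result.Reason)" }
```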
Power Off the Windows Server 2022 VM (security hardware cannot be modified while the VM is running).
Right-click the VM and select Edit Settings.
Under the Virtual Hardware tab, locate the Trusted Platform Module device.
Click the X icon to remove the device.
Click OK to save changes.
Right-click the VM -> VM Policies -> Edit VM Storage Policies.
If the policy is set to VM Encryption Policy, change it back to a standard policy (e.g., Datastore Default).
Wait for the "Reconfigure VM" and "Decrypt" tasks to complete in the vCenter task list.
Power On the VM and verify that Windows boots normally to the login screen.
Test Backup: Manually initiate a snapshot or a backup job. The "Native Key Provider required" error should no longer appear, and the backup should complete successfully.