Cross-vCenter Migration Fails for TPM-Enabled Virtual Machines with Key Provider Error
Article ID: 386333

Products

VMware vCenter Server

Issue/Introduction

When attempting to migrate TPM-enabled virtual machines between vCenter instances, the operation fails with errors related to key providers, such as:

  • "Key provider [name] not found"
  • "Cannot apply encryption policy"
  • "You must set the default key provider"

Environment

VMware vSphere environments with:

  • Cross-vCenter migration capabilities
  • TPM-enabled virtual machines
  • Storage policies with encryption settings
  • Virtual machine encryption features

Cause

The migration failure occurs due to one or more of the following conditions:

  1. Missing or mismatched key providers between source and destination vCenters
  2. TPM 2.0 not enabled on the destination host
  3. Storage policy inconsistencies between source and destination
  4. Encryption key availability issues in the destination environment

Resolution

Follow these steps to resolve the migration issue:

    1. Verify Key Provider Configuration
      1. Ensure the same key provider is configured on both source and destination vCenters. To copy the provider from the source to the destination:
          1. On the source vCenter, navigate to Configure > Security > Key Providers.
          2. Select the existing Key Provider and click Back Up to generate a key file.
          3. Restore this key file on the destination vCenter (Restore a vSphere Native Key Provider Using the vSphere Client):
             1. On the destination vCenter, go to Configure > Security > Key Providers.
             2. Click Add, then select Restore from Backup.
             3. Upload the key file previously backed up from the source vCenter.
          4. Retry the migration of the vTPM-enabled VMs.
      2. Verify the key provider connection status shows "Connected" on both vCenters
      3. If using Native Key Provider (NKP), import the source NKP configuration to the destination vCenter

    2. Check Host Requirements
      1. Verify TPM 2.0 is enabled on the destination host
      2. Ensure the destination host meets all hardware requirements for TPM support

    3. Review Storage Policies
      1. Verify storage policies are consistent between source and destination
      2. If necessary, temporarily remove VM storage policies before migration
      3. Reapply storage policies after migration completion

    4. For Encrypted VMs
      1. Verify encryption keys are available in the destination environment
      2. Ensure proper licensing for encryption features is in place
      3. Confirm destination vCenter has appropriate encryption permissions configured
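The checks in steps 1, 2 and 4 above can be run before the migration is attempted. The following PowerCLI function is an added example, not part of this article, and assumes two open Connect-VIServer sessions; the VM name, host name and vCenter names in the usage lines are placeholders.

```powershell
# Pre-flight check for a vTPM VM before a cross-vCenter migration (added example).
# Assumes VMware PowerCLI and two sessions returned by Connect-VIServer.
function Test-VtpmMigrationReadiness {
    param(
        [Parameter(Mandatory)] $SrcServer,            # VIServer object for the source vCenter
        [Parameter(Mandatory)] $DstServer,            # VIServer object for the destination vCenter
        [Parameter(Mandatory)] [string] $VmName,      # VM to migrate
        [Parameter(Mandatory)] [string] $DstHostName  # intended destination ESXi host
    )
    $findings = @()

    # 1. A vTPM requires VM encryption, so Config.KeyId.ProviderId.Id names the key
    #    provider that must also exist on the destination vCenter.
    $vm = Get-View -Server $SrcServer -ViewType VirtualMachine -Property Name,Config.Hardware.Device,Config.KeyId |
          Where-Object { $_.Name -eq $VmName }
    if (-not $vm) { throw "VM '$VmName' not found on source vCenter" }
    if (-not ($vm.Config.Hardware.Device | Where-Object { $_.GetType().Name -eq 'VirtualTPM' })) {
        return @("VM '$VmName' has no vTPM device; key provider checks do not apply")
    }
    $srcProviderId = $vm.Config.KeyId.ProviderId.Id
    if (-not $srcProviderId) { $findings += "vTPM present but Config.KeyId carries no key provider id" }

    # 2. Key providers registered on the destination. Standard (KMS) and Native Key
    #    Providers both appear as KmipClusterInfo entries from the CryptoManager.
    $cryptoMgr = Get-View -Server $DstServer -Id (Get-View -Server $DstServer ServiceInstance).Content.CryptoManager
    $dstProviders = @($cryptoMgr.ListKmipServers())
    if (-not ($dstProviders | Where-Object { $_.ClusterId.Id -eq $srcProviderId })) {
        $findings += "Key provider '$srcProviderId' not found on destination: back it up on the source and restore it here"
    }
    if (-not ($dstProviders | Where-Object { $_.UseAsDefault })) {
        $findings += "No default key provider set on destination ('You must set the default key provider')"
    }

    # 3. Destination host must report TPM 2.0 (host requirement from this article).
    $dstHost = Get-View -Server $DstServer -ViewType HostSystem -Property Name,Capability.TpmSupported,Capability.TpmVersion |
               Where-Object { $_.Name -eq $DstHostName }
    if (-not $dstHost) { throw "Host '$DstHostName' not found on destination vCenter" }
    if (-not $dstHost.Capability.TpmSupported -or $dstHost.Capability.TpmVersion -ne '2.0') {
        $findings += "Host '$DstHostName' does not report TPM 2.0 (TpmVersion='$($dstHost.Capability.TpmVersion)')"
    }

    if ($findings.Count -eq 0) {
        return @("Ready: provider '$srcProviderId' present on destination, default provider set, TPM 2.0 on host")
    }
    return $findings
}

# Usage (vCenter, VM and host names are placeholders):
# $src = Connect-VIServer src-vcenter.example.com; $dst = Connect-VIServer dst-vcenter.example.com
# Test-VtpmMigrationReadiness -SrcServer $src -DstServer $dst -VmName 'app01' -DstHostName 'esx01.example.com'
```

Each returned string maps to one of the causes listed above, so an empty set of findings (the "Ready" line) means the key-provider and host conditions are satisfied; storage policy consistency (step 3) still has to be checked separately.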

Additional Information