Symptoms
Administrators provisioning Virtual Desktop Infrastructure (VDI) hosts in Parallels RAS may encounter failures when using Template Distribution with Windows 11-based templates on Hyper-V.
Common observed behaviors include:
- VDI host creation fails during provisioning.
- Replica VMs created from the template fail to power on when distributed to a different Hyper-V provider host.
- The following error appears in the Hyper-V event log on the destination host:
  The key protector for the virtual machine could not be unwrapped. Details are included in the HostGuardianService-Client event log.
- No issues occur when the replica remains on the original Hyper-V host, or when TPM is manually disabled on the replicated VM.
Cause
This issue is caused by how Hyper-V handles TPM and Key Protectors across hosts, combined with Windows 11 security requirements.
Windows 11 requires Secure Boot and TPM to be enabled for installation and normal operation. When TPM is enabled on a Hyper-V VM, a Key Protector is generated and cryptographically bound to the originating Hyper-V host via its Host Guardian Service (HGS) identity.
During Template Distribution, the VM template is copied to a different Hyper-V provider host. The destination host has a different HGS identity, so it cannot decrypt or unwrap the original Key Protector. As a result, the VM fails to power on.
Resolution
Use one of the following approaches depending on your requirements:
Option 1: Regenerate the Key Protector on the destination host (Recommended — preserves TPM)
This approach keeps TPM enabled on the VM while resolving the Key Protector mismatch. Run the following PowerShell commands on the destination Hyper-V provider host for each affected replica VM:
Disable-VMTPM -VMName "YourReplicaVMName"                                # TPM must be off before the protector can be replaced
Set-VMKeyProtector -VMName "YourReplicaVMName" -NewLocalKeyProtector    # create a new protector bound to this host's HGS identity
Enable-VMTPM -VMName "YourReplicaVMName"                                 # re-enable TPM using the new protector
Replace YourReplicaVMName with the actual name of the replica VM on that host. Repeat for each replica VM distributed to that destination host.
Result: A new, valid Key Protector is created on the destination host. The VM powers on with TPM enabled.
Warning: If BitLocker is enabled inside the VM, Windows may detect that the TPM state has changed and prompt for the BitLocker Recovery Key on the next boot. Ensure you have the BitLocker Recovery Key available before applying this option.
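When many replicas land on the same destination host, the three steps above are easier to apply as a loop with a dry-run mode. The following script is an added example and not part of the Parallels article; it assumes the replica VMs share a name prefix (the pattern values are placeholders) and that each VM is powered off, since Hyper-V rejects TPM changes on a running VM.

```powershell
# Added example (not from the Parallels KB article): regenerate the Key Protector
# for every replica VM on this destination Hyper-V host whose name matches a pattern.
# Run on the destination host as an administrator. Have the BitLocker Recovery Key
# at hand if BitLocker is enabled inside the guest (see the warning above).
function Repair-ReplicaKeyProtector {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$NamePattern = 'YourReplicaPrefix*'   # placeholder, adjust to your naming
    )

    foreach ($vm in Get-VM | Where-Object { $_.Name -like $NamePattern }) {
        if ($vm.State -ne 'Off') {
            Write-Warning "$($vm.Name): state is $($vm.State); skipping (VM must be Off)."
            continue
        }

        # Only VMs with TPM enabled carry a host-bound Key Protector worth replacing.
        $security = Get-VMSecurity -VM $vm
        if (-not $security.TpmEnabled) {
            Write-Verbose "$($vm.Name): TPM already disabled, nothing to regenerate."
            continue
        }

        if ($PSCmdlet.ShouldProcess($vm.Name, 'Regenerate local Key Protector')) {
            # Same three steps as the article; protector sizes are logged so the
            # replacement is visible in the session transcript.
            $before = (Get-VMKeyProtector -VM $vm).Length
            Disable-VMTPM -VM $vm
            Set-VMKeyProtector -VM $vm -NewLocalKeyProtector
            Enable-VMTPM -VM $vm
            $after = (Get-VMKeyProtector -VM $vm).Length
            Write-Host "$($vm.Name): key protector replaced ($before -> $after bytes)."
        }
    }
}

# Dry run first (lists what would change), then apply with progress output.
Repair-ReplicaKeyProtector -NamePattern 'Win11-VDI-*' -WhatIf
Repair-ReplicaKeyProtector -NamePattern 'Win11-VDI-*' -Verbose
```

After the run, start one replica and confirm that no new "could not be unwrapped" entry appears in the destination host's Hyper-V event log before starting the rest.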
Option 2: Disable TPM in the template before distribution (Simpler deployment — no TPM)
This approach removes the TPM dependency entirely, allowing the template to be distributed across Hyper-V hosts without manual intervention per replica.
- Open the golden image VM settings in Hyper-V Manager.
- Disable TPM on the VM before converting it into a Parallels RAS template.
- Create the VDI template in the RAS Console and enable Template Distribution.
- Proceed with provisioning.
Result: The template distributes successfully across Hyper-V hosts and replica VMs power on without manual intervention.
Note: Disabling TPM removes Windows 11 hardware security features, including TPM-based BitLocker encryption. Use this option only in environments where TPM is not required by policy.
| | Option 1 (Recommended) | Option 2 |
|---|---|---|
| TPM preserved | Yes | No |
| BitLocker compatible | Yes (Recovery Key may be required after first boot) | No |
| Manual steps per replica | Yes (PowerShell on each destination host) | No |
| Best suited for | Environments requiring Windows 11 security features | Simplified deployment at scale where TPM is not required |
Note: A product-level fix for this behavior is planned for a future release of Parallels RAS.