VDI Provisioning Failures with Template Distribution on Hyper-V (Windows 11 VMs)

0 users found this article helpful

Applies to:
- Parallels Remote Application Server
Last Review: May 22, 2026
Available Translations:
Get updates

Symptoms

Administrators provisioning Virtual Desktop Infrastructure (VDI) hosts in Parallels Remote Application Server (RAS) may encounter failures when using Template Distribution with Windows 11-based templates on Hyper-V.

Common observed behaviors include:

1. VDI host creation fails during provisioning.

2. Replica VMs created from the template fail to power on when distributed to a different Hyper-V provider host.

3. No issues occur when:

The replica remains on the original Hyper-V host, or
The Trusted Platform Module (TPM) is manually disabled on the replicated VM.

4. Errors may appear, indicating an inability to start the VM or issues related to security/TPM configuration.

Cause

This issue is related to Windows 11 security requirements and how Hyper-V handles TPM and Key Protectors across hosts.

Key contributing factors:

Windows 11 requires Secure Boot and TPM to be enabled for installation and normal operation.

When TPM is enabled on a Hyper-V VM:

A Key Protector is generated and tied to the originating Hyper-V host.

During Template Distribution, the VM template is copied to a different Hyper-V provider host:

The destination host cannot decrypt or unwrap the original Key Protector.
As a result, the VM fails to power on due to an invalid or inaccessible TPM state.

Resolution

Administrators can resolve this issue using one of the following supported approaches:

Option 1: Regenerate Key Protector on Destination Host (Recommended – Preserves TPM)

This approach maintains TPM functionality while resolving the Key Protector mismatch.

Run the following PowerShell commands on the destination Hyper-V provider host:

Disable-VMTPM -VMName "YourReplicaVMName"

Set-VMKeyProtector -VMName "YourReplicaVMName" -NewLocalKeyProtector

Enable-VMTPM -VMName "YourReplicaVMName"

Result:

A new, valid Key Protector is created on the destination host.

The VM will successfully power on with TPM enabled.

Option 2: Disable TPM in Template (Bypass TPM Dependency)

This approach removes TPM dependencies entirely for easier cross-host distribution.

Steps:

Open the golden image VM settings in Hyper-V.
Disable TPM before converting the VM into a Parallels RAS template.
Enable Template Distribution and proceed with provisioning.

Result:

The template can be successfully distributed across Hyper-V hosts.

Replica VMs will power on without manual intervention.

Use Option 1 if maintaining Windows 11 security features (TPM, BitLocker) is required.

Use Option 2 for simplified deployment and scalability, where TPM is not mandatory.

Was this article helpful?

Tell us how we can improve it.