A vCenter Server alarm notifies you when an encrypted virtual machine is in a locked state. You can unlock a locked encrypted virtual machine by using the vSphere Client (HTML5-based client) after taking the necessary steps to make the required keys available on the KMS.


  • Verify that you have the required privileges: Cryptographic operations.RegisterVM
  • Other privileges might be required for optional tasks such as enabling host encryption.
  • Before unlocking a locked virtual machine, troubleshoot the cause of the lock and attempt to fix the problem manually. See Resolve Missing Key Issues.


  1. Connect to vCenter Server by using the vSphere Client.
  2. Navigate to the virtual machine's Summary tab.
    When a virtual machine is locked, the Virtual Machine Locked alarm appears.
  3. Decide if you want to either acknowledge the alarm, or reset the alarm to green but not unlock the virtual machine now.
    When you click either Acknowledge or Reset to green, the alarm goes away, but the virtual machine remains locked until you unlock it.
  4. Navigate to the virtual machine's Monitor tab and click Events to get more information about why the virtual machine is locked.
  5. Perform suggested troubleshooting before you unlock the virtual machine.
  6. Navigate to the virtual machine's Summary tab and click Unlock VM, located underneath the virtual machine console.
    A message appears, warning that encryption key data is transmitted to the host.
  7. Click Yes.