I have a Dell R940 with a TPM 2.0 module. The spec of the server matches the compatibility requirements for 8.0.
TPM seems to be working and I get the following confirmation:
localcli hardware trustedboot get
TrustedbootGet:
Drtm Enabled: true
Tpm Present: true
The problem I am having is that virtual machines being created on the host are not being offered TPM hardware. I understand that virtual TPM hardware is available via vCenter, but I was under the impression that the TPM hardware on the host would be available to VMs installed on that HOST? Is my understanding incorrect?
The aim is for this server to be utilised as a test environment for various OSes, including those requiring TPM (Windows 11 and the newer MS servers specifically). Currently I am unable to install these OSes, as they fail the TPM requirements of the OS.
Advice and guidance would be greatly appreciated.
Actually, it is a little bit different from what you described: the TPM hardware chip is needed when you want to encrypt and secure the ESXi host during boot. What is offered to the VMs is the vTPM feature, which simulates exactly the same thing, but in software.
Here is good documentation explaining the differences between the vTPM and the TPM. You will also see good detail on the requirements: https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6F811A7A-D58B-47B4-84B4-73391D55...
Thanks for the link and reply.
I understood the need for the vTPM, the advantages it provides and the reason for its additional requirements (vCenter), but I was under the impression from documents I had read that when the HOST machine had a dedicated TPM module there was an additional path utilising the HOST hardware, with an element of passthrough that VMs could utilise, albeit with the limitation that these VMs would be totally reliant on being hosted on that specific HOST and not transportable to other HOSTs. That feature itself, in my mind, would then also provide a level of additional security in the lab test environment, ensuring a VM could not be used outside the HOST and subsequently leave the test environment.
I am hoping there is indeed a way to utilise machine-specific TPM hardware and that I have not misinterpreted the document I had read (posted below), as if this feature is not available on ESXi Hypervisor, with the latest OSes being ever more TPM reliant, the ESXi Hypervisor is going to become ineffective. The ESXi Hypervisor license cannot be used with vCenter, so the only path would then be vSphere coupled with its big sister vCenter.
I have always utilised ESXi Hypervisor to spin up multiple versions of OS configurations for platform-specific software testing, to ensure compatibility and provide client support. So I am very much hoping I have not misinterpreted the direct hardware path I read about, and that there is indeed a way to configure things to continue using ESXi Hypervisor and host TPM-reliant OSes. I am still hoping someone can enlighten me, or confirm that's not going to happen and I need to rethink things.
QUOTE FROM ARTICLE I HAD READ:
VMware has had support for TPM 1.2 since ESXi 5.x. However, before vSphere 6.7, the APIs and functionality of TPM 1.2 were limited to very specific use cases. VMware vSphere 6.7 added support for TPM 2.0 and the ability to use a Virtual Trusted Platform Module (vTPM) device for Windows 10 and Windows Server 2016 and higher.
With the Virtual Trusted Platform Module (vTPM), you can add a TPM 2.0 virtual cryptoprocessor to a virtual machine. The vTPM is a software-based representation of a physical TPM 2.0 security device. If you have a VMware ESXi host with a TPM 2.0 card running an ESXi version before 6.7, it will not see the TPM 2.0 device. Conversely, the new features in vSphere 6.7 do not use a TPM 1.2 device.
To install Windows 11 in VMware vSphere, you need to be running VMware vSphere 6.7 or higher to add the vTPM device to meet the Windows 11 hardware requirements for installation. END QUOTE
I too was under this impression. I don't want to set up vCenter for my lab.
Got your explanation and it is more than clear, but unfortunately, even reading your snippet, vTPM is the one used to secure the VMs, and for that you need vCenter as per the requirements sheet. The TPM will be used for host attestation, but the module will not be presented to the VMs if you do not have vCenter.
If that is the current position, then ESXi 8.0 has less functionality than VMware Workstation, which works in exactly the manner I was expecting ESXi to work.
It seems a massive shortfall in functionality, when comparing to Workstation, and considering the whole point of ESXi Hypervisor was to enable lab environments and techs to hone skills without the need for full licenses. TPM is not an enterprise-specific requirement; it's a general requirement, confirmed by the fact that Workstation supports TPM.
This pretty much means we no longer have a viable path to continue using ESXi to test Windows 11/Windows Server 2022 without resorting to 60-day rebuilds. This just seems like a massive oversight.