How to detect if the VTPM is enabled in a VM through syslogs

Hi all, I am trying to track the events that notify that vTPM is enabled on the VM through syslogs. I see a Cryptographic event in the VM related to AddKey, as configured in the KMS (Key Management System). But if I select only the Encryption option and do not add a vTPM to the VM, it still shows the AddKey event. Is there a way to differentiate between these two events? Or is there a way to see the vTPM-related events in the syslogs?

1 Reply
Community Manager

What is your definition of "enabled" and what exactly are you trying to do or understand?

The reason I ask is that vSphere does produce a vSphere Event when a TPM is added to a VM. It is part of a generic "VmReconfiguredEvent" event, and within that Event you'll see the changes that were applied; if you were to just add a vTPM device, you would see that in the payload. Using the VMware Event Broker Appliance (VEBA) Fling is the easiest way to visualize and see this event.

Here's a snippet of the payload:

"DeviceChange": [
  {
    "Operation": "add",
    "FileOperation": "",
    "Device": {
      "Key": -1,
      "DeviceInfo": {
        "Label": "Virtual TPM",
        "Summary": "Virtual Trusted Platform Module"
      },
      "Backing": null,
      "Connectable": null,
      "SlotInfo": null,
      "ControllerKey": 0,
      "UnitNumber": null,
      "EndorsementKeyCertificateSigningRequest": null,
      "EndorsementKeyCertificate": null
    },
    "Profile": null,
    "Backing": null
  }
]

If you are not interested in when a vTPM is added and simply whether it has been configured for a VM, you can use the vSphere API (including PowerCLI) to check the tpmPresent property, which will only be true if a vTPM has been configured.

When/how the KMS is used is probably something you need to check with the KMS vendor, as I'm not aware of anything that differentiates between the operations you describe.

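As an added example (not part of the reply above, nor VMware or VEBA code), the following Python shows how a consumer of VEBA-forwarded VmReconfiguredEvent payloads can tell a vTPM add or remove apart from a reconfigure that only touched encryption, which is the distinction the question asks for. The sample events are constructed, modelled on the DeviceChange snippet quoted in the reply; the nesting of "DeviceChange" under "ConfigSpec" and the "Vm"/"Name" keys are assumptions about the serialized event shape, not something the reply shows.

```python
import json

# Constructed sample events (not captured from a real vCenter). The vTPM device
# block mirrors the snippet quoted in the reply; everything else is assumed.
SAMPLE_EVENTS = json.loads("""
[
  {
    "Vm": {"Name": "web-01"},
    "ConfigSpec": {
      "DeviceChange": [
        {
          "Operation": "add",
          "FileOperation": "",
          "Device": {
            "Key": -1,
            "DeviceInfo": {"Label": "Virtual TPM",
                           "Summary": "Virtual Trusted Platform Module"},
            "Backing": null,
            "Connectable": null,
            "SlotInfo": null,
            "ControllerKey": 0,
            "UnitNumber": null,
            "EndorsementKeyCertificateSigningRequest": null,
            "EndorsementKeyCertificate": null
          },
          "Profile": null,
          "Backing": null
        }
      ]
    }
  },
  {
    "Vm": {"Name": "db-01"},
    "ConfigSpec": {"DeviceChange": []}
  },
  {
    "Vm": {"Name": "web-02"},
    "ConfigSpec": {
      "DeviceChange": [
        {
          "Operation": "remove",
          "Device": {
            "Key": 11000,
            "DeviceInfo": {"Label": "Virtual TPM",
                           "Summary": "Virtual Trusted Platform Module"},
            "EndorsementKeyCertificate": null
          }
        }
      ]
    }
  }
]
""")

VTPM_LABEL = "Virtual TPM"


def vtpm_device_changes(event: dict) -> list:
    """Return one {'operation', 'label'} record per vTPM entry in DeviceChange.

    Two signals identify the device, both visible in the quoted payload: the
    "Virtual TPM" label vSphere assigns, and the endorsement-key certificate
    fields that only a virtual TPM device carries.
    """
    changes = (event.get("ConfigSpec") or {}).get("DeviceChange") or []
    hits = []
    for change in changes:
        device = change.get("Device") or {}
        info = device.get("DeviceInfo") or {}
        is_vtpm = (info.get("Label") == VTPM_LABEL
                   or "EndorsementKeyCertificate" in device)
        if is_vtpm:
            hits.append({"operation": change.get("Operation"),
                         "label": info.get("Label")})
    return hits


def classify(event: dict) -> str:
    """Label a reconfigure event by what it did to the VM's vTPM device."""
    ops = {h["operation"] for h in vtpm_device_changes(event)}
    if not ops:
        return "no-vtpm-change"   # e.g. an encryption-only reconfigure
    if "add" in ops:
        return "vtpm-added"
    if "remove" in ops:
        return "vtpm-removed"
    return "vtpm-edited"


def scan(events: list) -> list:
    """Return (vm name, verdict) pairs for a batch of reconfigure events."""
    return [((e.get("Vm") or {}).get("Name", "?"), classify(e)) for e in events]


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_EVENTS):
        print(f"{name}: {verdict}")
```

The classifier only answers "did this reconfigure touch the vTPM device"; the reply's tpmPresent check remains the right way to confirm the current state of a VM, since an event stream can be missed or truncated.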