VMware Cloud Community
niceguy001
Enthusiast

virtual TPM for Windows 10 and 2016 only?

I've read the article about vTPM in vSphere 6.7: Virtual Trusted Platform Modules - VMware vSphere Blog

According to the content, the vTPM function seems to work only on Windows 10 or Server 2016 virtual machines. Is that correct?

What about other OSes? Which API can enable vTPM for other VM OSes?

The last question is: does the vTPM need a certificate configured on it, or will the guest OS do that job?

Does anyone know? Any reply will be appreciated.


Accepted Solutions
MarcelDaube
Contributor

Hi niceguy001,

Yes, it is correct. See VMware Docs: "Add a Virtual Trusted Platform Module to a Virtual Machine", and the video "vSphere 6.7: Virtual TPM 2.0" on YouTube.

Prerequisites

  • Ensure your vSphere environment is configured for virtual machine encryption. See Set up the Key Management Server Cluster.
  • The guest OS you use must be either Windows Server 2016 (64 bit) or Windows 10 (64 bit).
  • The ESXi hosts running in your environment must be ESXi 6.7 or later.
  • The virtual machine must use EFI firmware.

https://docs.vmware.com/en/VMware-vSphere/6.7/vsphere-esxi-vcenter-server-67-security-guide.pdf

Please be so kind and mark this answer as "correct" or "helpful" if you think your questions have been answered.

Thanks

Marcel


RickVerstegen
Expert

You can enable a vTPM for virtual machines running on vSphere 6.7 and later. The VMware virtual TPM is compatible with TPM 2.0 and creates a TPM-enabled virtual chip for use by the virtual machine and the guest OS it hosts.

To use virtual TPM, the following prerequisites must be met:

  • Ensure your vSphere environment is configured for virtual machine encryption. See Set up the Key Management Server Cluster.
  • The guest OS you use must be either Windows Server 2016 (64 bit) or Windows 10 (64 bit).
  • The ESXi hosts running in your environment must be ESXi 6.7 or later.
  • The virtual machine must use EFI firmware.

Rick

Was I helpful? Give a kudo for appreciation!
Blog: https://rickverstegen84.wordpress.com/
Twitter: https://twitter.com/verstegenrick
Geogee
Enthusiast

I don't know if you have already solved this problem, but I have found an option for how to add a vTPM to a VM other than one with a Windows 10/2016 OS (the only case available in the HTML5 client).

But you need to go into API calls.

I have used the Code Capture feature that came with 6.7 U2.

PowerShell code:

$VMName = "RedHat"

# Reconfigure spec with a single device change: add one VirtualTPM device.
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.DeviceChange = New-Object VMware.Vim.VirtualDeviceConfigSpec[] (1)
$spec.DeviceChange[0] = New-Object VMware.Vim.VirtualDeviceConfigSpec
$spec.DeviceChange[0].Device = New-Object VMware.Vim.VirtualTPM
$spec.DeviceChange[0].Device.DeviceInfo = New-Object VMware.Vim.Description
$spec.DeviceChange[0].Device.DeviceInfo.Summary = 'Trusted Platform Module'
$spec.DeviceChange[0].Device.DeviceInfo.Label = 'Trusted Platform Module'
$spec.DeviceChange[0].Device.Key = -1          # negative key: vSphere assigns the real device key
$spec.DeviceChange[0].Operation = 'add'

# Get the VM's managed object view and submit the reconfigure task.
$_this = Get-VM $VMName | Get-View
$_this.ReconfigVM_Task($spec)

But it is not yet officially supported by VMware.

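As an added example (not code from Geogee's post or from VMware), the same ReconfigVM call wrapped in the prerequisite checks this thread lists, so a VM that cannot use the device is rejected before it is reconfigured and the result is verified afterwards. It assumes an open PowerCLI session (Connect-VIServer) and the placeholder VM name "RedHat"; the hardware-version-14 check is not from the thread.

```powershell
$VMName = 'RedHat'                              # placeholder VM name (assumed)
$vm   = Get-VM -Name $VMName -ErrorAction Stop
$view = $vm | Get-View
$cfg  = $view.Config

# 1. Prerequisite from the thread: the VM must use EFI firmware.
if ($cfg.Firmware -ne 'efi') {
    throw "$VMName uses '$($cfg.Firmware)' firmware; switch the VM to EFI first."
}

# 2. vTPM needs virtual hardware version 14 or later (ESXi 6.7 compatibility).
$hwVersion = [int]($cfg.Version -replace '^vmx-', '')
if ($hwVersion -lt 14) {
    throw "$VMName is hardware version $hwVersion; upgrade compatibility to vmx-14 first."
}

# 3. A VM carries at most one vTPM; do not add a second device.
$existing = $cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] }
if ($existing) {
    Write-Host "$VMName already has a vTPM (device key $($existing.Key)); nothing to do."
    return
}

# 4. vTPM state lives in the encrypted VM home directory, so a KMS must be configured.
#    Config.KeyId is set only once the VM is encrypted; the reconfigure encrypts the
#    home files itself when a KMS is reachable, so this is a warning, not a stop.
if (-not $cfg.KeyId) {
    Write-Warning "$VMName is not encrypted yet; the reconfigure fails without a Key Management Server."
}

# Same spec as the post above: one 'add' operation carrying a VirtualTPM device.
$tpm = New-Object VMware.Vim.VirtualTPM
$tpm.Key = -1                                   # negative key: vSphere assigns the real one
$tpm.DeviceInfo = New-Object VMware.Vim.Description
$tpm.DeviceInfo.Label   = 'Trusted Platform Module'
$tpm.DeviceInfo.Summary = 'Trusted Platform Module'

$devChange = New-Object VMware.Vim.VirtualDeviceConfigSpec
$devChange.Operation = 'add'
$devChange.Device    = $tpm

$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.DeviceChange = @($devChange)
$view.ReconfigVM($spec)                         # synchronous variant; throws on failure

# Verify from the refreshed config rather than trusting the call's return.
$view.UpdateViewData('Config.Hardware.Device')
$added = $view.Config.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] }
if (-not $added) { throw "Reconfigure completed but no vTPM is present on $VMName." }
Write-Host "vTPM added to $VMName with device key $($added.Key)."
```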
rharry
VMware Employee

AFAIK, the reason it was limited to Windows only was that at the time of vTPM's release there wasn't widespread support for tboot "out of the box" in the Linux distributions.

https://trustedcomputinggroup.org/resource/trusted-boot/

It should work if the GOS is configured properly to take advantage of it (although not officially supported, as we didn't test).
