VMware Cloud Community
vmb01
Enthusiast

vTPM and ESS+

  1. IHAC trying to install W11 as a guest
  2. As we know, W11 needs TPM (OK, there are tons of sites about a registry hack to avoid this check, but it is unsupported by MS)
  3. We can supply vTPM to a guest... easy.
  4. vTPM needs vSphere Encryption (see documentation: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-6F811A7A-D58B-47B...)
  5. VM encryption is only available in ENT+
  6. So does it mean that only customers with ENT+ will be able to virtualize W11?

 


Accepted Solutions
stadi13
Hot Shot

Hi @vmb01 

Starting with vSphere 7 Update 2 you can use the vSphere Native Key Provider which is included in all vSphere versions for virtualizing Windows 11.

See the quote from this link (https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-54B9FBA2-FDB1-400...) below:

vSphere Native Key Provider is included in all vSphere editions and does not require an external key server (also called a Key Management Server (KMS) in the industry). You can also use vSphere Native Key Provider for vSphere Virtual Machine Encryption, but you must purchase the VMware vSphere® Enterprise Plus Edition™.

Regards Daniel


6 Replies
vmb01
Enthusiast

The vTPM feature is included in both the Essentials kits

Stefan_19911
Contributor

Dear community

I tried to create a VM with Windows 11 and a virtual TPM for the first time on our system with vSphere 7.0.3 Build 0395099

License is "vCenter Server 7"
Product is "vCenter Server 7 Standard"

I added a key provider but I still cannot add a TPM module to a new virtual machine.

Do I need to configure just that native key provider, or do I need to do all the steps from the guide below?

Configure vSphere Trust Authority?

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-39D8AB34-AD45-4B0...

Thank you for a short feedback.
stadi13
Hot Shot

Hi @Stefan_19911 

These steps are not required. Do you have EFI enabled for that virtual machine? Which hardware version do you use?

Regards

Daniel
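
The two things asked about in the reply above (EFI firmware and hardware version) can be read straight from a VM's .vmx file. The following is an added example, not part of the original thread and not VMware code; the sample .vmx text is constructed, and the hardware-version floor of 14 is taken from VMware's documented vTPM requirements rather than from this thread.

```python
import re

# VMware documents virtual hardware version 14 and EFI firmware as vTPM
# prerequisites; the threshold is an assumption not stated in the thread.
MIN_HW_VERSION = 14

_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse .vmx 'key = "value"' lines into a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def vtpm_blockers(vmx_text):
    """Return reasons a vTPM cannot be added to this VM (empty = none found)."""
    cfg = parse_vmx(vmx_text)
    problems = []
    # A missing firmware key means the VM boots with legacy BIOS.
    firmware = cfg.get("firmware", "bios").lower()
    if firmware != "efi":
        problems.append(f"firmware is {firmware}, EFI is required")
    try:
        hw = int(cfg.get("virtualhw.version", ""))
    except ValueError:
        hw = None
    if hw is None:
        problems.append("virtualHW.version is missing or not a number")
    elif hw < MIN_HW_VERSION:
        problems.append(f"hardware version {hw} is below {MIN_HW_VERSION}")
    return problems

# Constructed sample: a VM created with default BIOS firmware on old hardware.
SAMPLE_BIOS_VM = '''
.encoding = "UTF-8"
displayName = "win11-test"
virtualHW.version = "13"
guestOS = "windows9-64"
'''

# Constructed sample: the same VM with EFI firmware on hardware version 19.
SAMPLE_EFI_VM = SAMPLE_BIOS_VM.replace('"13"', '"19"') + 'firmware = "efi"\n'

if __name__ == "__main__":
    for name, vmx in (("bios", SAMPLE_BIOS_VM), ("efi", SAMPLE_EFI_VM)):
        print(name, vtpm_blockers(vmx) or "no blockers found")
```

An empty result only means these two prerequisites are met; a configured and backed-up key provider is still needed, as the later replies describe.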

IRIX201110141
Champion

Heads up!

If you configure this new Native Key Provider:

  1. Don't click the checkbox in the lower left during configuration if you have older CPUs within your hosts
  2. You need to back up the provider before you can use it

Regards,
Jörg

Stefan_19911
Contributor

Thank you for your help.

I created a new key provider without the checkbox activated, and when I added a TPM module I configured these options also.
With these options I was able to create a VM and set up Windows 11.

1. Add a new Trusted Platform Module device from the "ADD NEW DEVICE" drop-down list.
2. Go to the "VM Options" tab, set "Encrypted vMotion" and "Encrypted FT" to "Required" from "Opportunistic" under the "Encryption" configuration part.
3. Click "Next", "Finish" to start VM creation.
