How to Install Windows 11 vTPM on VMware vSphere
The integration of vTPM in Windows 11 is a great example of a relentless effort to address emerging threats. Let's explore.
What Is vTPM Windows 11
A Trusted Platform Module (TPM) is a small chip on your computer’s motherboard that provides boot-up protection for PCs. It is a hardware-based security feature that stores the cryptographic keys used to authenticate your device. Microsoft Windows 11 requires a PC with TPM 2.0. TPM 2.0 is a newer version of the TPM specification that provides better security features than its predecessor, TPM 1.2.
A virtual TPM (vTPM) is a software-based representation of a physical TPM 2.0 security device that can be added to a virtual machine. In virtualized environments such as VMware vSphere, migrating from Windows 10 to Windows 11 requires new virtual hardware, so this article looks at the Windows 11 TPM requirement and shows how to satisfy it by adding a VMware vTPM to a Windows 11 VM.
Does Your PC Already Have TPM 2.0
If you’ve got a computer that meets the other Windows 11 minimum system requirements, there’s a chance that it supports TPM 2.0. The standard is relatively recent, however. If you bought your PC after 2016, it almost certainly comes with TPM 2.0. If your computer is older than a few years, it likely either has the older TPM 1.2 version (which Microsoft says is not recommended for Windows 11) or has no TPM at all.
You can check if your PC already has TPM 2.0:
1. Press Windows Key + R to open the Run dialog box.
2. Type "tpm.msc" and press Enter to open the Trusted Platform Module (TPM) Management Console.
3. In the TPM Management Console, you should see information about your TPM version and its status.
If TPM 2.0 is present, you can enable it (in Windows 10 Settings) before upgrading to Windows 11.
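The tpm.msc console shows the TPM version and status interactively. The following script is an added example (not part of the original article) that performs the same check from an elevated PowerShell prompt and also reports the UEFI/Secure Boot state that Windows 11 requires alongside TPM 2.0. It uses only built-in cmdlets (Get-Tpm, Get-CimInstance on the Win32_Tpm class, Confirm-SecureBootUEFI); the function name Get-Win11TpmReadiness is an assumption chosen for this example.

```powershell
# Added example, not from the original article: report the guest's TPM and
# firmware posture. Run from an elevated PowerShell prompt.
function Get-Win11TpmReadiness {
    [CmdletBinding()]
    param()

    # Get-Tpm comes from the built-in TrustedPlatformModule module.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.59"; the first field is
    # the TPM specification family (1.2 or 2.0).
    $wmiTpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                              -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $specFamily = if ($wmiTpm -and $wmiTpm.SpecVersion) {
        ($wmiTpm.SpecVersion -split ',')[0].Trim()
    } else {
        $null
    }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws
    # on legacy BIOS systems, so an exception means "not UEFI".
    $secureBoot = $false
    $uefi = $true
    try {
        $secureBoot = Confirm-SecureBootUEFI
    } catch {
        $uefi = $false
    }

    [pscustomobject]@{
        TpmPresent        = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady          = [bool]($tpm -and $tpm.TpmReady)
        TpmSpecVersion    = $specFamily
        TpmIs20           = ($specFamily -eq '2.0')
        UefiFirmware      = $uefi
        SecureBootEnabled = [bool]$secureBoot
        # Windows 11 needs a present TPM 2.0 plus UEFI firmware (Secure Boot capable).
        MeetsWin11TpmReqs = [bool]($tpm -and $tpm.TpmPresent -and $specFamily -eq '2.0' -and $uefi)
    }
}

Get-Win11TpmReadiness | Format-List
```

If TpmIs20 is false but TpmPresent is true, the machine has an older TPM 1.2 part, which is the case the article describes as not recommended for Windows 11; if UefiFirmware is false, the system boots in legacy BIOS mode and Secure Boot cannot be enabled until the firmware mode is changed.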
The Installation Requirements for New Windows 11
To install or upgrade to Windows 11, your device must meet the following minimum hardware requirements:
- Processor: 1 gigahertz (GHz) or faster with 2 or more cores on a compatible 64-bit processor or system on a chip (SoC).
- Memory: 4 gigabytes (GB) or greater.
- Storage: 64 GB or greater available disk space.
- System firmware: UEFI and Secure Boot capable.
- TPM: Trusted Platform Module (TPM) version 2.0.
- Display: High definition (720p) display that is greater than 9” diagonally, 8 bits per color channel.
Prerequisites for Creating a Virtual Machine with a vTPM device
To create a virtual machine with a vTPM device, the following prerequisites must be met:
✧ VMware vSphere must be configured with a key provider, either a third-party key provider or the vSphere Native Key Provider.
✧ The guest operating system must be Windows Server 2008 or Windows 7 and later, or Linux.
✧ For Windows guests, you must be running ESXi 6.7 or later; for Linux guests, ESXi 7.0 Update 2 or later.
✧ The virtual machine must boot with EFI firmware and use hardware version 14 or later.
✍ If the virtual machine lacks the required hardware configuration, including the TPM device, the Windows 11 installer shows a screen stating, “This PC can’t run Windows 11.”
How to Install Windows 11 Virtual TPM on VMware vSphere
The workflow for creating a Windows 11 virtual machine in VMware vSphere includes:
- Adding a key provider
- Creating a new virtual machine with an encrypted hard disk
- Adding a vTPM hardware device
Create a Key Provider
First, you must create a key provider before you can add a vTPM.
1. In vSphere Client, select Add Native Key Provider, then enter a name for the key provider and click Add Key Provider.
2. Click Back Up to back up the key provider; the key provider becomes active only after it has been backed up.
3. You will be asked if you want to protect the backup with a password. After selecting a password configuration, the key will download in the browser as a .p12 file.
The Native Key Provider is now configured; next, create an encrypted virtual machine.
Create a New Encrypted Virtual Machine with vTPM
1. In the vSphere Client inventory, start the New Virtual Machine wizard. On the Select storage page, enable Encrypt this virtual machine.
2. On the Select compatibility page, choose ESXi 6.7 and later (or newer) for a Windows guest OS, or ESXi 7.0 U2 and later for a Linux guest OS, so that the vTPM device is available.
3. Select Windows or Linux for use as the guest OS.
Add a vTPM Hardware Device
The last step in VMware vSphere to make the VM compatible with Windows 11 is to add the Trusted Platform Module.
Click Add New Device and select Trusted Platform Module. You can further customize the hardware, for example, by changing disk size or CPU.
After creating the new Windows 11 virtual machine, and before powering it on for the install, make sure the VM is configured to use EFI firmware and that Secure Boot is enabled. When you select Windows 10 x64 as the guest OS on recent vSphere versions, these are generally the defaults; it is still a good idea to verify.
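The verification the previous paragraph calls for can be done from PowerCLI instead of clicking through the VM settings. The following is an added example (not from the original article and not VMware's own code) that reads the VM's firmware type, Secure Boot flag, hardware version, encryption state and vTPM device from the vSphere API and reports whether all of the Windows 11 prerequisites described above are in place. It assumes PowerCLI is installed and a session is already open with Connect-VIServer; the function name Test-Win11VmReadiness and the VM name 'win11-vm-placeholder' are placeholders.

```powershell
# Added example, not from the original article: verify a VM's Windows 11
# readiness (EFI, Secure Boot, hardware version >= 14, encrypted VM home,
# vTPM present) via PowerCLI. Assumes Connect-VIServer has already been run.
function Test-Win11VmReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$VMName
    )

    $vm  = Get-VM -Name $VMName -ErrorAction Stop
    $cfg = $vm.ExtensionData.Config      # vSphere API VirtualMachineConfigInfo

    # HardwareVersion is reported as "vmx-NN"; vTPM needs vmx-14 or newer.
    $hwVersion = [int]($vm.HardwareVersion -replace '^vmx-', '')

    # A vTPM shows up as a VirtualTPM entry in the VM's hardware device list.
    $hasVtpm = @($cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] }).Count -gt 0

    # Config.KeyId is populated once the VM home files are encrypted, which
    # is the prerequisite for adding a vTPM.
    $encrypted = $null -ne $cfg.KeyId

    $firmware   = $cfg.Firmware                                 # 'efi' or 'bios'
    $secureBoot = [bool]$cfg.BootOptions.EfiSecureBootEnabled

    [pscustomobject]@{
        VM                = $vm.Name
        HardwareVersion   = $hwVersion
        Firmware          = $firmware
        SecureBootEnabled = $secureBoot
        VmHomeEncrypted   = $encrypted
        HasVtpm           = $hasVtpm
        Ready             = ($hwVersion -ge 14 -and $firmware -eq 'efi' -and
                             $secureBoot -and $encrypted -and $hasVtpm)
    }
}

# Usage (VM name is a placeholder):
Test-Win11VmReadiness -VMName 'win11-vm-placeholder' | Format-List
```

Run this before the first power-on: a VM that reports Firmware as 'bios' or SecureBootEnabled as false will fail the Windows 11 compatibility check even when the vTPM device is attached, and switching firmware type after the guest is installed means reinstalling.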
[Important] VMware Windows Backups to Avoid Data Loss
Before upgrading your Windows 10 VMs to Windows 11, back them up first. This ensures that your data remains safe in case any unforeseen issues occur during the upgrade.
The centralized VMware backup software AOMEI Cyber Backup supports VMware ESXi 6.0 and later versions. It contains more useful features to relieve your burden, such as scheduled backup, centralized management, full or incremental backup, etc.
AOMEI Cyber Backup supports not only virtual machine backup but also SQL Server database backup.
✼ Agentless Backup: Create complete and independent image-level backup for VMware ESXi VMs.
✼ Role Assignment: Allows one administrator to create sub-accounts with limited privileges.
✼ Email Notification: Send email notification when the task is completed or abnormal.
✼ Multiple Storage Destinations: Back up to local folders or NAS (folders shared via the SMB protocol).
✼ Automated Execution: Automate virtual machine protection and get notified by email.
✼ Restore from Any Point: Restore entire VM from any backed up restore points.
*You can install this VM backup software on either a Windows or a Linux system.
Automate VM Backup Using AOMEI Cyber Backup
1. Bind Devices: Launch AOMEI Cyber Backup web client, navigate to Source Device > VMware > + Add VMware Device to add vCenter or Standalone ESXi host as the source device. And then click … > Bind Device.
2. Create Backup Task: Navigate to Backup Task > + Create New Task, and then set it up according to your needs.
- Device: cover multiple VMs on the host in one backup task.
- Target: select a local path or a network path to back up to. Used paths are saved in Favorite Storage for handy selection.
- Schedule: choose full, differential or incremental backup, and automate execution daily, weekly or monthly at the frequency you specify.
- Backup cleanup: Configure a retention policy to auto delete old backup files and save storage space.
3. Start Backup: Click Start Backup and select Add the schedule and start backup now or Add the schedule only.
Created backup tasks will be listed and monitored separately for progress checking, editing and restoring.
Conclusion
Windows 11 vTPM enhances the overall integrity of the system and extends the reach of Windows 11 security features. This article describes the Virtual Trusted Platform Module for Windows 11 and how to install a virtual TPM on a Windows 11 virtual machine, providing a secure computing environment.