Windows VM fails to upgrade or deploy due to TPM not being enabled



Article ID: 387992

Products

VMware vSphere ESXi

Issue/Introduction

Unable to deploy a Windows 11 VM because a TPM is not enabled.

Environment

VMware vSphere ESXi 7.0.x

VMware vSphere ESXi 8.0.x

VMware vCenter Server 7.0.x

VMware vCenter Server 8.0.x

Cause

Since Windows 11, Microsoft has made a TPM mandatory for installing and running the operating system.

Resolution

Create a native Key Provider

  • Open vSphere Client
  • Navigate to vCenter > Configure > Security > Key Provider
  • Click ADD > Add Native Key Provider


  • Enter a name for the key provider
  • If one or more of the hosts registered in vCenter do not have a physical TPM installed, disable the option "Use key provider only with TPM protected ESXi hosts". This allows you to use vTPM on ESXi hosts that don't have a TPM.
  • When ready, click on "ADD KEY PROVIDER" to create the native key provider.



  • The new native key provider will be listed. At this point it is not ready for use yet.
  • As a security precaution, the Key Provider has to be backed up at least once to be eligible for use.
  • Either click the BACK-UP button on top of the page, or use the one at the bottom:



  • A new window will be shown. If it does not show, make sure that no popup blockers are active.
  • In the Window, decide if you want to protect the backup with a password, then click on the BACK UP KEY PROVIDER button:


  • This will trigger the download of a PKCS #12 file (*.p12) to the local file system.
  • The file is needed to restore the key provider, so keep it in a safe location.
  • The Native Key Provider is now ready for use.


Deploying the Windows 11 virtual machine

  • Create a new virtual machine.
  • If you do this in vCenter Server 7.0, be sure to enable the option "Encrypt this virtual machine" in step 4; otherwise, adding the vTPM as an additional hardware device will be blocked. In vCenter Server 8.0 you do not need to select "Encrypt this virtual machine": the VM is automatically silently encrypted when the vTPM is added later.
  • In addition, verify that "Management Storage policy - Encryption" is selected as the VM Storage Policy.
  • Ignore the Compatibility warning "Datastore does not match current VM policy"


  • On the next page (step 5), for "Compatible with:", select either "ESXi 7.0 U2 and later" or a newer compatibility version. This ensures that the VM is created with hardware version 19, which is the minimum requirement for using a virtual TPM.
  • Make sure to additionally set the check mark for "Enable Windows Virtualization Based Security".


  • Add the Trusted Platform Module in Step 7 - Customize Hardware:

  • Proceed with Windows installation.


Adding a vTPM to an existing VM

  • For existing virtual machines, first enable VM encryption in the VM settings.
  • To do this, right-click the VM and select "Edit Settings".
  • In the configuration widget, select the "VM options" tab, and expand the "Encryption" section
  • In vCenter Server 7.0, enable encryption by selecting "VM Encryption Policy" for the "Encrypt VM" option
  • In vCenter Server 8.0, enable encryption using the switch, then verify that the correct key provider and VM Storage Policy are automatically set:

  • Go back to the "Virtual Hardware" tab and click on ADD NEW DEVICE.
  • Select Trusted Platform Module, then click OK to add the vTPM.
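The prerequisites spelled out in the three procedures above (a backed-up Native Key Provider, the TPM-host restriction, hardware version 19, and the vCenter 7.0 encrypt-first rule) can be checked before opening the Edit Settings dialog. The following pre-flight check is an added example and not VMware code; it works on constructed VM and key-provider records, since no vCenter connection is assumed.

```python
import re

# Hardware version 19 ("ESXi 7.0 U2 and later") is the minimum for a vTPM.
MIN_VTPM_HW_VERSION = 19


def hw_version_number(hw_version: str) -> int:
    """Turn a vSphere hardware version string such as 'vmx-19' into 19."""
    match = re.fullmatch(r"vmx-(\d+)", hw_version)
    if not match:
        raise ValueError(f"unrecognised hardware version: {hw_version!r}")
    return int(match.group(1))


def vtpm_readiness(vm: dict, key_provider: dict, vcenter_major: int) -> list:
    """Return the reasons a vTPM cannot yet be added; an empty list means ready."""
    problems = []
    if hw_version_number(vm["hw_version"]) < MIN_VTPM_HW_VERSION:
        problems.append(f"hardware version {vm['hw_version']} is below vmx-{MIN_VTPM_HW_VERSION}")
    # A Native Key Provider is only eligible for use once it has been backed up.
    if not key_provider["backed_up"]:
        problems.append(f"key provider {key_provider['name']} has not been backed up")
    # "Use key provider only with TPM protected ESXi hosts" blocks hosts without a TPM.
    if key_provider["tpm_hosts_only"] and not vm["host_has_tpm"]:
        problems.append("host has no physical TPM but key provider is restricted to TPM hosts")
    # vCenter 7.0 requires the VM to be encrypted before a vTPM can be added;
    # vCenter 8.0 silently encrypts the VM when the vTPM is added.
    if vcenter_major < 8 and not vm["encrypted"]:
        problems.append("VM is not encrypted; enable VM encryption first on vCenter 7.0")
    if "vtpm" in vm["devices"]:
        problems.append("VM already has a vTPM device")
    return problems


# Constructed sample records (hypothetical values, not exported from a real vCenter).
NKP = {"name": "nkp-01", "backed_up": True, "tpm_hosts_only": False}
WIN11_VM = {"hw_version": "vmx-19", "encrypted": False, "host_has_tpm": False,
            "devices": ["scsi0", "ethernet0"]}
OLD_VM = {"hw_version": "vmx-14", "encrypted": True, "host_has_tpm": False,
          "devices": ["scsi0"]}

if __name__ == "__main__":
    for major in (7, 8):
        print(f"vCenter {major}.0, Windows 11 VM:", vtpm_readiness(WIN11_VM, NKP, major) or "ready")
    print("vCenter 8.0, old VM:", vtpm_readiness(OLD_VM, NKP, 8))
```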