Windows 11, TPM 2.0 and VMware

Submitted by zubanst on Wed, 01/12/2022 - 12:56

Many users excited by the arrival of Windows 11 then learned that one of its main requirements is TPM 2.0, which created a lot of confusion around the migration. Along with that came a long list of unsupported CPUs. And when it comes to virtualizing a Windows 11 workstation, this is again a different story. I went through the journey of installing a Windows 11 VM and I share my experience here.

 

What is TPM 2.0?

 

A short recap: TPM stands for Trusted Platform Module, as defined by the Trusted Computing Group (TCG), which is responsible for maintaining the TPM standards. It is most of the time a physical device, usually on the motherboard. Its job is to protect data used to authenticate a PC, but a TPM device can also be used to maintain platform integrity, facilitate disk encryption, and store passwords and certificates; the list goes on. TPMs are an efficient method of securing Windows PCs. In fact, since July 2016, Microsoft has required TPM 2.0 support on all new PCs that run any version of Windows 10 for desktop (Home, Pro, Enterprise, or Education). Likewise, Windows 11 will only run on PCs that have TPM capabilities. Microsoft has been strict on this requirement ahead of the Windows 11 general availability.

But what about virtual machines? How can a Windows 11 VM be created, all requirements considered? I will address these questions for a VMware hypervisor.

VMware worked on the matter, and a virtualized TPM 2.0 (vTPM) is available on ESXi 6.7 and 7.0 hosts. A vTPM is a software-based representation of a physical Trusted Platform Module 2.0 chip and it acts like any other virtual device.

There is a complete guide to setting up vTPM (https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-10F7022C-DBE1-47A2-BD86-3840C6955057.html), but my journey taught me that there are a few points of attention, which I list here:

 

  1. The host

First, the host must have a TPM 2.0 device, and it must be enabled. You need to check this in the BIOS. Here is an example on an HP DL 380 GEN 10 server:

 

[Image: TPM 2.0 on host]

 

  2. Secure boot

 

Second, the hypervisor must be booted in Secure Boot mode. This setting is configured in the BIOS as well.

  3. vCenter

 

vCenter is a service that acts as a central administrator for VMware ESXi hosts connected on a network. vCenter Server directs actions on the virtual machines and on the virtual machine hosts (the ESXi hosts) and their resources. vCenter is a requirement to set up vTPM. Steps 1 and 2 must be performed on all hosts connected to the vCenter. To check this, connect to the vCenter portal and go to the vCenter object > Monitor > Security.

 

[Image: vCenter security]

 

Should at least one of the hosts not be configured for TPM 2.0, the trust key provider cannot be configured. If for whatever reason TPM 2.0 is not configured on one or several hosts connected to vCenter, there are troubleshooting guides on the VMware knowledge base specific to the ESXi version, the host hardware and so on. As a temporary measure, that host or those hosts might be temporarily disconnected from vCenter.
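The same per-host check can be scripted instead of read from the Monitor > Security view. This PowerCLI sketch is an added example, not part of the original post; it assumes VMware PowerCLI is installed, that `Connect-VIServer` has already been run against the vCenter, and that "ready" means the host reports a TPM 2.0 with an accepted attestation. The function name is hypothetical.

```powershell
# Added example: list every host known to vCenter and flag the ones whose TPM
# state would block the key provider setup described above.
# Assumes an existing Connect-VIServer session (not shown).
function Get-HostTpmReadiness {
    Get-VMHost | ForEach-Object {
        $h   = $_.ExtensionData            # underlying vSphere API HostSystem object
        $att = $h.Summary.TpmAttestation   # $null when the host reports no attestation
        $status = if ($att) { "$($att.Status)" } else { 'none' }
        [pscustomobject]@{
            Host         = $_.Name
            Connection   = "$($_.ConnectionState)"
            TpmSupported = [bool]$h.Capability.TpmSupported
            TpmVersion   = $h.Capability.TpmVersion
            Attestation  = $status
            # Assumption: ready = TPM present, version 2.0, attestation accepted
            Ready        = [bool]$h.Capability.TpmSupported -and
                           $h.Capability.TpmVersion -eq '2.0' -and
                           $status -eq 'accepted'
        }
    }
}

$report = Get-HostTpmReadiness
$report | Sort-Object Ready, Host | Format-Table -AutoSize

# Connected hosts that are not ready are the ones to fix in the BIOS
# (steps 1 and 2) or to disconnect temporarily.
$blocking = $report | Where-Object { $_.Connection -eq 'Connected' -and -not $_.Ready }
if ($blocking) {
    Write-Warning ("Hosts blocking vTPM setup: " + ($blocking.Host -join ', '))
} else {
    Write-Host 'All connected hosts report an attested TPM 2.0.'
}
```

The script only reads inventory data and changes nothing on the hosts; Secure Boot itself still has to be confirmed in each host's BIOS.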

  4. Key providers

 

Once all the hosts are correctly configured for TPM 2.0, we need to create the key providers. Connect to the vCenter portal and go to the vCenter object > Configure > Key Providers > ADD and BACK-UP. Once this procedure is complete, you should have a new key provider as follows:

 

[Image: vCenter key provider]

 

When this is complete, vTPM is available for virtual machines.

 

  5. The Windows 11 Virtual machine creation

 

Remember that a vTPM is a software-based representation of a physical Trusted Platform Module 2.0 chip and it acts like any other virtual device. Like the physical chip, the virtual one will supply a unique code called a cryptographic key, which is unique for each virtual machine. As such, a vTPM cannot be added at VM creation. It must be added AFTER the VM creation. So, in order to have a vTPM attached to a VM that is to be installed with Windows 11, we first create the VM with the specific configuration from the vCenter (in this configuration the vTPM is not available at the vSphere level), without booting it. Once the VM is created, we edit the VM and add the vTPM module:

 

[Image: vCenter VM configuration]

That’s it. The VM can now be powered on and installed with Windows 11. Here’s mine:

 

[Image: Windows 11]
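Once Windows 11 is installed, it is worth confirming from inside the guest that the vTPM is really the TPM 2.0 device Windows sees. The following is an added example, not part of the original post; it is meant to be run in an elevated PowerShell session in the Windows 11 VM, and the function name is hypothetical.

```powershell
# Added example: report the TPM state as seen by the Windows guest.
# Run as Administrator inside the VM; Get-Tpm and the Win32_Tpm class ship with Windows.
function Test-GuestTpm {
    $result = [ordered]@{
        TpmPresent   = $false
        TpmReady     = $false
        TpmEnabled   = $false
        Manufacturer = $null
        SpecVersion  = $null
        IsTpm20      = $false
    }

    $tpm = Get-Tpm
    $result.TpmPresent   = [bool]$tpm.TpmPresent
    $result.TpmReady     = [bool]$tpm.TpmReady
    $result.TpmEnabled   = [bool]$tpm.TpmEnabled
    $result.Manufacturer = $tpm.ManufacturerIdTxt

    # Win32_Tpm exposes the specification version; the instance is absent
    # when no TPM (physical or virtual) is attached to the machine.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmi) {
        # SpecVersion is a comma-separated string; the first field is the TPM version
        $result.SpecVersion = $wmi.SpecVersion
        $result.IsTpm20     = (($wmi.SpecVersion -split ',')[0].Trim() -eq '2.0')
    }

    [pscustomobject]$result
}

$state = Test-GuestTpm
$state | Format-List

if (-not ($state.TpmPresent -and $state.TpmReady -and $state.IsTpm20)) {
    Write-Warning 'The guest does not see a ready TPM 2.0: check that the vTPM device was added to the VM.'
}
```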

 

  6. Other Hypervisors

 

At the time of writing, Citrix Xenserver had no plans yet to support TPM 2.0 virtualization, so if you want to have Windows 11 virtualized workstations, go for a VMware host. I have no information about Microsoft Hyper-V when it comes to TPM virtualization or passthrough, as I didn’t test it (yet).

 

I hope these few hints helped you clarify some questions you might have had when reading the official documentation, or issues you may have run into. Should you need any additional information, contact me at zuban@pennyitsupport.eu