Windows 11 TPM and Encryption in VMware vSphere

  • February 17, 2022
  • 14 min read
Cloud and Virtualization Architect. Brandon has over 20 years of experience across multiple sectors. He is responsible for the creative and technical content direction at virtualizationhowto.com

Windows 11 is now fully GA, and many have begun their upgrades and other projects to migrate from Windows 10 to Windows 11. With Windows 11, new requirements need to be considered during installation and upgrades. In virtualized environments such as VMware vSphere, installing Windows 11 requires adding new virtual hardware (a virtual TPM) that is in turn backed by VM encryption. What are these new requirements? Let’s consider Windows 11 TPM and Encryption in VMware vSphere and see how these requirements can be satisfied when installing Windows 11 on top of VMware ESXi.

New Windows 11 installation requirements

Windows 11 is a step beyond the requirements of Windows 10. With Windows 11, Microsoft has introduced and enforced certain security requirements as part of the installation of the operating system. As Microsoft notes, if your PC does not meet the minimum requirements, you may not be able to install Windows 11 on it, and the same checks apply inside a virtual machine.

The basic hardware requirements for installing Windows 11, as published by Microsoft, are:

  • Processor: 1 gigahertz (GHz) or faster with 2 or more cores on a compatible 64-bit processor or System on a Chip (SoC)
  • RAM: 4 gigabytes (GB)
  • Storage: 64 GB or larger storage device
  • System firmware: UEFI, Secure Boot capable
  • TPM: Trusted Platform Module (TPM) version 2.0
  • Graphics card: Compatible with DirectX 12 or later with WDDM 2.0 driver
  • Display: High definition (720p) display that is greater than 9” diagonally, 8 bits per color channel

By extension, to successfully install Windows 11 inside a VMware vSphere virtual machine, the VM must be presented with virtual hardware that passes the same checks: EFI firmware, Secure Boot, and a TPM 2.0 device. The requirement that has caused the most issues for those looking to install or upgrade to Windows 11 is the Trusted Platform Module (TPM). Note that the ESXi host itself does not need a physical TPM chip for this: the VM gets a virtual TPM whose secrets are protected by vSphere VM encryption rather than by host hardware.

A physical TPM is a discrete security chip that generates and stores keys in hardware: private keys created inside it never leave the chip unencrypted, and a unique endorsement key is provisioned at manufacture, so an attacker with only software-level access cannot read or alter them. Microsoft treats this hardware root of trust as the new security baseline, and it is likely to remain a requirement in future Windows releases.

VMware has had support for TPM 1.2 since ESXi 5.x. However, before vSphere 6.7, the APIs and functionality of TPM 1.2 were limited to very specific use cases. VMware vSphere 6.7 added support for TPM 2.0 and the ability to use a Virtual Trusted Platform Module (vTPM) device for Windows 10 and Windows Server 2016 and higher.

With the Virtual Trusted Platform Module (vTPM), you can add a TPM 2.0 virtual cryptoprocessor to a virtual machine. The vTPM is a software-based representation of a physical TPM 2.0 security device. If you have a VMware ESXi host with a TPM 2.0 card running an ESXi version before 6.7, it will not see the TPM 2.0 device. Conversely, the new features in vSphere 6.7 do not use a TPM 1.2 device.

To install Windows 11 in VMware vSphere, you need to be running VMware vSphere 6.7 or higher to add the vTPM device to meet the Windows 11 hardware requirements for installation.

Below is an image of a Supermicro TPM add-in card.

[Image: Supermicro TPM add-in module]

Prerequisites for creating a Virtual Machine with a vTPM device

There are a few prerequisites to note when creating a virtual machine with a Virtual Trusted Platform Module. What are these?

  • VMware vSphere must be configured with a key provider, either a third-party KMS (Standard Key Provider) or the vSphere Native Key Provider
  • The guest operating system must be Windows Server 2008 or later, Windows 7 or later, or Linux
  • The ESXi host must be running 6.7 or later for Windows guests and 7.0 Update 2 or later for Linux guests, with the VM at virtual hardware version 14 or higher
  • The guest VM must be configured to use EFI firmware

What happens if you don’t have the required hardware configuration, including the TPM device for Windows 11 installation? You will see a screen that looks like the following, stating, “This PC can’t run Windows 11.”

[Image: This PC can’t run Windows 11]
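The setup screen above tells you a check failed but not which one. As an added example (not part of the original article), the following PowerShell, run from an elevated prompt inside the guest, reports each firmware and TPM check separately. It is useful before an in-place upgrade of an existing Windows 10 VM, and again after a Windows 11 install to confirm the vTPM is visible to the OS. The function name Test-Win11Readiness is my own; the cmdlets it calls (Get-Tpm, Confirm-SecureBootUEFI, Get-CimInstance, Get-Disk) are built into Windows PowerShell.

```powershell
# Added example. Run as Administrator inside the Windows guest.
# Test-Win11Readiness is a hypothetical helper name; the cmdlets it calls are built in.
function Test-Win11Readiness {
    [CmdletBinding()]
    param(
        [int] $MinCores        = 2,
        [int] $MinMemoryGB     = 4,
        [int] $MinSystemDiskGB = 64
    )

    $r = [ordered]@{}

    # Firmware: the OS exposes 'UEFI' or 'Legacy' here. A BIOS VM fails outright,
    # and vSphere will not let you add a vTPM to a BIOS VM anyway.
    $r.FirmwareType = $env:firmware_type
    $r.UEFI         = ($env:firmware_type -eq 'UEFI')

    # Secure Boot state. Confirm-SecureBootUEFI throws on legacy firmware,
    # so treat an exception as "not enabled".
    try   { $r.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $r.SecureBoot = $false }

    # TPM presence and readiness as seen by the Windows TPM stack. A vSphere vTPM
    # shows up here exactly like a discrete chip. Get-Tpm needs elevation.
    $tpm = Get-Tpm
    $r.TpmPresent = [bool]$tpm.TpmPresent
    $r.TpmReady   = [bool]$tpm.TpmReady

    # Spec version from WMI, e.g. "2.0, 0, 1.59" for a TPM 2.0; the first field is the spec.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $r.TpmSpecVersion = $spec
    $r.Tpm20          = ($spec -eq '2.0')

    # CPU, memory and boot disk, to cover the rest of Microsoft's list.
    # Setup checks the size of the disk, not of the C: volume, so look at the boot disk.
    $cores  = (Get-CimInstance -ClassName Win32_Processor |
               Measure-Object -Property NumberOfCores -Sum).Sum
    $memGB  = [math]::Round((Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    $boot   = Get-Disk | Where-Object { $_.IsBoot } | Select-Object -First 1
    $diskGB = [math]::Round($boot.Size / 1GB, 1)
    $r.Cores = $cores;         $r.CoresOk  = ($cores  -ge $MinCores)
    $r.MemoryGB = $memGB;      $r.MemoryOk = ($memGB  -ge $MinMemoryGB)
    $r.BootDiskGB = $diskGB;   $r.DiskOk   = ($diskGB -ge $MinSystemDiskGB)

    $checks  = 'UEFI','SecureBoot','TpmPresent','Tpm20','CoresOk','MemoryOk','DiskOk'
    $r.Ready = ($checks | ForEach-Object { $r[$_] }) -notcontains $false

    # Name each failed check so the fix is obvious (e.g. "SecureBoot, Tpm20").
    $r.Failed = @($checks | Where-Object { -not $r[$_] }) -join ', '

    [pscustomobject]$r
}

Test-Win11Readiness | Format-List
```

On a correctly built vSphere VM the output shows FirmwareType UEFI, SecureBoot True, TpmSpecVersion 2.0 and an empty Failed field; a VM created with BIOS firmware fails UEFI and SecureBoot together, and a VM that was never given a vTPM fails TpmPresent and Tpm20.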

The workflow of creating a Windows 11 virtual machine in VMware vSphere includes:

  1. Adding a key provider
  2. Creating a new VM with an encrypted hard disk
  3. Adding a vTPM hardware device

Adding a key provider

Before you can encrypt virtual machines, you need to add a key provider. VMware vSphere 7.0 Update 2 added the vSphere Native Key Provider, built into vCenter Server, which removes the need for an external key management server (KMS) to support VM encryption. Because the Native Key Provider’s key material lives only in vCenter Server, the backup you take in the steps below is the only way to restore it: if vCenter is lost without that backup, VMs encrypted with the provider cannot be unlocked.

[Image: Adding a key provider in VMware vSphere]

Here I selected Add Native Key Provider. The configuration is simple: give the key provider a name and click Add Key Provider. If your ESXi hosts do not have a physical TPM 2.0, clear the option that restricts the provider to TPM-protected hosts, otherwise those hosts will not be able to use it.

[Image: Adding a native key provider in VMware vSphere]

After adding the Native Key Provider, you must back it up before it becomes active. Click the Back Up button.

[Image: Backing up the native key provider]

You will be asked if you want to protect the backup with a password. Choose one (recommended), and the backup downloads through the browser as a .p12 (PKCS #12) file. Store this file and its password offline and separately from vCenter Server; it is the recovery material for every VM encrypted with this provider.

[Image: Downloading a backup of the native key provider]

After you perform the backup, the native key provider will be active. At this point, you can begin encrypting virtual machine disks using the native key provider.

[Image: The native key provider is configured and ready to manage virtual machine disk encryption]

Creating a new VM with an encrypted hard disk

Now, to install Windows 11 in a VMware vSphere virtual machine, we need to give attention to a few areas of the New Virtual Machine wizard. The first configuration we need to change is in step 4 Select storage. On the Select storage screen, select a datastore and check the checkbox next to Encrypt this virtual machine.

[Image: Encrypt the virtual machine disk storage]

On the Select compatibility screen, make sure you choose ESXi 6.7 and later (virtual hardware version 14) or newer; the vTPM device is not available at older compatibility levels.

[Image: Selecting the virtual machine compatibility level to use vTPM]

As of vSphere 7.0 Update 3c, there is no Windows 11 entry in the Guest OS Version selector, so choose Microsoft Windows 10 (64-bit).

[Image: Selecting the Guest OS Version]

Adding a vTPM hardware device

The last step in VMware vSphere to make the VM compatible with Windows 11 is to add the Trusted Platform Module. To do this, click the Add New Device dropdown on step 7 Customize hardware and select Trusted Platform Module.

[Image: Adding a Trusted Platform Module for Windows 11 installation]

After adding the vTPM, you will see it listed under the virtual machine hardware as a Security Device.

[Image: Trusted Platform Module added to a Windows 11 virtual machine during installation]

After finishing creating the new Windows 11 virtual machine, and before powering it up for the install, make sure the VM is configured to use EFI, and Secure Boot is enabled. When selecting Windows 10 x64 with recent vSphere versions, these are generally the defaults. However, it is a good idea to verify.

[Image: Verifying EFI firmware and Secure Boot]

Finish out the New Virtual Machine wizard and begin the installation of Windows 11 in the newly created guest virtual machine. You should not see the error shown earlier, “This PC can’t run Windows 11.” If you do see it, revisit the hardware requirements: confirm the virtual TPM device was added, the VM uses EFI firmware with Secure Boot enabled, and the compatibility level is ESXi 6.7 or later.
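To show the whole workflow in one place, here is the same sequence (Windows 10 x64 guest ID at hardware version 14, EFI firmware with Secure Boot, VM encryption under an existing key provider, then the vTPM) driven with PowerCLI instead of the wizard, followed by a check that reads the result back. This is an added example, not code from the original article or from VMware. It assumes PowerCLI 12.3 or later and an open Connect-VIServer session, that the key provider already exists (created and backed up as shown above), and that Get-KeyProvider and Enable-VMEncryption are available with the parameters used here (verify them with Get-Help on your version); New-VTpm and Get-VTpm are the PowerCLI vTPM cmdlets. The function names New-Win11VM and Test-Win11VMConfig, and the host, datastore and provider names in the usage lines, are my own.

```powershell
# Added example (not the article's or VMware's code). Requires PowerCLI 12.3+ and
# an existing Connect-VIServer session. Get-KeyProvider / Enable-VMEncryption
# parameter names are assumed from PowerCLI 12.3; check Get-Help on your version.
function New-Win11VM {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $VMHost,
        [Parameter(Mandatory)] [string] $Datastore,
        [Parameter(Mandatory)] [string] $KeyProviderName,
        [int]    $NumCpu      = 2,
        [int]    $MemoryGB    = 4,
        [int]    $DiskGB      = 64,
        [string] $NetworkName = 'VM Network'
    )

    # 1. Create the VM. There is no Windows 11 guest ID in 7.0 U3c, so use the
    #    Windows 10 64-bit ID. vmx-14 (ESXi 6.7) is the minimum that supports a vTPM.
    $vm = New-VM -Name $Name -VMHost $VMHost -Datastore $Datastore `
                 -GuestId 'windows9_64Guest' -HardwareVersion 'vmx-14' `
                 -NumCpu $NumCpu -MemoryGB $MemoryGB -DiskGB $DiskGB `
                 -NetworkName $NetworkName

    # 2. Switch the firmware to EFI and enable Secure Boot through the vSphere API.
    #    Both are prerequisites for the vTPM and for the Windows 11 setup checks.
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.Firmware    = 'efi'
    $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
    $spec.BootOptions.EfiSecureBootEnabled = $true
    $vm.ExtensionData.ReconfigVM($spec)

    # 3. Encrypt the VM with the key provider (the equivalent of the wizard's
    #    "Encrypt this virtual machine"). The vTPM stores its state in the VM's
    #    .nvram file, which is why the VM must be encrypted before the device exists.
    $kp = Get-KeyProvider -Name $KeyProviderName
    Enable-VMEncryption -VM $vm -KeyProvider $kp -Confirm:$false | Out-Null

    # 4. Add the virtual TPM 2.0 device while the VM is still powered off.
    New-VTpm -VM $vm | Out-Null

    Get-VM -Name $Name
}

# Read the configuration back so the result can be checked before first boot.
function Test-Win11VMConfig {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Name)

    $vm  = Get-VM -Name $Name
    $cfg = $vm.ExtensionData.Config
    $result = [pscustomobject]@{
        Name            = $vm.Name
        HardwareVersion = $vm.HardwareVersion
        Firmware        = $cfg.Firmware
        SecureBoot      = [bool]$cfg.BootOptions.EfiSecureBootEnabled
        Encrypted       = ($null -ne $cfg.KeyId)      # KeyId is set once the VM home is encrypted
        vTPM            = [bool](Get-VTpm -VM $vm)
    }
    $result | Add-Member -NotePropertyName Win11Ready -NotePropertyValue (
        $result.Firmware -eq 'efi' -and $result.SecureBoot -and $result.Encrypted -and $result.vTPM
    ) -PassThru
}

# Usage (names are placeholders for your environment):
# New-Win11VM -Name 'win11-01' -VMHost 'esxi01.lab.local' -Datastore 'ds01' -KeyProviderName 'NKP01'
# Test-Win11VMConfig -Name 'win11-01'
```

Keep the order: if New-VTpm runs before the VM is encrypted, vSphere encrypts the VM home files implicitly using the default key provider, which is fine when one is set but fails with a clear error when none is, so encrypting explicitly first makes the dependency on the key provider visible in the script.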

Wrapping Up

Microsoft is doing a good thing by raising the security bar with Windows 11, and the same baseline will likely carry into future operating systems. The cost is extra configuration in virtualized environments such as VMware vSphere. The vTPM gives the guest a software TPM 2.0 whose state, including any keys the guest seals to it such as BitLocker protectors, is kept in the VM’s .nvram file; vSphere protects that file with VM encryption under the key provider, which is why a key provider must exist before the device can be added. Keep the key provider backup safe: if vCenter Server is lost without it, the encrypted VMs and their vTPMs cannot be unlocked.
