Applies to: VMware ESXi 6.7 and above
VMware vSphere 6.7 or later is required to support the Virtual Trusted Platform Module (vTPM), with a cluster (even single node) correctly configured in your datacenter in vCenter.
This article shows how to enable a virtual Trusted Platform Module (vTPM) for a Windows 11 VM. Three requirements have to be met:
- Key Provider: a Key Provider must be configured in vSphere (either the vSphere Native Key Provider or a third-party key management server) before a vTPM can be added;
- EFI firmware: the virtual machine must be configured to use EFI firmware, because a vTPM does not work with legacy BIOS;
- TPM 2.0: Windows 11 requires TPM 2.0, which is what the vTPM in vSphere 6.7 and later presents to the guest.
Step 1. Log in to the VMware vSphere Client (replace <your_ip_address_or_hostname> with the IP address or hostname of your vCenter Server)
https://<your_ip_address_or_hostname>
Step 2. Click on Configure
Step 3. Click on Add and Add Native Key Provider
The Native Key Provider eliminates the need for a third-party key management server to provide VM encryption.
Step 4. Choose a name and click on Add Key Provider
Make sure to uncheck “Use key provider only with TPM protected ESXi hosts (Recommended)” if your hosts do not have a TPM chip installed: the vTPM works without a hardware TPM on the ESXi host. Keep in mind that the recommended setting is what seals the Native Key Provider's key material to the host TPM, so only uncheck it when no host in the cluster has a TPM.
Step 5. Click on Back up
Save the resulting .p12 file (and the password protecting it, if you set one) in a safe place. The Native Key Provider cannot be used until it has been backed up, and this backup is the only way to recover its keys if vCenter is lost.
Step 6. Create a new Windows 11 VM from New Virtual Machine wizard
Step 7. During storage configuration (4 Select storage), make sure to de-select the “Encrypt this virtual machine” option. A vTPM needs only the VM home files (configuration and NVRAM) encrypted, which vSphere does automatically when the device is added; the virtual disks do not have to be encrypted.
Step 8. During compatibility configuration (5 Select compatibility), select at least ESXi 6.7 (virtual hardware version 14) to be able to use the vTPM feature
Step 9. During hardware configuration (7 Customize hardware), click on Add new device → Trusted Platform Module
Step 10. Click on VM Options → Boot Options and set Firmware to EFI
Step 11. Click OK
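Before powering the VM on, the three settings from Steps 8 to 10 can be checked from PowerCLI instead of clicking through the wizard again. The following script is an added example, not code from the original article or from VMware; it assumes the VMware.PowerCLI module is installed, that the vCenter address is the placeholder used in Step 1, and that the VM name WIN11-TEST is a hypothetical value you replace with your own.

```powershell
# Added example (not part of the original article): verify the vTPM prerequisites of a VM
# from PowerCLI before powering it on. $vCenter and $vmName are placeholders to replace.
$vCenter = '<your_ip_address_or_hostname>'   # placeholder from Step 1
$vmName  = 'WIN11-TEST'                      # hypothetical VM name

Connect-VIServer -Server $vCenter | Out-Null
$vm  = Get-VM -Name $vmName
$cfg = $vm.ExtensionData.Config

# Virtual hardware version 14 (ESXi 6.7) or later is required for a vTPM (Step 8)
$hwVersion = [int]($cfg.Version -replace 'vmx-', '')

# Firmware must be 'efi'; a vTPM does not work with legacy 'bios' (Step 10)
$firmware = $cfg.Firmware

# The vTPM shows up as a VirtualTPM device in the hardware list (Step 9)
$hasVtpm = [bool]($cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] })

# KeyId is set once the VM home files are encrypted, which adding the vTPM triggers
# automatically when a key provider is configured (Steps 3 and 4)
$homeEncrypted = [bool]$cfg.KeyId

[pscustomobject]@{
    VM              = $vm.Name
    HardwareVersion = $hwVersion
    Firmware        = $firmware
    HasVTpm         = $hasVtpm
    ConfigEncrypted = $homeEncrypted
    ReadyForVtpm    = ($hwVersion -ge 14 -and $firmware -eq 'efi' -and $hasVtpm)
}

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

If ReadyForVtpm comes back false, the row that is wrong tells you which step to revisit; if HasVTpm is true but ConfigEncrypted is false, the key provider from Steps 3 and 4 is not usable yet (for the Native Key Provider, usually because the backup from Step 5 was skipped).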
Step 12. Power on the VM
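Once Windows 11 is installed, the last check is whether the guest itself sees a TPM 2.0 behind UEFI firmware, which is what the Windows 11 requirement is actually about. The following script is an added example, not code from the original article or from VMware, and assumes it is run in an elevated PowerShell session inside the guest (Confirm-SecureBootUEFI needs administrator rights).

```powershell
# Added example (not part of the original article): run inside the Windows 11 guest
# after Step 12 to confirm the VM sees TPM 2.0 and boots from UEFI firmware.

# Get-Tpm comes from the built-in TrustedPlatformModule module
$tpm = Get-Tpm

# The Win32_Tpm CIM class reports the TPM specification version, e.g. "2.0, 0, 1.38"
$wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
$specVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()

# Confirm-SecureBootUEFI throws on a legacy BIOS machine, so treat an error as "not UEFI"
$secureBoot = $false
try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

[pscustomobject]@{
    FirmwareType = $env:firmware_type   # 'UEFI' expected; 'Legacy' means Step 10 was missed
    TpmPresent   = $tpm.TpmPresent      # false means the device from Step 9 is missing
    TpmReady     = $tpm.TpmReady
    TpmSpec      = $specVersion         # '2.0' is what Windows 11 requires
    SecureBoot   = $secureBoot          # optional for the vTPM itself, but expected for Windows 11
    Win11Ready   = ($env:firmware_type -eq 'UEFI' -and $tpm.TpmPresent -and $specVersion -eq '2.0')
}
```

TpmReady can be false right after installation until Windows has taken ownership of the vTPM; TpmPresent and TpmSpec are the values that confirm the vSphere configuration worked.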