You can enable Microsoft VBS and add a Virtual Trusted Platform Module (vTPM) device to instant-clone desktop pools.

Note: vTPM can be enabled for desktop pools without enabling VBS. Additionally, although Microsoft recommends a vTPM when enabling VBS, it is not a requirement.

To set up the Key Management Server cluster, which is a prerequisite, see "Set up the Key Management Server Cluster" in the vSphere Security document in the vSphere documentation.

For compatibility requirements, see "Securing Virtual Machines with Virtual Trusted Platform Module" in the vSphere Security document in the vSphere documentation.

The golden image used for vTPM instant-clone desktop pools must have VBS enabled when the VM is created, and the local security policy inside the guest operating system must be set to enable VBS.
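The following PowerShell script is an added example, not part of the Horizon documentation, for verifying those two conditions from inside the golden image's guest OS before the image is used for a pool. It reads the live VBS state from the Win32_DeviceGuard CIM class, checks the registry value that the "Turn On Virtualization Based Security" local security policy writes, and reports whether a TPM (a vTPM appears to the guest as a TPM 2.0 device) and Secure Boot are visible. The function name, and the definition of "ready" as policy value 1 plus VBS status 2 (running), are this example's own assumptions; run it in an elevated session.

```powershell
# Added example, not from the Horizon documentation: run inside the golden
# image's guest OS (elevated PowerShell) to confirm the VBS/vTPM prerequisites
# before using it for an instant-clone pool. The function name and the
# readiness rule below are this example's own assumptions.
function Test-GoldenImageVbsReadiness {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard reports the live VBS state.
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # The local security policy "Turn On Virtualization Based Security" writes this value.
    $dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $policyValue = (Get-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' `
        -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity

    # TPM presence as seen from inside the guest; Get-Tpm fails when no TPM device exists.
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }

    # Secure Boot is a VBS platform requirement; Confirm-SecureBootUEFI throws on BIOS-firmware VMs.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    [PSCustomObject]@{
        VbsPolicyEnabled       = ($policyValue -eq 1)
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        TpmPresent             = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady               = [bool]($tpm -and $tpm.TpmReady)
        SecureBootEnabled      = $secureBoot
    }
}

$state = Test-GoldenImageVbsReadiness
$state | Format-List

# Readiness rule (assumption): the policy is set AND VBS is actually running in the guest.
if (-not ($state.VbsPolicyEnabled -and $state.VbsRunning)) {
    Write-Warning 'VBS is not enabled and running in this guest; fix the VM settings and the local security policy before using it as a golden image.'
}
if (-not $state.TpmPresent) {
    Write-Warning 'No TPM device is visible in the guest; add a vTPM to the golden image VM if the pool needs one.'
}
```

A policy value of 1 with a VBS status of 1 (enabled but not running) usually means the VM itself lacks a VBS-capable configuration (UEFI firmware with Secure Boot, or the VBS option not set on the VM), so the SecureBootEnabled field helps separate a guest-policy problem from a VM-settings problem.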

A vTPM device can be added to instant clones with ClonePrep or Microsoft Sysprep guest customization. If you are using Sysprep customization, and have smart provisioning enabled or have parent VMs disabled (Mode B), make sure that all hosts in the cluster are running ESXi 7.0 Update 3f or later.

You can also select or deselect the option to add or remove a vTPM during a push-image operation.

Note: To use Mode B (Instant Clones without Parent VM) for vTPM-enabled desktop pools, all hosts in the cluster must be running ESXi 7.0 Update 3f or later. Because Smart Provisioning selects Mode B when the pool is vGPU-enabled, if you require both vGPU and vTPM and are running older ESXi versions, you can force a Mode A provisioning scheme for the pool. See https://kb.vmware.com/s/article/81026 for details.