You can enable Microsoft VBS and add a Virtual Trusted Platform Module (vTPM) device to Windows instant-clone desktop pools.

Note: vTPM can be enabled for desktop pools without enabling VBS. Additionally, although Microsoft recommends a vTPM when enabling VBS, it is not a requirement.

To set up the Key Management Server cluster, which is a prerequisite, see "Set up the Key Management Server Cluster" in the vSphere Security document in the vSphere documentation.

For compatibility requirements, see "Securing Virtual Machines with Virtual Trusted Platform Module" in the vSphere Security document in the vSphere documentation.

To enable VBS, the golden image must have VBS enabled when the VM is created, and the local security policy inside the guest operating system must be set to enable VBS.

A vTPM device can be added to instant clones with ClonePrep or Microsoft Sysprep guest customization. Instant clone Smart Provisioning uses Mode B (clones created without a parent VM) by default. However, if you use a vTPM device on ESXi hosts older than 7.0 update 3f, Smart Provisioning selects Mode A (clones created with a parent VM). See https://kb.vmware.com/s/article/81026 for changing provisioning modes.
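The two guest-side prerequisites above (VBS enabled in the golden image and the local policy set to enable VBS) and the optional vTPM are worth verifying inside the golden image before you take the snapshot, because an instant-clone pool built from an image where VBS is configured but not actually running inherits that state. The following PowerShell script is an added example and is not part of the VMware documentation or Horizon itself; the `Win32_DeviceGuard` class, its status values, the `DeviceGuard` registry value and `Get-Tpm` are the standard Windows names, while the function name `Test-GoldenImageVbsPrereqs` and the meaning of `Ready` are assumptions made here.

```powershell
# Added example (not VMware's code): run as Administrator inside the golden image,
# before taking the snapshot used for the instant-clone pool.
# It reports whether the VBS policy is set, whether VBS is actually running, and
# whether the guest can see a TPM device (present when a vTPM is attached).

function Test-GoldenImageVbsPrereqs {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Local policy: the "Turn On Virtualization Based Security" policy writes this value.
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $policy = Get-ItemProperty -Path $dgKey -ErrorAction SilentlyContinue
    $result.VbsPolicyEnabled = ($policy.EnableVirtualizationBasedSecurity -eq 1)

    # 2. Runtime state reported by the Device Guard WMI class.
    #    VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $result.VbsStatus  = $dg.VirtualizationBasedSecurityStatus
    $result.VbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    #    SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $result.HvciRunning = ($dg.SecurityServicesRunning -contains 2)

    # 3. TPM presence (informational: the page notes a vTPM is recommended, not required).
    #    With a vTPM attached to the VM, the guest sees a TPM 2.0 device.
    if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) {
        $tpm = Get-Tpm
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    } else {
        $result.TpmPresent = $false
        $result.TpmReady   = $false
    }

    # "Ready" here means the two conditions the text requires for VBS, not the optional vTPM.
    $result.Ready = $result.VbsPolicyEnabled -and $result.VbsRunning
    [pscustomobject]$result
}

$check = Test-GoldenImageVbsPrereqs
$check | Format-List

if (-not $check.Ready) {
    Write-Warning 'Golden image is not ready for a VBS pool: fix the items reported as False before snapshotting.'
}
```

A value of `VbsStatus = 1` with `VbsPolicyEnabled = True` usually means the policy is set but the VM itself was not created with VBS enabled in vSphere, which is the first condition in the text; `TpmPresent = False` on a pool where you intend to use a vTPM means the device has not been added to the VM.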

You can also select or deselect the option to add or remove a vTPM during a push-image operation.