The guest operating system that runs in a virtual machine is exposed to the same security risks as any physical system. To strengthen security in your virtual environment, you can add a virtual Trusted Platform Module (vTPM) to the virtual machines that run on your ESXi hosts. You can also enable virtualization-based security (VBS) for virtual machines that run the latest Windows 10 and Windows Server 2016 operating systems.

Using Virtual TPM in the VMware Host Client

The Trusted Platform Module (TPM) is a specialized chip that stores host-specific sensitive information, for example private keys and OS secrets. The TPM chip is also used to perform cryptographic tasks and attest the integrity of the platform.

The virtual TPM device is a software emulation of the TPM functionality. You can add a virtual TPM (vTPM) device to the virtual machines in your environment. The vTPM implementation does not require a physical TPM chip on the host. ESXi uses the vTPM device to provide TPM functionality to the virtual machines in your vSphere environment.

vTPM is available to virtual machines that have Windows 10 and Windows Server 2016 operating systems. The virtual machine must be of hardware version 14 or later.

You can add a virtual TPM device to a virtual machine only in the vCenter Server instance. For more information, see the vSphere Security documentation.

In the VMware Host Client, you can only remove the virtual TPM device from a virtual machine.

Using VBS in the VMware Host Client

Virtualization-based security (VBS) uses the Microsoft Hyper-V-based virtualization technology to isolate core Windows OS services in a separate virtualized environment. Such isolation provides an additional level of protection, because code running in the regular Windows environment cannot manipulate the isolated key services.

Enabling VBS on a virtual machine automatically enables the virtual hardware that Windows requires for the VBS feature. By enabling VBS, a variant of Hyper-V starts in the virtual machine and Windows starts running inside the Hyper-V root partition.

VBS is available on the latest Windows OS versions, for example Windows 10 and Windows Server 2016. To use VBS on a virtual machine, the virtual machine compatibility must be ESXi 6.7 and later.

In the VMware Host Client, you can enable VBS when you create a virtual machine. Alternatively, you can enable or disable VBS for an existing virtual machine.
Note: You can enable VBS on a virtual machine only if the TPM validation of the host is successful.
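As an added example, not part of the VMware documentation, the following PowerCLI script inventories the vTPM and VBS state of every virtual machine on a host against the requirements described above (hardware version 14, which corresponds to ESXi 6.7 compatibility). It assumes PowerCLI is installed and that the `$HostName` and `$Credential` parameters are supplied by you; the device type name `VirtualTPM` and the `VbsEnabled` flag are the vSphere API names exposed through `ExtensionData`.

```powershell
# Added audit example (not VMware's own code): report which VMs on a host
# already have a vTPM device and VBS enabled, and which need a hardware upgrade.
param(
    [Parameter(Mandatory)] [string] $HostName,          # ESXi host to connect to
    [Parameter(Mandatory)] [pscredential] $Credential   # host credentials
)

# Minimum virtual hardware version stated on this page for vTPM and VBS.
$MinHwVersion = 14

Connect-VIServer -Server $HostName -Credential $Credential | Out-Null

$report = foreach ($vm in Get-VM) {
    $config = $vm.ExtensionData.Config

    # Config.Version looks like "vmx-14"; keep only the numeric part.
    $hwVersion = [int]($config.Version -replace '^vmx-', '')

    # A vTPM appears as a VirtualTPM device in the VM's virtual hardware list.
    $hasVtpm = [bool]($config.Hardware.Device |
        Where-Object { $_.GetType().Name -eq 'VirtualTPM' })

    # VBS is a VM configuration flag; it is absent (null) on older hardware versions.
    $vbsEnabled = [bool]$config.Flags.VbsEnabled

    [pscustomobject]@{
        Name         = $vm.Name
        GuestOS      = $config.GuestFullName
        HwVersion    = $hwVersion
        HasVtpm      = $hasVtpm
        VbsEnabled   = $vbsEnabled
        # VMs below the minimum version cannot get a vTPM or VBS until upgraded.
        NeedsUpgrade = ($hwVersion -lt $MinHwVersion)
    }
}

$report | Sort-Object Name | Format-Table -AutoSize

Disconnect-VIServer -Server $HostName -Confirm:$false
```

Because the Host Client can only remove a vTPM device, any VM the report shows without one must be modified through vCenter Server, as the documentation above notes.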