You can add a Virtual Trusted Platform Module (vTPM) to a virtual machine to provide enhanced security to the guest operating system. You must set up the KMS before you can add a vTPM.

You can enable a vTPM for virtual machines running on vSphere 6.7 and later. The VMware virtual TPM is compatible with TPM 2.0 and creates a TPM-enabled virtual chip for use by the virtual machine and the guest OS it hosts.


  • Ensure your vSphere environment is configured for virtual machine encryption. See Set up the Key Management Server Cluster.

  • The guest OS you use must be either Windows Server 2016 (64 bit) or Windows 10 (64 bit).

  • The ESXi hosts running in your environment must be ESXi 6.7 or later.

  • The virtual machine must use EFI firmware.


  1. Connect to vCenter Server by using the vSphere Client.
  2. Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
  3. Right-click the object, select New Virtual Machine, and follow the prompts to create a virtual machine.



     • Select a creation type: Create a new virtual machine.
     • Select a name and folder: Specify a name and target location.
     • Select a compute resource: Specify an object for which you have privileges to create a virtual machine. See Prerequisites and Required Privileges for Encryption Tasks.
     • Select storage: Select a compatible datastore.
     • Select compatibility: Select ESXi 6.7 and later.
     • Select a guest OS: Select Windows Server 2016 (64 bit) or Windows 10 (64 bit) for use as the guest OS.
     • Customize hardware: Click Add New Device and select Trusted Platform Module. You can further customize the hardware, for example, by changing disk size or CPU.
     • Ready to complete: Review the information and click Finish.


The vTPM-enabled virtual machine appears in your inventory as specified.
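
To confirm that a virtual machine meets the prerequisites above and actually carries the vTPM device, you can audit it from PowerCLI. The following is an added example, not VMware's own code: `Test-VTpmReadiness` is a hypothetical helper name, the sample VM is constructed so the function also runs without a vCenter Server connection, and the guest identifiers are the vSphere API values for the two supported guest operating systems.

```powershell
# Added example: audits a VM against the prerequisites listed on this page.
# Test-VTpmReadiness is a hypothetical helper name, not a PowerCLI cmdlet.
function Test-VTpmReadiness {
    param(
        [Parameter(Mandatory)] $VM,                    # object shaped like Get-VM output
        [Parameter(Mandatory)] [int] $KmsClusterCount  # KMS clusters registered in vCenter
    )
    $cfg = $VM.ExtensionData.Config
    $findings = @()
    if ($KmsClusterCount -lt 1) {
        $findings += 'No KMS cluster registered; set up the KMS first'
    }
    if ($cfg.Firmware -ne 'efi') {
        $findings += "Firmware is '$($cfg.Firmware)'; EFI is required"
    }
    if ([version]$VM.VMHost.Version -lt [version]'6.7') {
        $findings += "Host runs ESXi $($VM.VMHost.Version); 6.7 or later is required"
    }
    # vSphere API guest IDs for Windows 10 (64 bit) and Windows Server 2016 (64 bit)
    if ($cfg.GuestId -notin 'windows9_64Guest', 'windows9Server64Guest') {
        $findings += "Guest OS '$($cfg.GuestId)' is not in the supported list"
    }
    # The vTPM appears in the device list as an object of type VirtualTPM
    $tpm = @($cfg.Hardware.Device | Where-Object { $_.GetType().Name -eq 'VirtualTPM' })
    [pscustomobject]@{
        Name     = $VM.Name
        HasVTpm  = ($tpm.Count -gt 0)
        Findings = $findings
    }
}

# Constructed sample standing in for a VM created with BIOS firmware on an older host.
$sample = [pscustomobject]@{
    Name          = 'win10-test'   # constructed name
    VMHost        = [pscustomobject]@{ Version = '6.5.0' }
    ExtensionData = [pscustomobject]@{ Config = [pscustomobject]@{
        Firmware = 'bios'; GuestId = 'windows9_64Guest'
        Hardware = [pscustomobject]@{ Device = @() }
    } }
}
Test-VTpmReadiness -VM $sample -KmsClusterCount 1

# Against a live vCenter Server session (Connect-VIServer already run):
#   $si  = Get-View ServiceInstance
#   $kms = ((Get-View $si.Content.CryptoManager).KmipServers | Measure-Object).Count
#   Test-VTpmReadiness -VM (Get-VM -Name 'win10-test') -KmsClusterCount $kms
```

A virtual machine created by the procedure above should report `HasVTpm` as true with an empty `Findings` list; the constructed sample reports two findings (firmware and host version) and no vTPM.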