You can add a Virtual Trusted Platform Module (vTPM) to a virtual machine to provide enhanced security to the guest operating system. Adding a vTPM relies on virtual machine encryption to protect the vTPM's data, so you must set up the Key Management Server (KMS) before you can add a vTPM.

You can enable a vTPM for virtual machines running on vSphere 6.7 and later. The VMware virtual TPM is compatible with TPM 2.0 and presents a TPM 2.0 device to the virtual machine and the guest OS it hosts. The vTPM does not depend on a physical TPM chip in the ESXi host; its state is stored in the virtual machine's files, which vSphere encrypts.

Prerequisites

  • Ensure your vSphere environment is configured for virtual machine encryption. See Set up the Key Management Server Cluster.
  • The guest OS can be Windows Server 2008 or later, or Windows 7 or later.
  • The ESXi hosts running in your environment must be ESXi 6.7 or later.
  • The virtual machine must use EFI firmware.

Procedure

  1. Connect to vCenter Server by using the vSphere Client.
  2. Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
  3. Right-click the object, select New Virtual Machine, and follow the prompts to create a virtual machine.
    Option                     Action
    Select a creation type     Create a new virtual machine.
    Select a name and folder   Specify a name and target location.
    Select a compute resource  Specify an object for which you have privileges to create a virtual machine. See Prerequisites and Required Privileges for Encryption Tasks.
    Select storage             Select a compatible datastore.
    Select compatibility       Select ESXi 6.7 and later.
    Select a guest OS          Select Windows Server 2016 (64 bit) or Windows 10 (64 bit) for use as the guest OS.
    Customize hardware         Click Add New Device and select Trusted Platform Module. You can further customize the hardware, for example, by changing disk size or CPU.
    Ready to complete          Review the information and click Finish.
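The same steps can be scripted instead of clicked through. The following PowerCLI script is an added example, not VMware's own code or the page's procedure: it adds a vTPM to an existing, powered-off virtual machine through the public vSphere API (the VirtualTPM device type introduced with vSphere 6.7), after checking the prerequisites this page lists (EFI firmware, ESXi 6.7 compatibility, which is hardware version vmx-14), and then verifies that the device is present and that the VM's files were encrypted by the configured KMS. The vCenter Server name and VM name are placeholders.

```powershell
# Added example (not VMware's code): add a vTPM to an existing EFI VM with PowerCLI
# via the vSphere API, then verify the result. Placeholder names: vcsa.example.local,
# win2016-vtpm. Requires the VMware.PowerCLI module and vCenter Server 6.7 or later.
param(
    [string]$VIServer = 'vcsa.example.local',   # placeholder vCenter Server
    [string]$VMName   = 'win2016-vtpm'          # placeholder virtual machine
)

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $VIServer | Out-Null

$vm     = Get-VM -Name $VMName
$vmView = $vm | Get-View   # managed object with Config and ReconfigVM()

# Prerequisite checks mirroring the page: EFI firmware, hardware version 14
# (ESXi 6.7 compatibility) or later. The VM must also be powered off, because
# a TPM device cannot be hot-added.
if ($vmView.Config.Firmware -ne 'efi') {
    throw "$VMName uses $($vmView.Config.Firmware) firmware; a vTPM requires EFI."
}
$hwVersion = [int]($vmView.Config.Version -replace '^vmx-', '')
if ($hwVersion -lt 14) {
    throw "$VMName is hardware version vmx-$hwVersion; a vTPM requires vmx-14 (ESXi 6.7) or later."
}
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$VMName must be powered off before a vTPM can be added."
}
if ($vmView.Config.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] }) {
    Write-Host "$VMName already has a vTPM; nothing to do."
    return
}

# Build a reconfigure spec that adds one VirtualTPM device. A negative device
# key tells vCenter Server to assign the real key itself.
$tpm = New-Object VMware.Vim.VirtualTPM
$tpm.Key = -1
$change = New-Object VMware.Vim.VirtualDeviceConfigSpec
$change.Operation = [VMware.Vim.VirtualDeviceConfigSpecOperation]::add
$change.Device = $tpm
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.DeviceChange = @($change)

# The reconfigure fails if no key provider (KMS cluster) is configured, because
# vCenter Server encrypts the VM home files that hold the vTPM state. ReconfigVM
# is synchronous and throws on failure, so a missing KMS surfaces here.
$vmView.ReconfigVM($spec)

# Verify: the device is now in the hardware list and the VM carries an
# encryption key id that names the key provider which issued it.
$vmView.UpdateViewData()
$hasTpm    = [bool]($vmView.Config.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] })
$encrypted = $null -ne $vmView.Config.KeyId

[pscustomobject]@{
    VM              = $VMName
    vTPMPresent     = $hasTpm
    VMFilesEncrypted = $encrypted
    KeyProvider     = if ($encrypted) { $vmView.Config.KeyId.ProviderId.Id } else { $null }
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Run it once per VM; it refuses to change firmware on a VM that is not already EFI, because switching BIOS to EFI on an installed guest breaks boot and should be a deliberate step. After the guest OS starts, `Get-Tpm` in an elevated Windows PowerShell session should report TpmPresent and TpmReady as True, which confirms the guest sees the TPM 2.0 device.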

Results

The vTPM-enabled virtual machine appears in your inventory as specified.