You can add a Virtual Trusted Platform Module (vTPM) to a virtual machine to provide enhanced security to the guest operating system, for example by letting the guest use features that require a TPM. The vTPM's state is stored in the virtual machine's .nvram file and protected with virtual machine encryption, so you must set up the Key Management Server (KMS) cluster before you can add a vTPM.
You can enable a vTPM for virtual machines running on vSphere 6.7 and later. The VMware virtual TPM implements the TPM 2.0 specification and presents a TPM 2.0 device to the virtual machine and the guest OS it hosts. The vTPM is emulated in software by the ESXi host; it does not require, and is not backed by, a physical TPM chip on the host.
Ensure your vSphere environment is configured for virtual machine encryption. Adding a vTPM encrypts the virtual machine's home files (its configuration and .nvram file, not necessarily its virtual disks) with the default key provider. See Set up the Key Management Server Cluster.
The guest OS you use must be either Windows Server 2016 (64 bit) or Windows 10 (64 bit).
The ESXi hosts running in your environment must be ESXi 6.7 or later.
The virtual machine must use EFI firmware.
- Connect to vCenter Server by using the vSphere Client.
- Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
- Right-click the object, select New Virtual Machine, and follow the prompts to create a virtual machine:
  - Select a creation type: Create a new virtual machine.
  - Select a name and folder: Specify a name and target location.
  - Select a compute resource: Specify an object for which you have privileges to create a virtual machine. See Prerequisites and Required Privileges for Encryption Tasks.
  - Select storage: Select a compatible datastore.
  - Select compatibility: Select ESXi 6.7 and later (virtual hardware version 14).
  - Select a guest OS: Select Windows Server 2016 (64 bit) or Windows 10 (64 bit) for use as the guest OS.
  - Customize hardware: Click Add New Device and select Trusted Platform Module. You can further customize the hardware, for example, by changing disk size or CPU.
  - Ready to complete: Review the information and click Finish.
The vTPM-enabled virtual machine appears in your inventory as specified.
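The same procedure can be scripted with PowerCLI. The following is an added example, not code from this page or from VMware; it assumes PowerCLI 11 or later (which provides the New-VTpm and Get-VTpm cmdlets and lets New-VTpm encrypt an unencrypted VM with the default key provider), a vCenter Server at vcsa.example.com, a cluster named Prod, a datastore named vsanDatastore, a port group named VM Network, and a KMS cluster already registered as the default key provider. All of those names are placeholders. The script creates the VM with ESXi 6.7 compatibility, switches it to EFI firmware before the first power-on, attaches the vTPM, and then checks the three properties the procedure depends on.

```powershell
# Added example (not from the VMware page): create a vTPM-enabled Windows Server 2016 VM with PowerCLI.
# Assumed environment (placeholders): vcsa.example.com, cluster "Prod", datastore "vsanDatastore",
# port group "VM Network", and a KMS cluster configured as the default key provider.

Connect-VIServer -Server 'vcsa.example.com'

$cluster   = Get-Cluster   -Name 'Prod'
$datastore = Get-Datastore -Name 'vsanDatastore'

# Virtual hardware version 14 is the ESXi 6.7 compatibility level, the minimum for a vTPM.
# 'windows9Server64Guest' is the guest ID for Windows Server 2016 (64 bit).
$vm = New-VM -Name 'win2016-vtpm' `
             -ResourcePool $cluster `
             -Datastore $datastore `
             -GuestId 'windows9Server64Guest' `
             -HardwareVersion 'vmx-14' `
             -NumCpu 2 -MemoryGB 4 -DiskGB 60 `
             -NetworkName 'VM Network'

# New-VM creates a BIOS VM by default; a vTPM requires EFI firmware.
# Change it before the guest is installed, because switching firmware later breaks an installed OS.
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.Firmware = 'efi'
$vm.ExtensionData.ReconfigVM($spec)

# Attach the vTPM. The VM home files must be encrypted for this to succeed, which is why the
# KMS cluster has to exist first; New-VTpm uses the default key provider for that (assumption).
New-VTpm -VM $vm | Out-Null

# Checks: re-read the VM object, because the cached copy predates the reconfigure.
$vm = Get-VM -Name 'win2016-vtpm'

if ($vm.ExtensionData.Config.Firmware -ne 'efi') {
    throw 'Firmware is not EFI; the vTPM will not be usable by the guest.'
}
if (-not (Get-VTpm -VM $vm)) {
    throw 'No Trusted Platform Module device is attached to the VM.'
}
if (-not $vm.ExtensionData.Config.KeyId) {
    throw 'VM home files are not encrypted; vTPM state would be stored in clear text.'
}

Write-Host ("{0}: EFI firmware, vTPM attached, home files encrypted with key provider {1}" -f `
    $vm.Name, $vm.ExtensionData.Config.KeyId.ProviderId.Id)
```

After Windows is installed, the guest-side check is Get-Tpm in an elevated PowerShell session, which should report TpmPresent and TpmReady as True, and Confirm-SecureBootUEFI, which returns True only when the VM booted with EFI and Secure Boot enabled. Note that the script encrypts only the VM home files; if the virtual disks also need encryption, apply a storage policy that requires it separately.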