You can add a Virtual Trusted Platform Module (vTPM) to an existing virtual machine to provide enhanced security to the guest operating system. You must set up the Key Management Server (KMS) before you can add a vTPM.

You can enable a vTPM for virtual machines running on vSphere 6.7 and later. The VMware virtual TPM is compatible with TPM 2.0, and creates a TPM-enabled virtual chip for use by the virtual machine and the guest OS it hosts.

Prerequisites

  • Ensure your vSphere environment is configured for virtual machine encryption. See Set up the Key Management Server Cluster.
  • The guest OS can be Windows Server 2008 or later, or Windows 7 or later.
  • Verify that the virtual machine is turned off.
  • The ESXi hosts running in your environment must be ESXi 6.7 or later.
  • The virtual machine must use EFI firmware.
  • Verify that you have the required privileges:
    • Cryptographic operations.Clone
    • Cryptographic operations.Encrypt
    • Cryptographic operations.Encrypt new
    • Cryptographic operations.Register VM
    • Virtual machine.Configuration.Add or remove device

Procedure

  1. Connect to vCenter Server by using the vSphere Client.
  2. Right-click the virtual machine in the inventory that you want to modify and select Edit Settings.
  3. In the Edit Settings dialog box, click Add New Device and select Trusted Platform Module.
  4. Click OK.
    The virtual machine Summary tab now includes Virtual Trusted Platform Module in the VM Hardware pane.
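The same prerequisite checks and the vTPM add, scripted in PowerCLI as an added example (this is not code from the VMware documentation). It assumes PowerCLI with its Security and Storage modules is installed, that the placeholder vCenter address and VM name are replaced with your own, and that a registered KMS cluster (Get-KmsCluster) reflects the encryption setup described in the prerequisites.

```powershell
param(
    [string]$VCenter = 'vcenter.example.invalid',   # placeholder, not a real server
    [string]$VmName  = 'win2019-app01'              # placeholder VM name
)

Connect-VIServer -Server $VCenter | Out-Null
$vm = Get-VM -Name $VmName -ErrorAction Stop
$problems = @()

# Prerequisite: VM encryption is configured, i.e. a KMS cluster is registered in vCenter.
if (-not (Get-KmsCluster -ErrorAction SilentlyContinue)) {
    $problems += 'No Key Management Server cluster is configured on this vCenter Server.'
}

# Prerequisite: the virtual machine is turned off.
if ($vm.PowerState -ne 'PoweredOff') {
    $problems += "VM is $($vm.PowerState); it must be powered off."
}

# Prerequisite: the virtual machine uses EFI firmware.
$firmware = $vm.ExtensionData.Config.Firmware
if ($firmware -ne 'efi') {
    $problems += "Firmware is '$firmware'; EFI is required."
}

# Prerequisite: the ESXi host running the VM is 6.7 or later.
if ([version]$vm.VMHost.Version -lt [version]'6.7.0') {
    $problems += "Host $($vm.VMHost.Name) runs ESXi $($vm.VMHost.Version); 6.7 or later is required."
}

# Prerequisite (coarse check only): the configured guest OS is a Windows release.
$guestId = $vm.ExtensionData.Config.GuestId
if ($guestId -notmatch '^win') {
    $problems += "Guest ID '$guestId' is not a Windows guest."
}

# The steps above add a vTPM; stop if this VM already has one.
if (Get-VTpm -VM $vm -ErrorAction SilentlyContinue) {
    $problems += 'This VM already has a Virtual Trusted Platform Module.'
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Prerequisites not met; no vTPM was added.'
}

# All checks passed: add the device (the equivalent of Add New Device > Trusted Platform Module).
$tpm = New-VTpm -VM $vm
Write-Host "Added $($tpm.Name) to $($vm.Name); it now appears in the VM Hardware pane."
```

The guest OS check only confirms a Windows guest ID; confirm the exact Windows release against the prerequisite list yourself.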