You can add a Virtual Trusted Platform Module (vTPM) to an existing virtual machine to provide enhanced security to the guest operating system. You must set up the KMS before you can add a vTPM.

You can enable a vTPM for virtual machines running on vSphere 6.7 and later. The VMware virtual TPM is compatible with TPM 2.0, and creates a TPM-enabled virtual chip for use by the virtual machine and the guest OS it hosts.


  • Ensure your vSphere environment is configured for virtual machine encryption. See the vSphere Security documentation.
  • The guest OS you use must be either Windows Server 2016 (64 bit) or Windows 10 (64 bit).
  • Verify that the virtual machine is turned off.
  • The ESXi hosts running in your environment must be ESXi 6.7 or later.
  • The virtual machine must use EFI firmware.


  1. Connect to vCenter Server by using the vSphere Client.
  2. Right-click the virtual machine in the inventory that you want to modify and select Edit Settings.
  3. In the Edit Settings dialog box, click Add New Device and select Trusted Platform Module.
  4. Click OK.
    The virtual machine Summary tab now includes Virtual Trusted Platform Module in the VM Hardware pane.