You can add a Virtual Trusted Platform Module (vTPM) when you create a virtual machine to provide enhanced security to the guest operating system. You must create a key provider before you can add a vTPM.

The VMware virtual TPM is compatible with TPM 2.0 and creates a TPM-enabled virtual chip for use by the virtual machine and the guest OS it hosts.

Prerequisites

  • Ensure your vSphere environment is configured with a key provider. See the vSphere Security documentation.
  • The guest OS you use can be Windows Server 2008 and later, Windows 7 and later, or Linux.
  • The ESXi hosts running in your environment must be ESXi 6.7 and later (Windows guest OS), or 7.0 Update 2 and later (Linux guest OS).
  • The virtual machine must use EFI firmware.
  • Verify that you have the required privileges:
    • Cryptographic operations.Clone
    • Cryptographic operations.Encrypt
    • Cryptographic operations.Encrypt new
    • Cryptographic operations.Migrate
    • Cryptographic operations.Register VM
    • Cryptographic operations.Register host
Note: After creating a virtual machine with a vTPM, the Cryptographic operations.Direct Access privilege is required to open a console session.

Procedure

  1. Connect to vCenter Server by using the vSphere Client.
  2. Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
  3. Right-click the object, select New Virtual Machine, and follow the prompts to create a virtual machine.
    Option                     Action
    Select a creation type     Create a new virtual machine.
    Select a name and folder   Specify a name and target location.
    Select a compute resource  Specify an object for which you have privileges to create a virtual machine. See "Prerequisites and Required Privileges for Encryption Tasks" in the vSphere Security documentation.
    Select storage             Select a compatible datastore.
    Select compatibility       You must select ESXi 6.7 and later for a Windows guest OS, or ESXi 7.0 U2 and later for a Linux guest OS.
    Select a guest OS          Select Windows or Linux for use as the guest OS.
    Customize hardware         Click Add New Device and select Trusted Platform Module. You can further customize the hardware, for example, by changing disk size or CPU.
    Ready to complete          Review the information and click Finish.

Results

The vTPM-enabled virtual machine appears in your inventory as specified.
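The same task scripted with PowerCLI, as an added example that is not part of the VMware documentation: it verifies the prerequisites the page lists (EFI firmware, minimum ESXi host version for the guest OS family, powered-off state) before adding the vTPM, and then reads the device back as the equivalent of the Results check. It assumes PowerCLI 12.0 or later (which provides the Get-VTpm and New-VTpm cmdlets) and a key provider already configured in vCenter; the vCenter address and VM name are placeholders.

```powershell
# Added example, not part of the VMware documentation. Assumes PowerCLI 12.0 or
# later (Get-VTpm / New-VTpm) and a key provider already configured in vCenter,
# as listed under Prerequisites. Server and VM names below are placeholders.
Import-Module VMware.VimAutomation.Core

function Test-VTpmPrerequisites {
    param([Parameter(Mandatory)] $VM)

    # The page requires EFI firmware. Do not flip a BIOS VM to EFI here: an OS
    # installed under BIOS will no longer boot, so report it and stop instead.
    if ($VM.ExtensionData.Config.Firmware -ne 'efi') {
        throw "VM '$($VM.Name)' uses $($VM.ExtensionData.Config.Firmware) firmware; vTPM requires EFI."
    }

    # Minimum host version depends on the guest OS family: ESXi 6.7 for Windows,
    # ESXi 7.0 U2 (reported as 7.0.2) for Linux. GuestId is set at creation time,
    # so this check also works for a VM that has never been powered on.
    $isWindows   = $VM.ExtensionData.Config.GuestId -match '^windows'
    $minVersion  = if ($isWindows) { [Version]'6.7.0' } else { [Version]'7.0.2' }
    $hostVersion = [Version]$VM.VMHost.Version
    if ($hostVersion -lt $minVersion) {
        throw "Host $($VM.VMHost.Name) runs ESXi $hostVersion; this guest needs $minVersion or later for vTPM."
    }

    # The device can only be added while the VM is powered off.
    if ($VM.PowerState -ne 'PoweredOff') {
        throw "VM '$($VM.Name)' must be powered off before adding a vTPM."
    }
}

Connect-VIServer -Server 'vcenter.example.invalid' | Out-Null   # placeholder address
$vm = Get-VM -Name 'vtpm-demo-vm'                                # placeholder VM name

Test-VTpmPrerequisites -VM $vm

# Idempotent: a VM holds at most one vTPM, so add it only when none is present.
if (-not (Get-VTpm -VM $vm)) {
    New-VTpm -VM $vm | Out-Null
}

# Equivalent of the Results step above: the vTPM device is now part of the VM.
Get-VTpm -VM $vm
```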