Windows 11, and soon Windows Server 2025, require a vTPM, and it is a good idea to have one even if you are not running either of them. Even if you only have a single host, you still need to create a cluster before vTPM can be enabled, so let's go through how to enable the native key provider.
Introduction
Validated on
This how-to has been tested and is known to work on the following versions (but is not limited to them):
- vCenter 8
Prerequisite
- Permission to create a new cluster
- Permission to add native key provider
Recommendation
Make sure that you have a backup of the TPM recovery key and ID from your ESXi host, if you haven't done so already. You can read how to do it here.
Create a new cluster
You can't enable the native key provider without a cluster, regardless of whether you have a single host or several. So this is the first thing we need to do.
Right-click on your datacenter and then click New Cluster in the menu.
Enter a name for the cluster. If you are using a single node, just make sure that the settings look like the picture below.
Here you can compose a new image if you want to, or just use the one that you already have.
Make sure that everything is the way you want it and then click Finish.
Wait until the new cluster has been created, then continue.
In the left menu, left-click and hold on your ESXi host, drag it onto the cluster and release.
We have now created a new cluster and added our ESXi host to it. It's time to add the native key provider.
Add native key provider
Now it's time to enable the native key provider so we can use vTPM.
Click on your vCenter in the left column, then on the right click Configure. In the left column, click Key Providers.
Click Add, and then in the menu that appears click Add Native Key Provider.
Choose a name for it and make sure that "Use key provider only with TPM protected ESXi hosts (Recommended)" is checked, then click "Add key provider".
We have now added a native key provider, but as you can see we are still missing an important thing: a backup. So let's take a backup of it.
Take backup of your native key provider
This step is not mandatory, but it’s strongly recommended. Better safe than sorry.
Select your native key provider and then click Back-up in the menu.
Check both boxes, enter a password and click Back up key provider. Make sure that you have saved the password in a safe place.
This will generate a file that is downloaded; make sure to save this file in a safe place as well.
The status has now changed to "Active".
Conclusion
We are done! You can now add vTPMs to your VMs. I'll say it again: make sure that you have saved the password and the backup file in a safe place.
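Once the key provider is active and you start adding vTPMs, it is worth checking the result from the command line rather than trusting the UI alone. The PowerCLI script below is an added example, not part of the original post or a VMware script: it lists whether each ESXi host reports a hardware TPM and its attestation status (which the "TPM protected ESXi hosts" option depends on), and which VMs already carry a VirtualTPM device together with the key provider that encrypts their VM home. The vCenter name is a placeholder, and the property names used (Capability.TpmSupported, Summary.TpmAttestation, Config.KeyId) are taken from the vSphere API object model as I know it; adjust if your version exposes them differently.

```powershell
# Added example (not from the original post): audit hosts and VMs for TPM / vTPM state.
# Requires VMware PowerCLI and rights to read host and VM configuration.
param(
    [string]$VCenter = 'vcenter.example.local'   # placeholder, replace with your vCenter
)

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $VCenter | Out-Null

# Hosts: does the hardware expose a TPM, and has vCenter attested the host?
$hostReport = Get-VMHost | ForEach-Object {
    $view = $_ | Get-View -Property Name, Capability, Summary.TpmAttestation
    [pscustomobject]@{
        Host         = $view.Name
        TpmSupported = $view.Capability.TpmSupported
        Attestation  = $view.Summary.TpmAttestation.Status
    }
}

# VMs: is a VirtualTPM device present, and is the VM home encrypted (KeyId set)?
# A vTPM always requires VM home encryption, so KeyId should be set whenever HasVTPM is true.
$vmReport = Get-VM | ForEach-Object {
    $view = $_ | Get-View -Property Name, Config.Hardware.Device, Config.KeyId
    $hasVtpm = [bool]($view.Config.Hardware.Device |
        Where-Object { $_ -is [VMware.Vim.VirtualTPM] })
    [pscustomobject]@{
        VM            = $view.Name
        HasVTPM       = $hasVtpm
        HomeEncrypted = [bool]$view.Config.KeyId
        KeyProvider   = $view.Config.KeyId.ProviderId.Id   # name of the key provider in use
    }
}

$hostReport | Format-Table -AutoSize
$vmReport | Sort-Object HasVTPM -Descending | Format-Table -AutoSize

# Flag anything inconsistent: a host without TPM support in a "TPM protected hosts only"
# setup cannot run vTPM VMs, and a vTPM VM without a key should not exist.
$hostReport | Where-Object { -not $_.TpmSupported } |
    ForEach-Object { Write-Warning "Host $($_.Host) reports no hardware TPM" }
$vmReport | Where-Object { $_.HasVTPM -and -not $_.HomeEncrypted } |
    ForEach-Object { Write-Warning "VM $($_.VM) has a vTPM but no encryption key" }

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it after adding the first vTPM: the KeyProvider column should show the name you gave the native key provider, and every host listed should report TpmSupported as True if you kept the recommended "TPM protected ESXi hosts" option.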