Enable vTPM in vSphere

Windows 11 requires a TPM 2.0, and the same is expected for Windows Server 2025, but adding a vTPM is a good idea even for guests that don't strictly require it (BitLocker, Credential Guard and measured boot inside the VM all build on it). A vTPM's data is encrypted with a key that vCenter obtains from a key provider, and the simplest choice is the vSphere Native Key Provider. Native Key Provider only works for hosts that are in a cluster, so even if you only have a single host, you still need to create a cluster. Let's go through how to enable Native Key Provider.

Introduction

Validated on

This how-to has been tested and is known to work on the following versions, but is not limited to them:

  • vCenter 8

Prerequisite

  • Permission to create a new cluster
  • Permission to add native key provider

Recommendation

If your ESXi host has a physical TPM, its configuration is already encrypted with a key sealed by that TPM. Make sure you have a backup of the host's encryption recovery key and recovery ID before you continue, if you haven't already; without it, a cleared or replaced TPM leaves the host unable to read its own configuration. You can read here how to do it.

Create a new cluster

You can't use the Native Key Provider for a host that isn't in a cluster, regardless of whether you have a single host or many. So, creating a cluster is the first thing we need to do.

  • Right-click on your datacenter and then click on New Cluster in the menu

  • Enter a name for the cluster. If you're using a single node, just make sure that it looks like the picture below (DRS and HA don't need to be enabled for the key provider or vTPM to work)

  • Here you can compose a new image if you want to, or keep the one that you already have

  • Make sure that everything is how you want it and then click Finish

  • Wait until the new cluster has been created, then we can continue

  • In the inventory on the left, click and hold on your ESXi host, drag it onto the new cluster and release it

We have now created a new cluster and added our ESXi host to the cluster, it’s time to add native key provider.

Add native key provider

Now it's time to add a Native Key Provider so we can use vTPM.

  • Select your vCenter in the inventory on the left, open the Configure tab, and under Security click on Key Providers

  • Now it's time to add a key provider, so click on Add and then, in the menu that appears, click Add Native Key Provider

  • Choose a name for it and make sure that "Use key provider only with TPM protected ESXi hosts (Recommended)" is checked, then click "Add key provider". With this option the key derivation key is only pushed to hosts that have a TPM 2.0, so a host without one cannot decrypt your VMs and the key never sits unprotected on a host's disk

We have now added a Native Key Provider, but as you can see it is not active yet: vCenter flags it as not backed up. The key derivation key exists only inside this vCenter until you export it, so let's take a backup of it.

Take backup of your native key provider

vCenter won't mark the provider as Active, and you can't encrypt a VM with it, until it has been backed up at least once. The backup is also the only way to recover the key derivation key if vCenter is lost; without it, every VM encrypted with this provider (including every vTPM) is unrecoverable. Better safe than sorry.

  • Select your Native Key Provider and then click on Back-up in the menu

  • Check both boxes and enter a password, then click Back up key provider. Make sure that you have saved the password in a safe place; the backup file is useless without it

  • This generates a file that is downloaded by your browser. Save this file in a safe place, and not on a datastore that the same provider encrypts

  • The status has now changed to "Active"

Conclusion

We are done! Now you can add vTPMs to your VMs (the VM needs EFI firmware and hardware version 14 or newer, and must be powered off while the vTPM is added). I'll say it again: make sure that you have saved the password and the backup file in a safe place, ideally in two different places, since anyone holding both can decrypt every VM protected by this provider.
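The same procedure from PowerCLI, as an added example that is not part of the original post. It creates the cluster and moves the host into it, pulls the host's TPM recovery key as recommended above, adds a vTPM to a VM and then verifies that the VM is encrypted with a key from the Native Key Provider. Creating and backing up the provider itself is left to the vSphere Client steps above, since that is how the post does it, and the script assumes it is already Active. The vCenter, datacenter, cluster, host and VM names are placeholders; the recovery-key call mirrors the `esxcli system settings encryption recovery list` namespace through `Get-EsxCli -V2`.

```powershell
# Added example (not the original post's code). PowerCLI 12.1 or newer,
# which provides Get-VTpm / New-VTpm. All names below are placeholders.
param(
    [string]$VCenter    = 'vcsa.lab.example',    # placeholder
    [string]$Datacenter = 'Datacenter',          # placeholder
    [string]$Cluster    = 'vTPM-Cluster',        # placeholder
    [string]$VMHost     = 'esxi01.lab.example',  # placeholder
    [string]$VMName     = 'win11-01'             # placeholder
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

# 1. Create the cluster if it does not exist and move the host into it.
#    DRS and HA stay off, which is fine for a single node.
$dc = Get-Datacenter -Name $Datacenter
$cl = Get-Cluster -Name $Cluster -Location $dc -ErrorAction SilentlyContinue
if (-not $cl) {
    $cl = New-Cluster -Name $Cluster -Location $dc
}
$esx = Get-VMHost -Name $VMHost
if ($esx.Parent.Name -ne $Cluster) {
    Move-VMHost -VMHost $esx -Destination $cl | Out-Null
}

# 2. Back up the host's encryption recovery key and ID (the Recommendation
#    above). Equivalent to 'esxcli system settings encryption recovery list'
#    in the ESXi shell. Keep this file off the host and off its datastores.
$esxcli = Get-EsxCli -VMHost $esx -V2
$esxcli.system.settings.encryption.recovery.list.Invoke() |
    Format-List | Out-File -FilePath ".\$VMHost-recovery-key.txt"

# 3. Add the vTPM. Preconditions: powered off, EFI firmware, HW version >= 14,
#    and an active key provider (New-VTpm fails with a crypto error otherwise,
#    which is the quickest proof that the Native Key Provider is usable).
$vm = Get-VM -Name $VMName
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$VMName must be powered off before a vTPM can be added"
}
if ($vm.ExtensionData.Config.Firmware -ne 'efi') {
    throw "$VMName uses BIOS firmware; a vTPM requires EFI"
}
if ([int]($vm.HardwareVersion -replace 'vmx-', '') -lt 14) {
    throw "$VMName needs virtual hardware version 14 or newer"
}
if (-not (Get-VTpm -VM $vm -ErrorAction SilentlyContinue)) {
    New-VTpm -VM $vm | Out-Null
}

# 4. Verify: adding a vTPM encrypts the VM home files, so Config.KeyId is
#    now populated and ProviderId.Id names the key provider that was used.
#    Compare it with the provider name you created in the vSphere Client.
$vm = Get-VM -Name $VMName   # refresh after the reconfigure
$keyId = $vm.ExtensionData.Config.KeyId
[pscustomobject]@{
    VM          = $vm.Name
    HasVTpm     = [bool](Get-VTpm -VM $vm -ErrorAction SilentlyContinue)
    KeyProvider = $keyId.ProviderId.Id
    KeyId       = $keyId.KeyId
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

If `KeyProvider` comes back empty, the VM was not encrypted and the vTPM was not added; check that the provider shows "Active" (that is, it has been backed up) and that the host has a TPM when the "TPM protected hosts only" option is set.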
