Install Windows 11 on VMware vSphere with a virtual TPM

Yesterday I wrote a blog post called “Install Windows 11 as VM on VMware vSphere / Workstation without TPM 2.0 chipset”. In that article, I explained how to install Windows 11 without a TPM 2.0 chipset by using a registry hack. Paul Braren from tinkertry.com created a cool video (link) about installing Windows 11 on VMware vSphere using my blog article. Bob Plankers (@plankers) replied on Twitter that a virtual TPM can be used too.

So I did some research in my home lab. With VMware vSphere and VMware Workstation, it is possible to install Windows 11 by using a device that emulates a physical TPM 2.0 chipset without having one. This is called a Virtual Trusted Platform Module (vTPM). A vTPM performs the same functions as a hardware TPM, but it provides the cryptographic coprocessor capabilities in software. So without a physical TPM 2.0 you can run Windows 11 without applying any hacks to the Windows 11 operating system.

In this blog post, I explain how to configure vTPM for VMware vSphere and install Windows 11. Here are the steps:

Requirements for vTPM

  • EFI firmware
  • Hardware Version 14 or later
  • vSphere 6.7 or later
  • Virtual Machine encryption
  • Key Provider. The Key Provider is used to enable encrypted technologies such as TPM

To enable vTPM you must first add a Key Provider:

  • Open the vSphere Client URL (https://vcentername/ui)
  • Log in
  • Click on the vCenter name – Configure and select Key Providers
  • Click on ADD
  • Select Add Native Key Provider. When using the Native Key provider you don’t need an external key server.
  • Enter a name for the Key Provider and uncheck “Use key provider only with TPM protected ESXi hosts (Recommended)”.

  • Select Backup and uncheck “Protect Native Key Provider data with password (Recommended)” and click on BACK UP KEY PROVIDER

  • The Key Provider is now configured and active

Windows 11 VM Configuration

For the Windows 11 VM configuration, I configured the following:

  • Create or download a Windows 11 ISO (for more information see the blog post mentioned at the beginning).
  • Copy the ISO to a datastore that can be accessed when installing Windows 11

In the vCenter client create a new VM with the following specification:

  • Configuration step 1: Create a new Virtual Machine
  • Configuration step 2: Enter the Virtual Machine name
  • Configuration step 3: Select the ESXi host or cluster for the VM
  • Configuration step 4: Select the datastore and select Encrypt this virtual machine

  • Configuration step 5: Compatibility: ESXi 7.0 U2 and later (I’m using ESXi 7)

  • Configuration step 6: Guest OS: Guest OS Family: Windows
    • Guest OS Version: Windows 10 (64-bit)
    • Enable Windows Virtualization Based Security: Check

  • Configuration step 7: CPU: 2 or more
    • Memory: 4 GB or more
    • Hard disk: 64 GB or more
    • CD/DVD: Mount the ISO on the datastore
    • Custom Hardware: Select Add New Device and choose Trusted Platform Module

  • Configuration step 8: VM configuration overview
    • Click on Finish

  • Start the VM and the installation begins without complaining that this PC can’t run Windows 11

Windows 11 can be installed without having a physical TPM 2.0 chipset or using the registry hack mentioned at the beginning of the blog post. How cool is that!
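
The requirements listed above can be checked per VM from PowerCLI before starting the installer. The script below is an added example, not part of the original post; it assumes an existing Connect-VIServer session, and the function name and the 'Win11-*' name pattern are hypothetical.

```powershell
# Added example (not from the original post). Assumes an existing
# Connect-VIServer session; the VM name pattern below is hypothetical.
function Test-VTpmRequirement {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $VM   # VirtualMachine object from Get-VM
    )
    process {
        $config = $VM.ExtensionData.Config

        # Hardware version is reported as 'vmx-NN', for example 'vmx-19'
        $hwVersion = [int]($config.Version -replace '^vmx-', '')

        # A vTPM shows up as a VirtualTPM device in the virtual hardware list
        $vtpm = @($config.Hardware.Device |
            Where-Object { $_.GetType().Name -eq 'VirtualTPM' })

        # KeyId is only populated when the VM home files are encrypted
        $encrypted = $null -ne $config.KeyId

        $failed = @()
        if ($config.Firmware -ne 'efi') { $failed += 'EFI firmware' }
        if ($hwVersion -lt 14)          { $failed += 'Hardware version 14 or later' }
        if (-not $encrypted)            { $failed += 'Virtual Machine encryption' }
        if ($vtpm.Count -eq 0)          { $failed += 'Trusted Platform Module device' }

        [pscustomobject]@{
            Name            = $VM.Name
            Firmware        = $config.Firmware
            HardwareVersion = $hwVersion
            Encrypted       = $encrypted
            KeyProvider     = $config.KeyId.ProviderId.Id   # empty when not encrypted
            VTpmPresent     = $vtpm.Count -gt 0
            Ready           = $failed.Count -eq 0
            Missing         = $failed -join '; '
        }
    }
}

# Report every VM matching the (hypothetical) name pattern
Get-VM -Name 'Win11-*' | Test-VTpmRequirement | Format-Table -AutoSize
```

A VM with Ready set to False lists the unmet requirements in the Missing column.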

Install Windows 11 as VM on VMware vSphere / Workstation without TPM 2.0

Yesterday Windows 11 was officially released. Windows 11 requires a Trusted Platform Module (TPM) version 2.0 (link). My VMware ESXi servers at home don’t have a TPM 2.0. During the installation, Windows checks for the presence of a TPM 2.0; if none is available, the installation fails. There is a registry hack available to bypass the TPM 2.0 check. Use this only for demo purposes and not in production environments!

The first step is to download Windows 11. This can be done by visiting the Windows 11 download page (link) and downloading the ISO image, or by creating an ISO image with the MediaCreationTool (Quick Tip: Download the latest Windows 10 ISO file). After the download, put the ISO on a datastore and create a VM with the following specifications:

  • Hardware Specifications:
    • Compatibility: ESXi 7.0 U2 and later (I’m using ESXi 7)
    • Guest OS: Windows 10 (64-bit)
      • Enable Windows Virtualization Based Security: Check
    • CPU: 2
    • Memory: 4 GB
    • Hard Disk: 64 GB
    • CD/DVD: ISO on datastore
      • Connect: Check
  • Boot the VM with the ISO connected and the installation of Windows 11 will begin.
  • Select the correct Language, Time and currency format, and keyboard layout

  • Select “Install Now”

  • A Message appears that this PC can’t run Windows 11

  • Press Shift + F10
  • A DOS box appears. Type regedit and hit Enter

  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\Setup and create a new Key named LabConfig
  • Create in the LabConfig Key a ByPassTPMCheck DWORD (32-bit) with the value of 1
  • Close the Regedit window (click on the Red X in the right corner)
  • Type exit to leave the command prompt
  • Click on the Red X in the right corner and the setup will start again

  • The setup is now able to install Windows 11 as VM in VMware ESXi or VMware Workstation.
  • When the setup is finished you have a Windows 11 VM running.

With this procedure, you can run Windows 11 on hardware that doesn’t have a TPM 2.0 chip. This procedure is not officially supported, of course! For example, you may not receive security updates in the future if you bypass the hardware requirements such as TPM.

VMware vSphere supports a Virtual Trusted Platform Module (vTPM) that emulates a physical TPM 2.0 without having one. Want to know more? Read my other blog post called “Install Windows 11 on VMware vSphere with a virtual TPM”.
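
To find out afterwards whether a Windows 11 guest is running without the TPM the installer normally requires, the check below can be run inside the guest. It is an added example, not part of the original post; the function name is hypothetical, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Run inside the Windows guest
# from an elevated PowerShell prompt; Get-Tpm requires administrator rights.
function Get-TpmInstallState {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $tpm = Get-Tpm

    # Windows 11 is a client OS (ProductType 1) with build 22000 or higher
    $isWindows11 = ($os.ProductType -eq 1) -and ([int]$os.BuildNumber -ge 22000)

    $specVersion = $null
    if ($tpm.TpmPresent) {
        $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                  -ClassName Win32_Tpm
        # SpecVersion is a comma-separated string; the first field is the TPM version
        $specVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()
    }

    $finding = if (-not $isWindows11) {
        'Not a Windows 11 client; the TPM 2.0 requirement does not apply'
    } elseif (-not $tpm.TpmPresent) {
        'No TPM visible to the guest: TPM requirement not met (check bypassed or TPM removed)'
    } elseif ($specVersion -ne '2.0') {
        "TPM present but spec version is $specVersion, not 2.0"
    } elseif (-not $tpm.TpmReady) {
        'TPM 2.0 present but not ready for use'
    } else {
        'TPM 2.0 present and ready (physical TPM or vTPM)'
    }

    [pscustomobject]@{
        Caption     = $os.Caption
        Build       = $os.BuildNumber
        TpmPresent  = $tpm.TpmPresent
        TpmReady    = $tpm.TpmReady
        SpecVersion = $specVersion
        Finding     = $finding
    }
}

Get-TpmInstallState | Format-List
```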

 

Create a central VMware Tools repository

VMware Tools releases have been decoupled from VMware vSphere releases since version 10.0. You can now standardize on the latest VMware Tools by configuring a centralized repository. This is useful when you want to point to a new VMware Tools version, for example when a security vulnerability is identified in VMware Tools. This happened recently and is described in the VMSA-2021-0013 security advisory (link).

Requirements:

  • VMware ESXi 6.7 Update 1 or later
  • PowerCLI installed

Here are the steps to create a central VMware Tools repository:

  • Create a folder structure on a central datastore (all VMware ESXi hosts have access to this datastore)  in the cluster. For example:
    • On the nfs01 datastore I created a folder called “vmwtools”, and under that folder I created another folder called “11.3.0-18090558”
  • Download the latest VMware Tools version, link
  • Extract the VMware Tools ZIP file. Two folders are extracted:
    • floppies
    • vmtools
  • Upload the two folders to the folder structure created. In this example I used: /vmfs/volumes/vmwtools/11.3.0-18090558

  • Change the following variables so it matches the vSphere environment:
    • $cluster
    • $datastore
  • The PowerCLI script below will point all the VMware ESXi hosts in a cluster to the central VMware Tools repository location.
  • Execute this script
# Import PowerCLI module
Import-Module VMware.PowerCLI

# VMware VirtualCenter server name 
$VCserver = read-host "Enter the vCenter server name"

# Connect to the vCenter server 
Connect-VIServer -server $VCserver

$cluster = 'CL-MGNT'
$hosts = Get-Cluster -Name $cluster | Get-VMHost
$datastore = '/vmfs/volumes/nfs01/vmwtools/11.3.0-18090558/'

# Display the current VMware Tools location
$hosts | Get-AdvancedSetting -Name "UserVars.ProductLockerLocation" | Select-Object Entity,Value

# Change the VMware Tools location on every host in the cluster
$hosts | ForEach-Object { $_.ExtensionData.UpdateProductLockerLocation($datastore) }

# Display the new VMware Tools location
$hosts | Get-AdvancedSetting -Name "UserVars.ProductLockerLocation" | Select-Object Entity,Value

# Disconnect vCenter 
Disconnect-VIserver -server * -Confirm:$false

The default location of the VMware Tools is: /locker/packages/vmtoolsRepo/

  • Select a Windows VM in the vSphere cluster. A message is displayed that there is a newer version of VMware Tools available.
  • Select Upgrade VMware Tools (the VM may be rebooted automatically when choosing an Automatic Upgrade).

  • After the installation, check if VMTools is running and if the version is current.

Creating a central VMware Tools repository is an easy step that is very useful to stay up to date with the latest VMware Tools versions for the Virtual Machines.

The VMware PowerCLI script listed above can be found on my GitHub repository, link.
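
The final check (VMware Tools running and current) can be done for the whole cluster at once, together with a check that every host points at the central repository. The script below is an added example, not the script from the GitHub repository mentioned above; it assumes an existing Connect-VIServer session, reuses the cluster name and path from the script in this post, and the function name is hypothetical.

```powershell
# Added example (not from the original post). Assumes an existing
# Connect-VIServer session; the function name is hypothetical.
function Get-ToolsRepositoryCompliance {
    param(
        [Parameter(Mandatory)] [string] $Cluster,
        [Parameter(Mandatory)] [string] $ExpectedLocation
    )
    $hosts = Get-Cluster -Name $Cluster | Get-VMHost

    # Hosts: does the product locker point at the central repository?
    $hostReport = foreach ($esx in $hosts) {
        $current = ($esx | Get-AdvancedSetting -Name 'UserVars.ProductLockerLocation').Value
        [pscustomobject]@{
            Kind      = 'Host'
            Name      = $esx.Name
            Detail    = $current
            Compliant = ("$current".TrimEnd('/') -eq $ExpectedLocation.TrimEnd('/'))
        }
    }

    # Powered-on VMs: is VMware Tools running and at the version the host offers?
    $vms = $hosts | Get-VM | Where-Object { $_.PowerState -eq 'PoweredOn' }
    $vmReport = foreach ($vm in $vms) {
        $guest = $vm.ExtensionData.Guest
        [pscustomobject]@{
            Kind      = 'VM'
            Name      = $vm.Name
            Detail    = '{0} / {1} / {2}' -f $guest.ToolsVersion,
                            $guest.ToolsRunningStatus, $guest.ToolsVersionStatus2
            Compliant = ($guest.ToolsRunningStatus -eq 'guestToolsRunning' -and
                         $guest.ToolsVersionStatus2 -eq 'guestToolsCurrent')
        }
    }

    @($hostReport) + @($vmReport)
}

# Show only hosts and VMs that still need attention
Get-ToolsRepositoryCompliance -Cluster 'CL-MGNT' `
    -ExpectedLocation '/vmfs/volumes/nfs01/vmwtools/11.3.0-18090558/' |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

An empty result means every host uses the central repository and every powered-on VM runs the current VMware Tools version.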