Use Packer to install Windows 11 and enable vTPM and VBS

I use Packer for building images for VMware VDI environments. With the latest version (Packer 1.7.7 at the time of writing) it is not possible to configure a TPM in the HashiCorp Configuration Language (HCL) config file. TPM 2.0 is required to install Windows 11. A vTPM emulates a physical TPM 2.0 and is available in VMware vSphere.

Update: January 27, 2022: Packer with the VMware vSphere plugin (v1.0.3) now has support for adding a vTPM device. More information can be found here: link.

You can install Windows 11 using a registry hack (link) to bypass the TPM check:

reg ADD "HKLM\SYSTEM\Setup\LabConfig" /f /v BypassSecureBootCheck /t REG_DWORD /d 1

vCommunity member Sidney Laan from vEUCaddict wrote a nice blog about using Packer to install Windows 11 using this registry hack (link). Using this hack, however, does not enable vTPM or VBS.

For LAB environments this is no issue, but for production environments you want to have a vTPM enabled and even Virtualization-Based Security (VBS), depending on the security requirements.

So what are TPM and VBS?

TPM

Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys.

VBS

Virtualization-based security, or VBS, uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. Windows can use this “virtual secure mode” to host a number of security solutions, providing them with greatly increased protection from vulnerabilities in the operating system, and preventing the use of malicious exploits which attempt to defeat protections.

source link

After the Windows 11 installation with Packer, it is possible to add a vTPM and even enable Virtualization-Based Security (VBS) by using VMware PowerCLI.

Requirements

  • Use vCenter Server system versions 6.7 or later
  • Add a Key Provider (link)
  • Install PowerCLI by using the following command in PowerShell:
    • Install-Module VMware.PowerCLI -Scope CurrentUser
  • The Windows 11 VM must be powered off
  • Use VM hardware version 14 or higher
  • Don’t create a snapshot with Packer (create_snapshot = false)

PowerCLI Script

The following PowerCLI script can be executed after the Packer Windows 11 deployment. This script adds vTPM, enables VBS support, and creates a snapshot.

  • Change the variables for your environment.

# Import PowerCLI
Import-Module VMware.PowerCLI

# Variables
$vcentername = "vcentername"
$VMTempName = "VMname"
$snapname = "v0.1"
$snapdescription = "Packer deployment with vTPM and VBS enabled"

# Connect to vCenter Server
Connect-VIServer -Server $vcentername

# Add vTPM (needs a Key Provider and a powered-off VM, see Requirements)
Write-Host 'Set vTPM'
New-VTpm -VM $VMTempName

# Enable Virtualization Based Security (VBS)
# VBS needs EFI firmware, Secure Boot, nested hardware virtualization
# and IOMMU (VvtdEnabled) exposed to the guest
Write-Host 'Enable VBS'
$vm = Get-VM $VMTempName
$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.Firmware = [VMware.Vim.GuestOsDescriptorFirmwareType]::efi
$spec.NestedHVEnabled = $true
$boot = New-Object VMware.Vim.VirtualMachineBootOptions
$boot.EfiSecureBootEnabled = $true
$spec.BootOptions = $boot
$flags = New-Object VMware.Vim.VirtualMachineFlagInfo
$flags.VbsEnabled = $true
$flags.VvtdEnabled = $true
$spec.Flags = $flags
$vm.ExtensionData.ReconfigVM($spec)

# Create Snapshot
Write-Host 'Create snapshot' -ForegroundColor green
Get-VM -Name $VMTempName | New-Snapshot -Name $snapname -Description $snapdescription

# Disconnect vCenter Server
Disconnect-VIServer -Server * -Confirm:$false
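
As an added example (not part of the original post), the following PowerCLI function reads back the VM configuration the script above changes and reports which vTPM/VBS prerequisites the VM actually meets before you power it on. It assumes an open Connect-VIServer session and the $VMTempName variable from the script.

```powershell
# Added example, not from the original post: verify the vTPM/VBS configuration
# of a VM from vCenter. Assumes Connect-VIServer has already been run.
Import-Module VMware.PowerCLI

function Test-Win11SecurityConfig {
    param([Parameter(Mandatory)][string]$VMName)

    $vm  = Get-VM -Name $VMName
    $cfg = $vm.ExtensionData.Config          # VirtualMachineConfigInfo

    # Get-VTpm returns nothing when the VM has no virtual TPM device
    $hasTpm = $null -ne (Get-VTpm -VM $vm -ErrorAction SilentlyContinue)

    # Config.Version looks like "vmx-19"; hardware version 14+ is required
    $hwVersion = [int]($cfg.Version -replace 'vmx-', '')

    # Each check mirrors one property the PowerCLI script sets
    $checks = [ordered]@{
        'Hardware version 14 or higher'  = $hwVersion -ge 14
        'EFI firmware'                   = $cfg.Firmware -eq 'efi'
        'EFI Secure Boot enabled'        = $cfg.BootOptions.EfiSecureBootEnabled -eq $true
        'Nested HV (NestedHVEnabled)'    = $cfg.NestedHVEnabled -eq $true
        'VBS flag (VbsEnabled)'          = $cfg.Flags.VbsEnabled -eq $true
        'IOMMU (VvtdEnabled)'            = $cfg.Flags.VvtdEnabled -eq $true
        'vTPM device present'            = $hasTpm
    }

    foreach ($check in $checks.GetEnumerator()) {
        $state = if ($check.Value) { 'OK  ' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $state, $check.Key)
    }

    # $true only when every prerequisite is met
    return -not ($checks.Values -contains $false)
}

if (Test-Win11SecurityConfig -VMName $VMTempName) {
    Write-Host "$VMTempName is ready for Windows 11 with vTPM and VBS" -ForegroundColor green
}
```

Run it before creating the snapshot so a VM with a missing vTPM or Secure Boot setting is not captured as the golden image.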

  • When the script is finished, vTPM and VBS support is added
  • Start the VM
  • Check if a TPM is displayed in Device Manager and with the TPM.MSC command
  • Using PowerShell, the command “Get-TPM” can check the presence of the TPM
  • For enabling VBS (*1) go to “Device security” in Windows 11, select “Core isolation details” and enable “Memory Integrity”
    • Enabling VBS can also be done by using the following registry settings:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f

More info: Link

(*1) Adding VBS in Windows 11 can have a performance impact on the VM

  • Reboot the VM
  • When the VM is restarted run “msinfo32”
  • Scroll down and check if “Virtualization-Based Security” is running
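
As an added example (not part of the original post), this in-guest PowerShell function automates the manual checks above (tpm.msc, Get-TPM and the msinfo32 “Virtualization-Based Security” line). It assumes it is run as Administrator inside the Windows 11 VM after the reboot and uses the Win32_DeviceGuard CIM class, which is the same data msinfo32 displays.

```powershell
# Added example, not from the original post: verify TPM, Secure Boot and VBS state
# from inside the Windows 11 guest. Run as Administrator after the reboot.
function Test-GuestVbsState {
    # TPM as seen by the guest (TrustedPlatformModule module)
    $tpm = Get-Tpm

    # Confirm-SecureBootUEFI throws on a VM without UEFI, so treat that as "off"
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # Win32_DeviceGuard is what msinfo32 reads:
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning contains 2 when HVCI (memory integrity) is active
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $checks = [ordered]@{
        'TPM present and ready'            = ($tpm.TpmPresent -and $tpm.TpmReady)
        'UEFI Secure Boot on'              = ($secureBoot -eq $true)
        'VBS running (status 2)'           = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        'Memory integrity (HVCI) running'  = ($dg.SecurityServicesRunning -contains 2)
    }

    foreach ($check in $checks.GetEnumerator()) {
        $state = if ($check.Value) { 'OK  ' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $state, $check.Key)
    }

    # $true only when vTPM, Secure Boot and VBS with memory integrity are all active
    return -not ($checks.Values -contains $false)
}

if (-not (Test-GuestVbsState)) {
    Write-Host 'VBS is not fully active; check the VM flags and the DeviceGuard registry settings' -ForegroundColor yellow
}
```

A status of 1 (enabled but not running) usually means the registry settings are in place but the VM lacks one of the hypervisor prerequisites (EFI, Secure Boot, nested HV or IOMMU) set by the PowerCLI script.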

Adding the PowerCLI script after the Packer deployment will enable vTPM and VBS for the Windows 11 VM. I hope the vTPM and VBS options will be added soon in Packer so we can use the HCL config file without the need for an extra PowerCLI script.

Runecast Analyzer makes hardware checking against the VMware HCL easy

Runecast Analyzer is a tool that helps VMware administrators to proactively manage their vSphere environment. It discovers potential risks in the VMware environment before they can cause a major outage. It uses best practices, security hardening guides (VMware, DISA STIG, PCI-DSS v3.2.1 and HIPAA) and known issues found in the VMware Knowledge Base to protect the Software Defined Data Center (SDDC). Runecast Analyzer supports the following VMware products:

  • VMware vSphere
  • VMware vSAN
  • VMware NSX-V
  • VMware Horizon

Runecast Analyzer introduced new features called “Automated VMware HCL” and “ESXi Compatibility Simulation“. The “Automated VMware HCL” feature checks the VMware ESXi host hardware, driver and firmware versions against the VMware Hardware Compatibility List (HCL). The VMware Hardware Compatibility List (HCL) lists all the physical hardware components, driver and firmware versions that are supported by VMware. Keeping the hardware aligned with the VMware HCL is essential for a healthy, stable and supported VMware environment but can be difficult to perform. For example, see the blog post below on how to identify a network card and its supported driver.

Identify NIC driver and supported driver version for ESXi server

Within the “Automated VMware HCL” feature you can enable “ESXi Compatibility Simulation“. ESXi Compatibility Simulation checks the existing hardware against a newer VMware ESXi version before upgrading to this new version, so you can verify if the hardware, driver and firmware levels are supported.

Automated Hardware Compatibility

After deploying the Runecast Analyzer appliance and connecting to one or more vCenter Servers, the first scan can be performed by clicking on the purple “Analyze Now” button. When the scan is completed, select “HW Compatibility” on the left menu bar. By default all ESXi hosts are listed. In the action pane you can specify a specific cluster or one or more host(s).

The screenshot shows the host, ESXi release, hardware summary and the compatibility status of the BIOS and I/O devices. The BIOS and I/O Devices are red in this example, which means they need attention. All the hardware, firmware and driver results can be exported to a CSV file. Per ESXi host you can drill down to the server hardware.

The BIOS state needs an update; it is reported as a possible incompatibility with “Not Found” in the HCL Data field. When clicking on the “HCL online” button we are redirected to the VMware Compatibility List (HCL).

The VMware HCL shows that the matching BIOS level is version 1.2. After the BIOS view we go to the I/O devices by clicking on the I/O Devices tab.

The Intel I350 Gigabit and the Samsung NVMe SSD Controller need attention. Looking at the Intel I350 in the HCL, we see that the firmware level is okay but that the installed driver version 0.1.1.0 is outdated. The HCL reports that version 1.4.1 is needed.

ESXi Compatibility Simulation

With the Hardware Compatibility Overview there is another feature called “ESXi Compatibility Simulation“. ESXi Compatibility Simulation checks the existing hardware against a newer VMware ESXi version before upgrading to this new version, so you can verify if the hardware, driver and firmware levels are supported.

After turning on the ESXi Compatibility Simulation feature and selecting the ESXi version to upgrade to, you can fire the simulation. In this environment I want to upgrade to ESXi 6.7 U2 and it shows that the BIOS is not compatible.

Conclusion

It can be difficult and time consuming for VMware admins to check if the server hardware is aligned with the VMware Hardware Compatibility List (HCL) for maintaining a healthy, stable and supported environment. Runecast Analyzer makes this very easy and fast by performing a simple scan that shows whether the hardware of the VMware environment is compliant with the VMware HCL.

Another great feature is the ESXi Compatibility Simulation. Again, with a simple scan you check if the hardware is compatible with a newer version of ESXi before actually upgrading to it. The Automated Hardware Compatibility and ESXi Compatibility Simulation are great new features that save a lot of valuable time investigating whether the VMware environment is compliant.

You can download a 30 day full trial version of Runecast Analyzer and try it yourself.