Before we can create a new Windows 11 virtual machine in vSphere, we first need to enable the vSphere Native Key Provider (NKP).

Otherwise we will run into the following error.

Microsoft Windows 11 (64-bit) requires a Virtual TPM device, which cannot be added to this virtual machine because the vSphere environment is not configured with a key provider.


Windows 11 enforces TPM 2.0 as a hardware/system requirement for client devices.

The rationale is security baseline: BitLocker, Windows Hello, Credential Guard, and features like Windows Defender System Guard rely on TPM for key storage and attestation.

On bare metal, this ensures all consumer and business PCs meet a certain minimum security posture.

On VMs, that translates to Virtual TPM (vTPM) being required in order to even install Windows 11.

Windows Server 2025, in contrast, does not enforce TPM/vTPM at install time.

Microsoft assumes server administrators operate in controlled datacenter environments where they can make explicit security design decisions.

Features that can use TPM still exist (BitLocker, shielded VMs, HGS, etc.), but TPM is optional.

More about this can be found at https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/tpm-recommendation.
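To verify from inside the guest that the vTPM attached by vSphere is what Windows expects, and that the TPM-backed features mentioned above are actually in use, here is an added example (not part of the original post). It runs in an elevated PowerShell session inside the Windows 11 VM and uses only built-in Windows cmdlets and CIM classes (Get-Tpm, Confirm-SecureBootUEFI, Get-BitLockerVolume, Win32_Tpm, Win32_DeviceGuard); the function name Get-VmTpmPosture is my own.

```powershell
# Added example, not from the original post. Run as Administrator inside the
# Windows 11 guest. Reports TPM presence/readiness, TPM spec level, Secure Boot,
# Credential Guard and BitLocker state of the OS volume.

function Get-VmTpmPosture {
    # TrustedPlatformModule module: TpmPresent / TpmReady reflect the vTPM device.
    $tpm = Get-Tpm

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec level.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $specVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()

    # Secure Boot state from UEFI; the cmdlet throws on legacy BIOS firmware, so guard it.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # Device Guard / VBS status. SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $credGuardRunning = @($dg.SecurityServicesRunning) -contains 1

    # BitLocker state of the OS volume (ProtectionStatus is Off when not encrypted).
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive

    [pscustomobject]@{
        TpmPresent            = $tpm.TpmPresent
        TpmReady              = $tpm.TpmReady
        TpmSpecVersion        = $specVersion
        SecureBoot            = $secureBoot
        CredentialGuard       = $credGuardRunning
        OsVolumeProtection    = $osVol.ProtectionStatus
        OsVolumeKeyProtectors = ($osVol.KeyProtector.KeyProtectorType -join ',')
    }
}

$posture = Get-VmTpmPosture
$posture | Format-List

# The Windows 11 baseline described above: TPM 2.0 present and ready, plus Secure Boot.
$meetsBaseline = $posture.TpmPresent -and $posture.TpmReady -and
                 ($posture.TpmSpecVersion -eq '2.0') -and $posture.SecureBoot
if (-not $meetsBaseline) {
    Write-Warning 'VM does not meet the Windows 11 TPM 2.0 / Secure Boot baseline.'
}
```

A freshly installed VM will typically show TpmPresent and TpmReady as True with SpecVersion 2.0, while CredentialGuard and BitLocker remain off until you enable them; the script makes that gap visible so the TPM is not only present but actually used.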



Enable the vSphere Native Key Provider (NKP)

In vCenter navigate to vCenter Server node -> Configure -> Security -> Key Providers and click on Add -> Add Native Key Provider.


Enter a name, for example nkp-win11, and click on Add Key Provider.


Back in the Key Providers list, select your new key provider and click on Back-Up; the key provider must be backed up before it becomes active.


It is recommended to protect the Key Provider data with a password.


Download and store the backup securely (this is important for recovery).


This key provider can be used to support vTPM and encryption.

Create a new Windows 11 Virtual Machine

We can now create the virtual machine as usual; on the Select a guest OS step, select Microsoft Windows 11.


By selecting Microsoft Windows 11 as the guest OS, the required virtual TPM device is added by default, as shown below.




From here on, the setup proceeds as usual.
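The same precondition the vCenter UI enforces with the error quoted at the top of the post can be checked from PowerCLI before and after creating the VM. The following is an added example (not part of the original post and not VMware's own code); it uses the PowerCLI cmdlets Connect-VIServer, Get-KeyProvider, Get-VM and Get-VTpm, reads the VM firmware type through ExtensionData.Config.Firmware, and the vCenter name, VM name and function name Test-VTpmPrerequisites are placeholders of my own.

```powershell
# Added example, not from the original post. Run from an admin workstation with
# VMware.PowerCLI installed. Checks: (1) a key provider exists in vCenter, since
# without one a vTPM cannot be added; (2) if the VM already exists, that it uses
# EFI firmware (vTPM requires EFI) and has a vTPM device attached.

Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.internal'   # placeholder vCenter FQDN

function Test-VTpmPrerequisites {
    param([Parameter(Mandatory)][string]$VmName)

    # 1. Is any key provider configured? Get-KeyProvider lists both Native and Standard providers.
    $providers = @(Get-KeyProvider)
    if ($providers.Count -eq 0) {
        Write-Warning 'No key provider configured in vCenter: adding a vTPM will fail (this is the error shown in the post).'
        return $false
    }
    Write-Host ("Key provider(s) present: " + ($providers.Name -join ', '))

    # 2. If the VM does not exist yet, the key provider is the only precondition we can check.
    $vm = Get-VM -Name $VmName -ErrorAction SilentlyContinue
    if ($null -eq $vm) {
        Write-Host "VM '$VmName' not found yet; key provider is present, so creation with a vTPM should succeed."
        return $true
    }

    # 3. vTPM requires EFI firmware; the Windows 11 guest OS profile selects this by default.
    if ($vm.ExtensionData.Config.Firmware -ne 'efi') {
        Write-Warning "VM '$VmName' uses firmware '$($vm.ExtensionData.Config.Firmware)'; a vTPM requires EFI."
        return $false
    }

    # 4. Confirm the vTPM device is actually attached.
    $vtpm = Get-VTpm -VM $vm -ErrorAction SilentlyContinue
    if ($null -eq $vtpm) {
        Write-Warning "VM '$VmName' has no vTPM device; Windows 11 setup will refuse to install."
        return $false
    }
    Write-Host "VM '$VmName' has EFI firmware and a vTPM device attached."
    return $true
}

Test-VTpmPrerequisites -VmName 'win11-test'   # placeholder VM name
```

Running this before clicking through the wizard saves a failed VM creation; running it afterwards confirms the default device added by the Windows 11 guest OS profile is really there before you boot the installer.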

Links

TPM recommendations
https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/tpm-recommendations