The ESXi-Arm team has just released v1.11 of the ESXi-Arm Fling and one of the most exciting new capabilities is that you can now run Windows 11 Arm using an ESXi VM! There are also a TON of new features, so definitely check out the official ESXi-Arm Blog post announcement for more details.
One of the requirements for running Windows 11 Arm is a Trusted Platform Module (TPM). Luckily, ESXi-Arm v1.11 now also supports adding a vTPM to a guest, which in turn requires a Key Management Server (KMS). Currently, the ESXi-Arm Fling is based on vSphere 7.0 (GA) and you can either use an existing compatible KMS (which you can look up in the VMware KMS Compatibility List) or, for lab/testing purposes, you can use my KMIP Docker Container, which was also updated recently to support both the amd64 and aarch64 architectures.
For those interested in quickly setting this up and using my KMIP Docker Container for the KMS component, below is a quick walkthrough on how to set this up.
UPDATE (10/16/23) - vCenter Server may not be needed, as you can use the ESXi vSphere API to manually add encryption keys for use with vTPM, at least for x86. This same technique might also work with ESXi-Arm; for more information, please see this blog post HERE.
Note: While vSphere 7.0 Update 2 introduced an embedded Native Key Provider (NKP) within vCenter Server, it cannot be used with ESXi-Arm, as both ESXi and vCenter must be running 7.0 Update 2 and the ESXi-Arm Fling is based on 7.0 GA.
Pre-Requisite:
- Install or upgrade to the latest ESXi-Arm 1.11 release
- Download and create a Windows 11 Arm ISO. Please refer to Page 30 of this document for detailed instructions, which are also applicable to the VMware Fusion Tech Preview for Apple Silicon
- A Linux (x86 or Arm) VM with the Docker runtime installed and enabled to run the KMIP Docker Container
Setting up Standard Key Provider (SKP)
Step 1 - Log in to your Linux VM (any Linux distribution that can run Docker is fine) and run the following command, which will pull down my KMIP Docker Container and start running it in daemon mode.
docker run -d -p 5696:5696 lamw/vmwkmip
If the command was successful, you will see the ID of the running container. Optionally, you can watch the logs to ensure that your vCenter Server is able to connect in the next step by running the command:
docker logs -f [CONTAINER-SHORT-ID]
You will also need to make a note of the IP Address or FQDN of the Linux VM and the KMS port that the KMIP Docker Container is configured to listen on, which by default is 5696.
Step 2 - Next, add the SKP to vCenter by selecting the vCenter Server inventory object and, under Configure->Security->Key Providers, click on add and provide the IP Address/FQDN and port (5696) of your KMIP Docker Container. If your vCenter Server can properly communicate with the Linux VM hosting the KMIP Docker Container, you should get a prompt displaying the details from the SKP; confirm it to complete the configuration.
Step 3 - The last thing we need to do before vCenter Server can start using the KMS is to establish trust between the two systems. Click on the newly configured SKP and expand the Establish Trust window as shown in the screenshot above and then click on the Trust KMS button.
You are now ready to start using the KMS whether it is for VM Encryption or adding a vTPM to a VM.
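The `-p 5696:5696` mapping in Step 1 publishes the KMIP port on every interface of the Linux VM. The script below is an added example (not part of the original post or of the container's own tooling) that classifies how a running `lamw/vmwkmip` container publishes port 5696, based on the Ports column of `docker ps`; the function names and the 192.0.2.10 address are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
KMS_IMAGE="lamw/vmwkmip"   # image name used in Step 1
KMS_PORT=5696              # default KMIP port used in Step 1

# classify_binding PORTS
# PORTS is the Ports column of `docker ps`, for example
#   "0.0.0.0:5696->5696/tcp, :::5696->5696/tcp"
# Prints one of: wildcard | scoped:<host-ip> | unpublished
classify_binding() {
    result="unpublished"
    old_ifs=$IFS
    IFS=','
    set -f                                  # no globbing on "[::]" entries
    for entry in $1; do
        entry=$(printf '%s' "$entry" | tr -d ' ')
        case "$entry" in
            *"->${KMS_PORT}/tcp") ;;        # mapping to the KMIP port
            *) continue ;;                  # other port, or exposed only
        esac
        host_side=${entry%%"->"*}           # e.g. 0.0.0.0:5696
        host_ip=${host_side%:*}             # drop the trailing :<host-port>
        case "$host_ip" in
            0.0.0.0|::|"[::]") result="wildcard"; break ;;
            *) result="scoped:${host_ip}" ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$result"
}

# kms_preflight: report the binding of every running container started
# from the KMIP image. Requires the docker CLI on the Linux VM.
kms_preflight() {
    docker ps --filter "ancestor=${KMS_IMAGE}" --format '{{.ID}} {{.Ports}}' |
    while read -r id ports; do
        printf '%s %s\n' "$id" "$(classify_binding "$ports")"
    done
}

# Constructed sample inputs (not captured from a real host):
classify_binding '0.0.0.0:5696->5696/tcp, :::5696->5696/tcp'  # as in Step 1
classify_binding '192.0.2.10:5696->5696/tcp'                  # host IP given
```

A `wildcard` result means any host that can route to the Linux VM can reach the lab KMS; publishing with a host IP (for example `-p 192.0.2.10:5696:5696`, a placeholder address) limits it to the interface vCenter Server uses.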
Creating Windows 11 Arm VM
During the VM creation wizard, select the Windows 10 guest operating system option whether you are installing Windows 10 or 11. You can add a vTPM during the initial VM creation by clicking on the Add New Device option and then selecting Trusted Platform Module.
Lastly, browse to the location on your ESXi host where your Windows 11 ISO has been uploaded and power on the VM to start the OS installation.
Windows 11 Arm does not include VMware's VMXNET3 network driver, so you will need to manually install the driver for network connectivity. To do so, click on the "Install VMware Tools" link in the yellow banner in the VM summary view (as shown in the screenshot above), which will mount the VMware Tools ISO. Currently, the VMware Tools ISO does not actually contain the typical VMware Tools auto-installer, but is rather a generic ISO that contains the Windows network driver.
Once the ISO has been mounted in the guest, you will need to browse to the VMXNET3 directory and install the networking driver using Windows Device Manager. I should also note that this is the same experience as VMware Fusion for Apple Silicon and ESXi-Arm is simply distributing the exact same VMware Tools ISO.
Note: Make sure you DO NOT install the SVGA driver; it is currently not supported and will cause issues with the Windows 11 installation, which will require a reinstallation.
QQ: How do you install win 11 without a cluster? That’s an even more ridiculous requirement than tpm itself.
vCenter Server provides the full KMS management, so that's going to be a requirement and this is no different than ESXi-x86
Just upgraded from 7.0.0-20133114, now I lost console (both web/vmrc) to vm. Keyboard is not responding. Only have photon linux clients running.
Reinstalled from scratch. Same behaviour. May be a bug in the new release.
I realize this thread is old but I just loaded Windows 11 using tiny11 for Arm64. Just created a virtual machine on my ESXi-fling server running on a Raspberry PI4, mounted the ISO file as a CD in my guest machine and booted from it. The install worked like a regular Windows install. No messing with TPM or vCenter, just a stand alone ESXi server with a free license. Hope this helps someone.
Looking for Server type hardware to support 50+ VMs. Anyone doing that?
Hi! Compatible for nvidia jetson nano?