The ESXi-Arm team has just released v1.11 of the ESXi-Arm Fling and one of the most exciting new capabilities is that you can now run Windows 11 Arm using an ESXi VM! There are also a TON of new features, so definitely check out the official ESXi-Arm Blog post announcement for more details.
One of the requirements for running Windows 11 Arm is a Trusted Platform Module (TPM). Luckily, the latest ESXi-Arm v1.11 also now supports adding a vTPM to a guest, and a requirement for setting this up is a Key Management Server (KMS). Currently, the ESXi-Arm Fling is based on vSphere 7.0 (GA) and you can either use an existing compatible KMS (which you can look up in the VMware KMS Compatibility List) or, for lab/testing purposes, you can use my KMIP Docker Container, which was also updated recently to support both amd64 and aarch64 architectures.
For those interested in quickly setting this up and using my KMIP Docker Container for the KMS component, below is a quick walkthrough on how to set this up.
UPDATE (10/16/23) - vCenter Server may not be needed, as you can use the ESXi vSphere API to manually add encryption keys for use with vTPM, at least for x86. This same technique might also work with ESXi-Arm; for more information, please see this blog post HERE.
Note: While vSphere 7.0 Update 2 introduced an embedded Native Key Provider (NKP) within vCenter Server, it cannot be used with ESXi-Arm, because both ESXi and vCenter must be running 7.0 Update 2 and the ESXi-Arm Fling is based on 7.0 GA.
Prerequisites
- Install or upgrade to the latest ESXi-Arm 1.11 release
- Download and create a Windows 11 Arm ISO. Please refer to Page 30 of this document for detailed instructions, which are also applicable to the VMware Fusion Tech Preview for Apple Silicon
- A Linux (x86 or Arm) VM with the Docker runtime installed and enabled to run the KMIP Docker Container
Setting up Standard Key Provider (SKP)
Step 1 - Log in to your Linux VM (any Linux distribution that can run Docker is fine) and run the following command, which will pull down my KMIP Docker Container and start running it in daemon mode.
docker run -d -p 5696:5696 lamw/vmwkmip
If the command was successful, you will see the ID of the running container. Optionally, you can watch the logs to ensure that your vCenter Server is able to connect in the next step by running the command:
docker logs -f [CONTAINER-SHORT-ID]
Step 2 - Next, add the SKP to vCenter by selecting the vCenter Server inventory object and, under Configure->Security->Key Providers, click on Add and provide the IP Address/FQDN and port (5696) of your KMIP Docker Container. If your vCenter Server can properly communicate with the Linux VM hosting the KMIP Docker Container, you should get a prompt displaying the details from the SKP; confirm it to complete the configuration.
Step 3 - The last thing we need to do before vCenter Server can start using the KMS is to establish trust between the two systems. Click on the newly configured SKP and expand the Establish Trust window as shown in the screenshot above, and then click on the Trust KMS button.
You are now ready to start using the KMS whether it is for VM Encryption or adding a vTPM to a VM.
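A check you can run from another machine before the Trust KMS step above, as an added example that is not part of the original post: it fetches the certificate the KMIP endpoint presents on port 5696 and compares its SHA-256 fingerprint with a value you recorded earlier, so you know which certificate vCenter is about to trust. It assumes `openssl` is installed and that the endpoint speaks TLS on that port; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of a KMIP endpoint before establishing trust.
# Function names are illustrative; pass your own KMS host as the first argument.

# Reduce "sha256 Fingerprint=AB:CD:.." or "ab:cd:.." to bare uppercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if both values are the same full-length SHA-256 fingerprint.
fp_match() {
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint of the certificate presented on host:port.
fetch_fp() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Usage: sh kms-preflight.sh <kms-host> [expected-fingerprint]
if [ "$#" -ge 1 ]; then
    host=$1; port=5696
    seen=$(fetch_fp "$host" "$port")
    if [ -z "$seen" ]; then
        echo "no TLS certificate received from $host:$port" >&2
        exit 2
    fi
    echo "KMS $host:$port presents: $(normalize_fp "$seen")"
    if [ -n "${2:-}" ]; then
        if fp_match "$seen" "$2"; then
            echo "fingerprint matches the pinned value"
        else
            echo "fingerprint MISMATCH, do not establish trust" >&2
            exit 1
        fi
    fi
fi
```

Run it once right after starting the container to record the fingerprint, then pass that value as the second argument on later runs; a mismatch means the endpoint is presenting a different certificate than the one you recorded.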
Creating Windows 11 Arm VM
During the VM creation wizard, select the Windows 10 guest operating system option, whether you are installing Windows 10 or 11. You can add a vTPM during the initial VM creation by clicking on the Add New Device option and then selecting Trusted Platform Module.
Windows 11 Arm does not include VMware's VMXNET3 network driver, so you will need to manually install the driver for network connectivity. To do so, click on the "Install VMware Tools" link in the yellow banner in the VM summary view (as shown in the screenshot above), which will mount the VMware Tools ISO. Currently, the VMware Tools ISO does not actually contain the typical VMware Tools auto-installer, but is rather a generic ISO that contains the Windows network driver.
Once the ISO has been mounted in the guest, you will need to browse to the VMXNET3 directory and install the networking driver under Windows Device Manager. I should also note that this is the same experience as VMware Fusion for Apple Silicon and ESXi-Arm is simply distributing the exact same VMware Tools ISO.