WilliamLam.com

Quick Tip - Adding a vTPM (Virtual Trusted Platform Module) to a Nested ESXi VM

by // 1 Comment

I had an interesting question this morning asking whether it was possible to add a vTPM (Virtual Trusted Platform Module) to a Nested ESXi VM? The user was interested in testing a particular scenario with the new vSphere Trust Authority feature that was introduced in the vSphere 7.0. I personally had not done much with vTPM and I had assumed it should just work as long as you have a physical TPM chip in the underlying hardware and you have setup either a Standard or Native Key Provider within your vCenter Server.

The user observed that adding a vTPM to a Windows VM was possible using the vSphere UI but when attempting to perform the same operation on a Nested ESXi VM, the option to add vTPM device was not available. After spending ~30 minutes asking around for hardware that had a physical TPM, I remember that my Quartz Canyon NUC (NUC 9 Pro) is a Xeon based system and it has TPM 2.0 chip. I was able to take a closer look and quickly found the solution was very pretty straight forward!

[Read more...]

Disabling TPM 2.0 connection cannot be established message in ESXi for Intel NUC 10

by // 2 Comments

For Intel NUC 10 (Frost Canyon) owners who have installed ESXi may have noticed that even after disabling Intel's Trusted Platform Module (TPM), the following warning message "TPM 2.0 device detected but a connection cannot be established." is still being displayed in the vSphere UI as shown in the screenshot below. 


Thanks to Reddit member mscaff and casperette who recently discovered and confirmed that the latest BIOS (FN0044) resolves an issue where disabling TPM in the BIOS was not actually working which would explain the behavior observed above. The really interesting thing is that I had initially ran into this problem several months back and after speaking with some internal VMware folks, I was able to get rid of this message without this update. This involved installing Windows 10 and clear the TPM keys which may have still been cache but since then, it has not been reproducible by other folks. In any case, it is always recommended to check and update to latest BIOS to ensure you have all the latest bug fixes.

Lastly, Intel states support for TPM 2.0 for these NUCs, so why is ESXi complaining? Well, it has to do with the interface type and not with SHA1 vs SHA256 which are both supported on the NUC 10. The NUC only supports CRB but proper compliant TPM 2.0 chip must support FIFO which is not configurable the last time I had checked. For more detail requirements and configuration of TPM 2.0 on ESXi, please refer to this blog post.