Mike Broderick

asked on

Can't add TPM device to ESXi 7.3 VM

I'm having a problem setting up TPM on vCenter 7.3. When I try to create or change a VM to add the device Trusted Platform Module, it doesn't show as a device to add. Same problem if I try to create a new VM. When I run the PC Health Check on the W10 VM, it says "TPM 2.0 must be supported and enabled on this machine".


We have 2 ESXi 7.3 hosts on Dell T140 servers. I purchased/added a TPM 2.0 chip on one, set the boot options to Secure Boot-Enabled, TPM Security-On, Intel TXT-On, SHA256. In vCenter (running on the T140 with the TPM), I created and saved a Native Key Provider, then disconnected and connected the 2 ESXi hosts. When I click the vCenter Cluster, Monitor, Security, the Attestation shows Passed for the host with the TPM chip and N/A for the one that doesn't. The W10 VM is on the host with the chip, and is at the latest hardware compatibility.


When I shut down the W10 VM and click Edit Settings, Add Device, I do not see Trusted Platform Module as one of the devices that can be added. Did I skip/miss something?

Rodney Barnhardt

Is the virtual machine configured to use EFI firmware? My guess is that with it being Win10 it is, but you may want to double check. Also, the account you are using, if it is not the local administrator account, has to have these permissions to enable it on the VMs. So you may need to verify that as well.

[Image: VMware-Crypto.jpg]
Here is where to check the VM for EFI boot. I accidentally submitted the last comment before I finished.


It does not require a physical TPM device in the host to add a vTPM to the VM. 


I've created some tutorial videos on EE about adding a vTPM to a VM and a Native Key Provider; these are for vSphere 8.0, but the process is exactly the same for 7.0.


  1. Part 11: HOW TO: Add and Create a vSphere Native Key Provider in VMware vSphere vCenter Server 8.0.
  2. Part 12: HOW TO: Create your first Windows Virtual Machine Microsoft Windows 11 on VMware vSphere Hypervisor 8.0 (ESXi 8.0) using a Trusted Platform Module.
Mike Broderick (ASKER)
In the W10 VM's Edit Settings, Boot Options, EFI is selected and Secure Boot is checked. I also tried to create a new VM (call it AAA), same problem.

I watched the videos yesterday and they were very helpful. I opened a question because I just don't have the device "Trusted Platform Module" as shown in the video, and I can't figure out why. Some other things I've tried/noticed:

- When creating a new VM, on step 4 - Select Storage, the checkbox Encrypt this VM (Requires Key Mgt Server) is grayed out. Is there a way to make sure the ESXi hosts are talking to the Native Key Provider I set up? Should I look somewhere for log entries saying if there's a problem?
- When I run esxcli system settings encryption get, I see:
     Mode: None
     Require Executables Only From Installed VIBs: false
     Require Secure Boot: false
Should I do something to change the Mode to TPM? I read it can't be undone, so I didn't do anything.
- I have seen prereqs mentioning permissions. I have signed on as root (ESXi) or administrator@MyDomain.local (vCenter). They have the permissions assigned when I installed the software. Do I need to add something?
- I haven't set up a Trust Authority, only a Native Key Provider. It looks like a TA requires another vCenter license, which would be prohibitive. Do I need to do that?
- A week or so ago, when I first started looking at TPM, I created a Native Key Provider and deleted it (w/no backup). This is before I installed the TPM chip, did any other setup or tried to create VMs. Later I created a NKP and backed it up. Could this cause any problems?

Thanks.

There is no requirement to have a hardware TPM chip in the host to support vTPM.


Deleting the Key provider just means you would not have been able to start VMs which had a vTPM, hence the reason to back up the keys; otherwise, if you have a hardware TPM, they are stored and cached in the hardware TPM device.


All these hosts are in a cluster, because vSphere Native Key Provider only operates on ESXi Hosts in a Cluster. If you notice in the video, the second host is moved into the cluster, and later the VM is created in the Cluster via vCenter Server.

I apologize, I have not worked with Clusters before. I created a Cluster and added the 2 hosts into it, but it seems to be stuck in the Quickstart step, saying no hosts are in maintenance mode. The vCenter VM is on one of the hosts. Can I do this?

This will be the issue.


Create a cluster and move the host which does not have vCenter Server hosted on it, as the host will need to have no VMs powered up because it's in Maintenance Mode.


Do you have vMotion, HA and DRS ?

I only have vCenter Server 7 Essentials and vSphere 7 Essentials. I assume none of the 3 you asked about are in them.

I'm afraid Essentials is just a very basic edition with no HA, DRS or vMotion.


Try disconnecting the hosts and dragging and dropping them into the Cluster.


This does not stop hosting.

I deleted the vCenter VM and am importing it from a backup made a few days ago. I will try the drag/drop when it is done. Question: does the vCenter cluster have to be in a VM or only the VMs using the vTPM?
Sorry, I meant: does the vCenter VM have to be in a Cluster, ...
ASKER CERTIFIED SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
It worked! I think I got confused the last time when moving hosts into the Cluster. Somehow, I got onto the Cluster's Configuration quickstart panel and it was telling me I needed to put the host (that contains vCenter) into maintenance mode. That just didn't work and I tried a couple of things that really messed things up. I ended up restoring the vCenter VM and disconnecting/moving/reconnecting like you said. I restored the Native Key and made it the default, and voilà, it worked! Thank you.
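The prerequisites the thread converges on (EFI firmware, a recent virtual hardware version, the host being a cluster member so the Native Key Provider can serve it, a key provider configured in vCenter, and the VM powered off) can be checked from PowerCLI before touching Edit Settings. The script below is an added example, not code from this thread or from VMware: the vCenter address and VM name are placeholders, and it assumes PowerCLI 12.3 or later, where Get-KeyProvider, Get-VTpm and New-VTpm are available.

```powershell
# Added example: pre-flight checks before adding a vTPM to a VM with PowerCLI.
# 'vcenter.example.local' and 'W10' are placeholders, not values from the thread.
param(
    [string]$VCenter = 'vcenter.example.local',
    [string]$VMName  = 'W10'
)

Import-Module VMware.VimAutomation.Core
Import-Module VMware.VimAutomation.Storage   # Get-KeyProvider (assumed PowerCLI 12.3+)

Connect-VIServer -Server $VCenter | Out-Null

$vm  = Get-VM -Name $VMName
$cfg = $vm.ExtensionData.Config
$problems = @()

# 1. The vTPM device is only offered to EFI virtual machines.
if ($cfg.Firmware -ne 'efi') {
    $problems += "Firmware is '$($cfg.Firmware)'; vTPM requires EFI."
}

# 2. Secure Boot is not strictly required for vTPM, but the Windows health check expects it.
if (-not $cfg.BootOptions.EfiSecureBootEnabled) {
    $problems += 'EFI Secure Boot is disabled.'
}

# 3. vTPM needs virtual hardware version 14 or later ($cfg.Version looks like 'vmx-19').
$hwVersion = [int]($cfg.Version -replace '^vmx-', '')
if ($hwVersion -lt 14) {
    $problems += "Hardware version $($cfg.Version) is below vmx-14."
}

# 4. The Native Key Provider only serves hosts that are cluster members.
$hostView = Get-View -Id $vm.ExtensionData.Runtime.Host -Property Name, Parent
if ($hostView.Parent.Type -ne 'ClusterComputeResource') {
    $problems += "Host $($hostView.Name) is not in a cluster (parent type: $($hostView.Parent.Type))."
}

# 5. Some key provider (Native or external KMS) must exist in vCenter.
if (-not (Get-KeyProvider)) {
    $problems += 'No key provider is configured in vCenter.'
}

# 6. The device can only be added while the VM is powered off.
if ($vm.PowerState -ne 'PoweredOff') {
    $problems += "VM is $($vm.PowerState); power it off first."
}

if ($problems) {
    Write-Warning "vTPM prerequisites not met for ${VMName}:"
    $problems | ForEach-Object { Write-Warning "  - $_" }
} elseif (Get-VTpm -VM $vm) {
    Write-Host "$VMName already has a vTPM."
} else {
    New-VTpm -VM $vm | Out-Null
    Write-Host "vTPM added to $VMName."
}
```

Run it with an account that holds the Cryptographic operations privileges Rodney mentions; check 4 is the one that would have flagged the original setup, since both hosts were standalone until they were moved into the cluster.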

No problem, thanks for the kind words and for watching the EE videos.