
2022 VMware vExpert Award

6/25/2022

2 Comments

 
Reposted from February 2022
Congratulations on your vExpert Award!
I was very honored to receive another vExpert award this past year! This made it 10 years in a row for me!!
One of the most useful perks of the vExpert award comes from Pluralsight, which offers one year of full access to its technology learning platform to vExperts and members of many other VIP programs.
If you are a vExpert, or other VIP, check out pluralsight.com/teach/resource/vips for details.
And congratulations to all of the 2022 vExperts!!

vTPM Support on VMware vSphere, Part 2

6/24/2022

1 Comment

 
[Picture of a cat]
In my previous post, vTPM Support on vSphere Part 1, I outlined the steps to enable vTPM in a vSphere environment so that it can support the installation of Windows 11 virtual machines.
What does the giant cat picture above have to do with this? Absolutely nothing! In my free time I volunteer at a local cat sanctuary, and we are always posting silly cat pictures... Sorry....
Anyway, back to the vTPM topic.
Once the requirements are set up and your ESXi hosts are in Encryption Mode, any core dumps and vm-support files will be encrypted.
So on an ESXi host with encryption enabled, running the log bundle collection with the vm-support command gives you this:
[Screenshot of the vm-support output on an encryption-enabled host]
But not to worry, there are a number of good VMware documents explaining how to collect the vm-support bundles and how to decrypt and re-encrypt them.
The VMware articles use the crypto-util utility.
crypto-util is run from a root shell on the ESXi host and lives at /bin/crypto-util:
[Screenshot of crypto-util on the ESXi host]
When you run the crypto-util vm-support prolog command before vm-support, a file named vm-support-incident-key will appear at the top of the host support bundle. The vm-support-incident-key file contains the incident key, which is dynamically generated each time vm-support runs with crypto-util vm-support prolog run before it. The incident key is encrypted (wrapped) with the password you specify.

Some details on the core dump files:
All encrypted core dump files include the key ID (keyID) of the key required for decryption. The keyID can be used to locate a key and its attributes from a Key Management Server (KMS), from the ESXi key cache, or from a key file.
zdump files:
  • Unencrypted zdump files are the same as they have always been: a zdump header followed by data
  • Encrypted zdump files contain a zdump header (with minimal information, including that the core dump is encrypted), followed by an envelope header, after which the encrypted data begins. The encrypted data contains the "real" zdump header and data
  • vmkdump_extract will recognize an encrypted zdump but is unable to manipulate it. It will, however, advise you on how to decrypt the zdump
Monitor core dump files:
  • Unencrypted monitor core dumps are placed in vmmcores.gz - a monitor core dump file that is compressed
  • Encrypted monitor core dumps are placed in vmmcores.ve - a monitor core dump file which has been compressed and encrypted
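As an added example (not part of the original post, and not VMware's code or on-disk format), the following Python models the layout just described: a minimal outer header that records only that the dump is encrypted, an envelope header carrying the key ID, and the sealed "real" header and data, together with a password-wrapped incident key in the spirit of the vm-support-incident-key file. The magic values, field layout, key ID string and the HMAC-based stream cipher are all constructed for illustration; crypto-util's real envelope format is not documented on this page and is not reproduced here.

```python
"""Constructed model of an envelope-encrypted core dump, not VMware's on-disk format.
Layout follows the post: a minimal outer header saying only "encrypted", an envelope
header carrying the key ID, then the sealed real header and data.  The incident key is
password-wrapped, as the vm-support-incident-key file is in concept.  HMAC-SHA256 in
counter mode stands in for a cipher because the standard library has no AES."""
import hashlib
import hmac
import os
import struct

MAGIC_PLAIN = b"ZDMP"  # constructed magic: unencrypted dump
MAGIC_ENC = b"ZDME"    # constructed magic: encrypted dump


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with successive HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def _seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC(mac_key, nonce || ciphertext)."""
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    return ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()


def _open(key: bytes, nonce: bytes, sealed: bytes) -> bytes:
    """Check the tag first; a wrong key or tampered data raises ValueError."""
    ct, tag = sealed[:-32], sealed[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or corrupted envelope")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


def wrap_incident_key(incident_key: bytes, password: str) -> bytes:
    """Password-wrap the per-run incident key: salt(16) || nonce(16) || sealed key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + nonce + _seal(kek, nonce, incident_key)


def unwrap_incident_key(blob: bytes, password: str) -> bytes:
    """Recover the incident key from the wrapped file with the same password."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), blob[:16], 200_000)
    return _open(kek, blob[16:32], blob[32:])


def build_plain_zdump(header: bytes, data: bytes) -> bytes:
    """Unencrypted dump: magic, length-prefixed header, then data."""
    return MAGIC_PLAIN + struct.pack(">I", len(header)) + header + data


def build_encrypted_zdump(header: bytes, data: bytes, key_id: str, key: bytes) -> bytes:
    """Encrypted dump: minimal outer header, envelope (key ID, nonce), sealed real dump."""
    kid, nonce = key_id.encode(), os.urandom(16)
    envelope = struct.pack(">H", len(kid)) + kid + nonce
    return MAGIC_ENC + envelope + _seal(key, nonce, build_plain_zdump(header, data))


def inspect_zdump(blob: bytes) -> dict:
    """What a tool can report without the key: encrypted or not, and which key ID is needed."""
    if blob[:4] == MAGIC_PLAIN:
        return {"encrypted": False, "key_id": None}
    if blob[:4] != MAGIC_ENC:
        raise ValueError("not a zdump")
    (n,) = struct.unpack(">H", blob[4:6])
    return {"encrypted": True, "key_id": blob[6:6 + n].decode()}


def decrypt_zdump(blob: bytes, key_store: dict) -> bytes:
    """Find the key by key ID (models the key cache / key file lookup) and open the envelope."""
    info = inspect_zdump(blob)
    if not info["encrypted"]:
        return blob
    if info["key_id"] not in key_store:
        raise KeyError(f"no key for key ID {info['key_id']!r}")
    n = len(info["key_id"].encode())
    return _open(key_store[info["key_id"]], blob[6 + n:22 + n], blob[22 + n:])


def demo(password: str = "constructed-password") -> dict:
    """Full flow: wrap the incident key, encrypt a dump, recover the key, decrypt."""
    incident_key, key_id = os.urandom(32), "incident-key-constructed-0001"  # constructed values
    wrapped = wrap_incident_key(incident_key, password)  # the vm-support-incident-key file
    header, data = b"real zdump header", b"core dump payload " * 8
    enc = build_encrypted_zdump(header, data, key_id, incident_key)
    plain = decrypt_zdump(enc, {key_id: unwrap_incident_key(wrapped, password)})
    return {"inspect": inspect_zdump(enc),
            "roundtrip_ok": plain == build_plain_zdump(header, data),
            "wrapped": wrapped}
```

Running demo() walks the flow end to end: inspect_zdump() reports only that the dump is encrypted and which key ID it needs (the same information vmkdump_extract can give you), and decrypt_zdump() succeeds only once the key store holds the key recovered by unwrapping the incident key with the right password. A wrong password fails the tag check on the wrapped key before anything is released, which is why the incident key file is useless without the password chosen at prolog time.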
I have run through the process of creating a vm-support log bundle and then using crypto-util. Not real fun, but by following the steps and the VMware docs I was able to extract it and get the password.

If you ever run into this I sure hope this will be helpful!

vTPM Support on VMware vSphere, Part 1

6/23/2022

2 Comments

 
So what is vTPM?? Well, I asked myself that when our environments needed to support Windows 11 VMs. We also needed to provide for encrypting the VM files.
vTPM stands for Virtual Trusted Platform Module. A TPM is a hardware chip in the server that stores cryptographic keys in tamper-resistant hardware, so an attacker cannot modify them. This hardware security device is the new baseline for security moving forward and may be required for all Microsoft OSs, and others, in the near future.
Check out the Microsoft Windows 11 requirements here.
Starting in vSphere 6.5, the VM Encryption feature was added, with the ability to encrypt all virtual machine files. This encrypts not only the VM files and VMDKs but also the metadata files and the core dump files of the VM. Core dump files? More on that later..
Then in vSphere 6.7, support for the TPM 2.0 cryptoprocessor was added. This provided the ability to create a Virtual Trusted Platform Module (vTPM) device that can be added to a Windows 10, Windows 11, or Windows Server 2016 and later VM. Here's one VMware doc with more details.
Note that vTPM uses the *.nvram file to store the credentials and keys, which is encrypted using virtual machine encryption.  So when backing up a vm with vTPM enabled, be sure to include the *.nvram file!

Enabling vTPM in vSphere

Now you have your brand new Windows 11 files or ISO (I don't need to know where you got it from), and you want to create a new vm with it.
If you try to create a new Windows 11 VM before setting up your environment to support vTPM, you will get this awful setup error:
[Screenshot of the Windows 11 setup error]
There are several VMware articles to step you through enabling vTPM support, so I will outline the high level steps I followed.
To use a vTPM, your vSphere environment must meet these requirements:
Virtual machine requirements:
  • EFI firmware
  • Hardware version 14 or later
vSphere component requirements:
  • vCenter Server 6.7 or later for Windows virtual machines.
  • Virtual machine encryption (to encrypt the virtual machine home files).
  • Key provider configured for vCenter Server. See Set up a Key Management Server Cluster.
Below I installed a Native Key Provider onto my vCenter:
[Screenshot of the Native Key Provider in vCenter]
This will also enable Host Encryption Mode on your ESXi servers:
[Screenshot of Host Encryption Mode enabled on the ESXi hosts]
Now that we have the Key Provider configured on our vCenter, and confirmed the ESXi hosts are in Encryption Mode, we can now add the vTPM onto the Windows 11 vm.
When creating a new virtual machine, there is now the option to Encrypt this virtual machine under Select Storage:
[Screenshot: Encrypt this virtual machine option under Select Storage]
Next, on the Virtual Hardware tab, select Add New Device and then Trusted Platform Module:
[Screenshot: Add New Device, Trusted Platform Module]
The Trusted Platform Module now shows as added to the VM:
[Screenshot: Trusted Platform Module listed in the VM hardware]
Now, on the VM Options tab, set the Boot Options to EFI:
[Screenshot: Boot Options set to EFI]
And voilà! Our Windows 11 VM will now run the install!!
[Screenshot: Windows 11 installer running]
So once you have this all set up, you can now deploy Windows 11 and the new Windows Server versions.
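As an added example (not the author's or VMware's code), here is a Python pre-flight check of the requirements listed above, the kind of thing a practitioner runs before adding a vTPM or when auditing existing VMs for configuration drift. The check itself works on a plain record filled with constructed values so it runs offline; collect_vm_facts() is an adapter that reads the corresponding vSphere API properties through pyVmomi (config.firmware, config.version, config.keyId, config.hardware.device and the host's runtime.cryptoState, where "safe" is the state reported when host encryption mode is enabled) and is only exercised against a live vCenter session. The vCenter Server version requirement is not checked here.

```python
"""Checks a VM and its host against the vTPM prerequisites listed in the post.
Constructed example, not VMware code.  collect_vm_facts() reads the vSphere API
properties as pyVmomi exposes them (config.firmware, config.version, config.keyId,
config.hardware.device, host runtime.cryptoState); the check itself works on a plain
record so it can be run offline against constructed data."""
from dataclasses import dataclass

try:
    from pyVmomi import vim  # only needed when talking to a real vCenter
except ImportError:  # pragma: no cover
    vim = None

MIN_HW_VERSION = 14  # hardware version 14 or later, per the requirements list


@dataclass
class VmFacts:
    name: str
    firmware: str           # "efi" or "bios"
    hw_version: str         # e.g. "vmx-14"
    encrypted: bool         # VM home files encrypted (config.keyId is set)
    has_vtpm: bool          # a VirtualTPM device is already present
    host_crypto_state: str  # host cryptoState: "safe" means host encryption mode is on
    host_name: str = ""


def hw_version_number(version: str) -> int:
    """'vmx-14' -> 14; anything that does not look like vmx-N -> 0."""
    prefix, _, num = version.partition("-")
    return int(num) if prefix == "vmx" and num.isdigit() else 0


def check_vtpm_requirements(f: VmFacts) -> list:
    """Return the unmet requirements; an empty list means a vTPM can be added."""
    problems = []
    if f.firmware.lower() != "efi":
        problems.append(f"{f.name}: firmware is {f.firmware}, vTPM requires EFI")
    if hw_version_number(f.hw_version) < MIN_HW_VERSION:
        problems.append(f"{f.name}: hardware version {f.hw_version} is below vmx-{MIN_HW_VERSION}")
    if not f.encrypted:
        problems.append(f"{f.name}: VM home files are not encrypted (no key provider / VM encryption)")
    if f.host_crypto_state != "safe":
        problems.append(f"{f.host_name}: host cryptoState is {f.host_crypto_state!r}, encryption mode is not enabled")
    if f.has_vtpm and problems:
        # Drift: a vTPM is attached but the prerequisites no longer hold; worth a look.
        problems.append(f"{f.name}: vTPM device present although requirements are unmet")
    return problems


def collect_vm_facts(vm, host) -> VmFacts:
    """Adapter from live pyVmomi objects (vim.VirtualMachine, vim.HostSystem); not run offline."""
    return VmFacts(
        name=vm.name,
        firmware=vm.config.firmware,
        hw_version=vm.config.version,
        encrypted=vm.config.keyId is not None,
        has_vtpm=any(isinstance(d, vim.vm.device.VirtualTPM) for d in vm.config.hardware.device),
        host_crypto_state=host.runtime.cryptoState,
        host_name=host.name,
    )


def demo() -> dict:
    """Constructed facts: one VM ready for vTPM, one missing every requirement."""
    ready = VmFacts("win11-01", "efi", "vmx-19", True, True, "safe", "esx01")
    stale = VmFacts("win11-old", "bios", "vmx-13", False, False, "incapable", "esx02")
    return {f.name: check_vtpm_requirements(f) for f in (ready, stale)}
```

In practice you would loop over the VMs returned by a pyVmomi container view, build a VmFacts for each with collect_vm_facts(vm, vm.runtime.host) and report the non-empty lists; a VM that fails the EFI or hardware-version check is exactly the one that would hit the setup error shown earlier in the post.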
Ah, about the encrypted core dumps? I will have more details on core dumps in my next post, vTPM Support on vSphere Part 2.