Can I delete Windows.old?

Can I delete Windows.old KB ID 0001904

Problem

The Windows.old folder is generated when you reinstall or upgrade Windows without formatting the drive. Here are some scenarios that create it.

Upgrading Windows: When you upgrade to a newer version of Windows (e.g., from Windows 10 to Windows 11), the system creates the Windows.old folder to back up your previous installation. This allows you to roll back to the earlier version if something goes wrong or if you’re not satisfied with the upgrade.
Reinstalling Windows: If you reinstall Windows without performing a clean installation (i.e., without formatting the drive), the system creates Windows.old to back up your previous installation, including your system files, installed programs, and personal data.
Windows Reset or Refresh: When you reset or refresh your PC, some versions of Windows (e.g., Windows 10/11) may create Windows.old to store your previous system state temporarily.
System Recovery: Performing a recovery operation (e.g., restoring from a recovery drive) without wiping the disk can also generate Windows.old.

The folder serves as a safety net so that you can:

  • Roll back to the previous version of Windows (within 10 days for Windows 10/11).
  • Recover personal files or settings if needed.

So if you need the drive space back, or simply don't think you need it anymore, can you safely delete/remove it?

Solution

Yes, you can safely delete the Windows.old folder, but only if you’re sure you won’t need to revert to a previous version of Windows. Here’s what you need to know before deleting it:

Why Would You NOT Want to Delete Windows.old?

  • Revert to a previous version: You can use it to roll back to your old version of Windows within 10 days of the upgrade.
  • Recover personal files: If anything went missing during the upgrade, you might find it in Windows.old.

How to delete Windows.old safely

You can’t delete it like a normal folder. Use the Disk Cleanup tool:

Press Win + S and type Disk Cleanup, then select it.

Click Clean up system files.

Select Previous Windows Installation(s).

Click OK to delete it.
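Added example (not from the original article): report how big Windows.old is and whether the 10-day rollback window has passed before removing it, then drive Disk Cleanup non-interactively. The folder's creation time stands in for the upgrade date, which is an approximation; the VolumeCaches registry path is the standard cleanmgr handler location, not something the article states. Run from an elevated PowerShell prompt.

```powershell
# Added example: size/age check for Windows.old, then scripted Disk Cleanup.
$windowsOld = 'C:\Windows.old'

function Get-WindowsOldStatus {
    if (-not (Test-Path $windowsOld)) { return $null }
    $bytes = (Get-ChildItem -Path $windowsOld -Recurse -Force -File -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    # Creation time of the folder approximates when the upgrade ran (assumption).
    $age = (Get-Date) - (Get-Item -Path $windowsOld -Force).CreationTime
    [pscustomobject]@{
        Path           = $windowsOld
        SizeGB         = [math]::Round($bytes / 1GB, 2)
        AgeDays        = [math]::Floor($age.TotalDays)
        RollbackWindow = $age.TotalDays -le 10     # the 10 days the article mentions
    }
}

function Remove-WindowsOldViaDiskCleanup {
    # Disk Cleanup handlers live under VolumeCaches; flagging "Previous Installations"
    # with StateFlags0099 = 2 and running /sagerun:99 is the scripted equivalent of
    # ticking "Previous Windows Installation(s)" in the GUI (99 is an arbitrary profile).
    $handler = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Previous Installations'
    if (-not (Test-Path $handler)) { throw 'Previous Installations cleanup handler not found.' }
    New-ItemProperty -Path $handler -Name StateFlags0099 -Value 2 -PropertyType DWord -Force | Out-Null
    Start-Process -FilePath cleanmgr.exe -ArgumentList '/sagerun:99' -Wait
}

$status = Get-WindowsOldStatus
if (-not $status) { Write-Host 'No Windows.old folder present.'; return }
$status | Format-List
if ($status.RollbackWindow) {
    Write-Warning 'Still inside the rollback window; deleting now removes the option to go back.'
} else {
    Remove-WindowsOldViaDiskCleanup
}
```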

Related Articles, References, Credits, or External Links

NA

Upgrade Windows 10 to Windows 11

Upgrade Windows 10 to Windows 11 KB ID 0001902

Problem

As you may already know, Microsoft will officially end support for Windows 10 on October 14, 2025. This means no more security updates, bug fixes, or feature improvements! While your PC will still function, it will be at greater risk for viruses and malware – and yes – that does mean businesses and home users alike. So it’s crucial to start planning your transition to Windows 11 now, especially with larger estates.
Below, I’ll cover the key considerations and upgrade paths to help you prepare.

Need Help? If you’re unsure about your upgrade path or compatibility, feel free to leave a comment below.

Why Upgrade to Windows 11

Windows 11 offers several improvements over Windows 10, including:

  • Enhanced Security: Built-in support for TPM 2.0 and Secure Boot ensures a more secure operating system.
  • Modern UI: A fresh design with centred taskbar icons and rounded corners.
  • Productivity Features: Snap layouts, virtual desktops, and better multi-monitor support.
  • Improved Gaming Experience: DirectStorage and AutoHDR support.
  • Optimised for Hybrid Work: Deeper integration with Microsoft Teams and cloud services.

As mentioned (above) with support for Windows 10 ending, you’ll also reduce your risk of vulnerabilities by upgrading.

Solution: Upgrade Windows 10 to Windows 11

Key Considerations Before Upgrading to Windows 11

Hardware Compatibility

Windows 11 has stricter hardware requirements than Windows 10. Your PC must meet the following criteria:

  • Processor: 1 GHz or faster, 2 or more cores, 64-bit compatible.
  • RAM: 4 GB minimum.
  • Storage: 64 GB or more.
  • TPM: Trusted Platform Module (TPM) version 2.0.
  • Graphics Card: DirectX 12 compatible with a WDDM 2.0 driver.
  • Display: At least 720p resolution and 9″ or larger diagonal screen size.

Run the PC Health Check Tool from Microsoft to verify if your system is compatible.
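Added example (not Microsoft's PC Health Check and not from the original article): the requirements listed above as a scripted readiness check that can be run across an estate. Run from an elevated PowerShell prompt, since Get-Tpm and Confirm-SecureBootUEFI need administrator rights; screen size and the WDDM driver level are not checked here.

```powershell
# Added example: scripted Windows 11 readiness check against the listed requirements.
function Test-Win11Readiness {
    $cpu      = Get-CimInstance Win32_Processor | Select-Object -First 1
    $sys      = Get-CimInstance Win32_ComputerSystem
    $sysDrive = Get-Volume -DriveLetter ($env:SystemDrive.TrimEnd(':'))

    # TPM presence from the TrustedPlatformModule module, spec level from WMI
    # (SpecVersion reads like "2.0, 0, 1.38"; anything not starting "2.0" fails).
    $tpm        = try { Get-Tpm } catch { $null }
    $tpmVersion = try {
        (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
    } catch { $null }

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines, which is itself a failure.
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }

    $checks = [ordered]@{
        'Processor 64-bit'      = $cpu.AddressWidth -eq 64
        'Processor 2+ cores'    = $cpu.NumberOfCores -ge 2
        'Processor 1 GHz+'      = $cpu.MaxClockSpeed -ge 1000
        'RAM 4 GB+'             = $sys.TotalPhysicalMemory -ge 4GB
        'System drive 64 GB+'   = $sysDrive.Size -ge 64GB
        'UEFI firmware'         = $env:firmware_type -eq 'UEFI'
        'Secure Boot enabled'   = $secureBoot
        'TPM present and ready' = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        'TPM 2.0'               = [bool]($tpmVersion -and $tpmVersion.StartsWith('2.0'))
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Check = $name; Pass = $checks[$name] }
    }
}

$results = Test-Win11Readiness
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning "$env:COMPUTERNAME does not meet all Windows 11 requirements; see the failed checks."
} else {
    Write-Host "$env:COMPUTERNAME meets the listed Windows 11 requirements."
}
```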

Software Compatibility

Check whether your existing software and drivers are compatible with Windows 11. Vendors are gradually releasing updates, but some legacy applications may not work as expected.

Backup your Data

Before upgrading, ensure all critical data is backed up to an external drive or cloud storage. While most upgrades are seamless, it’s better to err on the side of caution.

Upgrade Timing

For businesses, avoid upgrading during peak operational periods. Test Windows 11 on a subset of systems before a full rollout.

Licensing and Cost

If you have a valid Windows 10 license, the upgrade to Windows 11 is free. However, organizations with volume licensing may need to verify their agreements.

Upgrade Paths from Windows 10 to Windows 11

Option 1: In-Place Upgrade Windows 10 to Windows 11

An in-place upgrade allows you to install Windows 11 over your existing Windows 10 installation without losing data or applications.

Steps:

  1. Run the PC Health Check Tool to ensure compatibility.
  2. Open Windows Update (“Settings > Update & Security”).
  3. If your device is eligible, you’ll see the option to upgrade to Windows 11. Click “Download and Install.”

Option 2: Clean Installation Upgrade Windows 10 to Windows 11

A clean installation is a fresh start, which often results in better performance and fewer compatibility issues.

Steps:

  1. Download the Windows 11 installation media from the Microsoft website.
  2. Create a bootable USB drive using the Media Creation Tool.
  3. Boot from the USB drive and follow the on-screen instructions to install Windows 11.
  4. Restore your data and reinstall applications.

Option 3: Upgrade via IT Deployment Tools (Enterprise)

Organisations can use tools like Microsoft Endpoint Manager or Windows Autopilot to deploy Windows 11 to multiple devices seamlessly.

Steps:

  1. Assess hardware readiness using tools like Microsoft Endpoint Configuration Manager.
  2. Develop an upgrade strategy, including phased rollouts and testing.
  3. Use deployment tools to push the upgrade to target systems.

Upgrade Windows 10 to Windows 11 (Post-deployment Checks)

  • Verify Drivers and Updates: After installation, check for driver updates via Windows Update or manufacturer’s websites.
  • Reconfigure Software: Test all critical applications to ensure they work correctly.
  • Enable New Features: Familiarize yourself and your team with productivity features like Snap layouts and widgets.
  • Educate Users: Provide training or resources for end-users transitioning to Windows 11.

With support for Windows 10 ending soon, transitioning to Windows 11 is essential to ensure your system remains secure and up-to-date. By planning carefully and understanding the upgrade paths, you can make the process as smooth as possible. Start by assessing your hardware and software readiness, then choose the upgrade route that best fits your needs.

Related Articles, References, Credits, or External Links

NA

RDP Issue Post Windows 11 24H2 Upgrade

RDP Issue KB ID 0001901

Problem: RDP Issue

After updating Windows 11 to version 24H2, remote desktop connections to older systems (e.g. those running Windows 7 or Windows Server 2008 R2) fail to display graphical content properly.

Reverting to the earlier (23H2) version of the Windows 11 RDP client files does resolve the issue.

Connections to devices with newer operating systems remain unaffected.

Solution: RDP Issue

Note: You can simply use the RDP client from the MS Store and this should eliminate the problem.

The solution involves copying files from an older (23H2 or earlier) version of Windows. First, locate all the following files and RENAME them with a .OLD extension. To do this you will need to boot into Safe Mode, or from the recovery environment (press and hold the Shift key while clicking Restart from the Start menu, Power menu, or the sign-in screen; the computer will then reboot into the Recovery Environment).

  • C:\Windows\System32\mstsc.exe
  • C:\Windows\System32\mstscax.dll
  • C:\Windows\System32\en-US\mstsc.exe.mui (en-US is the locale; yours may be different if you are not using English US)
  • C:\Windows\System32\en-US\mstscax.dll.mui (as above, substitute your locale if you are not using English US)
  • C:\Windows\SystemResources\mstsc.exe.mun
  • C:\Windows\SystemResources\mstscax.dll.mun

Copy those files back from a known working older system.
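Added example (not from the original article): back up the six 24H2 client files listed above by renaming them to .OLD, and record each file's version and SHA-256 so the copies brought in from the older machine can be checked the same way. Run it from Safe Mode or WinRE as described; in WinRE the offline Windows drive may not be C:, so pass -WinRoot accordingly.

```powershell
# Added example: inventory and back up the RDP client files before replacing them.
param([string]$WinRoot = 'C:\Windows', [string]$Locale = 'en-US')

$rdpFiles = @(
    "$WinRoot\System32\mstsc.exe",
    "$WinRoot\System32\mstscax.dll",
    "$WinRoot\System32\$Locale\mstsc.exe.mui",
    "$WinRoot\System32\$Locale\mstscax.dll.mui",
    "$WinRoot\SystemResources\mstsc.exe.mun",
    "$WinRoot\SystemResources\mstscax.dll.mun"
)

function Get-RdpClientFileInfo {
    # Version and hash of each file: run this on both machines and compare.
    foreach ($f in $rdpFiles) {
        if (Test-Path $f) {
            $item = Get-Item -Path $f
            [pscustomobject]@{
                Path    = $f
                Version = $item.VersionInfo.FileVersion
                Sha256  = (Get-FileHash -Path $f -Algorithm SHA256).Hash
            }
        } else {
            [pscustomobject]@{ Path = $f; Version = 'MISSING'; Sha256 = $null }
        }
    }
}

function Backup-RdpClientFiles {
    foreach ($f in $rdpFiles) {
        if (-not (Test-Path $f)) { Write-Warning "Not found: $f"; continue }
        if (Test-Path "${f}.OLD") { Write-Warning "Backup already exists: ${f}.OLD"; continue }
        # In Safe Mode these files belong to TrustedInstaller; if Rename-Item is denied,
        # take ownership first:  takeown /f $f ; icacls $f /grant Administrators:F
        Rename-Item -Path $f -NewName ("$(Split-Path -Path $f -Leaf).OLD")
    }
}

# Record what is in place before touching anything, then back the files up.
Get-RdpClientFileInfo | Tee-Object -FilePath "$env:TEMP\rdp-before.txt" | Format-Table -AutoSize
Backup-RdpClientFiles
# After copying the files from the older (23H2) system, run Get-RdpClientFileInfo again
# on both machines and compare Version/Sha256 to confirm every copy landed.
```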

Related Articles, References, Credits, or External Links

NA

Windows SSH ‘No Matching Key’

No Matching Key KB ID 0001900

Problem : No Matching Key

Typically I see this problem on my Mac or within various Linux distributions. I’ve covered extensively how to fix this on a Mac in the following article.

macOS – SSH Error ‘No Matching Exchange Method Found’

So when I saw the same question asked for a Windows client, I went and looked, and found some patchy information, so I thought I’d work it out and post it here for you. Essentially you will see an error when attempting to SSH to a device something like one of the following.

Unable to negotiate with {IP-Or-Hostname} port 22 : no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Unable to negotiate with {IP-Or-Hostname} port 22 : no matching host key type found. Their offer: ssh-rsa

Solution : No Matching Key

With Windows the fix is similar: less secure algorithms and ciphers have been deprecated by Windows, and to re-enable them* you need to edit your ssh_config file. This file lives in a folder called ssh, which is in a hidden folder on the root of your C drive called ProgramData. On most Windows machines this file won’t exist, but check first to make sure (particularly if you’re on a server that may be running SSH services).

*Note: They are deprecated for a reason; this weakens your machine’s security. The following procedure will GLOBALLY allow these deprecated ciphers for all SSH sessions; if you want to operate a little more securely, go to the individual SSH config section.

Showing Hidden Files and Folders : No Matching Key

Assuming, like me, you don’t already have an ssh_config file, then you need to create one and add the connection algorithms required. Open an administrative command window (if you don’t do this you will get access denied errors going forward!) Then execute the following commands.

[box]

copy nul > C:\ProgramData\ssh\ssh_config

notepad C:\ProgramData\ssh\ssh_config

[/box]

Note: If after you execute the first command, you get “copy : Cannot find path ‘C:\Windows\system32\nul’ because it does not exist.” don’t worry, it will still create the file.

A Notepad window will open; remove any text within it and paste in the following.

[box]

MACs hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-512
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
PubkeyAcceptedAlgorithms +ssh-rsa
HostKeyAlgorithms +ssh-rsa

[/box]

Save the Notepad file, then retry your ssh command. This time it should succeed, or if it errors it will tell you which MAC, KexAlgorithms, or key algorithm it’s missing, which you can paste into the ssh_config file.

Individual Host SSH Settings

It’s considered better practice to have a config for each target you will SSH to. For me that’s impractical because I have hundreds of clients and thousands of switches, routers and firewalls (but you could add them as you go, I suppose). For this procedure you create a config file in your user profile, and in that config file you put the requirements in, on a host-by-host basis.

Firstly create the config file, open an administrative PowerShell window, and execute the following command.

[box]

New-Item -Path $HOME\.ssh\config -ItemType File

[/box]

Then to edit the config file.

[box]

C:\WINDOWS\System32\notepad.exe $HOME\.ssh\config

[/box]

A Notepad window will open with the blank config file, here’s an example of a config for two devices (my test Cisco ASA, and my test core switch).

Example.

[box]

# Config for my test firewall
Host cisco-asa
  HostName 192.168.254.254
  User petelong
  Port 22
  # The next two lines switch off host-key verification for this host only
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  # The deprecated algorithms are enabled for this host only, not globally
  KexAlgorithms diffie-hellman-group1-sha1
  HostKeyAlgorithms +ssh-rsa

[/box]

Now simply issue an ssh cisco-asa command.
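Added example (not from the original article) covering both the global ssh_config and the per-host config above: it turns the OpenSSH "Their offer:" error into a per-host entry in $HOME\.ssh\config, so the deprecated algorithm is enabled for that one device rather than globally in C:\ProgramData\ssh\ssh_config. The alias, address and user are the article's test values, and the error text is constructed.

```powershell
# Added example: derive a per-host ssh_config option from the OpenSSH negotiation error.
function Get-SshFixOption {
    param([Parameter(Mandatory)][string]$ErrorText)
    # OpenSSH phrase -> ssh_config keyword that controls it
    $keyword = @{
        'key exchange method' = 'KexAlgorithms'
        'host key type'       = 'HostKeyAlgorithms'
        'cipher'              = 'Ciphers'
        'MAC'                 = 'MACs'
    }
    # Prefer the least-weak algorithm the device offers; fall back to its first offer.
    $preferred = @('diffie-hellman-group-exchange-sha256', 'diffie-hellman-group14-sha256',
                   'diffie-hellman-group14-sha1', 'rsa-sha2-512', 'rsa-sha2-256',
                   'aes256-ctr', 'aes128-ctr', 'hmac-sha2-256', 'hmac-sha1')
    if ($ErrorText -notmatch 'no matching (?<what>.+?) found\. Their offer: (?<offer>\S+)') {
        throw "Not a recognised OpenSSH negotiation error: $ErrorText"
    }
    $what  = $Matches.what
    $offer = $Matches.offer.Split(',')
    if (-not $keyword.ContainsKey($what)) { throw "Unhandled negotiation item: $what" }
    $pick = $preferred | Where-Object { $offer -contains $_ } | Select-Object -First 1
    if (-not $pick) { $pick = $offer[0] }
    # "+" appends to the client's default list instead of replacing it
    [pscustomobject]@{ Keyword = $keyword[$what]; Value = "+$pick" }
}

function Add-SshHostEntry {
    param(
        [Parameter(Mandatory)][string]$Alias,
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][hashtable]$Options,
        [string]$ConfigPath = "$HOME\.ssh\config"
    )
    # -Force also creates the .ssh folder if it is missing
    if (-not (Test-Path $ConfigPath)) { New-Item -Path $ConfigPath -ItemType File -Force | Out-Null }
    if (Select-String -Path $ConfigPath -Pattern "^\s*Host\s+$([regex]::Escape($Alias))\s*$" -Quiet) {
        Write-Warning "Host $Alias already present in $ConfigPath; not modified."
        return
    }
    $lines = @('', "Host $Alias", "  HostName $HostName", "  User $User")
    foreach ($k in $Options.Keys) { $lines += "  $k $($Options[$k])" }
    Add-Content -Path $ConfigPath -Value $lines
    Write-Host "Added '$Alias' to $ConfigPath; connect with: ssh $Alias"
}

# Constructed sample error in the form the article shows (no device was queried).
$sample = 'Unable to negotiate with 192.168.254.254 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1'
$fix  = Get-SshFixOption -ErrorText $sample      # KexAlgorithms +diffie-hellman-group14-sha1
$opts = @{}
$opts[$fix.Keyword] = $fix.Value
Add-SshHostEntry -Alias cisco-asa -HostName 192.168.254.254 -User petelong -Options $opts
```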

 

Related Articles, References, Credits, or External Links

SSH: Host Identification Has Changed

Printers “Some Of These Settings are Managed By Your Organisation”

Managed By Your Organisation KB ID 0001899

Problem

When attempting to add a printer, or engage with the printer settings dialog, you may see:

Some Of These Settings are Managed By Your Organisation

Solution : Managed By Your Organisation

This is usually because a policy is being applied (or has been applied) that is making a change in your registry, to the following key.

[box]

HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Policies > Explorer > NoAddPrinter 

[/box]

Values are:

  • ENABLED  = 1 (Printers cannot be added).
  • DISABLED = 0 (Printers can be added).

Of course, if this IS being enforced by group policy, changing the registry key will only fix the problem until the policy is re-applied!

I’ve previously written about how to locate where a group policy is coming from; the policy you are looking for is:

[box]

User Configuration > Administrative Templates > Control Panel > Printers > Prevent addition of printers  

[/box]

In this case it was being enforced by Local User Policies.

Running gpedit.msc got me to the culprit.

If yours is being enforced from your domain, gpresult will point to the correct policy.

Related Articles, References, Credits, or External Links

Allow Users to Install Printers with Group Policy

Deploying Printers with Group Policy Preferences

What GPO are Applied?

What GPO KB ID 0001898

Problem

There are a number of reasons for you to test and demonstrate group policy application. Recently on Experts Exchange there was a question where a user could not add a printer because those settings were “Controlled by their organisation”, but they were pretty sure no printer GPOs were applied.

Or you may simply be setting up a new GPO and it’s not applying, or not working as you would expect.

Solution : What GPO

I’ve been doing this a long time! Back in the day you could create a new MMC console (run mmc.exe), then add the “Resultant Set Of Policy” snap-in and run that to evaluate and model different GPO applications and results. You can still do that, but now you can simply run the RSOP command from an administrative command window.

In this case it will produce a list of applied group policies for the logged-in user and the machine it was run on (if you want results for different users or computers you can add the RSOP snap-in to mmc, or run the modelling from a machine that has the Group Policy Management Console installed).

RSOP will give you output like this: you can see which policies are being applied, and the name of the group policy that is applying each change.

But this will produce a complete list of all GPO settings and their status (even if they are not defined, see above). An easier way to search is to use GPRESULT and send its output to an HTML file that you can open in a browser.

[box]

gpresult /h C:\{Path}\GPresult.htm

[/box]

This produces an easier-to-read report.

You can get the same report, and change the input parameters for users and computers etc., by running the Group Policy Results wizard that is included with the AD DS RSAT tools.
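Added example (not from either article) serving both the printers article and this one: it reads the NoAddPrinter value described above, then generates the gpresult report as XML (the same data as the HTML report) and searches it for "Prevent addition of printers" to name the GPO applying it. The HKLM policy path and the element names inside gpresult's XML are assumptions; if nothing is returned, open the HTML report and search it by hand.

```powershell
# Added example: registry check for NoAddPrinter, then locate the GPO via gpresult /x.
function Get-NoAddPrinterState {
    foreach ($hive in 'HKCU', 'HKLM') {
        $path  = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $value = (Get-ItemProperty -Path $path -Name NoAddPrinter -ErrorAction SilentlyContinue).NoAddPrinter
        $meaning = switch ($value) {
            1       { 'ENABLED: printers cannot be added' }
            0       { 'DISABLED: printers can be added' }
            default { 'not set' }
        }
        [pscustomobject]@{ Hive = $hive; NoAddPrinter = $value; Meaning = $meaning }
    }
}

function Get-ChildText {
    # Text of a direct child element, ignoring XML namespace prefixes (assumed layout).
    param($Node, [string]$Name)
    $child = $Node.SelectSingleNode("*[local-name()='$Name']")
    if ($child) { $child.InnerText }
}

function Find-GpoForSetting {
    param(
        [Parameter(Mandatory)][string]$SettingName,
        [string]$ReportPath = "$env:TEMP\gpresult.xml"
    )
    # /x writes XML instead of HTML; /f overwrites a previous report at the same path.
    gpresult /x $ReportPath /f | Out-Null
    [xml]$rsop = Get-Content -Path $ReportPath -Raw
    # Every Policy element whose Name child matches the setting, in any namespace.
    $xpath = "//*[local-name()='Policy'][*[local-name()='Name']='$SettingName']"
    foreach ($node in $rsop.SelectNodes($xpath)) {
        $scope = if ($node.SelectSingleNode("ancestor::*[local-name()='UserResults']")) { 'User' } else { 'Computer' }
        $gpo   = $node.SelectSingleNode("*[local-name()='GPO']")
        [pscustomobject]@{
            Setting = $SettingName
            State   = Get-ChildText -Node $node -Name 'State'
            Scope   = $scope
            Gpo     = if ($gpo) { Get-ChildText -Node $gpo -Name 'Name' } else { $null }
        }
    }
}

Get-NoAddPrinterState | Format-Table -AutoSize
$hits = Find-GpoForSetting -SettingName 'Prevent addition of printers'
if ($hits) { $hits | Format-Table -AutoSize }
else { Write-Host "Setting not found in the XML report; review $env:TEMP\gpresult.xml (or gpresult /h) manually." }
```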

Related Articles, References, Credits, or External Links

Group Policy: Item-Level Targeting

Apply Group Policy To a Security Group

Add The ‘Group Policy Management Console’

Windows 11 – Remove Search Adverts

Remove Search Adverts KB ID 0001897

Problem

Why this has to be a ‘thing’ in a business version of Windows I’m not really sure, but if you want to remove these adverts from the Windows Search function, read on.

They are called ‘Search Highlights’ or ‘Dynamic Search Box’.

Solution: Remove Search Adverts

Option 1 Remove Search Adverts with Domain Group Policy

In a domain environment we can simply create a GPO and link it to the computers you want to ‘remove’ this ‘feature’ from. On a domain controller > Administrative Tools > Group Policy Management Console > Select a policy that’s linked to the OU that the affected machines are in, or create a new policy and edit it.

Navigate to.

[box]

Computer Configuration > Policies > Administrative Templates > Windows Components > Search > Allow search highlights

[/box]

Wait, there is no Allow Search Highlights option? If so, see the ‘Allow Search Highlights Option Missing From GPO’ section below.

Then either wait a couple of hours for the policies to enforce, or manually force a policy renewal.

Option 2 Remove Search Adverts with Local Group Policy

If your PC is in a workgroup, or is simply a stand-alone PC, you can achieve the same by using Local Policies. (Note: Not available with Home versions of Windows). In the start menu search for and execute gpedit.msc

Navigate to.

[box]

Computer Configuration > Administrative Templates > Windows Components > Search > Allow search highlights

[/box]

Select Disabled > Apply > OK > Close the policy editor and reboot, or manually force a policy renewal.

Option 3 Remove Search Adverts with Local Settings

Another option is to go to Settings:

Privacy and Security > Search Permissions.

Scroll all the way to the bottom > More Settings > Show Search Highlights > Off > Then reboot the PC.

Option 4 Remove Search Adverts within The Registry

If you have a home edition of Windows then sometimes it’s easier to simply set this in the registry. Locate and execute regedit.

Navigate to.

[box]

Computer > HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > SearchSettings > IsDynamicSearchBoxEnabled

[/box]

Set to 0 (Zero) for Disabled.
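Added example (not from the original article): sets the per-user registry value from Option 4, but first checks whether a domain or local policy (Options 1 and 2) is already controlling the feature, because a policy value wins and will override the user setting. The policy path and the EnableDynamicContentInWSB value name come from the Search.admx template, not from the article, and are assumptions here.

```powershell
# Added example: disable Search Highlights per user, respecting an existing policy.
$userKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\SearchSettings'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'   # assumed policy location

function Get-SearchHighlightState {
    $user   = (Get-ItemProperty -Path $userKey -Name IsDynamicSearchBoxEnabled -ErrorAction SilentlyContinue).IsDynamicSearchBoxEnabled
    $policy = (Get-ItemProperty -Path $policyKey -Name EnableDynamicContentInWSB -ErrorAction SilentlyContinue).EnableDynamicContentInWSB
    $userText   = if ($null -eq $user)   { 'not set (defaults to on)' } else { $user }
    $policyText = if ($null -eq $policy) { 'no policy' } else { $policy }
    [pscustomobject]@{
        UserSetting   = $userText
        PolicySetting = $policyText
        PolicyWins    = $null -ne $policy     # any policy value overrides the user value
    }
}

function Disable-SearchHighlights {
    $state = Get-SearchHighlightState
    if ($state.PolicyWins) {
        Write-Warning "A policy sets EnableDynamicContentInWSB=$($state.PolicySetting); change it in Group Policy, not here."
        return $state
    }
    if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
    New-ItemProperty -Path $userKey -Name IsDynamicSearchBoxEnabled -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host 'IsDynamicSearchBoxEnabled set to 0; reboot (or sign out and in) for it to take effect.'
    Get-SearchHighlightState
}

Disable-SearchHighlights
```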

Allow Search Highlights Option Missing From GPO

If you attempt to disable this but find the option missing like so.

You need to update your policy definitions for Windows 11 (the updated ADMX templates are available from Microsoft). When you execute the updates, they put the policy definitions in an odd place, so make sure you take a note of where the definitions are being put.

Now you simply need to copy the ADMX and ADML files to the correct location on one of your domain controllers; to understand how to do that, read the following article.

Setup up a Central ‘PolicyDefinitions’ Store (for ADMX files)

Related Articles, References, Credits, or External Links

NA

Microsoft Blue Screen of Death (BSOD)

BSOD KB ID 0001882

Problem

Recovering from a Microsoft Blue Screen of Death (BSOD) involves several steps to diagnose and resolve the issue. Here is a systematic approach to help you recover from a BSOD.

Solution: BSOD Resolution

Note: If you are using CrowdStrike (18th Jul 2024), or you’re stuck at the recovery screen, the problem is being worked on by the vendor.

TEMPORARY WORKAROUND

  1. Boot Windows into Safe Mode or WinRE (the Windows Recovery Environment).
  2. Go to C:\Windows\System32\drivers\CrowdStrike
  3. Locate and delete file matching “C-00000291*.sys”
  4. Boot normally.

Alternative Crowdstrike Fix (from the recovery screen)

If you’re stuck at the recovery screen, try these steps:

  1. Click on ‘See advanced repair options’ on the Recovery screen.
  2. In the Advanced Repair Options menu, select ‘Troubleshoot’.
  3. Next, choose ‘Advanced options’.
  4. Select ‘Startup Settings’.
  5. Click on ‘Restart’.
  6. After your PC restarts, you will see a list of options. Press 4 or F4 to start your PC in Safe Mode.
  7. Open Command Prompt in Safe Mode.
  8. In the Command Prompt, navigate to the drivers directory: cd \windows\system32\drivers
  9. To rename the CrowdStrike folder, use ren CrowdStrike CrowdStrike_old

Alternative Crowdstrike Fix (For Virtual Machines)

  1. Attach the system disk of the affected machine as an unmanaged disk to another VM for offline repair (Note: disks that are encrypted may need these additional instructions: Unlocking an encrypted disk for offline repair).
  2. Once the disk is attached, customers can attempt to delete the following file: “Windows/System/System32/Drivers/CrowdStrike/C00000291*.sys”.
  3. The disk can then be detached and re-attached to the original VM.

1. Note the BSOD Error Code

When a BSOD occurs, an error code is displayed on the screen. This code can be crucial in diagnosing the problem. Write down the error code and any associated information.

2. Restart Your Computer

Sometimes, a simple restart can resolve the issue. However, if the BSOD persists, proceed to the next steps.

3. Boot into Safe Mode

Safe Mode loads a minimal set of drivers and services. Booting into Safe Mode can help you determine if a default setting or basic device driver is causing the issue.

  • Windows 10/11:
    1. Restart your computer.
    2. As soon as your computer starts, press the F8 key repeatedly until the Advanced Boot Options menu appears.
    3. Select “Safe Mode” or “Safe Mode with Networking.”

4. Check for Hardware Issues causing BSOD

  • Disconnect External Devices: Unplug all external devices (USB drives, printers, etc.) and restart your computer to see if the BSOD persists.
  • Run a Memory Check: Use the Windows Memory Diagnostic tool to check for memory issues.
    • Press Windows + R, type mdsched.exe, and press Enter.
    • Choose “Restart now and check for problems.”

5. Update or Roll Back Drivers

  • Update Drivers:
    • Open Device Manager (Windows + X > Device Manager).
    • Expand categories and update any drivers with a yellow exclamation mark.
  • Roll Back Drivers:
    • In Device Manager, right-click the driver causing the issue, select “Properties,” go to the “Driver” tab, and select “Roll Back Driver.”

6. Check for Software Issues

  • Uninstall Recent Software: Uninstall any software or updates installed recently.
    • Go to Settings > Apps > Apps & features and uninstall the problematic software.
  • Run System File Checker (SFC):
    • Open Command Prompt as Administrator.
    • Type sfc /scannow and press Enter.

7. Perform a System Restore

If the BSOD started after a recent change, performing a System Restore can revert your computer to a previous state.

  • Go to Control Panel > System and Security > System > System Protection > System Restore.
  • Follow the prompts to choose a restore point.

8. Check Disk for Errors

  • Open Command Prompt as Administrator.
  • Type chkdsk /f /r and press Enter.
  • Restart your computer to allow the check to run.

9. Update Windows

Ensure your Windows operating system is up to date.

  • Go to Settings > Update & Security > Windows Update and check for updates.

10. Perform a Clean Boot

A clean boot helps eliminate software conflicts.

  • Press Windows + R, type msconfig, and press Enter.
  • Go to the “Services” tab, check “Hide all Microsoft services,” and click “Disable all.”
  • Go to the “Startup” tab, open Task Manager, and disable all startup items.
  • Restart your computer.

11. Reset or Reinstall Windows

If none of the above steps work, you may need to reset or reinstall Windows.

  • Reset This PC:
    • Go to Settings > Update & Security > Recovery > Reset this PC.
    • Choose whether to keep your files or remove everything.
  • Reinstall Windows: Backup your data and perform a clean installation using a bootable USB drive with the Windows installation media.

Additional Tools and Resources

  • BlueScreenView: A utility to view minidump files created during BSODs.
  • WhoCrashed: Analyzes crash dumps to determine the cause of the crash.
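Added example (not from the original article): gathers the evidence step 1 asks for from the System event log and the minidump folder, so the bugcheck code and dump file are to hand before working through the steps above and before loading a dump into BlueScreenView or WhoCrashed. Run elevated. The short code-to-name table is from the public Windows bug-check reference, not from the article.

```powershell
# Added example: pull recent bugcheck codes and dump files from a machine that has BSODed.
$bugCheckNames = @{
    '0x0000001e' = 'KMODE_EXCEPTION_NOT_HANDLED'
    '0x0000003b' = 'SYSTEM_SERVICE_EXCEPTION'
    '0x00000050' = 'PAGE_FAULT_IN_NONPAGED_AREA'
    '0x0000007e' = 'SYSTEM_THREAD_EXCEPTION_NOT_HANDLED'
    '0x0000009f' = 'DRIVER_POWER_STATE_FAILURE'
    '0x000000d1' = 'DRIVER_IRQL_NOT_LESS_OR_EQUAL'
    '0x00000124' = 'WHEA_UNCORRECTABLE_ERROR'     # usually hardware (step 4) rather than a driver
}

function Get-BugCheckHistory {
    param([int]$Days = 30)
    # Event 1001 from WER-SystemErrorReporting is written on the first boot after a BSOD;
    # its message carries the bugcheck code, the four parameters and the dump path.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
                 Id = 1001; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg  = $_.Message
        $code = if ($msg -match 'bugcheck was: (0x[0-9a-fA-F]+)') { $Matches[1].ToLower() } else { $null }
        $dump = if ($msg -match 'saved in: (.+?)\. ') { $Matches[1] } else { $null }
        $name = if ($code -and $bugCheckNames.ContainsKey($code)) { $bugCheckNames[$code] }
                else { 'see the Microsoft bug check reference' }
        [pscustomobject]@{ Time = $_.TimeCreated; Code = $code; Name = $name; DumpFile = $dump }
    }
}

function Get-MinidumpFiles {
    Get-ChildItem -Path "$env:SystemRoot\Minidump" -Filter *.dmp -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, LastWriteTime, @{ n = 'SizeKB'; e = { [int]($_.Length / 1KB) } }
}

# Dump generation is controlled here; CrashDumpEnabled = 0 means there will be nothing to analyse.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' |
    Select-Object CrashDumpEnabled, DumpFile, MinidumpDir
Get-BugCheckHistory | Format-Table -AutoSize
Get-MinidumpFiles   | Format-Table -AutoSize
```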

Related Articles, References, Credits, or External Links

NA

Windows 11 Unsupported CPU

Unsupported CPU KB ID 0001878

Problem

I needed to upgrade a Windows 11 VM from 21H2 to 23H2. As is recommended, I installed the PC Health Check, and I was surprised to see this error.

The processor isn’t currently supported for Windows 11.
More about supported CPUs
Processor Intel Xeon CPU E5-2650 v3 @ 2.4GHz

I say surprised, because although this was a VMware virtual machine it was ultimately on a HPE DL360 Gen 9 – which is getting on, but is in no way ancient.

Solution : Windows 11 Unsupported CPU

I’ve written before about how to bypass the lack of a TPM, but you can also get Windows 11 to bypass the processor check.

Launch the registry editor (regedit) and navigate to the following location.

[box]

HKEY_LOCAL_MACHINE > SYSTEM > Setup > MoSetup

[/box]

Note: On my 21H2 VM the MoSetup Key did not exist, so I had to create that key first!

Create a new 32-bit DWORD value called AllowUpgradesWithUnsupportedTPMOrCPU and set its value to 1 (one).

You should now be able to perform the upgrade without error.
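Added example (not from the original article): records the build before the upgrade (what winver shows), creates the MoSetup key if it is missing, as it was on the 21H2 VM above, and sets the bypass value. Run elevated; run Get-WindowsBuild again afterwards to confirm the new build.

```powershell
# Added example: scripted version of the MoSetup registry change, with a before/after build check.
function Get-WindowsBuild {
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Product = $cv.ProductName
        Version = $cv.DisplayVersion                      # e.g. 21H2 / 23H2
        Build   = "$($cv.CurrentBuild).$($cv.UBR)"        # the build winver displays
        Cpu     = (Get-CimInstance Win32_Processor | Select-Object -First 1).Name
    }
}

function Enable-UnsupportedCpuUpgrade {
    $key = 'HKLM:\SYSTEM\Setup\MoSetup'
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null    # key was absent on the 21H2 VM in the article
    }
    # The machine then runs Windows 11 outside Microsoft's supported-hardware list.
    New-ItemProperty -Path $key -Name AllowUpgradesWithUnsupportedTPMOrCPU `
        -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $key).AllowUpgradesWithUnsupportedTPMOrCPU   # read back; expect 1
}

Get-WindowsBuild
Enable-UnsupportedCpuUpgrade
```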

Start and end results of winver prove the upgrade was then successful.

Related Articles, References, Credits, or External Links

NA

VMware vSphere Adding vTPM

vTPM KB ID 0001875

Problem

I’ve been asked about this a couple of times in the past; back then my test bench was running a mix of ESX 6.7 and 6.5, so I could not test and document the process. Now everything is running ESX 8.x I can test the procedure in anger. The reason is that I was met with this today:

TPM 2.0 must be supported and enabled on this PC

So what’s a TPM, and a vTPM and why is that important?

Trusted Platform Module (TPM): A hardware component that enhances security by providing cryptographic functions and secure storage of cryptographic keys. It is used for tasks such as device authentication, secure boot, and encryption.

Virtual TPM (vTPM): A virtualised version of a TPM that provides the same functionality as a physical TPM but is implemented in software within a virtualised environment. It allows virtual machines (VMs) to use TPM features without requiring a physical TPM chip in the underlying hardware.

Key Functions of vTPM:

  • Secure Boot: Ensures that a system boots using only software that is trusted by the manufacturer.
  • Device Authentication: Verifies the integrity of the device and its software before it is allowed to connect to the network or perform sensitive operations.
  • Encryption Key Storage: Stores cryptographic keys securely, preventing unauthorized access even if the VM is compromised.

Use Cases:

  • Cloud Computing: Provides security features for VMs in cloud environments, ensuring that each VM can have its own isolated and secure TPM instance.
  • Virtualization Platforms: Enhances security in environments using hypervisors such as VMware, Microsoft Hyper-V, or KVM.

Implementation:

  • Software-Based: Implemented as part of the virtualization software stack.
  • Isolation: Each vTPM instance is isolated from others, ensuring that the security properties of TPM are maintained even in a multi-tenant environment.

Advantages:

  • Scalability: Easily scalable across many VMs without the need for physical TPM hardware.
  • Flexibility: Can be deployed in various virtualized environments and cloud infrastructures.

To summarise, vTPM provides the security benefits of TPM in virtualised and cloud environments, enabling secure operations and cryptographic functions for virtual machines.

Solution: VMware vTPM

vTPM Prerequisites

To install and configure a vTPM (Virtual Trusted Platform Module) on VMware ESXi, certain prerequisites must be met to ensure compatibility and proper functionality. Here are the main prerequisites:

  • VMware ESXi Version: vTPM is supported on ESXi 6.7 and later versions. (If you have even one older host then you will NOT be able to utilise vTPM).
  • VM Hardware Version: The virtual machine (VM) must be configured with hardware version 14 or higher. This ensures that the VM can support the vTPM functionality.
  • vSphere: vSphere 6.7 or later is required. This includes both vCenter Server and the ESXi hosts.
  • UEFI Firmware: The VM must be configured to use UEFI (Unified Extensible Firmware Interface) firmware instead of BIOS. vTPM is not supported with legacy BIOS firmware.
  • Key Management Server (KMS): A Key Management Server must be configured and accessible. VMware vSphere requires a KMS to manage the encryption keys used for VM encryption and vTPM. This cannot be done with the ‘built in’ Native Key Provider.
  • Virtual Machine Compatibility: Ensure that the guest operating system of the VM supports TPM. Most modern operating systems, including Windows 10, Windows Server 2016/2019, and certain Linux distributions, support TPM.
  • Permissions: Appropriate permissions are required to configure vTPM. Ensure that you have the necessary administrative privileges in vCenter Server to configure VM options and encryption settings.

vTPM: Adding VMware Native Key Provider

With your vCenter selected > Configure > Key Providers > Add > Give the Key Provider a sensible name > Untick “Use Key provider only with TPM protected ESXi Hosts (Recommended)”* > Add Key Provider.

*Note: Each ESXi server DOES NOT need to have its own physical TPM chip; unticking this option lets you deploy vTPM to a VM on ANY host regardless of whether it has a TPM chip or not.

Before it can be used you have to back it up > Select your Key Provider > Backup > Tick ‘Protect this Native Key Provider with a password (Recommended)’ > Supply and confirm a password > Tick “I have saved the password in a secure place” > Backup Key Provider.

Adding vTPM to a Virtual Machine

Right click the VM in question  > Edit Settings.

Add New Device > Trusted Platform Module > OK.

I Don’t See Trusted Platform Module?

Yeah, I knew all my prerequisites had been met, but if you’ve read from the start you will know this VM came from a 6.7/6.5 environment, so not being able to add a vTPM was probably a hardware version problem. To save you googling, hardware version 14 is ESX 6.7 compatibility, so you have to change the compatibility, like so.

Right click the VM > Compatibility > Upgrade VM Compatibility > Yes > Select a version that is 6.7 or newer > OK.

Note: If you cannot perform this procedure, you can bypass the check for both a TPM and an unsupported CPU by following the procedure in the following article.

Windows 11 Unsupported CPU
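Added example using VMware PowerCLI (not from the original article and not VMware's own procedure): checks the prerequisites listed above for one VM, raises the hardware version if it is below 14, then adds the vTPM. It assumes PowerCLI with Connect-VIServer already done, that the Native Key Provider has been added and backed up as shown, and that the Get-VTpm/New-VTpm cmdlets (PowerCLI 12.1 and later) are available; the VM name is a placeholder.

```powershell
# Added example: PowerCLI equivalent of the vTPM prerequisite check and Add New Device step.
param([Parameter(Mandatory)][string]$VMName)

function Test-VTpmPrereqs {
    param([Parameter(Mandatory)]$VM)
    $hwVersion = [int]($VM.HardwareVersion -replace '^vmx-', '')   # "vmx-13" -> 13
    [pscustomobject]@{
        Name         = $VM.Name
        PoweredOff   = $VM.PowerState -eq 'PoweredOff'
        HwVersion    = $hwVersion
        HwVersionOk  = $hwVersion -ge 14                              # 14 = ESXi 6.7 compatibility
        UefiFirmware = $VM.ExtensionData.Config.Firmware -eq 'efi'    # vTPM needs EFI, not BIOS
        HasVTpm      = [bool](Get-VTpm -VM $VM -ErrorAction SilentlyContinue)
    }
}

$vm  = Get-VM -Name $VMName
$pre = Test-VTpmPrereqs -VM $vm
$pre | Format-List

if ($pre.HasVTpm)           { Write-Host "$VMName already has a vTPM."; return }
if (-not $pre.PoweredOff)   { throw "Power off $VMName before changing compatibility or adding a vTPM." }
if (-not $pre.UefiFirmware) {
    # Switching an installed OS from BIOS to EFI also needs its disk converted to GPT, so stop here.
    throw "$VMName boots with BIOS firmware; vTPM requires EFI."
}
if (-not $pre.HwVersionOk) {
    # Same as Compatibility > Upgrade VM Compatibility in the article; this is not reversible.
    Set-VM -VM $vm -HardwareVersion vmx-14 -Confirm:$false | Out-Null
    $vm = Get-VM -Name $VMName
}

New-VTpm -VM $vm | Out-Null
Get-VTpm -VM $vm          # confirms the device now exists
```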

Related Articles, References, Credits, or External Links

NA