I’ve been asked about this a couple of times in the past; back then my test bench was running a mix of ESX 6.7 and 6.5, so I could not test and document the process. Now everything is running ESX 8.x, I can test the procedure in anger. The reason is that I was met with this today:
TPM 2.0 must be supported and enabled on this PC
So what’s a TPM, and a vTPM and why is that important?
Trusted Platform Module (TPM): A hardware component that enhances security by providing cryptographic functions and secure storage of cryptographic keys. It is used for tasks such as device authentication, secure boot, and encryption.
Virtual TPM (vTPM): A virtualised version of a TPM that provides the same functionality as a physical TPM but is implemented in software within a virtualised environment. It allows virtual machines (VMs) to use TPM features without requiring a physical TPM chip in the underlying hardware.
Key Functions of vTPM:
Secure Boot: Ensures that a system boots using only software that is trusted by the manufacturer.
Device Authentication: Verifies the integrity of the device and its software before it is allowed to connect to the network or perform sensitive operations.
Encryption Key Storage: Stores cryptographic keys securely, preventing unauthorized access even if the VM is compromised.
Use Cases:
Cloud Computing: Provides security features for VMs in cloud environments, ensuring that each VM can have its own isolated and secure TPM instance.
Virtualization Platforms: Enhances security in environments using hypervisors such as VMware, Microsoft Hyper-V, or KVM.
Implementation:
Software-Based: Implemented as part of the virtualization software stack.
Isolation: Each vTPM instance is isolated from others, ensuring that the security properties of TPM are maintained even in a multi-tenant environment.
Advantages:
Scalability: Easily scalable across many VMs without the need for physical TPM hardware.
Flexibility: Can be deployed in various virtualized environments and cloud infrastructures.
To summarise, vTPM provides the security benefits of TPM in virtualised and cloud environments, enabling secure operations and cryptographic functions for virtual machines.
Solution: VMware vTPM
vTPM Prerequisites
To install and configure a vTPM (Virtual Trusted Platform Module) on VMware ESXi, certain prerequisites must be met to ensure compatibility and proper functionality. Here are the main prerequisites:
VMware ESXi Version: vTPM is supported on ESXi 6.7 and later versions. (If you have even a single older host, you will NOT be able to utilise vTPM.)
VM Hardware Version: The virtual machine (VM) must be configured with hardware version 14 or higher. This ensures that the VM can support the vTPM functionality.
vSphere: vSphere 6.7 or later is required. This includes both vCenter Server and the ESXi hosts.
UEFI Firmware: The VM must be configured to use UEFI (Unified Extensible Firmware Interface) firmware instead of BIOS. vTPM is not supported with legacy BIOS firmware.
Key Management Server (KMS): A Key Management Server must be configured and accessible. VMware vSphere requires a KMS to manage the encryption keys used for VM encryption and vTPM. This cannot be done with the ‘built in’ Native Key Provider.
Virtual Machine Compatibility: Ensure that the guest operating system of the VM supports TPM. Most modern operating systems, including Windows 10, Windows Server 2016/2019, and certain Linux distributions, support TPM.
Permissions: Appropriate permissions are required to configure vTPM. Ensure that you have the necessary administrative privileges in vCenter Server to configure VM options and encryption settings.
vTPM: Adding VMware Native Key Provider
With your vCenter selected > Configure > Key Providers > Add > Give the Key Provider a sensible name > Untick “Use Key provider only with TPM protected ESXi Hosts (Recommended)”* > Add Key Provider.
*Note: Each ESXi server DOES NOT need to have its own physical TPM chip; unticking this option lets you deploy vTPM to a VM on ANY host, regardless of whether it has a TPM chip or not.
Before it can be used you have to back it up > Select your Key Provider > Backup > Tick ‘Protect this Native Key Provider with a password (Recommended)’ > Supply and confirm a password > Tick “I have saved the password in a secure place” > Backup Key Provider.
Adding vTPM to a Virtual Machine
Right click the VM in question > Edit Settings.
Add New Device > Trusted Platform Module > OK.
I Don’t See Trusted Platform Module?
Yeah, I knew all my prerequisites had been met, but if you’ve read from the start you will know this VM came from a 6.7/6.5 environment, so not being able to add a vTPM was probably a hardware version problem. To save you googling: hardware version 14 is ESX 6.7 compatibility, so you have to change the compatibility, like so.
Right click the VM > Compatibility > Upgrade VM Compatibility > Yes > Select a version that is 6.7 or newer > OK.
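The same prerequisite checks and the add-vTPM step, done with PowerCLI rather than the vSphere client, as an added example that is not part of the original article. It assumes an existing Connect-VIServer session and PowerCLI 12.1 or later (for the Get-VTpm/New-VTpm cmdlets, which I'm assuming are available in your version); the VM name is a placeholder. It checks every host in the VM's cluster, not just the one it sits on, because a single older host blocks vTPM.

```powershell
# Added example (not from the original article): PowerCLI pre-flight check before adding a vTPM.
# Assumes an existing Connect-VIServer session and PowerCLI 12.1+ (Get-VTpm/New-VTpm).

function Test-VTpmPrerequisites {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [int]$MinimumHardwareVersion = 14      # vmx-14 = ESX 6.7 compatibility
    )
    $vm     = Get-VM -Name $VMName -ErrorAction Stop
    $vmHost = $vm.VMHost
    $cfg    = $vm.ExtensionData.Config

    # PowerCLI reports the hardware version as "vmx-NN"
    $hwVersion = [int]($vm.HardwareVersion -replace '^vmx-', '')

    # Every host in the same cluster (or folder) must be 6.7 or later
    $clusterHosts = Get-VMHost -Location $vmHost.Parent
    $oldHosts     = $clusterHosts | Where-Object { [version]$_.Version -lt [version]'6.7.0' }

    $checks = [ordered]@{
        'All hosts in cluster are ESXi 6.7 or later'      = (-not $oldHosts)
        "VM hardware version >= $MinimumHardwareVersion"   = ($hwVersion -ge $MinimumHardwareVersion)
        'VM firmware is EFI (vTPM needs UEFI, not BIOS)'  = ($cfg.Firmware -eq 'efi')
        'VM is powered off'                                = ($vm.PowerState -eq 'PoweredOff')
        'No vTPM already present'                          = (-not (Get-VTpm -VM $vm -ErrorAction SilentlyContinue))
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }
}

function Add-VTpmToVM {
    param([Parameter(Mandatory)][string]$VMName)
    $results = Test-VTpmPrerequisites -VMName $VMName
    $failed  = $results | Where-Object { -not $_.Passed }
    if ($failed) {
        Write-Warning ("Not adding vTPM to {0}; failed: {1}" -f $VMName, ($failed.Check -join '; '))
        return $results
    }
    # A key provider must already exist (article: Configure > Key Providers);
    # without one New-VTpm errors out, which is the safe outcome.
    New-VTpm -VM (Get-VM -Name $VMName) -Confirm:$false
}

# If only the hardware-version check fails, upgrade compatibility first (VM must be powered off):
#   Set-VM -VM (Get-VM -Name 'Win11-Test') -HardwareVersion 'vmx-14' -Confirm:$false
# Then:
#   Add-VTpmToVM -VMName 'Win11-Test'
```

Running Test-VTpmPrerequisites on its own gives you a pass/fail table, which is what the “I don’t see Trusted Platform Module” symptom really needs; Add-VTpmToVM refuses to change anything while any check fails.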
Note: If you cannot perform this procedure, you can bypass the check for both a TPM and an unsupported CPU by following the procedure in the following article.
Directly on an ESX Host: If you have a stand-alone ESX Server running version 8.x, Log in via the web console > Select ‘Host’ > Actions > Services > Enable Secure Shell (SSH).
Via vSphere/vCenter: If you want to enable SSH on an ESX host through the vCenter Web client then, from the ‘hosts and datacentres’ view > Select the Host > Configure > Services > Locate SSH > Start.
Enable SSH Permanently: Some people don’t want this enabled for security reasons, and in production that makes sense, but on my test network I always have SSH enabled. From the same screen as above, with SSH selected > Edit Start-up Policy > Select ‘Start and stop with host’ > OK.
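The same thing from PowerCLI, as an added example that is not part of the original article: start the SSH service on a host, optionally set the ‘start and stop with host’ policy, and audit which hosts have SSH running or set to start automatically (useful for finding hosts where it was left on after a maintenance window). It assumes an existing Connect-VIServer session; ‘TSM-SSH’ is the service key ESXi uses for SSH, and the host name is a placeholder.

```powershell
# Added example (not from the original article): manage and audit the ESXi SSH service with PowerCLI.
# Assumes an existing Connect-VIServer session. 'TSM-SSH' is ESXi's service key for SSH.

function Get-EsxiSshService {
    param([Parameter(Mandatory)][string]$HostName)
    Get-VMHostService -VMHost (Get-VMHost -Name $HostName -ErrorAction Stop) |
        Where-Object { $_.Key -eq 'TSM-SSH' }
}

function Get-EsxiSshStatus {
    # Policy: 'on' = start and stop with host, 'off' = start manually, 'automatic' = start with firewall ports
    param([string[]]$HostName = '*')
    foreach ($vmHost in Get-VMHost -Name $HostName) {
        $ssh = Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq 'TSM-SSH' }
        [pscustomobject]@{ Host = $vmHost.Name; Running = $ssh.Running; Policy = $ssh.Policy }
    }
}

function Enable-EsxiSsh {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [switch]$Permanent     # the article's "Start and stop with host"
    )
    $ssh = Get-EsxiSshService -HostName $HostName
    if (-not $ssh.Running) { Start-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
    if ($Permanent)        { Set-VMHostService -HostService $ssh -Policy 'on' | Out-Null }
    Get-EsxiSshStatus -HostName $HostName
}

function Disable-EsxiSsh {
    param([Parameter(Mandatory)][string]$HostName)
    $ssh = Get-EsxiSshService -HostName $HostName
    if ($ssh.Running) { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
    Set-VMHostService -HostService $ssh -Policy 'off' | Out-Null
    Get-EsxiSshStatus -HostName $HostName
}

# Enable-EsxiSsh -HostName 'esx01.lab.local' -Permanent          # placeholder host name
# Get-EsxiSshStatus | Where-Object { $_.Running -or $_.Policy -eq 'on' }   # who still has SSH on?
```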
VMware Enable SSH 6.5
If you have a stand-alone ESX Server running version 6.5, it’s a lot easier to enable ESX access. Select ‘Host’ > Actions > Service > Enable Secure Shell (SSH). Note: You can also enable the direct console access here.
If you want to enable SSH on an ESX host through the vCenter Web client then, from the ‘hosts and datacenters’ view > Select the Host > Configure > Security Profile > Scroll down to ‘Services’ > Edit.
Locate ‘SSH’ > Start > OK.
Once enabled you will see the following warning on the hosts summary page, however, in version 6.5 you can suppress this error.
VMware Enable SSH ESX 5
ESX 5 has a built-in firewall, which can have SSH opened in the VI client, or, just as with version 4.1.0, you can enable SSH locally from the console under Troubleshooting Options.
Enable Remotely
1. Log into the host with the VI client > Select the host > Configuration > Security Profile > Properties.
2. Locate SSH Server > Tick it > Options > You can either manually start it or set it to start automatically.
3. You will see the following warning to “retrieve” the firewall settings (because you have just changed them) > Select Yes.
Note: Having it running will still cause the “Configuration Issues – SSH for the host has been enabled” nag screen on the summary tab of the host.
VMware Enable SSH ESX 4.0.1
Starting with version 4.0.1 you can enable SSH access from the server console.
1. Go to the normal ESX console > Press F2 > Log in >Troubleshooting Options.
2. Select “Enable Remote Tech Support” (toggle on and off with {Enter}) if you want to SSH into the server remotely, using PuTTY for example > If you want to log on directly at the console choose “Enable Local Tech Support”.
3. Note: Having it running will still cause the “Configuration Issues – Remote Tech support Mode (SSH) for the host {hostname} has been enabled” nag screen on the summary tab of the host.
Grant SSH Access to ESX 4.0.0 and earlier
1. Go to the normal ESXi console.
2. Press ALT+F1 > the screen will change > Type unsupported {Enter} > Note: Nothing will appear on the screen till you hit {Enter} > Type in the root password and press {Enter}.
3. You now need to edit a config file; the only editor we have is vi (sorry). Issue the following command:
[box]vi /etc/inetd.conf[/box]
4. The vi editor will open the file, use the arrow keys to move down to the line that says,
[box]#ssh stream tcp nowait root…[/box]
Press I on the keyboard (that puts the vi editor into insert mode) and delete the hash “#” mark from the beginning of the line.
5. Then, to save the changes press {Esc} > type in :wq {Enter} (that’s write the changes and quit, if you’re interested).
6. Enter the following command.
[box]
cat /var/run/inetd.pid
[/box]
It will provide you with a number (in the example below it’s 4983; yours will be different).
7. Issue the following command.
[box]
kill -HUP {the number you got from above}
[/box]
8. To get back to the usual ESXi screen and exit command line press ALT+F2.
9. You can now connect with an SSH client like PuTTY.
Related Articles, References, Credits, or External Links
iSCSI storage is nice and cheap, so adding iSCSI 10/1Gbps storage to your virtual infrastructure is a common occurrence.
vSphere Adding iSCSI Solution (vSphere 7/8)
Add a Software iSCSI Adaptor: Select the host > Configure > Storage Adapters > Add > Software iSCSI adaptor > OK.
After a few seconds you should see it appear at the bottom of the list.
Create a vSwitch and VMKernel: If you already have this configured you can skip this section, but basically you need a vSwitch with a VMKernel interface (that has an IP address on it that can ‘see’ your iSCSI device), and then you need to connect a physical NIC from that vSwitch to the iSCSI network (or VLAN).
With the host still selected > Configure > Virtual Switches > Add Networking.
VMKernel Network Adapter > Next.
New Standard Switch > Set the MTU to 9000 to enable jumbo frames > Next.
Note: Make sure the physical switches you are connecting to also support Jumbo Frames. Each vendor will be slightly different to configure.
THIS IS CONFUSING: Select the NIC you want to add to the vSwitch, and then ‘Move Down’ so that it is listed in Active Adapters > Next.
Give the switch a sensible name (like iSCSI) > Next.
Define the IP address of the VMKernel (this needs to be able to see the iSCSI Target IP addresses) > Next.
Note: Don’t worry about the default gateway; it will display the default gateway of the management network, and that’s fine unless you need to route to the iSCSI devices.
Review the settings > Finish.
You should now have a new vSwitch for iSCSI.
vSphere Adding iSCSI Storage: Create Port Binding
Back on the Storage Adapters tab > Select the iSCSI adapter > Network Port Binding > Add.
Select the one you’ve just created > OK.
vSphere Adding iSCSI Storage: Add iSCSI Target
Dynamic Discovery > Add.
Add in the iSCSI Target IP for your storage device/provider > OK.
At this point it’s a good idea to do a full storage rescan.
No Storage Has Appeared? Remember that at this point your iSCSI storage device probably needs to ‘allow’ this ESX server access to the storage before it will either appear (if it’s already been formatted as VMFS and is in use by other hosts) or, if this is the first host to connect, can be formatted as a VMFS datastore.
How this is done varies from vendor to vendor.
If you need to add the storage manually > Host > Storage > New Datastore.
vSphere Adding iSCSI Solution (vSphere 5/6)
Add a Software iSCSI Adaptor: Select the host > Configure > Storage Adaptor > Add > Software iSCSI adaptor.
After a few seconds you should see it appear at the bottom of the list.
Create a vSwitch and VMKernel: If you already have this configured you can skip this section, but basically you need a vSwitch with a VMKernel interface (that has an IP address on it that can ‘see’ your iSCSI device), and then you need to connect a physical NIC from that vSwitch to the iSCSI network (or VLAN).
Note: You can add a port group to an existing switch, (or use a distributed switch!) Here I’m using a standard vSwitch and keeping my storage on its own vSwitch.
With the host still selected > Configure > Virtual Switches > Add.
VMware Kernel Adaptor > Next > New Standard Switch > Next > Add in the Physical NIC that’s connected to your iSCSI network > Next.
Give the VMKernel port a name (i.e. Storage-iSCSI) > Next > Put in the IP details* > Next > Finish.
*Note: You may need to add a gateway if your iSCSI device is on another network.
Jumbo Frames Warning: Edit the properties of the switch and set its MTU to 9000 to allow for jumbo frames.
vSphere Adding iSCSI Storage: make sure the physical switches you are connecting to also support jumbo frames. Each vendor will be slightly different; in my case the switches are Cisco Catalyst 3750-Xs, so I just need to enable jumbo frames universally on the switch (which requires a reload/reboot!).
Allow Jumbo Frames Cisco Catalyst 3750-X
Execute the following commands:
[box]
Petes-Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Switch(config)#system mtu jumbo 9198
Changes to the system jumbo MTU will not take effect until the next reload is done
[/box]
Then reboot/reload the switch and check:
[box]
Petes-Switch#show system mtu
System MTU size is 1500 bytes
System Jumbo MTU size is 9198 bytes
System Alternate MTU size is 1500 bytes
Routing MTU size is 1500 bytes
[/box]
vSphere Configure iSCSI: Back on your vCenter, we need to ‘Bind’ the VMKernel port we created above, to our Software iSCSI adaptor. With the host selected > Configure > Storage Adaptors > Select the iSCSI Adaptor > Network Port Binding > Add.
Select the VMKernel Port > OK.
Note: If you can’t see/select anything, make sure each iSCSI port group is set to use ONLY ONE physical NIC, (i.e. move the others into ‘unused’). That’s on the port group properties NOT the failover priority of the vSwitch.
Add an iSCSI Target to vSphere: With the iSCSI Adaptor still selected > Targets > Add.
Give it the IP address of your iSCSI device.
At this point, I would suggest you perform a ‘Storage Rescan’.
Ensure ALL HOSTS have had the same procedure carried out on them. Then (assuming you have configured your iSCSI device, presented the storage, and allowed access to it from your ESX hosts) right click the Cluster > Storage > New Datastore > Follow the instructions.
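Because every host needs exactly the same iSCSI configuration, here is the whole procedure from both the vSphere 7/8 and vSphere 5/6 sections above as one PowerCLI function, added as an example that is not part of the original article. It assumes an existing Connect-VIServer session and that Get-EsxCli -V2 exposes esxcli iscsi networkportal (the command behind ‘Network Port Binding’); host name, vmnic, IP addresses and target addresses are placeholders. It also outputs the host’s IQN, which is what you paste into the storage array to ‘allow’ the host.

```powershell
# Added example (not from the original article): software iSCSI + dedicated vSwitch + VMkernel port
# + port binding + dynamic targets, repeatable per host. Assumes an existing Connect-VIServer session.

function Add-SoftwareIscsi {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$PhysicalNic,       # e.g. 'vmnic2', cabled to the iSCSI VLAN
        [Parameter(Mandatory)][string]$VmkIp,
        [Parameter(Mandatory)][string]$SubnetMask,
        [Parameter(Mandatory)][string[]]$TargetAddress,   # iSCSI target portal IPs
        [string]$SwitchName    = 'vSwitch-iSCSI',
        [string]$PortGroupName = 'Storage-iSCSI',
        [int]$Mtu = 9000                                  # jumbo frames; the physical switches must match
    )
    $vmHost = Get-VMHost -Name $HostName -ErrorAction Stop

    # 1. Software iSCSI adapter (skip if already enabled)
    $storage = Get-VMHostStorage -VMHost $vmHost
    if (-not $storage.SoftwareIScsiEnabled) {
        Set-VMHostStorage -VMHostStorage $storage -SoftwareIScsiEnabled $true | Out-Null
    }
    $hba = Get-VMHostHba -VMHost $vmHost -Type IScsi | Where-Object { $_.Model -eq 'iSCSI Software Adapter' }

    # 2. Dedicated standard vSwitch with a single uplink, MTU 9000
    $vSwitch = Get-VirtualSwitch -VMHost $vmHost -Name $SwitchName -ErrorAction SilentlyContinue
    if (-not $vSwitch) {
        $vSwitch = New-VirtualSwitch -VMHost $vmHost -Name $SwitchName -Nic $PhysicalNic -Mtu $Mtu
    }

    # 3. VMkernel port on that switch, same MTU (no gateway needed unless the target is routed)
    $vmk = Get-VMHostNetworkAdapter -VMHost $vmHost -VMKernel | Where-Object { $_.PortGroupName -eq $PortGroupName }
    if (-not $vmk) {
        $vmk = New-VMHostNetworkAdapter -VMHost $vmHost -VirtualSwitch $vSwitch -PortGroup $PortGroupName `
                   -IP $VmkIp -SubnetMask $SubnetMask -Mtu $Mtu
    }

    # 4. Port binding (esxcli iscsi networkportal add). Binding only works when the port group
    #    has exactly one active uplink, which a fresh single-NIC switch satisfies.
    $esxcli = Get-EsxCli -VMHost $vmHost -V2
    $bound  = $esxcli.iscsi.networkportal.list.Invoke(@{ adapter = $hba.Device })
    if ($bound.Vmknic -notcontains $vmk.Name) {
        $esxcli.iscsi.networkportal.add.Invoke(@{ adapter = $hba.Device; nic = $vmk.Name }) | Out-Null
    }

    # 5. Dynamic discovery targets, then a full rescan
    foreach ($addr in $TargetAddress) {
        if (-not (Get-IScsiHbaTarget -IScsiHba $hba -Type Send | Where-Object { $_.Address -eq $addr })) {
            New-IScsiHbaTarget -IScsiHba $hba -Address $addr -Type Send | Out-Null
        }
    }
    Get-VMHostStorage -VMHost $vmHost -RescanAllHba -RescanVmfs | Out-Null

    [pscustomobject]@{
        Host     = $vmHost.Name
        Adapter  = $hba.Device
        Iqn      = $hba.IScsiName          # give this to the storage array's host definition
        Vmkernel = $vmk.Name
        Targets  = (Get-IScsiHbaTarget -IScsiHba $hba -Type Send).Address -join ', '
    }
}

# Placeholder values; run once per host in the cluster:
# Add-SoftwareIscsi -HostName 'esx01.lab.local' -PhysicalNic 'vmnic2' -VmkIp '10.10.10.11' `
#     -SubnetMask '255.255.255.0' -TargetAddress '10.10.10.100','10.10.10.101'
```

Each step is idempotent, so re-running it on a host that is already half-configured only fills in what is missing. If ‘No storage has appeared’ afterwards, the Iqn in the output is the value the array is waiting for.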
IBM Storwize V3700 iSCSI
This article is just for configuring the VMware side, but just as a placeholder (and to jog my memory if ever I put in another one), the process is:
1. Set the iSCSI IP addresses. Note: these are under Settings > Network > Ethernet Ports (not iSCSI, confusingly).
2. Create the Hosts (Note: you can copy the IQN in from vCenter).
3. Create MDisks (RAID groups) from the available disks. Note: Global Spares are allocated here.
4. Create a Pool. I don’t really see the point of these, but you need one to create a volume.
5. Create the Volumes, which you will present to the Hosts, then create host mappings.
When attempting to install Windows 11 on ESX (in this example vSphere 6.7) you will receive the following error:
Windows Setup
This PC can’t run Windows 11
This PC doesn’t meet the minimum system requirements to install this version of Windows. For more information, visit https://aka.ms.WindowsSysReq
The reason you are seeing this is probably not because you don’t have the RAM, CPU, or storage requirements; it’s probably because setup can’t see a TPM 2.0 chip. So you can either bypass this requirement or install a virtual TPM 2.0 chip. (I could not do this, as I’ve still got ESX 6.5 in my test cluster and all the hosts need to be 6.7 or above.)
VMware Fusion Note: Be aware to run Windows 11 on VMware Fusion, you need to set the HDD to 64GB (or greater) and the RAM to 4096 GB or this error will persist.
VMware ESX Note: MAKE SURE you change the boot options to EFI and enable secure boot, in the VM properties.
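Before deciding between the bypass and a vTPM, it helps to know exactly which of the three firmware requirements (UEFI, Secure Boot, TPM 2.0) the VM is failing. The function below, added as an example that is not part of the original article, reports that from inside a Windows guest (it also works from the SHIFT+F10 command prompt during setup, where the WMI TPM class is available). It uses only standard Windows cmdlets and needs an elevated prompt for the TPM query.

```powershell
# Added example (not from the original article): report Windows 11 firmware prerequisites
# as seen from inside the guest. Run elevated; standard Windows cmdlets only.

function Get-Win11FirmwarePrereqs {
    # Windows sets this environment variable to 'UEFI' or 'Legacy'
    $firmware = $env:firmware_type

    # Confirm-SecureBootUEFI throws on legacy BIOS, so treat an exception as "off"
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # Win32_Tpm is absent when no (v)TPM is presented to the VM
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm `
               -ErrorAction SilentlyContinue
    $tpmPresent = [bool]$tpm
    $tpmSpec    = $null
    $tpmReady   = $false
    if ($tpm) {
        # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family
        $tpmSpec  = ($tpm.SpecVersion -split ',')[0].Trim()
        $enabled  = (Invoke-CimMethod -InputObject $tpm -MethodName IsEnabled).IsEnabled
        $active   = (Invoke-CimMethod -InputObject $tpm -MethodName IsActivated).IsActivated
        $tpmReady = [bool]$enabled -and [bool]$active
    }

    [pscustomobject]@{
        FirmwareType   = $firmware
        UefiOk         = ($firmware -eq 'UEFI')
        SecureBootOn   = $secureBoot
        TpmPresent     = $tpmPresent
        TpmSpecVersion = $tpmSpec
        TpmReady       = $tpmReady
        Tpm20Ok        = ($tpmPresent -and $tpmSpec -eq '2.0' -and $tpmReady)
    }
}

Get-Win11FirmwarePrereqs
```

A VM converted from a 6.5/6.7 environment with legacy BIOS will show FirmwareType Legacy and SecureBootOn False even after you add a vTPM, which is why the ‘change the boot options to EFI’ note above matters as much as the TPM itself.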
Windows 11: Bypass the TPM 2.0 Requirement
Press SHIFT+F10 (or Fn+Shift+F10 on a Mac); this will open a command window > type ‘regedit’ {Enter} > the registry editor will open > Navigate to:
[box]
HKEY_LOCAL_MACHINE > SYSTEM > Setup
[/box]
Create a NEW KEY called LabConfig.
Note: There is a newer version of this fix you can find here
In the new key, create a new 32-bit DWORD object.
Call the new object ByPassTPMCheck and give it a value of 1.
Close the registry editor, and type exit to close the command window. Then close the error window (as shown below).
You will be asked to confirm that you want to exit, do so, and setup will restart, and then progress normally.
Note: If you are in a VMware environment, you can also (with some caveats) install a vTPM.
One annoying thing about the vSphere web client is the fact it throws you out after a period of inactivity. Now I know there are straightforward security reasons for this, and in a production environment that’s fine. But on my test network there’s just me, sighing every few minutes and logging back in again.
As the ‘Flash’ client is being deprecated I’ll concentrate on the HTML5 client, but I’ll mention how to alter the Flash client also (if your version of VCSA still supports it!).
vSphere Disable Timeout
vCenter Appliance (VCSA) vSphere Disable Timeout
Connect directly to the console or via SSH. To launch a BASH shell type ‘shell’, then execute the following commands:
[box]
cd /etc/vmware/
ls
[/box]
You will see a folder for vsphere-ui (the HTML5 client)
Note: For older versions of the VCSA, you will also see vsphere-client (the legacy Flash client).
Change directory to the client you want to alter the settings for, then edit the webclient.properties file:
[box]
cd vsphere-ui
vi webclient.properties
[/box]
Locate the ‘session.timeout = 120’ value and change it to zero ‘0’ to disable (or a new figure in minutes).
Note: Navigate with the arrow keys > press ‘I’ to insert > change the text > press ‘Esc’ > type ‘:wq’ to save and exit.
Then restart the HTML5 client with the following commands:
While explaining to a client the difference between sockets, cores and logical processors, I had to revisit this post today, so I updated it for vSphere 7.
Calculating Sockets and Cores
Essentially:
A: Processor Sockets: The physical number of CPUs on the motherboard.
B: Cores Per Socket: For a dual core processor this would be 2, triple core = 3, quad core = 4, hex core = 6, octa core = 8, deca core = 12, etc.
C: Logical Processors: This is the number of sockets multiplied by the cores, and if Hyperthreading is enabled on the processors (see above), then that figure is doubled.
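To see the same three figures for real hosts rather than working them out by hand, here is a PowerCLI report, added as an example that is not part of the original article. It reads sockets, cores and threads from each host’s hardware inventory, checks the A × B × (2 if Hyperthreading) relationship against the logical processor count the host actually reports, and lists how each VM’s vCPUs are presented as sockets and cores per socket. It assumes an existing Connect-VIServer session.

```powershell
# Added example (not from the original article): host and VM CPU topology via PowerCLI.
# Assumes an existing Connect-VIServer session.

function Get-HostCpuTopology {
    foreach ($vmHost in Get-VMHost) {
        $cpu     = $vmHost.ExtensionData.Hardware.CpuInfo   # NumCpuPackages, NumCpuCores (total), NumCpuThreads
        $sockets = $cpu.NumCpuPackages
        $coresPerSocket = [int]($cpu.NumCpuCores / $sockets)
        $ht      = [bool]$vmHost.HyperthreadingActive
        $expected = $sockets * $coresPerSocket * $(if ($ht) { 2 } else { 1 })
        [pscustomobject]@{
            Host              = $vmHost.Name
            Sockets           = $sockets              # A
            CoresPerSocket    = $coresPerSocket       # B
            Hyperthreading    = $ht
            LogicalProcessors = $cpu.NumCpuThreads    # C, as the host reports it
            MatchesFormula    = ($expected -eq $cpu.NumCpuThreads)
        }
    }
}

function Get-VMCpuTopology {
    # How each VM's vCPUs are presented to the guest (matters for per-socket licensed software)
    foreach ($vm in Get-VM) {
        [pscustomobject]@{
            VM              = $vm.Name
            vCPUs           = $vm.NumCpu
            CoresPerSocket  = $vm.CoresPerSocket
            VirtualSockets  = [int]($vm.NumCpu / $vm.CoresPerSocket)
        }
    }
}

Get-HostCpuTopology | Format-Table -AutoSize
Get-VMCpuTopology   | Sort-Object VirtualSockets -Descending | Format-Table -AutoSize
```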
I updated my vCenter to 6.7.0.45100 yesterday, and since then every time I tried to log in to the HTML5 web client, it authenticated, let me in, showed me the error (below), then kicked me out again.
Solution
I assumed (wrongly) that the upgrade had overwritten the webclient.properties file that controls timeouts. This may be your problem; see the following article if my ‘fix’ does not work for you.
In the end my fix was quick and simple: go to Add/Remove Programs, locate the vSphere Enhanced Authentication Plugin (in my case version 6.5.0) and uninstall it.
I had this problem (on vSphere 6.7) the other day when trying to deploy some OVA files on my test network.
Solution
Well, as stated elsewhere, I tried reconnecting to my vCenter using its FQDN; this didn’t solve the problem, and using Flash or HTML5 didn’t cure the problem either. What did cure the problem was using a different browser! I switched from IE to Chrome and it worked fine.
Update: I also cured this problem by using Microsoft Edge (the new Chromium-based one).
A few weeks ago I needed to sort out some extended warranty for a customer’s servers. To do that I needed the serial numbers of those servers (a mixture of IBM/Lenovo and Dell servers).
As I didn’t fancy a drive to two different datacenters, I wanted to try and get them programmatically.
Solution
After some searching I came across a post by one of my old EE buddies, LucD, with exactly what I needed. I’m assuming you have PowerCLI set up before beginning.
Connect to your virtual infrastructure:
[box]
Connect-VIServer {vCenter-server-FQDN}
[/box]
Then (assuming you have a folder called C:\Temp that you can write to):
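As an added example (my own, not LucD’s script from the post the article refers to), here is one way to pull the serial numbers out of each host’s hardware inventory with PowerCLI and write them to C:\Temp. It assumes the Connect-VIServer session above. Dell exposes the service tag and IBM/Lenovo the serial number under different identifier keys in OtherIdentifyingInfo, so it captures all of them rather than guessing per vendor; the SerialNumber column relies on the newer HostSystemInfo.serialNumber field and stays blank on older hosts.

```powershell
# Added example (not from the original article or LucD's post): ESXi host serial numbers via PowerCLI.
# Assumes an existing Connect-VIServer session and a writable C:\Temp.

function Get-VMHostSerialNumber {
    foreach ($vmHost in Get-VMHost) {
        $info = $vmHost.ExtensionData.Hardware.SystemInfo
        # OtherIdentifyingInfo is a list of (IdentifierType.Key, IdentifierValue) pairs;
        # keys seen in practice include ServiceTag, SerialNumberTag, AssetTag, EnclosureSerialNumberTag
        $ids = @{}
        foreach ($item in $info.OtherIdentifyingInfo) {
            $ids[$item.IdentifierType.Key] = $item.IdentifierValue
        }
        [pscustomobject]@{
            Host            = $vmHost.Name
            Vendor          = $info.Vendor
            Model           = $info.Model
            SerialNumber    = $info.SerialNumber        # newer API field; $null on older hosts
            ServiceTag      = $ids['ServiceTag']        # Dell
            SerialNumberTag = $ids['SerialNumberTag']   # IBM/Lenovo and others
            AssetTag        = $ids['AssetTag']
            EnclosureSerial = $ids['EnclosureSerialNumberTag']   # blades
        }
    }
}

Get-VMHostSerialNumber | Sort-Object Host | Export-Csv -Path 'C:\Temp\ESXi-Serials.csv' -NoTypeInformation
Import-Csv 'C:\Temp\ESXi-Serials.csv' | Format-Table -AutoSize
```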
Using: vSphere 6.7 and VMware Standalone Converter Version 6.2.0
I’m performing this procedure on vSphere 6.7. Back with the release of vSphere 5 this process changed; with vSphere 4 and VI3 you had to install VMware Converter on the vCenter Server, then download and enable the plugin in your VI client software (like this).
VMware now only has the “standalone converter”, so now you DON’T install anything on the vCenter server; the converter runs on a client machine/server.
Note: This article is primarily concerned with shrinking guest hard drives. If you want to make your drives larger you can also use this process, but the following article will be easier: Resizing Windows Volumes / Drives in VMware vSphere / ESX.
Remember you are cloning a machine; don’t have clients writing data to the machine while this is going on, or there is the potential for data to be lost. If possible, disable any services that will accept data (e.g. Exchange, SQL, Oracle, etc.) prior to cloning.
Licensing: Only really applicable if you’re cloning a physical machine, but make sure you DO NOT have OEM Licensing. Also if you have Windows Storage Server, or Windows Appliance Edition, you should speak to a license specialist.
Installing VMware Converter is pretty straightforward: run the install file, accept the EULA, select local installation, and I opt out of the ‘User Experience’; when complete it will open the Converter client by default (as shown).
When the program opens > Convert machine > Type in the name of the machine you are going to convert, and credentials to logon and install the converter agent > Next.
4. If you’re going to retire the target machine afterwards, then it does not really matter, but I leave it on the defaults > Yes.
5. Now enter the details of the vSphere/ESX target that you are going to create the cloned copy on > Next.
6. Give the new VM a name, select which folder to place the new VM into > Next. (Note: You may get a certificate warning; if so click Ignore.)
7. Choose a Cluster/Host > Choose which storage to place the files into > Next.
8. In the ‘Data to Copy’ section > Edit.
9. Here you can select the NEW sizes for the drive(s) on the cloned machine. > Next.
10. Finish.
11. Depending on the size of the VM it can take a while.
12. Now power off the original, and power on the new machine and TEST IT THOROUGHLY; when you are happy you can delete the source machine.
Resizing (Shrinking) Guest Hard Drives in vSphere 4 (and older)
The following procedure was done with vSphere 4, but the process is the same in VI3. Before you start, ensure that VMware Converter has been installed on the Virtual Center Server.