VMware vSphere Adding vTPM

vTPM KB ID 0001875

Problem

I’ve been asked about this a couple of times in the past; back then my test bench was running a mix of ESX 6.7 and 6.5, so I could not test and document the process. Now that everything is running ESX 8.x, I can test the procedure in anger. The reason is that I was met with this today.

TPM 2.0 must be supported and enabled on this PC

So what’s a TPM, and a vTPM and why is that important?

Trusted Platform Module (TPM): A hardware component that enhances security by providing cryptographic functions and secure storage of cryptographic keys. It is used for tasks such as device authentication, secure boot, and encryption.

Virtual TPM (vTPM): A virtualised version of a TPM that provides the same functionality as a physical TPM but is implemented in software within a virtualised environment. It allows virtual machines (VMs) to use TPM features without requiring a physical TPM chip in the underlying hardware.

Key Functions of vTPM:

  • Secure Boot: Ensures that a system boots using only software that is trusted by the manufacturer.
  • Device Authentication: Verifies the integrity of the device and its software before it is allowed to connect to the network or perform sensitive operations.
  • Encryption Key Storage: Stores cryptographic keys securely, preventing unauthorized access even if the VM is compromised.

Use Cases:

  • Cloud Computing: Provides security features for VMs in cloud environments, ensuring that each VM can have its own isolated and secure TPM instance.
  • Virtualization Platforms: Enhances security in environments using hypervisors such as VMware, Microsoft Hyper-V, or KVM.

Implementation:

  • Software-Based: Implemented as part of the virtualization software stack.
  • Isolation: Each vTPM instance is isolated from others, ensuring that the security properties of TPM are maintained even in a multi-tenant environment.

Advantages:

  • Scalability: Easily scalable across many VMs without the need for physical TPM hardware.
  • Flexibility: Can be deployed in various virtualized environments and cloud infrastructures.

To summarise, vTPM provides the security benefits of TPM in virtualised and cloud environments, enabling secure operations and cryptographic functions for virtual machines.

Solution: VMware vTPM

vTPM Prerequisites

To install and configure a vTPM (Virtual Trusted Platform Module) on VMware ESXi, certain prerequisites must be met to ensure compatibility and proper functionality. Here are the main prerequisites:

  • VMware ESXi Version: vTPM is supported on ESXi 6.7 and later versions. (If you have even one older host, you will NOT be able to utilise vTPM.)
  • VM Hardware Version: The virtual machine (VM) must be configured with hardware version 14 or higher. This ensures that the VM can support the vTPM functionality.
  • vSphere: vSphere 6.7 or later is required. This includes both vCenter Server and the ESXi hosts.
  • UEFI Firmware: The VM must be configured to use UEFI (Unified Extensible Firmware Interface) firmware instead of BIOS. vTPM is not supported with legacy BIOS firmware.
  • Key Management Server (KMS): A Key Management Server must be configured and accessible. VMware vSphere requires a KMS to manage the encryption keys used for VM encryption and vTPM. This cannot be done with the ‘built in’ Native Key Provider.
  • Virtual Machine Compatibility: Ensure that the guest operating system of the VM supports TPM. Most modern operating systems, including Windows 10, Windows Server 2016/2019, and certain Linux distributions, support TPM.
  • Permissions: Appropriate permissions are required to configure vTPM. Ensure that you have the necessary administrative privileges in vCenter Server to configure VM options and encryption settings.

vTPM: Adding VMware Native Key Provider

With your vCenter selected > Configure > Key Providers > Add > Give the Key Provider a sensible name > Untick “Use key provider only with TPM protected ESXi hosts (Recommended)”* > Add Key Provider.

*Note: Each ESXi server DOES NOT need to have its own physical TPM chip; unticking this option lets you deploy a vTPM to a VM on ANY host, regardless of whether it has a TPM chip or not.

Before it can be used you have to back it up > Select your Key Provider > Backup > Tick ‘Protect this Native Key Provider with a password (Recommended)’ > Supply and confirm a password > Tick “I have saved the password in a secure place” > Backup Key Provider.

Adding vTPM to a Virtual Machine

Right click the VM in question > Edit Settings.

Add New Device > Trusted Platform Module > OK.

I Don’t See Trusted Platform Module?

Yeah, I knew all my prerequisites had been met, but if you’ve read from the start you will know this VM came from a 6.7/6.5 environment, so not being able to add a vTPM was probably a hardware version problem. To save you googling: hardware version 14 is ESX 6.7 compatibility, so you have to change the compatibility, like so.

Right click the VM > Compatibility > Upgrade VM Compatibility > Yes > Select a version that is 6.7 or newer > OK.
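The same prerequisite checks and the add-device step, as an added PowerCLI example (not code from the original article). It assumes PowerCLI 12 or newer, which provides the vTPM cmdlets, an existing Connect-VIServer session, and a placeholder VM name; the key provider is assumed to already exist as described above.

```powershell
# Added example: pre-flight check for the vTPM prerequisites, then add the device.
# Assumes PowerCLI 12+ (Get-VTpm / New-VTpm) and an existing Connect-VIServer session.
$vmName = 'WIN11-TEST'   # placeholder, change to your VM

$vm = Get-VM -Name $vmName -ErrorAction Stop

# HardwareVersion is returned as 'vmx-NN'; vTPM needs 14 or higher (ESX 6.7 compatibility).
$hwVersion = [int]($vm.HardwareVersion -replace '^vmx-', '')
if ($hwVersion -lt 14) {
    Write-Warning "$vmName is hardware version $hwVersion; upgrading compatibility to vmx-14."
    # The compatibility upgrade is only possible while the VM is powered off.
    if ($vm.PowerState -ne 'PoweredOff') {
        throw "Power off $vmName before upgrading its hardware version."
    }
    $vm = Set-VM -VM $vm -HardwareVersion 'vmx-14' -Confirm:$false
}

# vTPM requires UEFI firmware; legacy BIOS is not supported.
if ($vm.ExtensionData.Config.Firmware -ne 'efi') {
    throw "$vmName uses BIOS firmware. Switch it to EFI (and enable Secure Boot) before adding a vTPM."
}

# The vTPM state is kept encrypted in the VM's NVRAM file, which is why a key provider
# (Native Key Provider or KMS) must be configured on the vCenter first.
if (Get-VTpm -VM $vm) {
    Write-Host "$vmName already has a vTPM."
} else {
    # Equivalent of Edit Settings > Add New Device > Trusted Platform Module > OK.
    New-VTpm -VM $vm | Out-Null
    Write-Host "vTPM added to $vmName."
}

# Show the resulting device so the change can be recorded.
Get-VTpm -VM $vm | Format-List
```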

Note: If you cannot perform this procedure, you can bypass the checks for both a TPM and an unsupported CPU by following the procedure in this article.

Windows 11 Unsupported CPU

Related Articles, References, Credits, or External Links

NA

VMware Enable SSH (vSphere ESX)

VMware Enable SSH KB ID 0000299

Problem

Should you wish to get SSH (remote secure console) access to your ESX hosts, you need to do the following.

ESX Version 8 and Newer

ESX Version 6.5 and Newer

ESX Version 5 and Newer

ESX Version 4.1.0

ESX Version 4.0.0 and Earlier

Solution

VMware Enable SSH ESX 8.0

Directly on an ESX Host: If you have a stand-alone ESX Server running version 8.x, log in via the web console > Select ‘Host’ > Actions > Services > Enable Secure Shell (SSH).

Via vSphere/vCenter: If you want to enable SSH on an ESX host through the vCenter Web client then, from the ‘hosts and datacentres’ view > Select the Host > Configure > Services > Locate SSH > Start.

Enable SSH Permanently: Some people don’t want this enabled for security reasons, and in production that makes sense, but on my test network I always have SSH enabled. From the same screen as above, with SSH selected > Edit Start-up Policy > Select ‘Start and stop with host’ > OK.

VMware Enable SSH 6.5

If you have a stand-alone ESX Server running version 6.5, it’s a lot easier to enable SSH access. Select ‘Host’ > Actions > Service > Enable Secure Shell (SSH). Note: You can also enable the direct console access here.

If you want to enable SSH on an ESX host through the vCenter Web client then, from the ‘hosts and datacenters’ view > Select the Host > Configure > Security Profile > Scroll down to ‘Services’ > Edit.

Locate ‘SSH’ > Start > OK.

Once enabled you will see the following warning on the host’s summary page; however, in version 6.5 you can suppress this warning.
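The ESX 8.0 and 6.5 procedures above, done through vCenter with PowerCLI, as an added example (not code from the original article). It assumes an existing Connect-VIServer session; the host name is a placeholder, and the function names are my own.

```powershell
# Added example: start SSH, make it permanent, turn it back off, and (optionally)
# suppress the 6.5+ summary-page warning. Assumes an existing Connect-VIServer session.
$hostName = 'esx01.lab.local'   # placeholder, change to your host
$vmHost = Get-VMHost -Name $hostName -ErrorAction Stop

# The SSH service key on ESXi is TSM-SSH (the ESXi Shell itself is TSM).
$ssh = Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq 'TSM-SSH' }

function Enable-LabSsh {
    param([switch]$Permanent)
    # Equivalent of Configure > Services > SSH > Start.
    if (-not $ssh.Running) { Start-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
    # Equivalent of Edit Start-up Policy > 'Start and stop with host'.
    # Policy values: Off (manual start), On (with host), Automatic (when firewall ports open).
    if ($Permanent) { Set-VMHostService -HostService $ssh -Policy On -Confirm:$false | Out-Null }
}

function Disable-LabSsh {
    # The production state: service stopped and not started at boot.
    Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
    Set-VMHostService -HostService $ssh -Policy Off -Confirm:$false | Out-Null
}

function Hide-SshWarning {
    # Suppresses the 'SSH for the host has been enabled' warning on the summary page.
    # Leave this at 0 on production hosts so an unexpectedly enabled shell stays visible.
    Get-AdvancedSetting -Entity $vmHost -Name 'UserVars.SuppressShellWarning' |
        Set-AdvancedSetting -Value 1 -Confirm:$false | Out-Null
}

# Test-network usage: SSH on, and started with the host from now on.
Enable-LabSsh -Permanent

# Verify the result (re-read the service, the $ssh object above is a snapshot).
Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq 'TSM-SSH' } |
    Select-Object Key, Label, Running, Policy
```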

VMware Enable SSH ESX 5

ESX 5 has a built-in firewall, in which SSH can be opened from the VI client, or, just as with version 4.1.0, you can enable SSH locally from the console under Troubleshooting Options.

Enable Remotely

1. Log into the host with the VI client > Select the host > Configuration > Security Profile > Properties.

2. Locate SSH Server > Tick it > Options > You can either manually start it or set it to start automatically.

3. You will see the following warning to “retrieve” the firewall settings (because you have just changed them) > Select Yes.

Note: Having it running will still cause the “Configuration Issues – SSH for the host has been enabled” nag screen on the summary tab of the host.

VMware Enable SSH ESX 4.0.1

Starting with version 4.0.1 you can enable SSH access from the server console.

1. Go to the normal ESX console > Press F2 > Log in >Troubleshooting Options.

2. Select “Enable Remote Tech Support” (toggle it on and off with {Enter}) if you want to SSH into the server remotely, using PuTTY for example > If you want to log on directly at the console, choose “Enable Local Tech Support”.

3. Note: Having it running will still cause the “Configuration Issues – Remote Tech support Mode (SSH) for the host {hostname} has been enabled” nag screen on the summary tab of the host.

Grant SSH Access to ESX 4.0.0 and earlier

1. Go to the normal ESXi console.

2. Press ALT+F1 > the screen will change > Type unsupported {Enter} > Note: Nothing will appear on the screen until you hit {Enter} > Type in the root password and press {Enter}.

3. You now need to edit a config file; the only editor we have is vi (sorry). Issue the following command:

[box]vi /etc/inetd.conf[/box]

4. The vi editor will open the file; use the arrow keys to move down to the line that says:

[box]#ssh stream tcp nowait root…[/box]

Press I on the keyboard (that puts the vi editor into insert mode) and delete the hash “#” mark from the beginning of the line.

5. Then, to save the changes press {Esc} > type :wq {Enter} (that’s write the changes and quit, if you’re interested).

6. Enter the following command.

[box]cat /var/run/inetd.pid[/box]

It will provide you with a number (in the example below it’s 4983; yours will be different).

7. Issue the following command.

[box]kill -HUP {the number you got from above}[/box]

8. To get back to the usual ESXi screen and exit command line press ALT+F2.

9. You can now connect with an SSH client like PuTTY.

Related Articles, References, Credits, or External Links

Original Article written: 07/12/11

ESX4 – Grant Root User SSH Access

Thanks to Dave Corrasa for the feedback.

vSphere Adding iSCSI Storage

vSphere Adding iSCSI KB ID 0001378

Problem

iSCSI storage is nice and cheap, so adding iSCSI 10/1Gbps storage to your virtual infrastructure is a common occurrence.

vSphere Adding iSCSI Solution (vSphere 7/8)

Add a Software iSCSI Adaptor: Select the host > Configure > Storage Adapters > Add > Software iSCSI adaptor > OK.

After a few seconds you should see it appear at the bottom of the list.

Create a vSwitch and VMKernel: If you already have this configured you can skip this section, but basically you need a vSwitch with a VMKernel interface (that has an IP address on it that can ‘see’ your iSCSI device), and then you need to connect a physical NIC from that vSwitch to the iSCSI network (or VLAN).

With the host still selected > Configure > Virtual Switches > Add Networking.

VMKernel Network Adapter > Next.

New Standard Switch > Set the MTU to 9000 to enable jumbo frames > Next.

Note: Make sure the physical switches you are connecting to also support Jumbo Frames. Each vendor will be slightly different to configure.

THIS IS CONFUSING: Select the NIC you want to add to the vSwitch, and then ‘Move Down’ so that it is listed in Active Adapters > Next.

Give the switch a sensible name (like iSCSI) > Next.

Define the IP address of the VMKernel (this needs to be able to see the iSCSI Target IP addresses) > Next.

Note: Don’t worry about the default gateway; it will display the default gateway of the management network, and that’s fine (unless you need to route to the iSCSI devices).

Review the settings > Finish.

You should now have a new vSwitch for iSCSI.

vSphere Adding iSCSI Storage: Create Port Binding

Back on the Storage Adapters tab > Select the iSCSI adapter > Network Port Binding > Add.

Select the one you’ve just created > OK.

vSphere Adding iSCSI Storage: Add iSCSI Target

Dynamic Discovery > Add.

Add in the iSCSI Target IP for your storage device/provider > OK.

At this point it’s a good idea to do a full storage rescan.

No Storage Has Appeared? Remember, at this point your iSCSI storage device probably needs to ‘allow’ this ESX server access to the storage before it will either appear (if it has already been formatted as VMFS and is in use by other hosts), or, if this is the first host to connect, before you can format the datastore as VMFS.

How this is done varies from vendor to vendor.

If you need to add the storage manually > Host > Storage > New Datastore.

vSphere Adding iSCSI Solution (vSphere 5/6)

Add a Software iSCSI Adaptor: Select the host > Configure > Storage Adaptor > Add > Software iSCSI adaptor.

After a few seconds you should see it appear at the bottom of the list.

Create a vSwitch and VMKernel: If you already have this configured you can skip this section, but basically you need a vSwitch with a VMKernel interface (that has an IP address on it that can ‘see’ your iSCSI device), and then you need to connect a physical NIC from that vSwitch to the iSCSI network (or VLAN).

Note: You can add a port group to an existing switch, (or use a distributed switch!) Here I’m using a standard vSwitch and keeping my storage on its own vSwitch.

With the host still selected > Configure > Virtual Switches > Add.

VMware Kernel Adaptor > Next > New Standard Switch > Next > Add in the Physical NIC that’s connected to your iSCSI network > Next.

Give the VMKernel port a name (e.g. Storage-iSCSI) > Next > Put in the IP details* > Next > Finish.

*Note: You may need to add a gateway if your iSCSI device is on another network.

Jumbo Frames Warning: Edit the properties of the switch and set its MTU to 9000 to allow for jumbo frames.

vSphere Adding iSCSI Storage: make sure the physical switches you are connecting to also support Jumbo Frames. Each vendor will be slightly different; in my case the switches are Cisco Catalyst 3750-X’s, so I just need to enable jumbo frames universally on the switch (which requires a reload/reboot!)

Allow Jumbo Frames Cisco Catalyst 3750-X

Execute the following commands:

[box]

Petes-Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Petes-Switch(config)#system mtu jumbo 9198
Changes to the system jumbo MTU will not take effect until the next reload is done

Then Reboot/Reload the Switch and Check

Petes-Switch#show system mtu

System MTU size is 1500 bytes
System Jumbo MTU size is 9198 bytes
System Alternate MTU size is 1500 bytes
Routing MTU size is 1500 bytes

[/box]

vSphere Configure iSCSI: Back on your vCenter, we need to ‘Bind’ the VMKernel port we created above, to our Software iSCSI adaptor. With the host selected > Configure > Storage Adaptors > Select the iSCSI Adaptor > Network Port Binding > Add.

Select the VMKernel Port > OK.

Note: If you can’t see/select anything, make sure each iSCSI port group is set to use ONLY ONE physical NIC, (i.e. move the others into ‘unused’). That’s on the port group properties NOT the failover priority of the vSwitch.

Add an iSCSI Target to vSphere: With the iSCSI Adaptor still selected > Targets > Add.

Give it the IP address of your iSCSI device.

At this point, I would suggest you perform a ‘Storage Rescan’.

Ensure ALL HOSTS have had the same procedure carried out on them. Then (assuming you have configured your iSCSI device, presented the storage, and allowed access to it from your ESX hosts), right click the Cluster > Storage > New Datastore > Follow the instructions.
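The same host-side procedure (both the vSphere 7/8 and the vSphere 5/6 sections above) as an added PowerCLI example, not code from the original article. It assumes an existing Connect-VIServer session; the host name, physical NIC, IP addresses and port group name are placeholders, and port binding is done through esxcli because PowerCLI has no dedicated cmdlet for it.

```powershell
# Added example: software iSCSI adapter, dedicated jumbo-frame vSwitch + VMkernel port,
# port binding, dynamic discovery target and rescan. Assumes a Connect-VIServer session.
$hostName = 'esx01.lab.local'   # placeholder, change to your host
$iscsiNic = 'vmnic2'            # placeholder: physical NIC cabled to the iSCSI network/VLAN
$vmkIp    = '192.168.50.11'     # placeholder: VMkernel address on the iSCSI subnet
$vmkMask  = '255.255.255.0'
$targetIp = '192.168.50.10'     # placeholder: iSCSI target for Dynamic Discovery

$vmHost = Get-VMHost -Name $hostName -ErrorAction Stop

# 1. Software iSCSI adapter (Storage Adapters > Add > Software iSCSI adapter).
Get-VMHostStorage -VMHost $vmHost | Set-VMHostStorage -SoftwareIScsiEnabled $true | Out-Null
$hba = Get-VMHostHba -VMHost $vmHost -Type IScsi | Where-Object { $_.Model -like 'iSCSI Software*' }

# 2. Dedicated vSwitch with MTU 9000 and ONE uplink, plus the VMkernel port.
#    Port binding only works when the port group has exactly one active physical NIC,
#    which is the 'can't see/select anything' note in the 5/6 section.
$vSwitch = New-VirtualSwitch -VMHost $vmHost -Name 'iSCSI' -Nic $iscsiNic -Mtu 9000
$vmk = New-VMHostNetworkAdapter -VMHost $vmHost -VirtualSwitch $vSwitch `
           -PortGroup 'Storage-iSCSI' -IP $vmkIp -SubnetMask $vmkMask -Mtu 9000

# 3. Network Port Binding: bind the VMkernel port to the software adapter via esxcli.
#    Equivalent CLI: esxcli iscsi networkportal add -A vmhba64 -n vmk1
$esxcli = Get-EsxCli -VMHost $vmHost -V2
$esxcli.iscsi.networkportal.add.Invoke(@{ adapter = $hba.Device; nic = $vmk.Name }) | Out-Null

# 4. Dynamic Discovery (Send Targets) entry, then a full rescan so the LUNs/VMFS appear.
New-IScsiHbaTarget -IScsiHba $hba -Address $targetIp -Type Send | Out-Null
Get-VMHostStorage -VMHost $vmHost -RescanAllHba -RescanVmfs | Out-Null

# Verify: bound VMkernel ports and discovered targets. If nothing shows up, the storage
# side still has to allow this host's IQN before any datastore can be seen or created.
$esxcli.iscsi.networkportal.list.Invoke() | Select-Object Adapter, Vmknic
Get-IScsiHbaTarget -IScsiHba $hba | Select-Object Address, Port, Type
```

Repeat the script against every host in the cluster before creating the datastore, as the text above says.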

IBM Storwize V3700 iSCSI

This article is just for configuring the VMware side, but, just as a placeholder (and to jog my memory if ever I put in another one), the process on the storage side is:

1. Set the iSCSI IP addresses. Note: these are under Settings > Network > Ethernet Ports (not iSCSI, confusingly).

2. Create the Hosts (Note: you can copy the iqn in from vCenter).
3. Create MDisks (RAID groups) from the available disks. Note: Global Spares are allocated here.

4. Create a Pool. I don’t really see the point of these, but you need one to create a volume.

5. Create the Volumes, which you will present to the Hosts, then create the host mappings.

Related Articles, References, Credits, or External Links

vSphere ESX – Configure Buffalo Terastation 5000 as an iSCSI Target

ESX: This PC Can’t Run Windows 11

KB ID 0001763

Problem: This PC Can’t Run Windows 11

When attempting to install Windows 11 on ESX (in this example vSphere 6.7) you will receive the following error:

Windows Setup
This PC can’t run Windows 11
This PC doesn’t meet the minimum system requirements to install this version of Windows. For more information, visit https://aka.ms.WindowsSysReq

The reason you are seeing this is probably not because you don’t meet the RAM, CPU, or storage requirements; it’s probably because setup can’t see a TPM 2.0 chip. So you can either bypass this requirement or install a virtual TPM 2.0 chip. (I could not do this, as I’ve still got ESX 6.5 in my test cluster and all the hosts need to be 6.7 or above.)

VMware Fusion Note: Be aware that to run Windows 11 on VMware Fusion, you need to set the HDD to 64GB (or greater) and the RAM to 4096 GB, or this error will persist.

VMware ESX Note: MAKE SURE you change the boot options to EFI and enable secure boot, in the VM properties.

Windows 11: Bypass the TPM 2.0 Requirement

Press SHIFT+F10 (or Fn+Shift+F10 on a Mac); this will open a command window > type ‘regedit’ {Enter} > the registry editor will open > Navigate to:

[box]HKEY_LOCAL_MACHINE > SYSTEM > Setup[/box]

Create a NEW KEY called LabConfig.

Note: There is a newer version of this fix you can find here.

In the new key, create a new 32 Bit DWORD object.

Call the new object ByPassTPMCheck and give it a value of 1.

Close the registry editor, and type exit to close the command window. Then close the error window (as shown below).

You will be asked to confirm that you want to exit; do so, and setup will restart and then progress normally.

Note: If you are in a VMware environment, you can also (with some caveats) install a vTPM.

VMware vSphere Adding vTPM

Or if upgrading, you can bypass the TPM and CPU checks.

Windows 11 Unsupported CPU

Related Articles, References, Credits, or External Links

NA

VMware ESX – Sockets and Cores (Logical Processors)

KB ID 0001124

Problem

While explaining to a client the difference between Sockets, Cores, and Logical Processors, I had to revisit this post today, so I updated it for vSphere 7.

Calculating Sockets and Cores

Essentially:

A: Processor Sockets: The physical number of CPUs on the motherboard.

B: Cores Per Socket: For a dual core processor this would be 2, triple core = 3, quad core = 4, hex core = 6, octa core = 8, deca core = 12, etc.

C: Logical Processors: This is the number of sockets multiplied by the cores per socket, and if Hyperthreading is enabled on the processors (see above), that figure is doubled.

Related Articles, References, Credits, or External Links

NA

Your vSphere Client Session Is No Longer Authenticated

KB ID 0001711

Problem

I updated my vCenter to 6.7.0.45100 yesterday, and since then every time I tried to log in to the HTML5 web client, it authenticated, let me in, showed me the error (below), then kicked me out again?

Solution

I assumed (wrongly) that the upgrade had overwritten the webclient.properties file that controls timeouts. This may be your problem; see the following article if my ‘fix’ does not work for you.

vSphere HTML5 Web Client – Disable the Console Timeout

In the end my fix was quick and simple: go to Add/Remove Programs, locate the vSphere Enhanced Authentication Plugin (in my case version 6.5.0) and uninstall it.

Related Articles, References, Credits, or External Links

NA

OVA / OVF Deployment Gets Stuck ‘Validating’

KB ID 0001664

Problem

I had this problem (on vSphere 6.7) the other day when trying to deploy some OVA files on my test network.

Solution

Well, as stated elsewhere, I tried reconnecting to my vCenter using its FQDN; this didn’t solve the problem, and using Flash or HTML5 didn’t cure it either. What did cure the problem was using a different browser! I switched from IE to Chrome and it worked fine.

Update: I also cured this problem by using Microsoft Edge (the new Chromium-based one).

Related Articles, References, Credits, or External Links

VMware vSphere – How to Import and Export OVF and OVA Files

VMware: Export a VM to OVA With PowerCLI

VMware: ISO Upload or Deploy OVA Fails ‘Undetermined Reason’

vSphere: Get ESX Server Serial Numbers

KB ID 0001670

Problem

A few weeks ago I needed to sort out some extended warranty for a customer’s servers. To do that I needed the serial numbers of those servers (a mixture of IBM/Lenovo and Dell servers).

As I didn’t fancy a drive to two different datacenters, I wanted to try and get them programmatically.

Solution

After some searching I came across a post by one of my old EE buddies LucD with exactly what I needed. I’m assuming you have PowerCLI setup before beginning.

Connect to your virtual infrastructure:

[box]Connect-VIServer {vCenter-server-FQDN}[/box]

Then (assuming you have a folder called C:\Temp that you can write to):

[box]Get-VMHost | Select Name, @{N='Serial';E={(Get-EsxCli -VMHost $_).hardware.platform.get().SerialNumber}} | Export-Csv c:\temp\serial.csv -NoTypeInformation -UseCulture[/box]

Then open your C:\Temp\serial.csv file, and there are your serial numbers.

Related Articles, References, Credits, or External Links

NA

Resizing (Shrinking) Drives With VMware Standalone Converter

KB ID 0000185

Problem

Using: vSphere 6.7 and VMware Standalone Converter Version 6.2.0

I’m performing this procedure on vSphere 6.7. Back with the release of vSphere 5 this process changed: with vSphere 4 and VI3, you had to install VMware Converter on the vCenter Server, then download and enable the plugin in your VI client software (like this).

VMware now only has the “standalone converter”, so now you DON’T install anything on the vCenter server; the converter runs on a client machine/server.

Note: This article is primarily concerned with shrinking guest hard drives. If you want to make your drives larger you can also use this process, but the following article will be easier: Resizing Windows Volumes / Drives in VMware vSphere / ESX

Also, if disk space is your concern, you might want to consider: VMware ESXi – Converting ‘Thick’ Provisioned Drives to ‘Thin’

Solution

Resizing (Shrinking) Guest Hard Drives in vSphere

Before you start:

Remember you are cloning a machine; don’t have clients writing data to the machine while this is going on, or there is the potential for data to be lost. If possible, disable any services that will accept data (e.g. Exchange, SQL, Oracle, etc.) prior to cloning.

Licensing: Only really applicable if you’re cloning a physical machine, but make sure you DO NOT have OEM Licensing. Also if you have Windows Storage Server, or Windows Appliance Edition, you should speak to a license specialist.

Installing VMware Converter is pretty straightforward: run the install file, accept the EULA, select local installation (I opt out of the ‘User Experience’ program), and when complete it will open the Converter client by default (as shown).

When the program opens > Convert machine > Type in the name of the machine you are going to convert, and credentials to logon and install the converter agent > Next.

If you’re going to retire the target machine afterwards, this does not really matter, but I leave it on the defaults > Yes.

5. Now enter the vSphere/ESX target details for the host you are going to create the cloned copy on > Next.

Give the new VM a name, and select which folder to place the new VM into > Next. (Note: You may get a certificate warning; if so, click Ignore.)

7. Choose a Cluster/Host > Choose which storage to place the files into > Next.

8. In the ‘Data to Copy’ section > Edit.

9. Here you can select the NEW sizes for the drive(s) on the cloned machine > Next.

10. Finish.

11. Depending on the size of the VM it can take a while.

12. Now power off the original, and power on the new machine and TEST IT THOROUGHLY; when you are happy you can delete the source machine.

Resizing (Shrinking) Guest Hard Drives in vSphere 4 (and older)

The following procedure was done with vSphere 4, but the process is the same in VI3. Before you start, ensure that VMware Converter has been installed on the Virtual Center Server.

Related Articles, References, Credits, or External Links

VMware Converter ‘A file I/O Error Occurred’

VMware Converter Slow!

VMware Converter ‘Unable to Connect to the Network Share’

VMware Converter – Unable to Deploy Agent