To enable a virtual Trusted Platform Module (vTPM) for a virtual machine in vCenter using Aria Automation Orchestrator (vRO), follow these steps. A vTPM gives the guest OS a TPM 2.0 to work with, which unlocks features that depend on one: BitLocker with TPM-sealed keys, measured boot and attestation, and the TPM requirement of Windows 11.
What is vTPM?
Before that, a word on the TPM itself. A Trusted Platform Module (TPM) is a dedicated chip on an endpoint that generates and stores cryptographic keys (for example RSA keys bound to that platform) and only ever uses them through its own operations, so an attacker who controls the operating system still cannot extract or alter them. A virtual Trusted Platform Module (vTPM), as implemented in VMware vSphere, is a virtual version of a physical TPM 2.0 device. Its secrets live in the VM's NVRAM file, and adding a vTPM encrypts the VM's home files (not its virtual disks) with VM Encryption, which is why a Key Provider is required. To the guest OS it offers the same functionality as a physical TPM.
Prerequisites
- A Key Provider (Native or Standard) must be configured in vCenter.
- Guest OS compatibility: Windows Server 2008+, Windows 7+, or supported Linux distributions.
- ESXi hosts must run 6.7+ (for Windows VMs) or 7.0+ (for Linux VMs); the VM itself must use EFI firmware and virtual hardware version 14 or later.
Step-by-Step Guide
All the resources provided below are to be tested at your own risk. The scripts may not be fully developed and may require some modification to be production-ready.
1. Create a vRO Action to enable vTPM
Go to Actions, create a new action, set its Runtime to PowerCLI, paste the code below, and save it as EnableVtpm in the module in.co.cloudblogger.actions. Make sure to add these 4 inputs:
- vcServer – FQDN of the vCenter where the VM exists.
- user – username to authenticate to vcServer.
- password – password to authenticate to vcServer. Declare it as SecureString rather than string so it is not echoed in workflow logs.
- vmName – name of the VM on which vTPM is to be enabled.
function Handler($context, $inputs) {
    # Session-scoped PowerCLI settings. 'Ignore' disables TLS verification of the
    # vCenter certificate; use a trusted certificate and drop it in production.
    Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCeip:$false -Scope Session -Confirm:$false | Out-Null
    $vc = Connect-VIServer -Server $inputs.vcServer -Protocol https -User $inputs.user -Password $inputs.password -ErrorAction Stop
    try {
        $vm = Get-VM -Name $inputs.vmName -Server $vc -ErrorAction Stop
        # New-VTpm needs a powered-off VM (the workflow takes care of that), EFI firmware and a default Key Provider
        $vtpm = New-VTpm -VM $vm -ErrorAction Stop
        Write-Host "Added $($vtpm.Name) to $($vm.Name)"
        return $true
    } catch {
        # Report the real outcome instead of unconditionally returning "true"
        Write-Host "Failed to enable vTPM on $($inputs.vmName): $_"
        return $false
    } finally {
        Disconnect-VIServer -Server $vc -Confirm:$false
    }
}
2. Add scripts to a Workflow
Modify this script to suit your case. Create a workflow and paste the modified script into a scriptable task. Make sure to add and map the inputs accordingly (inputProperties, user, domain and password; declare password as SecureString). This workflow will be triggered via an Event Subscription.
//Prepare Inputs
var vcServerName = "vcServer01.domain.local";
var fullUserName = user + "@" + domain; // 'user' and 'domain' are workflow inputs
System.debug(JSON.stringify(inputProperties, null, 2));
inputProperties = JSON.parse(JSON.stringify(inputProperties));
// All three levels must exist; the original OR-chain threw a TypeError when customProperties was missing
if (inputProperties && inputProperties.customProperties && inputProperties.customProperties.hostName) {
    vmName = inputProperties.customProperties.hostName;
} else {
    throw "InputProperties not valid! Please check if Event topic is set to \"Compute initial power on\"";
}
System.log("Selected Virtual Machine: " + vmName);
//Find the VM by exact name, so that 'vm01' does not also match 'vm010'
var vmObject = VcPlugin.getAllVirtualMachines(null, "xpath:name[.='" + vmName + "']")[0];
if (!vmObject) throw "VM '" + vmName + "' not found in vCenter";
System.log("VM found in vCenter");
//Power off VM (a vTPM can only be added to a powered-off VM)
System.log("VM PowerState: " + vmObject.runtime.powerState.name);
var poweredOn = (vmObject.runtime.powerState.name == 'poweredOn');
if (poweredOn) {
    System.log("Powering off the VM...");
    var task = vmObject.powerOffVM_Task();
    if (task) System.getModule("com.vmware.library.vc.basic").vim3WaitTaskEnd(task, true, 1);
}
//Enable vTPM; argument order matches the action's inputs (vcServer, user, password, vmName)
actionResult = System.getModule("in.co.cloudblogger.actions").EnableVtpm(vcServerName, fullUserName, password, vmName);
if (!actionResult) throw "EnableVtpm action reported failure for " + vmName;
3. Enable Event Subscription
Make sure to add this workflow to an Event Subscription in Aria Automation so that it is triggered on the "Compute initial power on" event. Mark the subscription as blocking, so the initial power-on waits for the workflow to finish; otherwise the VM may be powered on while the vTPM is still being added.
Trigger a VM provisioning in Aria Automation to test it.
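The action and workflow above split the work between PowerCLI and vRO JavaScript. As an added example (not code from the original post), here is the same procedure as one stand-alone PowerCLI script, with the checks you want before touching a production VM: exact VM match, idempotency, EFI firmware and hardware version, power-off and power-on around the change, and verification through the raw device list. It assumes a PowerCLI version that ships New-VTpm and Get-VTpm (12.1 or later) and a vCenter with a default Key Provider; the parameter names and the interactive Get-Credential prompt are choices of this example, not the post's.

```powershell
# Added example: enable a vTPM on one VM with PowerCLI, including pre-flight checks.
# Assumes PowerCLI 12.1+ (New-VTpm / Get-VTpm) and a default Key Provider in vCenter.
param(
    [Parameter(Mandatory)] [string] $VcServer,
    [Parameter(Mandatory)] [string] $VmName,
    [PSCredential] $Credential = (Get-Credential -Message "vCenter credentials")
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop

# Session-scoped settings only. Deliberately no -InvalidCertificateAction Ignore:
# that setting in the vRO action disables TLS verification of the vCenter certificate.
Set-PowerCLIConfiguration -ParticipateInCeip:$false -Scope Session -Confirm:$false | Out-Null

$vc = Connect-VIServer -Server $VcServer -Credential $Credential -ErrorAction Stop
try {
    $vm = Get-VM -Name $VmName -Server $vc -ErrorAction Stop
    if (@($vm).Count -ne 1) {
        throw "Expected exactly one VM named '$VmName', found $(@($vm).Count)."
    }

    # Idempotency: a VM carries at most one vTPM and New-VTpm fails if one exists.
    if (Get-VTpm -VM $vm -ErrorAction SilentlyContinue) {
        Write-Host "$($vm.Name) already has a vTPM; nothing to do."
        return $true
    }

    # Prerequisites that otherwise surface only as an opaque reconfigure error.
    $cfg = $vm.ExtensionData.Config
    if ($cfg.Firmware -ne 'efi') {
        throw "vTPM requires EFI firmware; $($vm.Name) uses '$($cfg.Firmware)'."
    }
    $hwVersion = [int]($cfg.Version -replace '^vmx-', '')
    if ($hwVersion -lt 14) {
        throw "vTPM requires virtual hardware version 14 or later; found $($cfg.Version)."
    }

    # The device can only be added while the VM is powered off.
    $wasPoweredOn = ($vm.PowerState -eq 'PoweredOn')
    if ($wasPoweredOn) {
        Write-Host "Powering off $($vm.Name)..."
        $vm = Stop-VM -VM $vm -Confirm:$false -ErrorAction Stop
    }

    # Adding the vTPM encrypts the VM home files (where the vTPM NVRAM lives) with
    # VM Encryption, so a missing default Key Provider fails right here.
    $vtpm = New-VTpm -VM $vm -ErrorAction Stop
    Write-Host "Added $($vtpm.Name) to $($vm.Name)"

    # Verify against the device list itself, independently of the cmdlet's return value.
    $vm = Get-VM -Name $VmName -Server $vc -ErrorAction Stop
    $dev = $vm.ExtensionData.Config.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] }
    if (-not $dev) { throw "No VirtualTPM device present after reconfigure." }

    if ($wasPoweredOn) { Start-VM -VM $vm -Confirm:$false | Out-Null }
    return $true
}
catch {
    Write-Error "Failed to enable vTPM on '$VmName': $_"
    return $false
}
finally {
    Disconnect-VIServer -Server $vc -Confirm:$false
}
```

Run it as `.\Enable-VTpm.ps1 -VcServer vcServer01.domain.local -VmName vm01`; it prompts for credentials instead of taking a plain-text password, which is also the pattern to prefer in vRO (a SecureString input or the vRO credential store) over passing the password as a string between workflow and action.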
Verification
- Via PowerCLI: check that the VM now includes a vTPM device:
Get-VM -Name <VM_Name> | Select -ExpandProperty ExtensionData
Look for a VirtualTPM entry under Config.Hardware.Device.
- Via vSphere Client:
- Navigate to the VM's settings.
- Confirm a "Trusted Platform Module" device is listed under Hardware.
Troubleshooting
- Error: “Cannot apply encryption policy. You must set the default key provider.”
- Solution: Configure a Key Provider in vCenter under Administration > Key Providers.
- vTPM Not Visible in Guest OS:
- Ensure the VM is powered on, uses EFI firmware, and the guest OS supports TPM 2.0 (e.g., Windows 11).
- For Windows, check Device Manager > Security Devices for “Trusted Platform Module 2.0”.
That’s all in this post. Thanks.