The latest release of Windows 11 requires a Trusted Platform Module (TPM) 2.0 chip. When you try to install Windows 11 as a Virtual Machine on VMware ESXi, the installation fails with a "This PC can't run Windows 11" error. There is no further information on why the setup fails.
Press SHIFT + F10 to open a command prompt, then run notepad x:\windows\panther\setuperr.log or type x:\windows\panther\setuperr.log to confirm that the setup failed because of a missing TPM chip.
This article explains two options to install Windows 11 by either disabling the TPM check, or by adding a Virtual Trusted Platform Module (vTPM) to the Virtual Machine.
Download Windows 11 ISO
If you want to test-drive Windows 11 as a Virtual Machine, you can download the installation media from a website provided by Microsoft. There are two options: you can use the Installation Media creation tool, or just download a prepared .ISO file.
Create Windows 11 VM with Virtual Trusted Platform Module
As a prerequisite to enable vTPM for Virtual Machines, you have to provide a Key Provider. Since vSphere 7.0, vCenter Server comes with a native Key Provider, removing the need for an external KMS. The Key Provider is enabled at the vCenter level.
- Open vSphere Client
- Navigate to vCenter > Configure > Security > Key Provider
- Press ADD > Add Native Key Provider
- Give the Key Provider a name and disable "Use key provider only with TPM protected ESXi hosts". This allows you to use vTPM on ESXi hosts that do not have a TPM chip.
- As a security precaution, the Key Provider has to be backed up at least once to be eligible for use. Press BACK-UP.
- As this is a lab environment, I've disabled password protection. Press BACK UP KEY PROVIDER. Make sure that no popup blockers are active. It should download a .p12 file which needs to be kept in a safe location.
With the key provider enabled, you can use the vTPM feature in Virtual Machines that fulfill the following requirements:
- Running on vSphere 6.7 or later
- VM Hardware Version 14 (ESXi 6.7)
- EFI Firmware
- Virtual Machine encryption enabled
- Windows Virtualization Based Security enabled
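The requirements above can be audited against a VM's configuration before adding the vTPM. The following PowerShell function is an added example, not part of the original article; the VM name win11-lab and the sample object are constructed, and the property names are those of the vSphere API VirtualMachineConfigInfo object that PowerCLI exposes through ExtensionData.Config.

```powershell
# Added example: audits a VM configuration against the vTPM requirements listed above.
# $Config is a VirtualMachineConfigInfo object, or a look-alike with the same properties.
function Test-VTpmReadiness {
    param(
        [Parameter(Mandatory)] $Config
    )

    # Hardware version is reported as a string such as 'vmx-14'
    $hwVersion = [int]($Config.Version -replace '^vmx-', '')

    # A vTPM shows up as a device of type VMware.Vim.VirtualTPM
    $devices = @($Config.Hardware.Device)
    $hasVTpm = [bool]($devices | Where-Object {
        $_.PSObject.TypeNames -contains 'VMware.Vim.VirtualTPM'
    })

    $checks = [ordered]@{
        'Hardware version >= 14'    = $hwVersion -ge 14
        'EFI firmware'              = $Config.Firmware -eq 'efi'
        'VM encryption (KeyId set)' = $null -ne $Config.KeyId
        'VBS enabled'               = [bool]$Config.Flags.VbsEnabled
        'vTPM device present'       = $hasVTpm
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ VM = $Config.Name; Check = $name; Passed = $checks[$name] }
    }
}

# Constructed sample: a BIOS-firmware VM at hardware version 13, unencrypted, no vTPM.
$sample = [pscustomobject]@{
    Name     = 'win11-lab'   # hypothetical VM name
    Version  = 'vmx-13'
    Firmware = 'bios'
    KeyId    = $null
    Flags    = [pscustomobject]@{ VbsEnabled = $false }
    Hardware = [pscustomobject]@{ Device = @() }
}

Test-VTpmReadiness -Config $sample | Format-Table -AutoSize

# Against a live vCenter (requires VMware PowerCLI and an active Connect-VIServer session):
# Test-VTpmReadiness -Config (Get-VM -Name 'win11-lab').ExtensionData.Config
```

Every check reports False for the constructed sample; a VM created by following the steps below should report True on all five rows.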
Create a new Virtual Machine and enable Encrypt this virtual machine in Step 4. Make sure that the VM Storage Policy is set to VM Encryption Policy. The compatibility warning "Datastore does not match current VM policy" can be ignored.
Set the hardware compatibility to be at least vSphere 6.7. I recommend using the latest version which is HW 19 (ESXi 7.0 U2) at the moment.
Currently, Windows 11 is not listed as a supported guest OS, so just select Windows 10 (64-bit). Make sure to tick Enable Windows Virtualization Based Security.
Add the Trusted Platform Module in Step 7 - Customize Hardware.
You should now be able to install Windows 11.
Existing Virtual Machines
For existing Virtual Machines, you can enable VM encryption within VM Options > Encryption by setting the policy to VM Encryption Policy.
To add the vTPM press ADD NEW DEVICE and add the Trusted Platform Module.
Install Windows 11 on a Virtual Machine by Disabling TPM Check
If you can't enable vTPM, you can still install Windows 11 by disabling the TPM check.
- Create a Virtual Machine and select Windows 10 (64-bit) as the Operating System.
- Mount the Windows 11 .ISO and boot the Virtual Machine
- When Windows 11 asks for the product key, press SHIFT + F10. This should bring up a command line
- Add a Registry Key to disable the TPM check
REG ADD HKLM\SYSTEM\Setup\LabConfig /v BypassTPMCheck /t REG_DWORD /d 1
- Make sure that the operation is completed successfully
- Proceed with the Installation
Note: If you are not comfortable with command lines, you can also use the graphical registry editor by entering regedit in the command line.
That registry command says successful but still you get This PC can't run Windows 11.
Never mind, I had a typo. Ran regedit and browsed to the key and I added it in as /BypassTPMCheck so deleted that and created a new dword key BypassTPMCheck and it works fine!
In ESXi 7.0, it works well for me.
I have a copy of ESXi 7.0u2b running on an older Dell Precision T5600. I have successfully installed a VM of Windows 11 Pro using the above trick (thanks!). However, I have not been able to upgrade a Windows 10 VM, even if I add the registry flags before attempting the upgrade, and there doesn't seem to be the opportunity to interrupt the install to add the hacks during the upgrade process. Any way to get around the TPM and SecureBoot checks during an upgrade?
Hello. I have the same problem. I don't want to touch the registry, and with everything configured as described here I can do a fresh install of W11 but not upgrade from W10 to W11. It tells me that the processor is not supported, which is not true because the VM gets a processor that Microsoft lists as compatible.
Can anyone think of something?
Can you make this somehow work without vSphere? I use a single ESX host without vSphere.
I think you are confusing vSphere and vCenter. VMware vSphere is what they call ESXi nowadays.
"vSphere" refers to the holistic VMware environment. ESXi is ESXi and vCenter is vCenter.
Thanks for this! I used your guide to help with my own Win 11 packer build last week.
Has anyone figured out how to export a Win 11 VM? OVF is failing thanks to encryption.