Windows 11 on VMware ESXi - This PC can't run Windows 11

The latest release of Windows 11 requires a Trusted Platform Module (TPM) 2.0 chip. When you try to install Windows 11 as a Virtual Machine on VMware ESXi, the installation fails with a "This PC can't run Windows 11" error. There is no further information on why the setup fails.

By using SHIFT + F10 and notepad x:\windows\panther\setuperr.log or type x:\windows\panther\setuperr.log, you can verify that the reason for the failed setup is a missing TPM Chip:

This article explains two options to install Windows 11 by either disabling the TPM check, or by adding a Virtual Trusted Platform Module (vTPM) to the Virtual Machine.

Download Windows 11 ISO

If you want to test-drive Windows 11 as a Virtual Machine, you can download the installation Media from a website provided by Microsoft. There are two options - you can use the Installation Media creation tool, or just download a prepared .ISO file.

Download Windows 11

Create Windows 11 VM with Virtual Trusted Platform Module

As a prerequisite to enable vTPM for Virtual Machines, you have to provide a Key Provider. Since vSphere 7.0, vCenter Server comes with a native Key Provider, removing the need for an external KMS. Enabling the Key provider is done on vCenter level.

  1. Open vSphere Client
  2. Navigate to vCenter > Configure > Seurity > Key Provider
  3. Press ADD > Add Native Key Provider
  4. Give the Key Provider a name and disable "Use key provider only with TPM protected ESXi hosts". This allows you to use vTPM on ESXi hosts that do not have a TPM chip.
  5. As a security precaution, the Key Provider has to be backed up at least once to be eligible for use. Press BACK-UP.
  6. As this is a lab environment, I've disabled password protection. Press BACK UP KEY PROVIDER. Make sure that no popup blockers are active. It should download a .p12 file which needs to be kept in a safe location.

 

With the key provider enabled, you can use the vTPM feature in Virtual Machines that fulfill the following requirements:

  • Running on vSphere 6.7 or later
  • VM Hardware Version 14 (ESXi 6.7)
  • EFI Firmware
  • Virtual Machine encryption enabled
  • Windows Virtualization Based Security enabled

Create a new Virtual Machine and enable Encrypt this virtual machine in Step 4. Make sure that the VM Storage Policy is set to VM Encryption Policy. The compatibility warning "Datastore does not match current VM policy" can be ignored.

Set the hardware compatibility to be at least vSphere 6.7. I recommend using the latest version which is HW 19 (ESXi 7.0 U2) at the moment.

Currently, Windows 11 is not listed as a supported guest OS, so just select Windows 10 (64-bit). Make sure to tick Enable Windows Virtualization Based Security.

Add the Trusted Platform Module in Step 7 - Customize Hardware.

You should now be able to Install Windows 11

 

Existing Virtual Machines

For existing Virtual Machines, you can enable VM encryption within VM Options > Encryption by setting the policy to VM Encryption Policy.

To add the vTPM press ADD NEW DEVICE and add the Trusted Platform Module.

 

Install Windows 11 on a Virtual Machine by Disabling TPM Check

If you can't enable vTPM, you can still install Windows 11 by disabling the TPM check.

  1. Create a Virtual Machine and select Windows 10 (64-bit) as the Operating System.
  2. Mount the Windows 11 .ISO and boot the Virtual Machine
  3. When Windows 11 asks for the product key, press SHIFT + F10. This should bring up a command line
  4. Add a Registry Key to disable the TPM check
    REG ADD HKLM\SYSTEM\Setup\LabConfig /v BypassTPMCheck /t REG_DWORD /d 1
  5. Make sure that the operation is completed successfully
  6. Proceed with the Installation

Note: If you are not comfortable with command lines, you can also use the graphical registry editor by entering regedit in the command line.

3 thoughts on “Windows 11 on VMware ESXi - This PC can't run Windows 11”

    1. Nevermind I had a typo. Ran regedit and browsed to the key and I added it in as /BypassTPMCheck so deleted that and created a new dword key BypassTPMCheck and it works fine!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.