Usually, when trying to install the latest Windows 11 desktop OS within VMware vSphere, you had problems finding a disk to install Windows on because the W11 ISO did not have the PVSCSI drivers. You ended up juggling VMware PVSCSI drivers on a virtual floppy so that the Windows 11 installation assistant could finally find the disk to install to.

I have already tested the Windows 11 2H22 Tech preview installation within the latest VMware Workstation product here so you can see some new capabilities of VMware Workstation as well. But today, we’ll have a look at the Golden Image preparation within VMware vSphere 8.0.

The latest Windows 11 version 2H22, which was released on September 22 this year, can now be downloaded from Microsoft. The Windows 11 version 2H22 ISO contains the VMware PVSCSI driver as well as the VMware VMXNET3 driver as inbox drivers. This way, the default disks finally show up within the installation assistant and you no longer need to do anything else. Just continue the installation. This is great.

New TPM requirements

As you know, Microsoft requires Trusted Platform Module (TPM) version 2.0. TPM 2.0 is required to run Windows 11 and it is an important building block for security-related features. TPM 2.0 is used in Windows 11 for a number of features, for example Windows Hello for identity protection or BitLocker for data protection. So, you really need it.

However, when preparing a Golden Image that will be cloned multiple times, the best practice is to create the golden image without BitLocker turned ON (or any other services relying on TPM). Turn those services ON afterwards, once you have cloned a VM from the template.

Otherwise, if you save your Golden Image with BitLocker enabled, you’ll need to keep copying that TPM device and you’ll end up with a bunch of VMs with the same TPM device being able to access the secrets from other, already cloned VMs, which is not really best practice.
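
One way to verify the "no BitLocker in the golden image" rule before converting the VM to a template, as an added example that is not part of the original article. The function name Test-VolumeReadyForTemplate is hypothetical and the sample volumes are constructed; the live check uses the built-in Get-BitLockerVolume cmdlet and needs an elevated session inside the guest.

```powershell
# Added example: pre-template BitLocker check for a golden image.
function Test-VolumeReadyForTemplate {
    # Accepts objects shaped like Get-BitLockerVolume output and returns one
    # finding per volume, so the logic can also be run on constructed input.
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        $reasons = @()
        if ("$($Volume.ProtectionStatus)" -ne 'Off') {
            $reasons += 'protection is on'
        }
        # Suspended protection still leaves encrypted data bound to this vTPM.
        if ("$($Volume.VolumeStatus)" -ne 'FullyDecrypted') {
            $reasons += "volume status is $($Volume.VolumeStatus)"
        }
        # Filter out $null so a missing property does not count as a protector.
        if (@($Volume.KeyProtector | Where-Object { $_ }).Count -gt 0) {
            $reasons += 'key protectors still present'
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Ready      = ($reasons.Count -eq 0)
            Reasons    = $reasons -join '; '
        }
    }
}

# Constructed sample input (not real output): a clean volume, and one that is
# encrypted with protection only suspended, which must not go into a template.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'Off'
                       VolumeStatus = 'FullyDecrypted'; KeyProtector = @() }
    [pscustomobject]@{ MountPoint = 'D:'; ProtectionStatus = 'Off'
                       VolumeStatus = 'FullyEncrypted'; KeyProtector = @('Tpm') }
)
$sample | Test-VolumeReadyForTemplate | Format-Table -AutoSize

# Live check inside the golden-image VM.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $results = @(Get-BitLockerVolume | Test-VolumeReadyForTemplate)
    $results | Format-Table -AutoSize
    if ($results | Where-Object { -not $_.Ready }) {
        Write-Warning 'Run Disable-BitLocker on these volumes and wait for decryption before converting to a template.'
    }
}
```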

VMware is improving the deployment of Windows 11 at scale in vSphere 8.0. A TPM device should be unique per OS instance. With vSphere 8.0, there is a new assistant when deploying Windows 11, and you’ll have the possibility to:

  • Copy the existing TPM – not recommended, but if, for some reason (application compatibility, license keys etc.)
  • Replace the TPM – best practice. The VMs clone with a new TPM device, which will not have access to the source VM’s secrets.

vSphere 8.0 also has an advanced setting, “vpxd.clone.tpmProvisionPolicy”. This advanced setting makes replacing the vTPM the default clone behavior, but it can be changed if you have that requirement.

Select TPM Provision Policy

VMware vSphere Golden Image Creation – The Steps:

Connect to your vCenter server via vSphere web client and select the vCenter server in the inventory > Configure > Under Security, select Key Providers and Add New Key provider > Then click Backup and save it to a secure location. You should end up with a green check everywhere, as in the image below.

Native Key Provider Backed up and Active

If you don’t already have it, download the latest Windows 11 ISO image from Microsoft here.

Place the ISO on a datastore or in your content library and start the VM creation assistant. Enter the usual information about placement, VM name and folder, etc., then pick Windows 11 as the OS (until vSphere 7.x we had only Windows 10 as an option) and start the installation.

Select Windows 11 as Guest OS

Within the Customize Hardware step, the hardware defaults to a “Thick” disk, with LSI Logic SAS. I’ve changed it to VMware Paravirtual. Also, the Network card defaults to E1000E which I changed to VMXNET3. The TPM is already part of the template.

VM hardware version 20 with PVSCSI and VMXNET3

Once you have the TPM configured, you need to back it up and wait until it becomes active. If you start creating VMs earlier, you’ll get errors.

Native Key Provider Backed up and Active

Click Finish to close the assistant. Then select the VM > Edit > attach the Datastore ISO of Windows 11 that you have previously downloaded and check the “Connect at Power ON” check box. Start the Windows 11 installation wizard.

The internal disk where you’ll install W11 is found without problems, even without loading a driver externally.

Windows 11 found my hard disk with PVSCSI driver by default

From that point on, you install Windows 11 without any problem and you can finalize the image to fit your needs. Install VMware Tools, reboot, and then pre-install your software, etc.

Windows 11 Golden Image

Then you can convert the VM into a template and have it ready for when you’ll need to deploy new VMs based on W11 OS.

Note: I skipped the part of Microsoft Licensing where under the corporate licenses you have different possibilities of activation etc. This part is not included in this short tutorial.

Note also that VMware drivers are now part of Windows Update. However, VMware still recommends using the latest VMware Tools within the VM.

A screenshot from VMware shows Network drivers pushed via Windows Update into a W11 system.

VMware PVSCSI and VMXNET3 drivers included in Windows Updates

Wrap Up

As you can see, for creating and running VMs with TPM devices (a vTPM), you’ll need to configure a Key Provider. VMware has made this easy since vSphere 7.x, where the Native Key Provider was introduced. Once you have fulfilled this requirement, you can easily create and deploy Windows 11 VMs. The fact that there is now a Windows 11 OS template you can start from optimizes and streamlines the VM creation workflow.

As usual with VMware, time will tell if the vSphere 8.0 release is good and not buggy, or we’ll have to wait for 8.1 to be able to safely deploy into the production environment. I highly recommend preparing a testing environment for a couple of months, then waiting for acceptance with your backup software vendor and other dependent software you might be running, before finally rolling into production.

Virtual hardware 20 is an evolution, but not a revolution. If you absolutely need some of the new features it brings, you might want to deploy a small cluster and place some of your VMs there first, before thinking of a general upgrade of a whole infrastructure.
