【VMware ESXi】如何在獨(dú)立的ESXi主機(jī)上配置vTPM并安裝Windows 11操作系統(tǒng)。

這篇具有很好參考價(jià)值的文章主要介紹了【VMware ESXi】如何在獨(dú)立的ESXi主機(jī)上配置vTPM并安裝Windows 11操作系統(tǒng)。。希望對(duì)大家有所幫助。如果存在錯(cuò)誤或未考慮完全的地方，請(qǐng)大家不吝賜教，您也可以點(diǎn)擊"舉報(bào)違法"按鈕提交疑問(wèn)。

根據(jù)微軟發(fā)布的Windows 11操作系統(tǒng)要求，這個(gè)版本的系統(tǒng)需要硬件支持受信任的平臺(tái)模塊 (TPM) 才能進(jìn)行安裝和使用，不然就會(huì)提示你“這臺(tái)電腦無(wú)法運(yùn)行Windows11。這臺(tái)電腦不符合安裝此版本的Windows所需的最低系統(tǒng)要求。有關(guān)詳細(xì)信息，請(qǐng)?jiān)L問(wèn)https://aka.ms/WindowsSysReq”錯(cuò)誤。關(guān)于受信任的平臺(tái)模塊(TPM)的功能和技術(shù)這里不再概述，具體的官方文檔說(shuō)明可以看這里。

本文主要說(shuō)明如何在獨(dú)立的ESXi主機(jī)上安裝Windows 11 23H2的操作過(guò)程，為什么說(shuō)是在獨(dú)立的ESXi主機(jī)呢？

通常情況下，如果我們的安裝環(huán)境是筆記本或者臺(tái)式機(jī)，并且主板帶有TPM 2.0芯片，那么可以直接安裝系統(tǒng)，無(wú)需多言，或者我們想基于操作系統(tǒng)之上通過(guò)VMware Workstation、VirtualBox以及HyperV這種嵌套虛擬化的方式安裝Windows 11，只需要在配置虛擬機(jī)硬件的時(shí)候?qū)μ摂M機(jī)進(jìn)行加密即可，比如官方文檔或者這里，當(dāng)然如果使用低版本的客戶端程序可能默認(rèn)不提供Windows 11選擇，只需要選擇Windows 10對(duì)虛擬機(jī)加密并手動(dòng)添加可信平臺(tái)模塊(TPM)也可以，比如這里。上述這些情況的前提條件是，你的硬件必須要支持TPM的情況下才能進(jìn)行，如何確定你的硬件是否支持TPM呢？可以看這里。但是，如果我的虛擬化客戶端既不支持Windows11，又不支持TPM，然后又想安裝Windows 11怎么辦呢？可以參考這里繞過(guò)TPM檢查。

如果是企業(yè)級(jí)VMware vSphere環(huán)境，可以通過(guò)在虛擬機(jī)上配置虛擬TPM（vTPM）將TPM2.0用作虛擬設(shè)備，對(duì)于vSphere 7.0 U2之前，需要單獨(dú)配置密鑰服務(wù)器（KMS），對(duì)于vSphere 7.0 U2之后，在vCenter Server中內(nèi)置了vSphere Native Key Provider功能，可以更加方便的為虛擬機(jī)配置vTPM，具體可以看這里。使用vTPM的一個(gè)主要好處是，底層ESXi主機(jī)中可以不需要物理TPM芯片，并且通過(guò)加密存儲(chǔ)密鑰的.nvram文件來(lái)保護(hù)vTPM密鑰。用于加密vTPM的加密密鑰由密鑰提供程序置備，該提供程序可以是符合KMIP的外部標(biāo)準(zhǔn)密鑰提供程序（SKP），也可以使用vCenter Server的內(nèi)置本機(jī)密鑰提供程序（NKP）。這些關(guān)鍵提供程序及其配置使用管理需要使用vCenter Server，從而在使用vTPM功能時(shí)提供集中式控制平面和無(wú)縫的用戶體驗(yàn)。但是，這里要使用vTPM的前提是，環(huán)境中必須要vCenter Server，雖然強(qiáng)烈建議使用vCenter Server以獲得更良好的vTPM用戶使用體驗(yàn)，但從技術(shù)上講，vTPM運(yùn)行并不需要它。

這也是寫(xiě)本篇文章的主要原因，對(duì)于使用VMware ESXi虛擬化的HomeLab環(huán)境，可能只有一臺(tái)主機(jī)（工作站或服務(wù)器）安裝了ESXi，并不需要vCenter Server進(jìn)行管理，但是又想使用vTPM功能，比如本篇文章中安裝Windows 11需要vTPM，這時(shí)可以參考本篇文章中的方法，如何在獨(dú)立的ESXi主機(jī)上為虛擬機(jī)添加vTPM。

警告：ESXi主機(jī)最好支持TPM，并開(kāi)啟密鑰持久性，若沒(méi)有TPM請(qǐng)看最后。
注意：ESXi主機(jī)需要獲得許可證，除免費(fèi)的ESXi之外的任何許可都沒(méi)問(wèn)題。
前提：客戶機(jī)連接需要準(zhǔn)備PowerShell(系統(tǒng)自帶)和PowerCLI(安裝參考)。

由于默認(rèn)的PowerCLI模塊中不支持某些指令，比如ESXi主機(jī)上加密vSphere APIs，所以需要?jiǎng)?chuàng)建幾個(gè)PowerCLI指令，這些指令由PowerShell腳本文件（vTPMStandaloneESXiFunctions.ps1）創(chuàng)建，只需要在PowerShell里執(zhí)行這個(gè)腳本文件后，即可輕松地為不受vCenter Server管理的獨(dú)立ESXi主機(jī)配置vTPM。腳本可以通過(guò)上面的鏈接地址進(jìn)行下載，或者將下面的內(nèi)容復(fù)制到記事本里，另存為vTPMStandaloneESXiFunctions.ps1即可。

vTPMStandaloneESXiFunctions.ps1

# Author: William Lam
# Description: PowerCLI functions to configure host encryption for a standanlone ESXi host to support vTPM without vCenter Server

Function New-256BitKey {
<#
    .NOTES
    ===========================================================================
    Created by:    William Lam
    Organization:  VMware
    Blog:          www.williamlam.com
    Twitter:       @lamw
    ===========================================================================
    .DESCRIPTION
        This function returns randomly generated 256 bit key encoded using base64
    .EXAMPLE
        New-256BitKey
#>
    # Generate 256 bit key
    # Thank you ChatGPT for this code
    $randomKey = [byte[]]::new(32)
    $rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rand.GetBytes($randomKey)

    # Encode the key using Base64
    return [Convert]::ToBase64String($randomKey)
}

Function Prepare-VMHostForEncryption {
<#
    .NOTES
    ===========================================================================
    Created by:    William Lam
    Organization:  VMware
    Blog:          www.williamlam.com
    Twitter:       @lamw
    ===========================================================================
    .DESCRIPTION
        This function prepares the ESXi host for encryption
    .EXAMPLE
        Prepare-VMHostForEncryption
#>
    $cm = Get-View $global:DefaultVIServer.ExtensionData.Content.CryptoManager

    $cryptoState = (Get-VMHost).ExtensionData.Runtime.CryptoState

    if($cryptoState -eq "incapable") {
        Write-Host -ForegroundColor Yellow "`nPreparing ESXi Host for encryption ..."
        $cm.CryptoManagerHostPrepare()
        Write-Host -ForegroundColor Green "Successfully prepared ESXi Host for encryption ...`n"
    } else {
        Write-Host "`nESXi Host has already been prepared for encryption ...`n"
    }
}

Function New-InitialVMHostKey {
<#
    .NOTES
    ===========================================================================
    Created by:    William Lam
    Organization:  VMware
    Blog:          www.williamlam.com
    Twitter:       @lamw
    ===========================================================================
    .DESCRIPTION
        This function creates and/or ipmorts host key
    .PARAMETER Operation
        CREATE or IMPORT
    .PARAMETER KeyName
        Name of the VM Key
    .PARAMETER CSVTPMKeyFile
        Name of CSV file to save TPM keys (Default: tpm-keys.csv)
    .EXAMPLE
        # Request new VM Key
        New-InitialVMHostKey -Operation CREATE -KeyName "host-key-1"
    .EXAMPLE
        # Imports an existing VM Key
        New-InitialVMHostKey -Operation IMPORT -KeyName "host-key-1" -CSVTPMKeyFile tpm-keys.csv

#>
    param(
        [Parameter(Mandatory=$true)][ValidateSet("CREATE","IMPORT")][string]$Operation,
        [Parameter(Mandatory=$true)][String]$KeyName,
        [Parameter(Mandatory=$false)][String]$CSVTPMKeyFile="tpm-keys.csv"
    )

    $cryptoState = (Get-VMHost).ExtensionData.Runtime.CryptoState

    if($cryptoState -eq "safe") {
        Write-Host -ForegroundColor Red "`nESXi host has already been configured with initial host key ...`n"
        break
    }

    if($cryptoState -ne "prepared") {
        Write-Host -ForegroundColor Red "`nESXi host has not been prepared for encryption ...`n"
        break
    }

    $cm = Get-View $global:DefaultVIServer.ExtensionData.Content.CryptoManager

    # Create or import initial host key
    if($Operation -eq "CREATE") {
        Write-Host -ForegroundColor Yellow "Generating random 256 bit host key ..."
        $hostBase64Key = New-256BitKey
        $keyAlgorithim = "AES-256"
    } else {
        $csvfile = Import-Csv $CSVTPMKeyFile
        foreach ($line in $csvfile) {
            if($line.KEYID -eq $KeyName -and $line.TYPE -eq "HOST") {
                Write-Host -ForegroundColor Yellow "Importing existing host key from $CSVTPMKeyFile ..."
                $hostBase64Key = $line.DATA
                $keyAlgorithim = $line.ALGORITHIM
                break
            }
        }
    }

    if($hostBase64Key -eq $null) {
        Write-Host -ForegroundColor Red "Failed to find host key ${KeyName} ...`n"
        break
    }

    $hostKeyId = New-Object VMware.Vim.CryptoKeyId
    $hostKeyId.keyId = $KeyName

    $hostKeySpec = New-Object VMware.Vim.CryptoKeyPlain
    $hostKeySpec.KeyId = $hostKeyId
    $hostKeySpec.Algorithm = $keyAlgorithim
    $hostKeySpec.KeyData = $hostBase64Key

    Write-Host -ForegroundColor Yellow "Adding ESXi Host Key ${KeyName} ..."
    try {
        $cm.CryptoManagerHostEnable($hostKeySpec)
    } catch {
        Write-Host -ForegroundColor Red "Failed to add host key ${KeyName} ...`n"
        break
    }

    # Automatically backup host key to CSV file
    if($Operation -eq "CREATE") {
        if (Test-Path -Path $CSVTPMKeyFile -PathType Leaf) {
            Write-Host -ForegroundColor Yellow "ESXi TPM Keys file $CSVTPMKeyFile exists, please use import operation"
        } else {
            $newcsv = {} | Select "KEYID","ALGORITHIM","TYPE","DATA" | Export-Csv $CSVTPMKeyFile
            $csvfile = Import-Csv $CSVTPMKeyFile
            $csvfile.KEYID = $KeyName
            $csvfile.ALGORITHIM = $keyAlgorithim
            $csvfile.TYPE = "HOST"
            $csvfile.DATA = $hostBase64Key
            Write-Host -ForegroundColor Yellow "Exporting ${KeyName} to $CSVTPMKeyFile ..."
            $csvfile | Export-CSV -Path $CSVTPMKeyFile
        }
    }
    Write-Host -ForegroundColor Green "Successfully added initial host encryption key ${KeyName} ...`n"
}

Function New-VMTPMKey {
<#
    .NOTES
    ===========================================================================
    Created by:    William Lam
    Organization:  VMware
    Blog:          www.williamlam.com
    Twitter:       @lamw
    ===========================================================================
    .DESCRIPTION
        This function creates and/or ipmorts Host key
    .PARAMETER Operation
        CREATE or IMPORT
    .PARAMETER KeyName
        Name of the VM Key
    .PARAMETER CSVTPMKeyFile
        Name of CSV file to save TPM keys (Default: tpm-keys.csv)
    .EXAMPLE
        # Request new Host Key
        New-VMTPMKey -Operation CREATE -KeyName "windows-11-key"
    .EXAMPLE
        # Imports an existing Host Key
        New-VMTPMKey -Operation IMPORT -KeyName "windows-11-key" -CSVTPMKeyFile tpm-keys.csv

#>
    param(
        [Parameter(Mandatory=$true)][ValidateSet("CREATE","IMPORT")][string]$Operation,
        [Parameter(Mandatory=$true)][String]$KeyName,
        [Parameter(Mandatory=$false)][String]$CSVTPMKeyFile="tpm-keys.csv"
    )

    $cm = Get-View $global:DefaultVIServer.ExtensionData.Content.CryptoManager

    # Ensure ESXi host encryption is enabled
    if($cm.Enabled) {
        # Create or import VM key
        if($Operation -eq "CREATE") {
            Write-Host -ForegroundColor Yellow "Generating random 256 bit VM key ..."
            $vmBase64Key = New-256BitKey
            $keyAlgorithim = "AES-256"
        } else {
            $csvfile = Import-Csv $CSVTPMKeyFile
            foreach ($line in $csvfile) {
                if($line.KEYID -eq $KeyName -and $line.TYPE -eq "VM") {
                    Write-Host -ForegroundColor Yellow "Importing existing VM key from $CSVTPMKeyFile ..."
                    $vmBase64Key = $line.DATA
                    $keyAlgorithim = $line.ALGORITHIM
                    break
                }
            }
        }

        if($vmBase64Key -eq $null) {
            Write-Host -ForegroundColor Red "Failed to find VM key ${KeyName} ...`n"
            break
        }

        $vmKeyId = New-Object VMware.Vim.CryptoKeyId
        $vmKeyId.keyId = $KeyName

        $vmKeySpec = New-Object VMware.Vim.CryptoKeyPlain
        $vmKeySpec.KeyId = $vmKeyId
        $vmKeySpec.Algorithm = $keyAlgorithim
        $vmKeySpec.KeyData = $vmBase64Key

        Write-Host -ForegroundColor Yellow "Adding VM key ${KeyName} ..."
        try {
            $cm.AddKey($vmKeySpec)
        } catch {
            Write-Host -ForegroundColor Red "Failed to add VM key ${KeyName} ...`n"
            break
        }

        # Automatically backup VM key to CSV file
        if($Operation -eq "CREATE") {
            if (Test-Path -Path $CSVTPMKeyFile -PathType Leaf) {
                $tmp = [PSCustomObject] [ordered]@{
                    KEYID = $KeyName;
                    ALGORITHIM = $keyAlgorithim;
                    TYPE = "VM";
                    DATA = $vmBase64Key
                }
                Write-Host -ForegroundColor Yellow "Exporting ${KeyName} to $CSVTPMKeyFile ..."
                $tmp | Export-CSV -Append -NoTypeInformation -Path $CSVTPMKeyFile
            } else {
                Write-Error "Unable to find $CSVTPMKeyFile ..."
            }
        }
        Write-Host -ForegroundColor Green "Successfully added VM encryption key ${KeyName} ...`n"
    } else {
        Write-Host -ForegroundColor Red "`nESXi host has not been prepared for encryption ...`n"
    }
}

Function Remove-VMTPMKey {
<#
    .NOTES
    ===========================================================================
    Created by:    William Lam
    Organization:  VMware
    Blog:          www.williamlam.com
    Twitter:       @lamw
    ===========================================================================
    .DESCRIPTION
        This function removes an existing VM key
    .PARAMETER KeyName
        Name of the VM Key
    .PARAMETER Force
        Force remove VM Key
    .EXAMPLE
        # Remove VM key
        Remove-VMTPMKey -KeyName "windows-11-key"
    .EXAMPLE
        # Forcefully remove VM key
        Remove-VMTPMKey -KeyName "windows-11-key" -Force $true
#>
    param(
        [Parameter(Mandatory=$true)][String]$KeyName,
        [Parameter(Mandatory=$false)][Boolean]$Force=$false
    )

    $cm = Get-View $global:DefaultVIServer.ExtensionData.Content.CryptoManager

    $key = $cm.ListKeys($null) | where {$_.KeyId -eq $KeyName}
    Write-Host -ForegroundColor Yellow "Removing VM key ${KeyName} ..."
    try {
        $cm.RemoveKey($key,$Force)
    } catch {
        Write-Host -ForegroundColor Red "Failed to remove VM key, maybe in use or use -Force option to forcefully remove ...`n"
        break
    }
    Write-Host -ForegroundColor Green "Successfully removed VM key ...`n"
}

Function Get-VMHostTPMKeys {
<#
    .NOTES
    ===========================================================================
    Created by:    William Lam
    Organization:  VMware
    Blog:          www.williamlam.com
    Twitter:       @lamw
    ===========================================================================
    .DESCRIPTION
        This function returns all Host/VM keys
    .EXAMPLE
        Get-VMHostTPMKeys
#>

    $cm = Get-View $global:DefaultVIServer.ExtensionData.Content.CryptoManager

    if($cm.Enabled) {
        $cm.ListKeys($null)
    } else {
        Write-Host -ForegroundColor Red "`nESXi host has not been prepared for encryption or does not contain initial host key ...`n"
    }
}
Function Reconfigure-VMWithvTPM {
<#
    .NOTES
    ===========================================================================
    Created by:    William Lam
    Organization:  VMware
    Blog:          www.williamlam.com
    Twitter:       @lamw
    ===========================================================================
    .DESCRIPTION
        This function adds vTPM to existing VM and applies an existing VM key for encryption
    .PARAMETER KeyName
        Name of the VM Key
    .PARAMETER VMName
        Name of the VM to add vTPM
    .EXAMPLE
        Reconfigure-VMWithvTPM -KeyName "windows-11-key" -VMName "Windows-11"
#>
    param(
        [Parameter(Mandatory=$true)][String]$KeyName,
        [Parameter(Mandatory=$true)][String]$VMName
    )

    $vm = Get-VM $VMName

    $cm = Get-View $global:DefaultVIServer.ExtensionData.Content.CryptoManager

    # Retrieve VM key
    $cryptoSpec = New-Object VMware.Vim.CryptoSpecEncrypt
    $cryptoSpec.CryptoKeyId = $cm.ListKeys($null) | where {$_.KeyId -eq $KeyName}

    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec

    # Set VM encryption key
    $spec.Crypto = $cryptoSpec

    # Add TPM device
    $spec.deviceChange = New-Object VMware.Vim.VirtualDeviceConfigSpec
    $spec.deviceChange[0].operation = 'add'
    $spec.deviceChange[0].device = New-Object VMware.Vim.VirtualTPM
    $spec.DeviceChange[0].Device.Key = 11000

    # Reconfigure VM
    Write-Host -ForegroundColor Yellow "Adding vTPM to ${VMName} using encryption key ${KeyName} ..."
    $task = $vm.ExtensionData.ReconfigVM_Task($spec)
    $task1 = Get-Task -Id ("Task-$($task.value)")
    $task1 | Wait-Task
}

1.在PowerShell里運(yùn)行vTPMStandaloneESXiFunctions.ps1腳本文件以獲取指令；

. .\Desktop\vTPMStandaloneESXiFunctions.psl  //腳本存放的絕對(duì)位置