Horizon vSphere / vCenter Windows 11

Prepare HomeLab for Windows 11 Desktops

With the release of the newest Microsoft desktop operating system, many of you are going to want to play with hosting in your #HomeLabs. As I started looking at the various documentation sites on what is required to run Windows 11, I found there were a couple things that I needed to accomplish first before I started trying to install it.

I was pleased to find that VMware updated their list of supported guest operating systems for Horizon 8 to include Windows 11. Per their KB article,, you will need to upgrade your Horizon infrastructure to Horizon 8 version 2106. It is not officially supported on any of the earlier releases of the Horizon Agent.

Per the Microsoft guide,, your Windows 11 VMs will need to be configured with the following minimal specifications:

Processor2 vCPUs, 1GHz or faster, 64-bit
Memory4 GB
Storage64GB or larger
Boot OptionsEFI Firmware, Secure Boot recommended
TPM DeviceVirtual Trusted Platform Module

Of these requirements, adding the Virtual Trusted Platform Module was the one that caused me to scratch my head. You will need to update your VMware vCenter and vSphere environment as well. I’ll walk through that process here. According to the VMware documentation, your ESXi hosts must be running version 6.7 or later for these Windows 11 guests. The first step is to navigate to your vCenter Key Providers Configuration using the vSphere Client as shown in the image below:

When you click the drop down to “Add” a new key provider, you are presented two options as shown here:

The Standard Key Provider is an external Key Management Server (KMS) on your network that is able to issue cryptographic keys. The Native Key Provider is an option that is available in vSphere 7.0 Update 2 or later. It allows your vCenter server to generate and manage the cryptographic keys that will be used for the Virtual Trusted Platform Modules and encrypted virtual machines. The Native Key Provider module is available in all vSphere editions, but for Virtual Machine Encryption, you will need to have vSphere Enterprise Plus edition. Luckily for us, the VMUG Advantage licenses that we are running provide that version.

For my purposes, since I don’t have an external KMS and all of my hosts are running vSphere 7.0 Update 2 or later, I will be using the Native Key Provider. But since not all of my hosts have a recognized TPM, I will not limit the key provider usage. I’m going to give a simple name to my NKP and leave the other option unchecked. Obviously, in a production environment, you will likely have TPMs enabled and working correctly, so I would recommend checking the block in those cases.

Once you click “Add Key Provider”, you will be brought back to the main Key Providers page and should see your new key provider. Select the provider and look at the details as shown here:

You will need to back up your key provider’s private key before the NKP will become active and usable. Click the “Back Up” button and you will be presented with the option to download the private key without a password.

Do yourself and my security neurosis a favor and click “Protect Native Key Provider data with password”. You will have to provide a password to be used to extract the private key from the backup. Choose something you can either remember easily or save it to your favorite Password Manager. Click the “I have saved the password in a secure place” and the “Back Up Key Provider” button will activate.

You will then be prompted to save the .p12 file. Store this in a safe place in the event you need to recover the key later.

Once saved, you will be brought back to the Key Providers page and should see that your new Native Key Provider is “Active”:

That is all I wanted to cover in this blog entry. Just cover a couple of the basic requirements that you will need to have in your #HomeLab environment if you’d like to start playing with the new Windows 11 as a VMware Horizon virtual desktop. Enjoy!

Leave a Reply