
May 21, 2023

VMware Horizon – Windows 11 Golden Image without vTPM

When creating a Windows 11 golden image in VMware, it’s best not to include vTPM on the master image.

 

A Windows 11 golden image is a pre-configured version of Windows 11 that has all the necessary settings, applications, and updates installed. This image can be used to create multiple identical copies of Windows 11 VMs quickly and easily.

 

Virtual Trusted Platform Module (vTPM) is a VMware feature that emulates a hardware-based security component, the TPM. A TPM is used to encrypt and secure data on a computer.
So why not use vTPM with a Windows 11 golden image? If you use the same vTPM for all VMs, restoring data from an encrypted VM will cause data loss. In other words, if one of the VMs has encrypted data and you try to restore it using the same vTPM as other VMs, you might lose data on those other VMs.

 

How do you create a Windows 11 master image without vTPM? I’m so glad you asked.

 

First, download the following:
• Windows ADK
• Windows PE add-on for the Windows ADK

https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install

 

Log in to any VM running Windows Server 2019/2022 or to an existing Windows 11 PC.
I’m using a Windows Server for future updating of the WinPE image.
Run and install the Windows Assessment and Deployment Kit (ADK).

Accept the license agreement.

 

 

Continue and install the selected features:

 

 

Wait for the installation to complete.

 

Un-check “Launch the getting started guide.”

 

Install Windows Preinstallation Environment (PE) ADK Add-on:

 

 

 

Accept the license agreement.

Creating the WinPE ISO:

 

Create three directories:
• C:\test\mount
• C:\test\drivers
• C:\test\scripts

 

 

Open Deployment and Imaging Tools Environment as “administrator”:

 

 

Run this command to create the WinPE folder:
copype amd64 c:\test\winpe

 

 

Execute this command to mount the WinPE image to the mount directory:
dism /Mount-Image /ImageFile:C:\test\winpe\media\sources\boot.wim /index:1 /MountDir:C:\test\mount\

 

 

Copy the base files (that you download from this link) to the scripts folder:

 

Run the following commands:
cd c:\test\scripts
copy startnet.cmd C:\test\mount\Windows\System32\
copy deploy.cmd C:\test\mount\
copy CreatePartitions-UEFI.txt C:\test\mount\
copy Unattend.xml C:\test\mount

 

If you’re using the Unattend.xml file, change the admin and user passwords to clear text or to another Base64 password of your choice.
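
How the Base64 option in that step works, as an added example that is not part of the original post or its base files: Windows stores a non-plaintext unattend password as Base64 of the UTF-16LE password with the element name appended, so it is an encoding, not encryption. The Python below generates such a value and audits an Unattend.xml for how each password is stored; the function names and the sample XML are constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET

# Windows appends the element name to the password before encoding it.
SUFFIX = {"AdministratorPassword": "AdministratorPassword", "Password": "Password"}

def encode_unattend_password(password, element):
    """Build the <Value> text used with <PlainText>false</PlainText>."""
    raw = (password + SUFFIX[element]).encode("utf-16-le")
    return base64.b64encode(raw).decode("ascii")

def audit_unattend(xml_text):
    """Return (element, storage) for every password element; never returns the secret."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        name = node.tag.split("}")[-1]  # drop the XML namespace
        if name not in SUFFIX:
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in node}
        if "Value" not in fields:
            continue
        # Assumption of this example: a missing <PlainText> is treated as plaintext.
        if fields.get("PlainText", "true").lower() != "false":
            findings.append((name, "plaintext"))
            continue
        try:
            decoded = base64.b64decode(fields["Value"], validate=True).decode("utf-16-le")
        except ValueError:  # covers bad Base64 and bad UTF-16
            findings.append((name, "undecodable"))
            continue
        ok = decoded.endswith(SUFFIX[name])
        findings.append((name, "base64-recoverable" if ok else "base64-unknown"))
    return findings

# Constructed sample, not the Unattend.xml from the post's base files.
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
 <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
  <UserAccounts>
   <AdministratorPassword><Value>{admin}</Value><PlainText>false</PlainText></AdministratorPassword>
   <LocalAccounts><LocalAccount>
    <Password><Value>Constructed-Pw2</Value><PlainText>true</PlainText></Password>
   </LocalAccount></LocalAccounts>
  </UserAccounts>
 </component></settings>
</unattend>""".format(admin=encode_unattend_password("Constructed-Pw1", "AdministratorPassword"))

if __name__ == "__main__":
    for element, storage in audit_unattend(SAMPLE):
        print(f"{element}: {storage}")
```

Both "plaintext" and "base64-recoverable" mean that anyone who can read the Unattend.xml inside the WinPE ISO can recover the password, so use a build-only password there and change it once the image is deployed.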

 

Copy the VMTools drivers to the WinPE folder:
Download the latest VMTools ISO from the following link.
Mount the ISO to your PC/VM.
Copy the drivers from the mounted drive to the WinPE drivers folder:
copy "E:\Program Files\VMware\VMware Tools\Drivers\pvscsi\Win10\amd64\" C:\test\drivers

 

 

Run this command to add the drivers to the mounted image:
dism /image:C:\test\mount\ /add-driver /driver:C:\test\drivers\ /Recurse

 

 

To commit all changes just unmount the image with this command:
dism /Unmount-Image /Mountdir:C:\test\mount\ /commit

 

 

The last step is to create the ISO file from the image you created:
MakeWinPEMedia /ISO C:\test\winpe C:\test\WinPE_amd64.iso

 

 

Create a new VM:
Create a VM with the requirements for Windows 11 and two CD drives
• First drive – WinPE ISO
• Second drive – Windows 11 ISO

 

 

You can download the ISO from this link:

https://www.microsoft.com/en-us/software-download/windows11

 

 

Start your Windows 11 VM

 

 

A DISKPART script will run:

Immediately following, you will be prompted to choose the version of Windows 11 you wish to install.

 

 

After selecting the OS, the script will apply the OS image.

 

 

Once this completes, the VM will boot automatically.

 

 

The sysprep unattend file will then apply all the customization settings.

 

Now you can see the desktop of the Windows 11 OS running without TPM!

 

 

You can find further documentation of this process at VMware KB: https://kb.vmware.com/s/article/88320.

 

Contributed by: Guy Hemed, TeraSky VDI Specialist

 
