
PowerCLI for VM Encryption and TPM Configuration: Secure Workload Provisioning at Scale

Introduction

Security-sensitive workloads often require encryption at rest and support for virtual TPM (vTPM) devices. These features are built into vSphere and can be automated using PowerCLI. This article shows how to encrypt virtual machines, manage encryption policies, configure vTPM devices, and validate encryption status programmatically.

Topics include:


My Personal Repository on GitHub

VMware Repository on GitHub


Prerequisites

Before automating encryption:

Connect to vCenter:

Connect-VIServer -Server "vcenter.lab.local"

Step 1: Identify or Create Encrypted Storage Policy

List available policies:

Get-SpbmStoragePolicy | Where-Object {$_.Name -like "*Encrypt*"}

Example policy name: VM Encryption Policy

If no policy exists, create one in vSphere Client that uses KMS-backed encryption rules.


Step 2: Encrypt an Existing VM

$vm = Get-VM -Name "SQLSecure01"
$policy = Get-SpbmStoragePolicy -Name "VM Encryption Policy"

Set-SpbmEntityConfiguration -Entity $vm -StoragePolicy $policy

Applying the policy reconfigures the VM's home files and disks to match it, so the VM is encrypted in place where the environment supports it.


Step 3: Deploy a New Encrypted VM

New-VM -Name "SecureApp01" `
-Template "Win2019-Base" `
-Datastore "Encrypted-DS" `
-VMHost "esxi01.lab.local" `
-StoragePolicy $policy

Step 4: Add vTPM to a VM

Virtual TPM devices require:

$vm = Get-VM -Name "SecureApp01"

New-VTpm -VM $vm

You can also verify TPM status with the Get-VTpm cmdlet, which returns the vTPM device attached to the VM (nothing is returned if no vTPM is present):

Get-VTpm -VM $vm

Step 5: Verify Encryption and TPM Status

# Config.KeyId is set once the VM home is encrypted; the vTPM shows up as a VirtualTPM device
Get-VM | Select-Object Name,
    @{N="Encrypted";E={[bool]$_.ExtensionData.Config.KeyId}},
    @{N="vTPM";E={$null -ne ($_.ExtensionData.Config.Hardware.Device | Where-Object {$_ -is [VMware.Vim.VirtualTPM]})}}

Export to CSV:

Get-VM | Select-Object Name, PowerState, @{N="Encrypted";E={[bool]$_.ExtensionData.Config.KeyId}}, VMHost | Export-Csv "C:\Reports\VM_Encryption_Status.csv" -NoTypeInformation

Diagram: Encryption and TPM Workflow


Use Case: Secure Workload Baseline for New App Tier

Use encrypted VM template and vTPM by default:

New-VM -Name "NewFinanceVM" `
-Template "Encrypted-Win2022-Base" `
-VMHost "esxi02.lab.local" `
-Datastore "SecureDS" `
-StoragePolicy (Get-SpbmStoragePolicy -Name "VM Encryption Policy")

Add vTPM immediately after:

New-VTpm -VM (Get-VM -Name "NewFinanceVM")
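Pulling Steps 2, 4 and 5 into one guarded function, as an added example that is not code from the original article: it stops on the conditions the troubleshooting table lists (powered-on VM, hardware version below 14, no key issued after the policy is applied) and returns the same verification fields Step 5 reports. It assumes an open Connect-VIServer session and that the VM and policy names you pass exist; Protect-VMWithTpm is a name chosen here.

```powershell
# Added example, not from the original article: encrypt an existing VM, add a vTPM,
# and return its resulting state. Assumes Connect-VIServer has already been run.
function Protect-VMWithTpm {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [string]$PolicyName = 'VM Encryption Policy'
    )

    $vm     = Get-VM -Name $VMName -ErrorAction Stop
    $policy = Get-SpbmStoragePolicy -Name $PolicyName -ErrorAction Stop

    # Encrypting the VM home and disks requires the VM to be powered off.
    if ($vm.PowerState -ne 'PoweredOff') {
        throw "$VMName must be powered off before it can be encrypted."
    }

    # A vTPM needs virtual hardware version 14 or later (see Troubleshooting).
    $hwVersion = [int]($vm.HardwareVersion -replace '^vmx-', '')
    if ($hwVersion -lt 14) {
        throw "$VMName is at vmx-$hwVersion; upgrade to vmx-14 or later first."
    }

    # Apply the encryption policy only if the VM does not already hold a key.
    if (-not $vm.ExtensionData.Config.KeyId) {
        Set-SpbmEntityConfiguration -Entity $vm -StoragePolicy $policy -ErrorAction Stop | Out-Null
        $vm = Get-VM -Name $VMName   # re-read so ExtensionData reflects the reconfigure
    }
    if (-not $vm.ExtensionData.Config.KeyId) {
        throw "Policy applied but $VMName received no key; check the KMS connection in vCenter."
    }

    # Add the vTPM device once; skip if one is already present.
    if (-not (Get-VTpm -VM $vm -ErrorAction SilentlyContinue)) {
        New-VTpm -VM $vm -ErrorAction Stop | Out-Null
        $vm = Get-VM -Name $VMName
    }

    # Verification record, the same fields Step 5 reports.
    [pscustomobject]@{
        Name       = $vm.Name
        HWVersion  = $vm.HardwareVersion
        Encrypted  = [bool]$vm.ExtensionData.Config.KeyId
        vTPM       = [bool](Get-VTpm -VM $vm -ErrorAction SilentlyContinue)
        Compliance = (Get-SpbmEntityConfiguration -VM $vm).ComplianceStatus
    }
}

Protect-VMWithTpm -VMName 'SQLSecure01' | Format-List
```

A Compliance value of Unknown right after the change is expected until vCenter re-checks the policy.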

Troubleshooting

Problem: Encryption fails with error
Fix: Ensure KMS is configured and policy is available

Problem: vTPM device not allowed
Fix: VM must use encrypted VM home and hardware version 14 or later

Problem: Set-SpbmEntityConfiguration fails
Fix: Confirm datastore supports encryption and policy is correct

Problem: Encryption compliance shows Unknown
Fix: Wait for sync or rescan policies via vCenter

What’s Next

The next article will focus on:
