Deploying a Windows 11 virtual machine Instance on Apache CloudStack requires compliance with Microsoft’s system requirements. These include a compatible CPU (notably, the default KVM CPU model qemu64 is unsupported in Windows 11 24H2), UEFI firmware with Secure Boot, and a Trusted Platform Module (TPM) version 2.0, typically implemented as a vTPM.
In CloudStack 4.20.0.0 and earlier, deployment was complex: administrators had to configure the guest CPU mode globally and manually add a vTPM device via CloudMonkey CLI commands using extraconfig. From CloudStack 4.20.1.0 onwards, deployment was simplified: administrators can set the CPU mode and model directly in Instance settings, and users can specify the vTPM model (e.g., tpm-tis or tpm-crb) and version in the Instance settings tab. Additionally, vTPM support for VMware was introduced, requiring administrators to configure a Native Key provider and ensure that the Instance uses the UEFI boot type.
Windows 11 is the latest major release of Microsoft’s Windows operating system, succeeding Windows 10. It was officially announced on June 24, 2021, and released on October 5, 2021. Windows 11 introduces a redesigned user interface, enhanced performance, and new security features, while maintaining compatibility with most Windows 10 apps and hardware. This guide introduces the best practice for deploying a Windows 11 Instance on KVM hosts in Apache CloudStack.
Requirements
Microsoft has published the system requirements on its website. Of these, a virtualization environment must meet the following specifications to run a Windows 11 Instance:
- Compatible CPU
Microsoft lists the supported processors (see References). Please note that the qemu64 CPU (the default Instance CPU model on KVM hosts) is no longer supported in the latest Windows 11 24H2.
- System Firmware
The hardware should be capable of using UEFI (Unified Extensible Firmware Interface, a modern version of the PC BIOS) and Secure Boot. To support this, users should configure UEFI on the KVM host.
- TPM Module
Trusted Platform Module (TPM) version 2.0 is required. The TPM technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. If the hardware does not meet the requirements, the user will get an error message when deploying an Instance from a Windows ISO.
Deploying Windows 11 on CloudStack 4.20.0.0 and Earlier
- Configure guest CPU mode and model
Administrators must configure the CPU mode for Instances on the KVM Host. This setting affects all Instances on the Host, making it less than ideal.
- Deploy with Secure Boot
In the UI, when creating an Instance, go to the “Advanced” section. Set “Boot type” to UEFI and “Boot mode” to SECURE.
- Add vTPM via extraconfig
Since TPM is required, administrators must enable extra Instance configuration and allow users to add TPM devices:
update configuration name=enable.additional.vm.configuration value=true
update configuration name=allow.additional.vm.configuration.list.kvm value="backend,tpm,devices"
Users can then add a vTPM to a stopped VM. Example (adding tpm-crb version 2.0):
update virtualmachine id=<vmid> extraconfig="<devices><tpm model='tpm-crb'> <backend type='emulator' version='2.0'/> </tpm></devices>"
Deploying Windows 11 on CloudStack 4.20.1.0 and Later
From CloudStack 4.20.1.0, deployment was simplified:
- Administrators can set CPU mode and model per Instance.
- Users can specify vTPM model and version in the VM settings tab.
Supported TPM models:
- tpm-tis (TPM Interface Specification)
- tpm-crb (Command-Response Buffer)
Supported TPM versions:
- 2.0 (default; used if unspecified or invalid)
- 1.2 (not supported with tpm-crb)
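A pre-flight check for a vTPM extraconfig fragment, combining the allow-list from the 4.20.0.0 procedure with the model and version rules listed above. This is an added example, not CloudStack code: the function name, the sample fragments and the assumption that the allow-list is a set of permitted element names are constructed here, and CloudStack's own validation may differ.

```python
import xml.etree.ElementTree as ET

# Values taken from the article; how CloudStack enforces them is an assumption.
ALLOWED_ELEMENTS = {"backend", "tpm", "devices"}  # allow.additional.vm.configuration.list.kvm
TPM_MODELS = {"tpm-tis", "tpm-crb"}
TPM_VERSIONS = {"2.0", "1.2"}

# Constructed samples: GOOD is the article's fragment, BAD breaks three rules.
GOOD = "<devices><tpm model='tpm-crb'> <backend type='emulator' version='2.0'/> </tpm></devices>"
BAD = "<devices><tpm model='tpm-crb'><backend type='emulator' version='1.2'/></tpm><disk/></devices>"


def check_vtpm_extraconfig(fragment, allowed=ALLOWED_ELEMENTS):
    """Return a list of problems in an operator-written <devices> fragment."""
    try:
        root = ET.fromstring(fragment)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    for elem in root.iter():  # every element, root included, must be allowed
        if elem.tag not in allowed:
            problems.append(f"element <{elem.tag}> is not on the allow-list")
    tpms = root.findall("tpm") if root.tag == "devices" else []
    if len(tpms) != 1:
        problems.append(f"expected exactly one <tpm> under <devices>, found {len(tpms)}")
        return problems
    tpm = tpms[0]
    model = tpm.get("model")
    if model not in TPM_MODELS:
        problems.append(f"unsupported TPM model {model!r}")
    backend = tpm.find("backend")
    if backend is None or backend.get("type") != "emulator":
        problems.append("<backend type='emulator'> is missing")
        return problems
    version = backend.get("version", "2.0")  # 2.0 is the article's default
    if version not in TPM_VERSIONS:
        problems.append(f"unsupported TPM version {version!r}")
    if version == "1.2" and model == "tpm-crb":
        problems.append("TPM 1.2 is not supported with tpm-crb")
    if version != "2.0":
        problems.append("Windows 11 requires TPM 2.0")
    return problems


if __name__ == "__main__":
    for name, fragment in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_vtpm_extraconfig(fragment) or "ok")
```

Running the check before `update virtualmachine` keeps a fragment that carries extra devices or a TPM 1.2 backend from reaching the Instance definition.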
vTPM Support on VMware
CloudStack 4.20.1.0 also introduced vTPM support for Windows 11 instances on VMware.
Steps for Administrators:
1. Add a Native Key provider.
2. After creation, click BACK UP to activate it.
Users can then add vTPM via Instance settings.
Note: The Instance must use UEFI boot type. Boot mode can be SECURE (recommended) or LEGACY.
Conclusion
Deploying Windows 11 on Apache CloudStack requires meeting Microsoft’s hardware and firmware requirements, including a supported CPU, UEFI with Secure Boot, and TPM 2.0. Earlier versions of CloudStack (≤ 4.20.0.0) required global host configuration changes and manual vTPM setup, which made deployments more complex. From version 4.20.1.0 onward, administrators and users can configure CPU models and vTPM settings directly in the VM configuration, simplifying the process and providing better alignment with Windows 11 requirements. VMware environments are also supported with vTPM, provided a Native Key provider is configured. These improvements make Windows 11 deployments more straightforward and consistent across hypervisors in Apache CloudStack.
References
https://www.microsoft.com/en-us/windows/windows-11-specifications
https://learn.microsoft.com/en-us/windows-hardware/design/minimum/windows-processor-requirements
https://docs.cloudstack.apache.org/en/latest/installguide/hypervisor/kvm.html#uefi-legacy-secureboot
Wei Zhou works as a Software Architect at ShapeBlue. He has many years of experience in cloud computing and a passion for cutting-edge technology. Wei works on software design and implementation, as well as resolving issues for customers and community users. Wei has been a committer of the Apache CloudStack project since 2013 and a PMC member since 2017.