Use virtual Trusted Platform Module in Parallels Desktop


Overview

Parallels Desktop 15 for Mac Pro and Business Edition introduced virtual Trusted Platform Module (TPM) support for Windows 10 (EFI). Parallels Desktop stores TPM-related information in a secure file that is encrypted with a password; that password is kept in a secure vault, the macOS Keychain.

Note: it is not recommended to move, copy or clone a virtual machine with TPM enabled. Always keep a backup of important information, especially recovery keys.

Enable TPM

Important: A virtual machine with TPM enabled cannot be used on another Mac, because every TPM chip, including a virtualized one, is unique.

1. Open the virtual machine's configuration > Hardware > click + > select TPM chip > click Add

2. Launch Windows > Windows will automatically detect the TPM chip. You can now use Windows features and applications that require TPM.


No TPM chip to add

If you went to Hardware > + but see no TPM chip there, your Windows virtual machine is based on Legacy BIOS. The TPM chip works with UEFI/EFI BIOS only.

  1. If Legacy is set, create a new Windows virtual machine.
  2. When you reach the Name and Location window while creating the machine, enable Customize settings before installation > in the configuration window that opens automatically, go to Hardware > scroll down to Boot Order > expand Advanced Settings > enable EFI Secure Boot.

  3. Close the configuration window and proceed with Windows installation.

Enable BitLocker and Secure Boot

Important: If you intend to enable BitLocker in Windows, make sure to enable Secure Boot as well. Otherwise Windows will require a recovery key after installing Parallels Desktop updates/upgrades.

1. With TPM enabled, in Windows click Start > type "BitLocker" > open Manage BitLocker.

2. Click Turn on BitLocker > click Next several times > save the recovery key to a secure place and click Next > click Next > click Start encrypting.

    Note: A Windows virtual machine will take much more disk space after enabling BitLocker encryption.

3. When encryption is finished, shut down the Windows virtual machine.

4. Enable Secure Boot using instructions from KB 124242.
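To confirm that the steps above left the guest in the intended state (TPM detected, Secure Boot on, BitLocker protecting the system drive with a saved recovery password), the following added PowerShell check, which is not part of the Parallels article, can be run inside the Windows virtual machine from an elevated prompt; it relies only on the built-in Get-Tpm, Confirm-SecureBootUEFI and Get-BitLockerVolume cmdlets, and the function name is my own.

```powershell
# Added example (not Parallels' own code): verify the state the article's steps
# should produce inside the Windows guest. Run from an elevated PowerShell session.

function Test-TpmBitLockerState {
    param([string]$MountPoint = $env:SystemDrive)

    $result = [ordered]@{}

    # 1. Virtual TPM: Windows should report it once the TPM chip device is added.
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # 2. Secure Boot: Confirm-SecureBootUEFI throws on a Legacy BIOS machine,
    #    which is the same case in which Parallels offers no TPM chip to add.
    try {
        $result.SecureBoot = Confirm-SecureBootUEFI
        $result.Firmware   = 'UEFI'
    } catch {
        $result.SecureBoot = $false
        $result.Firmware   = 'Legacy BIOS or unsupported'
    }

    # 3. BitLocker on the system drive and the key protectors it has.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $result.BitLockerProtection = $vol.ProtectionStatus        # On / Off
    $result.EncryptionPercent   = $vol.EncryptionPercentage
    $result.HasTpmProtector     = [bool]($vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm')
    $result.HasRecoveryPassword = [bool]($vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # 4. The article's caveats: BitLocker without Secure Boot leads to a recovery
    #    prompt after Parallels Desktop updates, and removing the TPM chip without a
    #    backed-up recovery key can leave Windows unable to boot.
    $result.Warnings = @()
    if ($vol.ProtectionStatus -eq 'On' -and -not $result.SecureBoot) {
        $result.Warnings += 'BitLocker is on but Secure Boot is off: expect a recovery-key prompt after Parallels Desktop updates.'
    }
    if ($vol.ProtectionStatus -eq 'On' -and -not $result.HasRecoveryPassword) {
        $result.Warnings += 'No recovery-password protector found: save the recovery key before disabling TPM.'
    }

    [pscustomobject]$result
}

Test-TpmBitLockerState | Format-List
```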

Disable TPM

Important: It is highly recommended to back up your virtual machine before disabling TPM. Depending on the security features configured, Windows may not boot without access to the TPM chip.

1. Open the virtual machine's configuration > Hardware > select TPM chip > click - below to remove the component > click Remove to confirm.

2. TPM is now disabled for this virtual machine. However, the stored TPM information is not removed: add the TPM chip again to re-enable it.
