Use virtual Trusted Platform Module (TPM) in Parallels Desktop


Overview

A virtual Trusted Platform Module (TPM) is a cryptographic component that can be added to Windows 10 and newer Windows virtual machines (VMs) that boot with UEFI BIOS. The virtual TPM is an optional layer of security for a virtual machine: it lets you protect data from unauthorized access and use Windows security features that require a TPM.

After you add a virtual TPM chip to a VM, Parallels Desktop creates an encrypted file inside the virtual machine bundle that acts as the TPM storage. Parallels Desktop encrypts this file with the Advanced Encryption Standard (AES) using a 128-bit key and stores the password in the macOS System keychain, which is itself encrypted; only Parallels Desktop (or a Mac administrator) can read the TPM password from the keychain. Note the trust boundary this creates: the virtual TPM is only as trustworthy as the host Mac, since anyone with administrator rights on that Mac can recover the TPM storage password, and the VM cannot unlock its existing TPM storage on a Mac where that keychain record is absent.

Note: adding a TPM chip will automatically enable Secure Boot in your VM.

TPM availability in Parallels Desktop 

Starting with Parallels Desktop 17, virtual Trusted Platform Module (TPM) 2.0 support is available for all Parallels Desktop for Mac Editions: Standard, Pro, and Business. Moreover, Parallels Desktop 17 adds support for a virtual TPM on Mac computers with Apple M1 chip.

In Parallels Desktop 15 and 16 for Intel-based Mac computers, a vTPM chip is available for Pro and Business Editions only. All Editions of Parallels Desktop 16 support this feature on Mac computers with Apple M1 chips starting with Parallels Desktop 16.5.2.

Upgrade to Windows 11

On September 16, 2021, Microsoft announced a change that aligns the enforcement of the Windows 11 system requirements on virtual machines (VMs) with the enforcement on physical PCs.

So, a virtual TPM chip is required for upgrading to Windows 11.


Note: Starting with Parallels Desktop 17.1.0, a virtual TPM chip is added automatically to new Windows 11 virtual machines. 


Enable TPM

Important: moving, copying or cloning a virtual machine with TPM enabled is not recommended. Always keep a backup of important information, especially recovery keys (for example BitLocker recovery keys), because the password that unlocks the TPM storage lives in the source Mac's System keychain. A virtual machine with TPM enabled is therefore tied to that Mac: by default it cannot be started on another computer if it is copied or moved.

Note: if a vTPM chip does not appear in the list of devices you can add when you click Hardware > + on your Intel-based Mac, your Windows virtual machine is based on Legacy BIOS. A TPM chip works with UEFI/EFI BIOS only. To check the BIOS type, follow the steps from KB 115815.

1. Shut down Windows.

2. Open the virtual machine's configuration > Hardware > click + > select TPM chip > click Add

3. Launch Windows. Windows will automatically detect the TPM chip. You can now use Windows features and applications that require TPM.

Note: the Windows 11 upgrade offer may not appear immediately after you add a TPM chip. According to Microsoft, "upgrade rollout plan is being finalized and is scheduled to begin late in 2021 and continue into 2022. Specific timing will vary by device".

Move virtual machine with TPM to another Mac

Move VM with TPM using iCloud (recommended)

By default, starting with Parallels Desktop 17.1.0, if you use the same Apple ID and have iCloud set up on both the source and the target Mac, Parallels Desktop automatically transfers the corresponding Keychain Access.app record for your VM through iCloud Keychain. Follow the steps below to use this option:

1. Make sure you have the latest Parallels Desktop version installed on both Mac computers.

2. Log in to iCloud in System Preferences on the source and target Mac with the same Apple ID and make sure Keychain sync is enabled on each computer.

3. Both Macs should be connected to the Internet.

4. Locate the VM you want to move and copy it to the target Mac. Learn more at KB 114118.

5. Double-click the copied VM on the target Mac to start it.

Note: starting with Parallels Desktop 18, if Parallels Desktop can't find the TPM password for the TPM storage in the Mac keychain, it automatically renames the migrated storage as a backup, creates new TPM storage, encrypts it with a new password and creates a new keychain record for it. The VM then starts, but with an empty TPM: anything sealed to the old TPM is no longer available, so BitLocker-protected drives will ask for their recovery key.

Move VM with TPM manually

Note: it's not currently possible to move a VM with TPM manually in Parallels Desktop App Store Edition.

1. Open Spotlight on the source Mac and type in 'Keychain Access'. Hit Enter to open the Keychain Access.app.

2. On the top Mac menu bar click File > New Keychain... > create a name for the new Keychain and select the folder where it will be stored, e.g. Desktop. Click Create.

3. Once the window asking you to create a password appears, set a new password and verify it. Click OK.

4. Unlock both System and the created custom Keychain by right-clicking the Keychain and selecting Unlock Keychain "name_of_the_keychain".

Note: while unlocking the System Keychain it will ask you to enter the password from your Mac. Please enter it. While unlocking the created custom Keychain enter the password you've set for it.

5. Select System in the sidebar. Type 'TPM' in the search field and locate the item whose name contains the UUID of your virtual machine.

Note: UUID of the virtual machine can be located using Terminal (Finder > Applications > Utilities > Terminal). Open Terminal and execute the command below:

prlctl list -a

The output of the command will show the names of all your virtual machines and their UUID.

6. Right-click the entry with the same UUID and select Copy "Parallels.vTPM.{UUID_of_your_VM}" 


7. Open the created custom Keychain, right-click in the item list on the right and select the option to paste the item.

8. Copy the virtual machine to the destination Mac. Learn more in KB 114118.

9. Copy the created custom Keychain and transfer the file to the Home folder of the destination Mac.

10. Double-click the transferred custom Keychain to add it to Keychain Access. 

11. Unlock the transferred custom Keychain and enter the password you've set for it.

12. Perform the same for the System Keychain. Enter the password from the destination Mac.

13. Copy the file from the transferred custom Keychain by right-clicking it > Copy "Parallels.vTPM.{UUID_of_your_VM}".


14. Open the System Keychain, right-click the field on the right and select the option to paste the item. Keychain Access will ask you to enter the password for System Keychain. Enter the password from your Mac and click Modify Keychain.

Note: if you get the error message "An error has occurred. Unable to add an item to the current keychain", a record with the same name already exists in your System keychain. In this case, remove the existing record from the System keychain and restart Keychain Access.app. After that, try adding the record to the System keychain once again.

15. Start the virtual machine on the destination Mac by double-clicking it.
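Before copying the VM (step 8), it is worth confirming from Terminal that the keychain record the procedure moves actually exists for that VM. The bash script below is an added example, not part of the original article or of Parallels' own tooling: it takes the VM name, finds its UUID with `prlctl list -a` (the command used in step 5), derives the "Parallels.vTPM.{UUID}" label and checks the System keychain for it. It assumes the `prlctl list -a` column layout (UUID, STATUS, IP_ADDR, NAME) and that `security dump-keychain` lists item labels as plain text; neither is stated in the article.

```shell
#!/bin/bash
# Pre-move check for a Parallels VM with a virtual TPM (added example, not Parallels' code).
# Confirms that the System keychain holds the "Parallels.vTPM.{UUID}" record that has
# to travel with the VM, so you know before copying whether the VM will start on the
# target Mac with its existing TPM storage.
#
# Assumptions (not stated in the article): `prlctl list -a` prints one VM per line with
# the braced UUID as the first column and the VM name as the fourth and later columns,
# and `security dump-keychain` lists item attributes, including the label, as plain text.
set -u

# Print the {UUID} of the VM named $1, reading `prlctl list -a` output from stdin.
vm_uuid_from_list() {
    name="$1"
    awk -v want="$name" '
        NR > 1 {
            uuid = $1
            # The NAME column may contain spaces, so rejoin columns 4..NF.
            n = $4; for (i = 5; i <= NF; i++) n = n " " $i
            if (n == want) { print uuid; exit }
        }'
}

# Build the keychain item label shown in steps 6 and 13. prlctl already prints the
# UUID with braces, which matches the "Parallels.vTPM.{UUID}" form of the label.
vtpm_label() {
    printf 'Parallels.vTPM.%s\n' "$1"
}

# Succeed if a keychain dump read from stdin contains the vTPM record for UUID $1.
keychain_has_vtpm() {
    grep -qF -- "$(vtpm_label "$1")"
}

# Live check on a Mac with Parallels Desktop installed: $1 is the VM name.
check_vm() {
    uuid=$(prlctl list -a | vm_uuid_from_list "$1")
    if [ -z "$uuid" ]; then
        echo "no VM named '$1' in prlctl list -a output" >&2
        return 2
    fi
    if security dump-keychain /Library/Keychains/System.keychain | keychain_has_vtpm "$uuid"; then
        echo "OK: System keychain holds $(vtpm_label "$uuid"); copy it to a custom keychain (steps 5-7) before moving the VM."
        return 0
    fi
    echo "WARNING: no $(vtpm_label "$uuid") record in the System keychain." >&2
    echo "A copied VM would get fresh TPM storage (Parallels Desktop 18+); have BitLocker recovery keys ready." >&2
    return 1
}

# Run the live check only where the Parallels tools exist and a VM name was given,
# so the helper functions can also be exercised against captured output.
if command -v prlctl >/dev/null 2>&1 && [ "$#" -ge 1 ]; then
    check_vm "$1"
fi
```

Run it as `bash vtpm-check.sh "Windows 11"` on the source Mac; exit status 0 means the record is present, 1 means it is missing, and 2 means no VM of that name was found.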

Troubleshooting

TPM chip is not on the list 

1) Parallels Desktop 16 releases earlier than 16.5.2 don't support TPM on Mac computers with the Apple M1 chip. Upgrade to Parallels Desktop 17 to use this feature.

2) Parallels Desktop versions older than Parallels Desktop 17 support TPM on Mac computers with Intel processors only in the Pro and Business Editions, not in the Standard Edition.

3) If you go to Hardware > + on your Mac with an Intel processor and a TPM chip isn't listed, your Windows virtual machine is probably based on Legacy BIOS. A TPM chip works with UEFI/EFI BIOS only.

  1. Check whether your virtual machine uses Legacy BIOS by following the steps from KB 115815.
  2. If Legacy is set, create a new Windows virtual machine.
  3. When you reach the Name and Location window while creating the machine, enable Customize settings before installation.
  4. In the configuration window that opens automatically, go to Hardware, click + > select TPM chip > Add.
  5. Close the configuration window and proceed with the Windows installation.

4) If you have set Parallels Desktop to run Windows from a Boot Camp partition, adding a TPM chip to such a virtual machine is not supported, as it might lead to issues or even corruption of the Boot Camp partition; that is why the option to add a TPM chip is absent for these virtual machines. To upgrade such a virtual machine to Windows 11, import your Boot Camp virtual machine as described here.

PRL_ERR_TPM_SETUP_KEYCHAIN_FAILED error after trying to add a TPM chip 

This issue has been fixed in Parallels Desktop App Store Edition 1.7.1. Please make sure you have the latest version of Parallels Desktop App Store Edition installed.

Deploy Windows 11 to end users' computers

Starting with Parallels Desktop 18, you can deploy Windows 11 to end users' computers. When a Windows VM is migrated to new hardware, Parallels Desktop automatically creates new TPM storage, encrypts it with a new password, and creates a new keychain record for it.

As one of the available options, you can use the Provisioning a corporate VM image feature in My Account.
