Use virtual Trusted Platform Module (vTPM) in Parallels Desktop


Overview

Parallels Desktop 15 for Mac Pro Edition and Business Edition introduced virtual Trusted Platform Module (vTPM) support for Windows 10 virtual machines that boot with EFI firmware.

Note: Moving, copying or cloning a virtual machine with TPM enabled is not recommended. Always keep a backup of important data, especially BitLocker recovery keys. When TPM is enabled, the virtual machine is bound to the Mac it runs on: the key that protects the vTPM data is kept in that Mac's Keychain, so a copy of the virtual machine will not start on another computer.

Enable TPM

Important: A virtual machine with TPM enabled cannot be started on another Mac unless the vTPM decryption key is first copied to that Mac's Keychain. See Start VM on another Mac for details.

1. Open the virtual machine's configuration > Hardware > click + > select TPM Chip > click Add.

2. Start Windows. Windows detects the TPM chip automatically; you can now use Windows features and applications that require a TPM (check Device Manager > Security devices or tpm.msc if you want to confirm).

No TPM chip to add

If you open Hardware > + and no TPM chip is listed, the Windows virtual machine was created with Legacy BIOS. The TPM chip is available only for virtual machines that boot with UEFI/EFI firmware.

  1. If Legacy BIOS is set, create a new Windows virtual machine (the firmware type of an existing installation cannot simply be switched).
  2. When you reach the Name and Location window of the new virtual machine assistant, enable Customize settings before installation.
  3. In the configuration window that opens automatically, go to Hardware.
  4. Scroll down to Boot Order.
  5. Open Advanced Settings.
  6. Enable EFI Secure Boot.
  7. Close the configuration window and proceed with the Windows installation.
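The following PowerShell script is an added example and not part of the Parallels article. Run it in an elevated prompt inside the Windows guest to confirm the two things the sections above depend on: that the virtual machine boots via UEFI (otherwise the TPM chip device is never offered) and that Windows has actually detected a ready TPM. It uses only cmdlets that ship with Windows (Get-Tpm, Confirm-SecureBootUEFI, Get-CimInstance); the function name is my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Parallels KB: run inside the Windows guest to
# confirm that the virtual TPM was detected and that the VM boots via UEFI,
# which is the condition under which Parallels offers the TPM chip device.

function Get-VmTpmStatus {
    [CmdletBinding()]
    param()

    $status = [ordered]@{}

    # 'UEFI' or 'Legacy'. A Legacy BIOS VM never sees the vTPM and cannot have
    # one added; it has to be recreated with EFI boot.
    $status.FirmwareType = $env:firmware_type

    # Confirm-SecureBootUEFI throws on Legacy BIOS instead of returning $false.
    try   { $status.SecureBoot = Confirm-SecureBootUEFI }
    catch { $status.SecureBoot = 'n/a (Legacy BIOS)' }

    # Get-Tpm comes from the TrustedPlatformModule module shipped with Windows.
    $tpm = Get-Tpm
    $status.TpmPresent = $tpm.TpmPresent
    $status.TpmReady   = $tpm.TpmReady

    # Spec version from the WMI provider, e.g. "2.0, 0, 1.38". Windows 11 and
    # most TPM-dependent features expect a 2.0 device.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $status.SpecVersion = if ($wmiTpm) { $wmiTpm.SpecVersion } else { 'not available' }

    $status.Usable = ($status.FirmwareType -eq 'UEFI') -and $tpm.TpmPresent -and $tpm.TpmReady
    [pscustomobject]$status
}

$s = Get-VmTpmStatus
$s | Format-List

if (-not $s.Usable) {
    if ($s.FirmwareType -ne 'UEFI') {
        Write-Warning 'Legacy BIOS VM: the TPM chip device cannot be added. Recreate the VM with EFI boot.'
    } elseif (-not $s.TpmPresent) {
        Write-Warning 'UEFI VM but no TPM detected: add the TPM chip under Hardware in the VM configuration.'
    } else {
        Write-Warning 'TPM present but not ready: check the full Get-Tpm output (e.g. RestartPending) and tpm.msc.'
    }
}
```

A Legacy BIOS guest reports FirmwareType = Legacy and TpmPresent = False no matter what is configured in Parallels, which is the quickest way to tell the "no TPM chip to add" case apart from a TPM that was simply not added yet.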

Enable BitLocker and Secure boot

Important: If you intend to enable BitLocker in Windows, enable Secure Boot as well. With Secure Boot on, BitLocker seals the volume key to PCR 7 (the Secure Boot policy) and PCR 11, which do not change when the firmware is updated. Without Secure Boot, the key is sealed to PCRs 0, 2, 4 and 11, which include measurements of the firmware code itself, so any Parallels Desktop update or upgrade that changes the virtual firmware makes Windows ask for the recovery key at the next boot.

1. With TPM enabled, in Windows click Start > type "BitLocker" > open Manage BitLocker.

2. Click Turn on BitLocker > click Next several times > save the recovery key to a secure place outside the virtual machine (a key stored only on the encrypted disk cannot be used to recover it) and click Next > click Next > click Start encrypting.

    Note: A Windows virtual machine takes considerably more disk space after BitLocker encryption. If you let BitLocker encrypt the entire drive rather than used space only, it writes to every sector, and an expanding virtual disk grows to its full nominal size.

3. When encryption is finished, suspend BitLocker protection (Manage BitLocker > Suspend protection) and then shut down the Windows virtual machine. The next step changes the Secure Boot state, and with it the TPM measurements BitLocker checks; with protection suspended, Windows starts without asking for the recovery key and the TPM protector is re-sealed to the new measurements once you resume protection.

4. Enable Secure Boot using the instructions in KB 124242, start Windows, and resume BitLocker protection (Manage BitLocker > Resume protection) if it is still suspended.
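The script below is an added example, not part of the Parallels article, that performs the BitLocker part of this procedure from PowerShell instead of the Manage BitLocker dialog: it checks the TPM and Secure Boot preconditions, enables BitLocker on the system volume with a TPM protector plus a numerical recovery password, writes the recovery password to a file outside the virtual machine, and reports which PCRs the TPM protector is sealed to, so you can verify the binding described in the Important note above. It also provides a helper for step 3 that suspends BitLocker for exactly one reboot. The export path (a Parallels shared folder) and all function names are assumptions; all cmdlets used ship with Windows.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the Parallels KB: enables BitLocker on the system
# volume with a TPM protector plus a numerical recovery password, writes the
# recovery password to a file outside the VM, and shows which PCRs the TPM
# protector is sealed to. The export path is an assumption (a Parallels shared
# folder); point it wherever your recovery keys are kept.

param(
    [string]$MountPoint = 'C:',
    [string]$ExportDir  = '\\Mac\Home\Desktop'   # assumed shared-folder path
)

function Assert-BitLockerPrerequisites {
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'No ready TPM. Add the TPM chip in the VM configuration first.'
    }
    try {
        if (-not (Confirm-SecureBootUEFI)) {
            Write-Warning ('Secure Boot is off: the TPM protector will bind to PCRs 0,2,4,11, ' +
                           'and a Parallels update that changes the firmware will trigger recovery.')
        }
    } catch {
        throw 'Legacy BIOS VM. BitLocker with a TPM protector needs EFI boot.'
    }
}

function Enable-VmBitLocker {
    param([string]$MountPoint, [string]$ExportDir)

    Assert-BitLockerPrerequisites

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # The recovery password is created first so a key exists before any data
        # is encrypted. -UsedSpaceOnly avoids writing every free sector, which
        # would otherwise grow the expanding virtual disk to its full nominal size.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                         -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # Save the recovery password off-VM: with a vTPM bound to one Mac, losing it
    # means losing the volume.
    $file = Join-Path $ExportDir "BitLocker-$env:COMPUTERNAME-$($rp.KeyProtectorId).txt"
    "Recovery password for $env:COMPUTERNAME $MountPoint`n$($rp.RecoveryPassword)" | Set-Content -Path $file

    # manage-bde prints the PCR list the TPM protector is sealed to: "7, 11" means
    # the Secure Boot policy is used, "0, 2, 4, 11" means raw firmware measurements.
    $pcr = (manage-bde -protectors -get $MountPoint) |
           Select-String -Pattern 'PCR Validation Profile' -Context 0,2
    $pcrLine = if ($pcr) { ($pcr.Context.PostContext -join ' ').Trim() } else { 'unknown' }

    [pscustomobject]@{
        Volume       = $MountPoint
        VolumeStatus = $vol.VolumeStatus
        Protectors   = ($vol.KeyProtector.KeyProtectorType -join ', ')
        RecoveryFile = $file
        PcrProfile   = $pcrLine
    }
}

# Call this before shutting the VM down to change Secure Boot (step 3 above):
# protection stays suspended for exactly one reboot, after which BitLocker
# re-seals the TPM protector to the new measurements instead of asking for the
# recovery key.
function Suspend-BitLockerForFirmwareChange {
    param([string]$MountPoint = 'C:')
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
}

Enable-VmBitLocker -MountPoint $MountPoint -ExportDir $ExportDir | Format-List
```

Run Enable-VmBitLocker once with Secure Boot still off and the PcrProfile field shows 0, 2, 4, 11; after you complete step 4 and resume protection, running manage-bde -protectors -get C: again should show 7, 11 with "Uses Secure Boot for integrity validation", which is the state in which Parallels firmware updates no longer trigger recovery.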

Disable TPM

Important: Back up the virtual machine before disabling TPM. If BitLocker or another feature has keys sealed to the TPM, Windows may fail to boot, or will demand the BitLocker recovery key, once the TPM is no longer available.

1. Open the virtual machine's configuration > Hardware > select TPM Chip > click the minus sign [-] to remove the component > click Remove to confirm.

2. TPM is now disabled for this virtual machine. The stored vTPM data is not deleted, so adding the TPM chip again restores the previous state rather than creating a fresh, empty TPM.
