Use virtual Trusted Platform Module in Parallels Desktop


Overview

Parallels Desktop 15 for Mac Pro and Business Edition introduced virtual Trusted Platform Module (TPM) support for Windows 10 (EFI). Parallels Desktop stores TPM-related information in a secure file that is encrypted with a password; that password is kept in a secured vault, the macOS Keychain.

Note: it is not recommended to move, copy or clone a virtual machine with TPM enabled. Always keep a backup of important information, especially recovery keys.

Enable TPM

Important: A virtual machine with TPM enabled cannot be started on another Mac unless the decryption key has been copied to that Mac's Keychain. See Start VM on Another Mac for more details.

1. Open the virtual machine's configuration > Hardware > click + > select TPM chip > click Add

2. Launch Windows. Windows will automatically detect the TPM chip, and you can now use Windows features and applications that require TPM.


No TPM chip to add

If you went to Hardware > + but see no TPM chip there, your Windows virtual machine is based on Legacy BIOS: the TPM chip works with UEFI/EFI firmware only.

  1. If Legacy is set, create a new Windows virtual machine.
  2. When you reach the Name and Location window while creating the machine, enable Customize settings before installation > in the configuration window that opens automatically, go to Hardware > scroll down to Boot Order > expand Advanced Settings > enable EFI Secure Boot.
  3. Close the configuration window and proceed with the Windows installation.

Enable BitLocker and Secure Boot

Important: If you intend to enable BitLocker in Windows, make sure to enable Secure Boot as well. Otherwise Windows will require a recovery key after installing Parallels Desktop updates/upgrades.

1. With TPM enabled, in Windows click Start > type "BitLocker" > open Manage BitLocker.

2. Click Turn on BitLocker > click Next several times > save the recovery key to a secured place and click Next > click Next > click Start encrypting.

    Note: A Windows virtual machine will take much more disk space after enabling BitLocker encryption.

3. When encryption is finished, shut down the Windows virtual machine.

4. Enable Secure Boot using instructions from KB 124242.
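After finishing the steps above, a quick check that the resulting state is what this article expects: TPM detected and ready, Secure Boot on, and BitLocker on the OS volume keyed to the TPM with a recovery password saved. This is an added example, not Parallels' own script; it assumes an elevated PowerShell session inside the Windows VM and that C: is the OS volume.

```powershell
# Added verification script (not from the Parallels article). Run it in an
# elevated PowerShell session inside the Windows VM. It checks the three
# things the article ties together: the virtual TPM is detected and ready,
# Secure Boot is on, and BitLocker on the OS volume uses a TPM protector
# plus a RecoveryPassword protector. Assumes the OS volume is C:.

function Test-VmTpmBitLockerState {
    param([string]$OsVolume = 'C:')

    $result = [ordered]@{
        TpmPresent       = $false
        TpmReady         = $false
        SecureBoot       = $false
        BitLockerOn      = $false
        TpmProtector     = $false
        RecoveryPassword = $false
    }

    # 1. Virtual TPM: present means the TPM chip was added in the VM
    #    configuration; ready means Windows has taken ownership of it.
    $tpm = Get-Tpm
    $result.TpmPresent = [bool]$tpm.TpmPresent
    $result.TpmReady   = [bool]$tpm.TpmReady

    # 2. Secure Boot: Confirm-SecureBootUEFI throws on Legacy BIOS
    #    machines, the same case in which no TPM chip is offered.
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI)
    } catch {
        Write-Warning "Secure Boot query failed (Legacy BIOS?): $_"
    }

    # 3. BitLocker on the OS volume: expect a Tpm protector (unlocks the
    #    disk at boot) and a RecoveryPassword protector (the key the
    #    article tells you to store in a secured place).
    $vol = Get-BitLockerVolume -MountPoint $OsVolume
    $result.BitLockerOn      = ($vol.ProtectionStatus -eq 'On')
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }
    $result.TpmProtector     = ($types -contains 'Tpm')
    $result.RecoveryPassword = ($types -contains 'RecoveryPassword')

    return [pscustomobject]$result
}

$state = Test-VmTpmBitLockerState
$state | Format-List
if ($state.BitLockerOn -and -not $state.SecureBoot) {
    Write-Warning 'BitLocker is on but Secure Boot is off: expect a recovery key prompt after Parallels Desktop updates.'
}
```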

Disable TPM

Important: It is highly recommended to back up your virtual machine before disabling TPM. Depending on the security features configured, Windows may not boot without access to the TPM chip.

1. Open the virtual machine's configuration > Hardware > select TPM chip > click - below to remove the component > click Remove to confirm.

2. TPM is now disabled for this virtual machine. However, the TPM information is not removed: add the TPM chip again to re-enable it.

Start VM on Another Mac

To start a virtual machine with TPM enabled on another Mac, you need to transfer the TPM password first.

1. Transfer TPM password

To transfer the TPM password from one Mac to another, copy the Keychain file manually.

1. Open Finder on the Mac where the TPM was added > on the menu bar click Go > select Go to Folder > type /Library/Keychains/ > click Go.

2. Copy the System.keychain file to the destination Mac > double-click the file to open it in Keychain Access > the passwords are added to the new Mac.

2. Move and start VM

Important: You may need to enter the BitLocker recovery key on the first start on another Mac, due to hardware changes.

1. Move your virtual machine to the new Mac. Double-click the virtual machine to open it in Parallels Desktop > select Moved.

2. The virtual machine starts automatically.
