Use virtual Trusted Platform Module (vTPM) in Parallels Desktop


Note: This article applies only to virtual machines running on Intel-based Mac computers. The use of TPM modules in Parallels Desktop virtual machines running on a Mac computer with the Apple M1 chip will be introduced in future updates.


Overview

Parallels Desktop 15 for Mac Pro Edition and Business Edition introduced virtual Trusted Platform Module (TPM) support for Windows 10 (EFI).

Note: It is not recommended to move, copy or clone a virtual machine with TPM enabled. Always have a backup of important information, especially recovery keys. When TPM is enabled, the virtual machine is strictly bound to the Mac and cannot be started on another computer if copied.

Enable TPM

Important: A virtual machine with TPM enabled cannot be started on another Mac.

1. Open the virtual machine's configuration > Hardware > click + > select TPM chip > click Add

2. Launch Windows. Windows will automatically detect the TPM chip. You can now use Windows features and applications that require TPM.

Enable BitLocker and Secure boot

Important: If you intend to enable BitLocker in Windows, make sure to enable Secure boot as well. Otherwise, Windows will require a recovery key after installing Parallels Desktop updates/upgrades.

1. With TPM enabled, in Windows click Start > type "BitLocker" > open Manage BitLocker.

2. Click Turn on BitLocker > click Next several times > save the recovery key to a secure place and click Next > click Next > click Start encrypting.

    Note: A Windows virtual machine will take up much more disk space after BitLocker encryption is enabled.

3. When encryption is finished, shut down the Windows virtual machine.

4. Enable Secure boot using instructions from KB 124242.
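
To confirm the result of the steps above from inside the Windows guest, the following PowerShell check can be run in an elevated session. It is an added example, not part of the Parallels article; the function name Test-VtpmBitLockerSetup is hypothetical, and the system drive is assumed to be the BitLocker-protected volume.

```powershell
#Requires -RunAsAdministrator
# Added example, run inside the Windows guest; not part of the Parallels article.
function Test-VtpmBitLockerSetup {          # hypothetical helper name
    param([string]$MountPoint = $env:SystemDrive)
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. The virtual TPM must be visible to Windows and ready for use.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add('No TPM detected: add the TPM chip in the VM configuration.')
    } elseif (-not $tpm.TpmReady) {
        $findings.Add('TPM is present but not ready for use.')
    }

    # 2. Secure Boot. Confirm-SecureBootUEFI throws on Legacy BIOS firmware.
    $secureBoot = $false
    try {
        $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        if (-not $secureBoot) {
            $findings.Add('Secure Boot is off: expect a recovery key prompt after Parallels Desktop updates.')
        }
    } catch {
        $findings.Add("Secure Boot state unavailable (Legacy BIOS?): $($_.Exception.Message)")
    }

    # 3. BitLocker state and key protectors on the system volume.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("BitLocker protection is $($vol.ProtectionStatus) on $MountPoint.")
    }
    if (-not ($protectors -match '^Tpm')) {
        $findings.Add('No TPM-based key protector: the volume key is not sealed to the vTPM.')
    }
    if ($protectors -notcontains 'RecoveryPassword') {
        $findings.Add('No recovery password protector: there is no recovery key to back up.')
    }

    [pscustomobject]@{
        TpmReady      = [bool]$tpm.TpmReady
        SecureBoot    = $secureBoot
        Protection    = "$($vol.ProtectionStatus)"
        EncryptedPct  = $vol.EncryptionPercentage
        KeyProtectors = $protectors -join ', '
        Findings      = $findings
    }
}

Test-VtpmBitLockerSetup | Format-List
```

An empty Findings list means the TPM, Secure boot and BitLocker state match what this section sets up. The check reports only protector types and never outputs the recovery key itself.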

Disable TPM

Important: It is highly recommended to back up your virtual machine before disabling TPM. Depending on configured security features, Windows may not boot without having access to a TPM chip.

1. Open the virtual machine's configuration > Hardware > select TPM chip > click the minus sign [-] to remove the component > click Remove to confirm.

2. TPM will be disabled for this virtual machine. However, TPM information will not be removed. Add the TPM chip again to enable it.

Troubleshooting

TPM chip is not on the list

If you go to Hardware > + and the TPM chip isn't there, your Windows virtual machine is based on Legacy BIOS. The TPM chip works with UEFI/EFI BIOS only.

1. If Legacy is set, create a new Windows virtual machine.

2. When you get to the Name and Location window while creating the machine, enable Customize settings before installation.

3. In the configuration window that opens automatically, go to Hardware, click + > select TPM chip > Add.

4. Close the configuration window and proceed with Windows installation.
