Virtual TPM Enhances Safety for Windows Users


A TPM, short for Trusted Platform Module, is a small microcontroller specializing in authentication. It provides access control, generates encryption keys and can encrypt content, even in a virtual machine. A TPM chip is standard in state-of-the-art systems and underpins features such as BitLocker and Secure Boot, which are used to encrypt the hard disk of a Windows system and (optionally) to prompt for a password before the computer boots. Many organisations make these options mandatory to protect their systems and data. It can also be quite advisable to give virtual machines this additional safety layer, for instance when the VM container is stored on an external hard disk.

Using BitLocker in a virtual machine 

In a virtualized environment on a Mac, this TPM is basically absent. Macs do use their own TPM implementation, but unfortunately Windows cannot access it from inside a virtualized environment. Parallels Desktop for Mac Business Edition offers a remedy: it can provide the VM with a virtual TPM (vTPM) that offers the same functionality as its physical counterpart.

This is how administrators can activate the virtual TPM for BitLocker in a VM: when setting up a virtual Windows machine, the “adjust settings before installing” option needs to be activated before starting the actual setup process. In the configuration procedure that follows, the extended settings should be selected and the “EFI Secure Boot” option found there activated.

The procedure looks a little different if the vTPM needs to be activated afterwards: the IT specialist concerned has to add the virtual TPM to the VM’s configuration. This first requires that the Windows machine was set up using the UEFI installation method and not the Legacy option. In that case, the configuration menu should be opened in Parallels Desktop while the Windows VM is paused or stopped. Under the Hardware item, a virtual TPM chip can be added to the system using the “+” symbol. Now the administrator can activate BitLocker in the Windows settings and, once the hard disk has been encrypted, Secure Boot as well.
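Once the vTPM has been added by either route, an administrator will want to confirm from inside the guest that every prerequisite the procedure above relies on is actually in place: UEFI firmware rather than Legacy BIOS, a TPM that Windows sees as present and ready, Secure Boot enabled, and BitLocker protecting the OS volume with a TPM-backed key protector. The following PowerShell script is an added example and is not code from Parallels or from the original article; it uses only the TrustedPlatformModule, SecureBoot and BitLocker cmdlets that ship with Windows, assumes the OS volume is C:, and should be run in an elevated session inside the Windows VM.

```powershell
# Added example (not Parallels' own code): check, from inside the Windows guest,
# the prerequisites for BitLocker with a virtual TPM. Run from an elevated prompt.

function Test-VtpmBitLockerReadiness {
    [CmdletBinding()]
    param(
        # Assumption: the operating-system volume is C:
        [string]$MountPoint = 'C:'
    )

    $result = [ordered]@{}

    # 1. UEFI vs. Legacy: the vTPM route requires a UEFI-installed guest.
    #    $env:firmware_type is populated by Windows with 'UEFI' or 'Legacy'.
    $result.FirmwareType = $env:firmware_type

    # 2. TPM present and ready. The vTPM surfaces to Windows like a discrete chip,
    #    so the standard cmdlet applies; treat an error as "no TPM".
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        $result.TpmPresent = $false
        $result.TpmReady   = $false
    }

    # 3. Secure Boot state. Confirm-SecureBootUEFI throws on Legacy firmware,
    #    which for our purposes is the same as "off".
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result.SecureBoot = $false
    }

    # 4. BitLocker status of the OS volume and whether a TPM-backed protector
    #    (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey) is among its key protectors.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $result.VolumeStatus     = [string]$vol.VolumeStatus       # e.g. FullyEncrypted
    $result.ProtectionStatus = [string]$vol.ProtectionStatus   # On / Off
    $result.TpmProtector     = [bool]($vol.KeyProtector |
                                   Where-Object { $_.KeyProtectorType -like 'Tpm*' })

    # Overall verdict: everything the procedure expects is in place.
    $result.Ready = ($result.FirmwareType -eq 'UEFI') -and
                    $result.TpmPresent -and $result.TpmReady -and
                    $result.SecureBoot -and
                    ($result.ProtectionStatus -eq 'On') -and
                    $result.TpmProtector

    [pscustomobject]$result
}

# Example usage: print each check and the overall verdict.
Test-VtpmBitLockerReadiness | Format-List
```

If FirmwareType reports Legacy, the VM was not installed via UEFI and the vTPM cannot be used as described; the guest has to be reinstalled with the UEFI method. A TpmProtector of False with ProtectionStatus On means BitLocker was enabled with a password or recovery-key protector only, so the disk is encrypted but not bound to the virtual TPM.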

As an option, the host Mac can store the BitLocker and Secure Boot password in Keychain, its built-in password manager. In general, users should note that a virtual machine with BitLocker activated should, if at all possible, not be moved to or run on a different Mac computer.

Other safety features of Parallels Desktop 

Parallels Desktop for Mac Business Edition offers other safety features that can help secure the virtual Windows machine and isolate it from the Mac as its host system. For instance, Parallels Desktop can also safeguard the VM container using a built-in encryption feature.

Learn more: 

Parallels Blog | Parallels Desktop and a Virtualized Trusted Platform Module (vTPM) 

How To Geek | Why Windows needs a TPM for Encryption 

Parallels Blog | The security features of Parallels Desktop Business

Parallels Knowledge Base | How to enable Secure Boot in UEFI based virtual machines
