In this post, I will show you how to encrypt a VMware VM (virtual machine) and enable TPM on a virtual machine. The latest versions of VMware Workstation Pro support TPM version 2.0, and you can enable the trusted platform module on a virtual machine.
Before you can install Windows 11 on a VM, TPM 2.0 must be turned on. The good news is that you can enable TPM on a virtual machine and encrypt a VMware Workstation VM, so you can install Windows 11. This guide should help you encrypt the workstation virtual machine (VM) and turn on the trusted platform module on the VM.
According to VMware, you can add a virtual cryptoprocessor that uses Trusted Platform Module (TPM) technology to an encrypted virtual machine. Later, you can also remove the cryptoprocessor from the virtual machine. TPM technology provides hardware-based, security-related functions. A TPM cryptoprocessor carries out cryptographic operations.
In Windows 10, BitLocker is an encryption feature available in both Professional and Enterprise editions. However, it requires a Trusted Platform Module (TPM) on the system. If you don’t have TPM, you can still enable BitLocker encryption. Read this excellent guide to enable BitLocker encryption on Windows 10 without TPM.
You can add a Trusted Platform Module to an encrypted virtual machine with a minimum hardware version of 14 that uses the UEFI firmware type.
Unable to add TPM on VMware VM
On a VMware virtual machine, when you attempt to add a trusted platform module, it won’t allow you to do that. “The virtual machine must be encrypted and use UEFI firmware,” says the explanation. You see this because the VM must be encrypted before you enable TPM.
Let’s look at the steps to encrypt VMware VM and then enable tpm on a virtual machine.
Step 1: Encrypt VMware VM (Virtual Machine)
Before you enable the Trusted Platform Module, you must first encrypt the virtual machine. If you are using VMware Workstation, you can follow the below steps to encrypt the virtual machine in VMware:
- First of all Power Off the VM. You cannot encrypt a VM while it is in Power On state.
- Edit the VM settings and click Options tab.
- Under Settings, select Access Control.
- To encrypt the VM, select Encrypt.
Encrypting a virtual machine requires you to set a password for the virtual machine. Enter a strong password and click Encrypt. Remember to write down this password because it is required to turn on the VM. The encrypted VM passwords can be saved to a password manager such as Bitwarden.
Depending on the size of the virtual machine, the encryption process could take some time. While the encryption is taking place, you cannot work with the other VMs.
After the VMware VM encryption is complete, edit the VM settings and select Access Control. Now you see the message “This virtual machine is encrypted.” If you wish to change the secure password, you can do that by clicking the Change Password button.
Click OK to close the Virtual Machine Settings window.
Step 2: Enable TPM on a Virtual Machine
After you encrypt the virtual machine, use the below steps to enable TPM on a virtual machine:
- Power off the VM (In case if it is turned on).
- Go to the virtual machine settings and under Hardware tab, click Add button.
- On the Add hardware wizard, select Trusted Platform Module and click Finish.
- Click Finish button to complete adding the Trusted Platform Module to a virtual machine.
Once you have added the Trusted Platform Module for a VM, you can verify it under the VM settings. The Trusted Platform Module appears to be “present.”
To verify if the TPM has been enabled on the VM, restart the VM and go to BIOS. Check the TPM configuration, and you should now see the current TPM device version as 2.0.
In addition to the above method, you can also log in to the Windows Operating System and check the TPM details. Type TPM.msc in the run command and press Enter. This launches the TPM management interface on the local computer. Under Status, we see the TPM is ready for use. For the TPM version, look for the details under TPM Manufacturer Information.
If you are interested, there is an easy way to check the TPM status from command line.