The VMware Workstation Pro supports TPM version 2.0, you can enable trusted platform module on virtual machine. In this post, I will show you how to encrypt a virtual machine and enable TPM on VM.
According to VMware, you can add a virtual cryptoprocessor that uses Trusted Platform Module (TPM) technology to an encrypted virtual machine. Later, you can also remove the cryptoprocessor from the virtual machine.
TPM technology provides hardware-based, security-related functions. A TPM cryptoprocessor carries out cryptographic operations.
Windows 11 requires TPM 2.0 to be enabled before you install it on a VM. This guide should help you to enable trusted platform module on Virtual Machine and install Windows 11.
In Windows 10, BitLocker is an encryption feature available in both Professional and Enterprise editions. However, it requires a Trusted Platform Module (TPM) on the system.
If you don’t have TPM, you can still enable BitLocker encryption. To enable BitLocker encryption on Windows 10 without TPM, read this post.
Note – You can add TPM device on an encrypted virtual machine with a minimum hardware version of 14 that uses the UEFI firmware type.
On a Virtual Machine, when you attempt to add a trusted platform module, it won’t allow you to do that. This is because the VM must be encrypted before you enable TPM.
Hence, let’s look at the steps to encrypt the VM and then enable TPM on it.
Step 1 – Encrypt the Virtual Machine
To encrypt a virtual machine :-
- First of all Power Off the VM. You cannot encrypt a VM while it is in Power On state.
- Edit the VM settings and click Options tab.
- Under Settings, click Access Control. To encrypt the VM, click Encrypt.
To encrypt a VM, you must set a password for the virtual machine. Enter a strong password and click Encrypt.
Depending on the size of the virtual machine, the encryption process could take some time.
After the VM encryption is complete, edit the VM settings and click Access Control. Now it shows This virtual machine is encrypted.
If you wish to change the secure password, you can do that by clicking Change Password button. Click OK.
Step 2 – Enable Trusted Platform Module on Virtual Machine
After you encrypt the virtual machine, use the below steps to enable Trusted Platform Module(TPM) on virtual machine.
- Power off the VM (In case if its turned on).
- Go the virtual machine settings and under Hardware tab, click Add button.
- On the Add hardware wizard box, select Trusted Platform Module and click Finish.
- Clicking Finish button enables the TPM on virtual machine.
Once the TPM is enabled, you can verify it under the VM settings. The Trusted Platform Module shows as Present.
To verify if the TPM has been enabled on the VM, restart the VM and go to BIOS. Check the TPM configuration and it should show the TPM version as 2.0.
In addition to the above method, you can also login to the OS and check the TPM details. Type TPM.msc in the run command and press enter. This opens the TPM management on local computer. Under Status it shows TPM is ready for use. For TPM version, look for the details under TPM Manufacturer Information.
To check the TPM details using command line, read this post.
Having difficulty with imaging a VM with SCCM that has a TPM option enabled. We only need the TPM for Windows 11 compatibility. We currently do not have it set to encrypt the hard drive, but the configuration files are still getting encrypted. When we go to image the machine through SCCM, it errors out immediately. We have had this issue with laptops where the drive was still BitLocked, and before we would reimage the laptop, the drive needed to be decrypted.
Any assistance on how to setup TPM in VCenter for VMWare for Windows 11 compatibility would be greatly appreciated. We use SCCM for imaging and managment of all of our systems.
Thanks PD.
So it seems there is no way to do this with a standalone ESXi host. Looks like it requires vCenter. If that is correct then that’s too bad. We are a small shop and use standalone ESXi host as a test environment.
thank you
It wont allow me to add a TPM it says i need to have UEFI firmware how do I fix it?
perform step 1 in this article first.
Ditto to comments above! Thanks for publishing
For our work it’s required to have turned on Bitlocker as well which requires a TPM in our case. Due to TPM the VM is already encrypted bu Fusion or VMware Workstation which does mean we are doubling encryption if I’m correct. Is there a way around the requirement to encrypt the VM from fusion or VMware Workstation so we will benefit from disk performance. Bitlocker seems to have much less impact compared to the VMware encryption of the VM.
Nice
Amazing article. Bundle of thanks and keep up the good work.