“What is a ‘TPM’, and why should I care?”
“TPM” is not something often talked about in the Mac community, so it is not surprising if you have not heard of it. However, that all changed this summer.
In this blog post, I will present a short overview of TPM and explain why a Mac user – and, in particular, a Parallels® Desktop user – needs to know and care about TPM.
What is TPM?
The Trusted Platform Module (TPM) is a specification for a chip to be added to Windows PCs. The goal of TPM is to improve security on these PCs. When a TPM chip is available and enabled on a PC, a variety of security features can be added to Windows, including:
- BitLocker – A full volume disk encryption feature included with Microsoft Windows.
- Secure Boot – A security standard designed to ensure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM).
- Windows Hello – A set of Windows log-in technologies including fingerprint recognition and face authentication.
Since the release of the TPM specification in 2009, more than 20 manufacturers have released certified TPM chips. Apple, of course, is not on this list. (Apple has alternate security technologies including FileVault, Touch ID, Face ID, and GateKeeper, all powered by the Apple T2 Security Chip — a secure enclave hardware chip.)
Why should I care, and what changed in June 2021?
In June 2021, Microsoft announced and previewed Windows 11 and included TPM as a requirement to run Windows 11, whether on a PC or in a virtual machine. (Microsoft released Windows 11 on October 5th, 2021.)
Fortunately, Parallels Desktop added support for a virtual TPM (vTPM) in version 15, released in 2019. Like many other features in Parallels Desktop, vTPM is an implementation on the Mac of a Windows component or feature. vTPM uses several of the Apple security technologies to implement the features of TPM. As far as Windows is concerned, the Parallels virtual machine has a TPM chip, and thus Windows 11 can be installed and can be used in Parallels Desktop. vTPM was added to Parallels Desktop 15 because multiple enterprise customers needed TPM in their highly secured corporate environments, and some corporate applications require TPM support as a security requirement. The vTPM feature was not enabled by default in Parallels Desktop 15 or 16, because this feature was only needed by certain enterprise customers, and vTPM was only available in the Pro and Business Editions of Parallels Desktop.
This is all changing due to Windows 11.
All the editions of Parallels Desktop (Standard, Pro, Business, and the App Store Edition) starting with version 17.1.0 include the vTPM feature, and will enable vTPM by default for all virtual machines that require it:
- Intel-based Mac computers, for all Windows 11 virtual machines, both new and existing.
- Apple M1-based Mac computers, for all Windows 10 and Windows 11 virtual machines, both new and existing. Because Windows 10 Insider Preview builds eventually expire, we recommend upgrading a Windows 10 Insider Preview VM to a Windows 11 Insider Preview VM at your earliest convenience. This will also reportedly improve compatibility with “regular” (Intel-based) Windows applications.
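To confirm from inside the guest that Windows actually sees the vTPM as a TPM 2.0 (the version Windows 11 requires) and that Secure Boot is on, the following check can be run in an elevated PowerShell session inside the VM. It is an added example, not Parallels code; it uses only built-in Windows cmdlets (Get-Tpm, the Win32_Tpm WMI class, Confirm-SecureBootUEFI, Get-BitLockerVolume), and the `Windows11Ready` summary field is this example's own definition, not a Microsoft one.

```powershell
# Added example: report what the Windows guest sees after vTPM is enabled.
# Run in an elevated PowerShell session inside the Windows VM.

function Test-GuestTpm {
    # Get-Tpm ships with Windows 10/11 (TrustedPlatformModule module).
    $tpm = Get-Tpm

    # Win32_Tpm exposes the spec version; Windows 11 requires a TPM 2.0.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    # BitLocker status is informational; the module is absent on some editions.
    $bitLocker = 'n/a'
    try {
        $bitLocker = (Get-BitLockerVolume -MountPoint 'C:' -ErrorAction Stop).ProtectionStatus
    } catch { }

    # SpecVersion looks like "2.0, 0, 1.59" on a TPM 2.0 device.
    $specVersion  = if ($wmiTpm) { $wmiTpm.SpecVersion }       else { 'unknown' }
    $manufacturer = if ($wmiTpm) { $wmiTpm.ManufacturerIdTxt } else { 'unknown' }

    [pscustomobject]@{
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady          # enabled, activated and owned
        SpecVersion    = $specVersion
        Manufacturer   = $manufacturer
        SecureBoot     = $secureBoot
        BitLockerC     = $bitLocker
        # Summary flag defined by this example: the checks Windows 11 setup insists on.
        Windows11Ready = [bool]($tpm.TpmPresent -and $specVersion -like '2.0*' -and $secureBoot)
    }
}

Test-GuestTpm | Format-List
```

If `TpmPresent` is false the VM's vTPM is not enabled (or the guest is not seeing it), which is the first thing to check before a Windows 11 upgrade.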
Consequences of enabling the TPM chip
After adding a virtual TPM chip to a VM, Parallels Desktop creates an encrypted file within the virtual machine bundle that serves as the TPM's storage. This storage must be protected, so Parallels Desktop encrypts the file using the Advanced Encryption Standard (AES) with a 128-bit key and stores the password in the macOS System Keychain, which is itself encrypted on disk; only Parallels Desktop (or a Mac admin) can read the TPM password from the Keychain.
Such an implementation ensures that users don’t have to come up with a password and enter it every time they start a VM (and we all have too many passwords to remember already). Users can continue running their virtual machines as usual, up to the moment when they want to transfer the VM to new hardware.
For a VM with a vTPM added, simply copying the PVM bundle to a new Mac is not enough. The VM will NOT start without the corresponding Mac Keychain record containing the password that decrypts the TPM file. Copying this record to a new Mac is not easy, but it is possible; we have prepared detailed instructions on how to do it in this Knowledge Base article.
Apart from the nuance above, virtual machines will not be affected in any other way – Windows will continue to work as usual, as well as all Windows applications.
Here are some of the questions you might be asking:
Because my Windows 11 VM in Parallels Desktop has a vTPM, does that mean that I can enable other Windows security features in that VM like BitLocker and fingerprint recognition?
Yes, you can enable other Windows technologies that require a TPM. You can see the details about enabling fingerprint recognition in this blog post.
Will an existing VM run slower after vTPM is enabled?
No, adding a vTPM to a VM has no noticeable performance effect.
Can I enable vTPM for my other VMs, macOS VMs, or Linux VMs?
Yes, you can, but a macOS or Linux VM will not make use of the vTPM, so there is no reason to do so. The consequences listed above (the encrypted TPM file and its Keychain record) will still apply, even though the guest OS is not using the vTPM.