VMware Communities
markwabbott
Enthusiast

Workstation Pro 16.2.3 + TPM Support

I just purchased and installed Workstation Pro and my Windows 10 VM runs great.  I am trying to get it ready to migrate to Windows 11.  To do this, I needed to encrypt the VM to then turn on TPM support and migrate the Boot sector from MBR to GPT to enable secure boot.

The issue I am having is that when I try to add the Trusted Platform Module device, it's not available to add.  I am running my Windows 10 client VM under Ubuntu 20.10.

Any idea what I could have done wrong?

Thanks!

Accepted Solutions
bluefirestorm
Champion

0. back up VM (in case something goes wrong)
1. convert the Windows 10 VM boot disk partition structure from MBR to GPT using MBR2GPT tool
2. shut down VM
3. change firmware from BIOS to UEFI, turn on secure boot
4. (optional) power on VM to check that GPT conversion is successful and VM is still bootable
5. encrypt VM
6. add vTPM

For an encrypted VM, it will encrypt the virtual disk(s) as well. For encrypted VMs, the virtual disks need to be preallocated. If it is not preallocated, you can no longer "Compact" the disks and it will continually grow. By definition, encrypted virtual disks will never have contiguous space that is zero-filled (such as using SDelete from within the Windows 10 VM) as the zeroes written will also have to be encrypted.

markwabbott
Enthusiast

Thanks for the quick reply bluefirestorm.  When I enable UEFI, the secure boot option is not present as shown in many of the online tutorials.  Is there a secondary method to enable the secure boot?

bluefirestorm
Champion

The virtual hardware version needs to be at least 14.

Go to VM menu -> Managed -> Change Hardware Compatibility

markwabbott
Enthusiast

Hey Bluefirestorm, thanks for the idea.  I am digging and learning as I go.  Seems the transition from MBR --> GPT was not without issue, I'll get that fixed first.  Then see if the rest falls in place.  I'll update here when I get something meaningful.

markwabbott
Enthusiast

bluefirestorm, your directions worked.  I ended up creating a new VMware session, and I am upgrading to Windows 11 now.  It worked better because the reinstall of Windows 10 did not start with Windows 7, so it had the UEFI by default and the GPT system.  Thanks for the help!
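
The prerequisites named in this thread (virtual hardware version at least 14, UEFI firmware with secure boot, encryption before the vTPM) can be checked from the Linux host by reading the VM's `.vmx` file before trying to add the device. This is an added example, not code from any poster or from VMware; the function names are hypothetical, the sample configs are constructed, and the handling of an already encrypted config is an assumption noted in the code.

```python
import re

MIN_HW_VERSION = 14  # minimum virtual hardware version stated in the thread

# A .vmx file is a flat list of  key = "value"  lines.
_ENTRY = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return the .vmx entries as a dict with lower-cased keys."""
    cfg = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def vtpm_findings(text):
    """List what still stands between this VM and step 6 (add vTPM)."""
    cfg = parse_vmx(text)
    if "encryption.data" in cfg:
        # Assumption: a fully encrypted VM keeps its settings inside this
        # blob, so firmware and hardware version cannot be read from the file.
        return ["opaque: config is encrypted, check settings in the UI"]
    findings = []
    raw = cfg.get("virtualhw.version", "")
    hw = int(raw) if raw.isdigit() else 0
    if hw < MIN_HW_VERSION:
        findings.append(f"hardware version {hw} < {MIN_HW_VERSION}")
    if cfg.get("firmware", "bios").lower() != "efi":
        findings.append("firmware is BIOS, not UEFI")
    elif cfg.get("uefi.secureboot.enabled", "FALSE").upper() != "TRUE":
        findings.append("secure boot is off")
    if "encryption.keysafe" not in cfg:
        findings.append("VM is not encrypted")
    return findings

# Constructed sample: an older Windows 10 VM still on BIOS firmware.
LEGACY_VMX = '''virtualHW.version = "12"
guestOS = "windows9-64"
'''
# Constructed sample: after steps 1-4, before encryption.
CONVERTED_VMX = '''virtualHW.version = "19"
firmware = "efi"
uefi.secureBoot.enabled = "TRUE"
'''
# Constructed sample: after step 5 (values are placeholders).
ENCRYPTED_VMX = '''encryption.keySafe = "PLACEHOLDER"
encryption.data = "PLACEHOLDER"
'''
```

Run `vtpm_findings(open(path).read())` with the VM powered off; an empty hardware-version or firmware finding on the converted sample means the only remaining step before adding the vTPM is encryption.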
