8 Replies Latest reply on Sep 15, 2017 9:29 AM by sg253

    Virtual TPM

    sg253 Lurker

      Is the Virtual TPM available in the Tech Preview?  Can't seem to find it.

        • 1. Re: Virtual TPM
          JSmith9 Lurker

          I have the same issue - I'm testing with installing an MDT Windows 10 build, this successfully formats the disk with the correct layout for a UEFI PC, then fails to pre-provision BitLocker with an error that there is no TPM present in the PC.


          Is this expected behaviour?

          Is there a way to enable the TPM?

          • 2. Re: Virtual TPM
            bluefirestorm Master

            From the Workstation Pro Preview on Linux/Windows 10, I managed to have a virtual TPM 2.0 device on a Windows 10 Pro x64 guest VM.


            It doesn't seem to require an actual TPM hardware device in the host as I was also able to see a TPM 2.0 device in the Win10 guest on a Linux host with TPM 1.2 chip.


            Presumably it should work the same way for Fusion. On Workstation the line


            vtpm.present = "TRUE"


            will have to be added to the vmx configuration. After that line is added, on the next power up it will require the VM to be encrypted, and the TPM 2.0 appears as a Security Device in Device Manager with a Vendor ID for VMware.

            • 3. Re: Virtual TPM
              JSmith9 Lurker

              Thanks for that, I've added the configuration item:


              vtpm.present = "TRUE"


              to the VMX, and it did indeed prompt to enable VM encryption.

              I enabled the encryption but unfortunately my VM won't power on, I receive the error:


              Virtual TPM initialisation failed.

              Module 'DevicePowerOn' power on failed.

              Failed to start the virtual machine.


              So I'm a little bit closer, but not there yet.

              I'm running on a late 2016 Retina MacBook Pro, which I would hope has a TPM 2.0 chip. But that probably isn't touched as the TPM is emulated by the virtualisation engine.

              • 4. Re: Virtual TPM
                bluefirestorm Master

                You could go to the "Processor" setting and enable the virtualization technology for directed IO. That's according to this thread reply


                Re: Enable Intel Virtualization Technology for Directed I/O in this virtual machine


                On the Workstation Pro side, the minimum requirement seems to be just that the VM has UEFI instead of BIOS. The equivalent setting "virtualize IOMMU" does not seem to be required. I can uncheck that and the VM still powers up with the vtpm option. If I check the "Enable virtualization based security" (sorry I haven't tried the Fusion tech preview yet, so I don't know the equivalent), the virtual firmware is set to UEFI with secure boot, and the virtualize VT-x and VT-d/IOMMU options in the processor are also checked.

                • 5. Re: Virtual TPM
                  sg253 Lurker

                  Hi bluefirestorm, thanks for your suggestion.  There's an 'Enable Virtualisation Based Security' check box under 'Advanced' settings in Fusion that automatically enables these processor options.  I've checked that box and have them selected and also confirmed that the firmware type is set to UEFI. 


                  I also tried your previous suggestion of adding the vTPM option to the config file and encrypting the VM.  I ended up with the same error as JSmith9 where the VM won't power on.  Seems we're getting a step closer, but I wonder if the vTPM option may not be quite ready in the Fusion Tech Preview yet.

                  • 6. Re: Virtual TPM
                    bluefirestorm Master

                    I managed to get a VM to power up with VTPM on an old 2010 MacBook Pro.


                    Use vi or nano to create/edit a file /Library/Preferences/VMware Fusion/config with the following contents (NOTE: Careful if you have installed a release version of Fusion side by side with the Tech Preview as the release version will likely refer to the same file, so you may want to check if such a file already exists or rename the file appropriately before/after the Tech Preview VTPM test).


                    .encoding = "UTF-8"

                    libdir = "/Applications/VMware Fusion Tech Preview.app/Contents/Frameworks"

                    authd.fullpath = "/Applications/VMware Fusion Tech Preview.app/Contents/Library/vmware-authd"


                    The strange thing was a VM with VTPM created in Fusion Tech Preview did not print out the endorsement key certificates for storage root and root of trust of the virtual TPM module.


                    | vmx| A100: ConfigDB: Setting vtpm.ekCSR = <not printed>

                    | vmx| A100: ConfigDB: Setting vtpm.ekCRT = <not printed>


                    But when I copied over a VM with TPM created from Workstation Pro Tech Preview over to Fusion Tech Preview, both the values of vtpm.ekCSR and vtpm.ekCRT still get shown in the vmware.log.


                    It looks like the VTPM is all implemented in software. There is an executable called TPM2EMU in the Tech Preview application folder.
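The checks the thread walks through by hand (is vtpm.present set, is the firmware UEFI, did the vTPM log real endorsement-key values or "<not printed>") can be scripted. This is an added example, not code from the thread or from VMware; the sample .vmx and vmware.log excerpts are constructed, and firmware = "efi" is assumed to be the vmx key that selects UEFI firmware.

```python
import re

# Constructed sample .vmx fragment (not from the thread). VMware config keys
# are treated as case-insensitive here, which is why "vtpm.Present" also passes.
SAMPLE_VMX = """\
.encoding = "UTF-8"
firmware = "efi"
vtpm.Present = "TRUE"
displayName = "Win10-vTPM-test"
"""

# Constructed vmware.log excerpt modelled on the ConfigDB lines quoted above.
SAMPLE_LOG = """\
2017-09-15T09:00:00.000Z| vmx| A100: ConfigDB: Setting vtpm.present = "TRUE"
2017-09-15T09:00:00.001Z| vmx| A100: ConfigDB: Setting vtpm.ekCSR = <not printed>
2017-09-15T09:00:00.002Z| vmx| A100: ConfigDB: Setting vtpm.ekCRT = <not printed>
"""

VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
LOG_LINE = re.compile(r'ConfigDB: Setting (vtpm\.\w+) = (.*)$')

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def check_vtpm_prereqs(vmx_text):
    """List the vTPM preconditions from the thread that this vmx fails.
    Assumes firmware = "efi" is the key for UEFI firmware."""
    cfg = parse_vmx(vmx_text)
    problems = []
    if cfg.get("vtpm.present", "").upper() != "TRUE":
        problems.append('vtpm.present is not "TRUE"')
    if cfg.get("firmware", "").lower() != "efi":
        problems.append("firmware is not efi (UEFI is required for the vTPM)")
    return problems

def ek_cert_status(log_text):
    """Map vtpm.ekCSR / vtpm.ekCRT to True if a value was logged, False if '<not printed>'."""
    status = {}
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m and m.group(1) in ("vtpm.ekCSR", "vtpm.ekCRT"):
            status[m.group(1)] = m.group(2).strip() != "<not printed>"
    return status

if __name__ == "__main__":
    print("vmx problems:", check_vtpm_prereqs(SAMPLE_VMX))
    print("EK certs logged:", ek_cert_status(SAMPLE_LOG))
```

Run it against a real .vmx and vmware.log by reading the files into the two functions; an empty problem list plus both EK entries True is the state described for the Workstation-created VM.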

                    • 7. Re: Virtual TPM
                      JSmith9 Lurker

                      bluefirestorm, that appears to have worked a treat.


                      With the config file and vtpm.Present = "TRUE" in the vmx I have been able to successfully install Windows 10 with a 'Pre-Provision BitLocker' step in my MDT Task Sequence.


                      So that's very handy.



                      • 8. Re: Virtual TPM
                        sg253 Lurker

                        Hi Bluefirestorm, like Jsmith9 mentioned, that's done the trick.  Thanks for the great info and taking the time to investigate this.  The TPM is now present and correct and I have successfully configured a BitLocker encrypted Windows 10 VM with the Virtualisation Based Security controls enabled.


                        Thanks again for your help.