10 Replies Latest reply on Sep 14, 2017 6:43 AM by mike

    VMWARE Workstation TPM / vTPM support for next update/release

    thorias Lurker

      Hi,

       

      Is the next VMware Workstation update coming out with TPM or vTPM support (Trusted Platform Module)?

       

As it became a must in my everyday work... and for sure will boost some sales from my side, as currently Windows Hyper-V is supporting it (I know it is a different animal, but still, it's technically feasible (via direct hardware support or emulating it)... some dudes did it for VirtualBox...) and I myself keep pushing management to still use VMware vs. the Win10 Hyper-V solution... help me to promote you up!! = $$$ for you guys!

       

      Thanks for the reply/update,

       

      Moderator note by wila: Discussion moved from Workstation Pro to Workstation Pro Tech Preview

        • 1. Re: VMWARE Workstation TPM / vTPM support for next update/release
          bluefirestorm Master

You should try out the VMware Workstation 2017 Tech Preview.

           

Create a custom VM for Windows 10 Pro x64 with VBS enabled (which will enable the secure boot UEFI, virtualised VT-x and virtualised IOMMU options under Processor).

          Install Windows 10 Pro guest OS, VMware Tools.

Add the line vtpm.present = "TRUE" to the vmx file.

Once you try to power on the VM, it requires that the VM be encrypted.

           

          A TPM 2.0 Security Device appears in the Device Manager of the Windows 10 Pro x64 VM the next time the encrypted VM is powered up.

          • 2. Re: VMWARE Workstation TPM / vTPM support for next update/release
            thorias Lurker

            Hi Bluefirestorm,

             

I'll give it a try. Basically I need TPM or vTPM for a Windows 7 VM, as I need to try out whether BitLocker works with it (we are switching to BitLocker instead of another third-party encryption software) and having TPM is a must. I saw some alternative solutions around, but they are not viable for me...

             

            I'll test to see how it goes...and give an update here.

             

            Thanks for the info!

            • 3. Re: VMWARE Workstation TPM / vTPM support for next update/release
              thorias Lurker

Well, unfortunately it didn't work.

               

I was expecting to be able to just set vtpm in the vmx and have it show up in my existing virtual machine's Device Manager (in my case a Win 7 64-bit VM), and be able to run BitLocker to encrypt the system drive directly from the VM.

Or alternatively, whether there is a PCI passthrough option in order to be able to use the existing TPM from the host to do the same, as it would show up in the VM's Device Manager.

               

Is there a way to perform either of the two above?

               

              Thanks,

              • 4. Re: VMWARE Workstation TPM / vTPM support for next update/release
                bluefirestorm Master

                The Tech Preview creates a TPM 2.0 device; Windows 7 requires a hotfix to support the TPM 2.0 module.

                 

                https://support.microsoft.com/en-us/help/2920188/update-to-add-support-for-tpm-2-0-in-windows-7-and-windows-server-2008

                 

After the hotfix is installed, it does not automatically install the TPM 2.0 driver. You have to go to Device Manager, where you should see an "Unknown device" under "Other devices". You should update the driver manually, select "Let me choose ....", select Security Device and select the TPM 2.0 driver; automatically searching for drivers does not seem to work.

                 

                I think the bare minimum is that the VM is using UEFI (not BIOS). I was able to create a VM with the virtual TPM 2.0 inside even though the host only has a TPM 1.2 chip; unchecking the virtualize IOMMU options also lets the VM power up even with the vtpm option. So it appears it does not rely on an actual TPM chip.
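As an added example (editor's code, not from any poster in this thread and not VMware's), here are the pre-flight checks that replies 1 and 4 imply, run over two constructed vmx fragments. The `encryption.keySafe` marker and the `guestOS` values are assumptions about the vmx format, not something the thread states.

```python
import re
from typing import Dict, List

# Minimal parser for the VMware .vmx format: one `key = "value"` per line, keys case-insensitive.
VMX_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text: str) -> Dict[str, str]:
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def vtpm_preflight(cfg: Dict[str, str]) -> List[str]:
    """List the reasons, reported in the thread, why a vTPM VM would not come up."""
    if cfg.get("vtpm.present", "").upper() != "TRUE":
        return ["vtpm.present is not TRUE: no TPM 2.0 device will be presented"]
    problems: List[str] = []
    # Reply 4: the VM has to boot with UEFI firmware; a legacy BIOS VM does not work.
    if cfg.get("firmware", "bios").lower() != "efi":
        problems.append('firmware must be "efi": BIOS VMs do not get the vTPM')
    # Replies 1 and 8: Workstation refuses to power on until the VM is encrypted. The vTPM's
    # secrets (keys BitLocker seals into it) live in the VM's files, so VM encryption protects
    # them at rest. Assumption: an encrypted vmx carries an "encryption.keySafe" entry.
    if "encryption.keysafe" not in cfg:
        problems.append("VM is not encrypted: Workstation will refuse to start the vTPM")
    # Reply 4: Windows 7 only sees TPM 2.0 after hotfix KB2920188 plus a manual driver pick.
    if cfg.get("guestos", "").lower().startswith("windows7"):
        problems.append("Windows 7 guest: install KB2920188, then choose the TPM 2.0 driver by hand")
    return problems

# Constructed sample: thorias' Windows 7 x64 VM with vtpm.present added and nothing else changed.
WIN7_BIOS_VMX = '''.encoding = "UTF-8"
guestOS = "windows7-64"
firmware = "bios"
vtpm.present = "TRUE"
'''

# Constructed sample: the Windows 10 VM from reply 1 after encryption (keySafe value is a placeholder).
WIN10_EFI_VMX = '''guestOS = "windows9-64"
firmware = "efi"
vtpm.present = "TRUE"
encryption.keySafe = "PLACEHOLDER-keysafe-blob"
'''

if __name__ == "__main__":
    for name, text in (("win7-bios", WIN7_BIOS_VMX), ("win10-efi", WIN10_EFI_VMX)):
        print(name, vtpm_preflight(parse_vmx(text)) or ["ready to power on"])
```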

                • 5. Re: VMWARE Workstation TPM / vTPM support for next update/release
                  thorias Lurker

                  Bluefirestorm,

                   

Thank you for the extra help/clarification details. To go further on what I/we want to achieve: my Windows 7 VM has a customized bios440 ROM (and so BIOS) (called in the vmx, containing specific BIOS/system/board/chassis serial numbers/asset tag strings, basically DMI-specific S/N strings, that's all).

Is it possible to implement these in the new VM uefi64 ROM, or via the vmx (of course having Win 7 run from a GPT partition scheme instead of MBR = UEFI BIOS)? (The VM is a different machine from the one it is being run on, so no smbios = host in the vmx; VirtualBox does this easily straight out of the box, check there what I meant: Chapter 9. Advanced topics ...). As it is a requirement for deployment, is there any editor to implement these (and I'm sure you have it/know how to)? It'll help a lot and help in taking the management decision point.

                   

Keep in mind, I'm not asking innocent questions here, but convincing our management side not to switch over to the Hyper-V solution (you can modify the above quite easily in there; a demo was run showing it...)... couldn't argue on that... (again = $$$ for you guys, I'm defending your case = sticking with the VMware solution instead of switching over...).

                   

                  Thanks again for the support,

                  • 6. Re: VMWARE Workstation TPM / vTPM support for next update/release
                    bluefirestorm Master

...(again = $$$ for you guys, I'm defending your case = sticking with the VMware solution instead of switching over...).

Hmmmm.... I am not a VMware employee, nor do I get $$$ to post here. So there is really nothing in it for me in terms of money.

                     

Anyway, even before this 2017 preview, it was already possible to create a VM with EFI instead of BIOS as the virtual firmware. But you can't simply switch from one to the other just by editing the vmx, as it would render the VM unbootable.

                     

Though it may not be relevant to you at the moment, the latest Windows 10 1703 includes a tool to allow such a conversion.

                     

                    https://docs.microsoft.com/en-us/sccm/osd/deploy-use/task-sequence-steps-to-manage-bios-to-uefi-conversion

                     

One search engine result also turned up these unofficial steps for Windows 7/8:

                     

                    https://social.technet.microsoft.com/wiki/contents/articles/14286.converting-windows-bios-installation-to-uefi.aspx

                     

But there could be several other ways. I would guess it is a matter of knowing the nuts and bolts of partitions (which I don't) and willingness to experiment.

                    • 7. Re: VMWARE Workstation TPM / vTPM support for next update/release
                      thorias Lurker

No problem, thanks a lot for your time and replies.

                       

Well, it doesn't work with a Win 7 x64 VM set with UEFI64: when vtpm is set in the vmx as you mentioned and you launch the virtual machine, it throws a pop-up with an error that the VM needs to be encrypted, vtpm couldn't start, and that's it.

                       

Anyway, I'll go for the alternative option for now, expecting that VMware improves/reviews the TPM/vTPM integration as a "real" device seen by the VM, which will then give access to BitLocker executed on an existing VM for drive encryption.

                       

                      Thanks again!

                      • 8. Re: VMWARE Workstation TPM / vTPM support for next update/release
                        bluefirestorm Master

Well, it doesn't work with a Win 7 x64 VM set with UEFI64: when vtpm is set in the vmx as you mentioned and you launch the virtual machine, it throws a pop-up with an error that the VM needs to be encrypted, vtpm couldn't start, and that's it.

I already indicated in my first reply to you that the VM has to be encrypted once you add the vtpm.present = "TRUE" line. After you encrypt, you would be able to power up the VM. You would see an "Unknown Device", as there is no built-in TPM 2.0 support for Windows 7, which requires installation of the hotfix.

                        • 9. Re: VMWARE Workstation TPM / vTPM support for next update/release
                          thorias Lurker

OK, my bad, I understood it the opposite way. I was expecting that once you set vtpm in the vmx, the vTPM would appear in Device Manager (Win 7 x64 with UEFI64; it would have been perfect if it worked in BIOS mode as well...) and from there you could use BitLocker to encrypt the system drive as it is on real hardware, storing the encryption keys in the vTPM of the VM...

But you have to first encrypt the VM via VMware itself and then you can set the vtpm... it doesn't work the way I was expecting... which is useless for my case... Hopefully the VMware team will work on something to get this working as close as possible to how it is on real hardware for the next VMware Workstation release (and again for both UEFI and BIOS mode VMs together).

                           

                          Thanks again!

                          • 10. Re: VMWARE Workstation TPM / vTPM support for next update/release
                            mike Lurker

                            I've tried the vTPM feature and I have more questions.

                            Why does it require me to encrypt the VM which includes encrypting the disk and vmx file? I want vTPM without changing my disk.

Once the vmx is encrypted, how can I edit any other setting in the vmx again?

How can I toggle vTPM on/off in different snapshots?