diff --git a/wfvm/autounattend.nix b/wfvm/autounattend.nix
index 1508fc8..c3f6277 100644
--- a/wfvm/autounattend.nix
+++ b/wfvm/autounattend.nix
@@ -15,6 +15,7 @@
 , impureShellCommands ? []
 , driveLetter ? "D:"
 , imageSelection ? "Windows 11 Pro N"
+, enableTpm
 , ...
 }:
@@ -146,12 +147,14 @@ let
-
-
- 1
- reg add HKLM\System\Setup\LabConfig /v BypassTPMCheck /t reg_dword /d 0x00000001 /f
-
-
+ ${lib.optionalString (!enableTpm) ''
+
+
+ 1
+ reg add HKLM\System\Setup\LabConfig /v BypassTPMCheck /t reg_dword /d 0x00000001 /f
+
+
+ ''}
diff --git a/wfvm/utils.nix b/wfvm/utils.nix
index f4fe9b2..fee901f 100644
--- a/wfvm/utils.nix
+++ b/wfvm/utils.nix
@@ -1,4 +1,9 @@
-{ pkgs, baseRtc ? "2022-10-10T10:10:10", cores ? "4", qemuMem ? "4G" }:
+{ pkgs
+, baseRtc ? "2022-10-10T10:10:10"
+, cores ? "4"
+, qemuMem ? "4G"
+, enableTpm ? false
+}:
 rec {
 # qemu_test is a smaller closure only building for a single system arch
@@ -19,8 +24,19 @@ rec {
 "-device qemu-xhci"
 "-device virtio-net-pci,netdev=n1"
 "-bios ${OVMF.fd}/FV/OVMF.fd"
+ ] ++ pkgs.lib.optionals enableTpm [
+ "-chardev" "socket,id=chrtpm,path=tpm.sock"
+ "-tpmdev" "emulator,id=tpm0,chardev=chrtpm"
+ "-device" "tpm-tis,tpmdev=tpm0"
 ] ++ extraFlags;
 
+ tpmStartCommands = pkgs.lib.optionalString enableTpm ''
+ mkdir -p tpmstate
+ ${pkgs.swtpm}/bin/swtpm socket \
+ --tpmstate dir=tpmstate \
+ --ctrl type=unixio,path=tpm.sock &
+ '';
+
 # Pass empty config file to prevent ssh from failing to create ~/.ssh
 sshOpts = "-F /dev/null -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -o ConnectTimeout=1";
 win-exec = pkgs.writeShellScriptBin "win-exec" ''
@@ -96,6 +112,7 @@ rec {
 ]);
 in pkgs.writeShellScriptBin "wfvm-run-${name}" ''
 set -e -m
+ ${tpmStartCommands}
 ${qemu}/bin/qemu-system-x86_64 ${pkgs.lib.concatStringsSep " " qemuParams} &
 ${win-wait}/bin/win-wait
diff --git a/wfvm/win.nix b/wfvm/win.nix
index 58ca88e..d3ce95a 100644
--- a/wfvm/win.nix
+++ b/wfvm/win.nix
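Review bot: `enableTpm` is added to autounattend.nix's argument set without a default (`, enableTpm` in the `@@ -15,6` hunk), while the same commit gives it `? false` in utils.nix and `? true` in win.nix, so the three files disagree on what an omitted value means and any caller that imports autounattend.nix directly now fails to evaluate. Either give it the same default as win.nix, `, enableTpm ? true`, or keep it required and say so, e.g. `, enableTpm # required: false keeps the BypassTPMCheck override in the RunSynchronous section`. In the `@@ -146,12` hunk the registry override is only emitted when `!enableTpm`, which is the intended effect; the rendered page has stripped the XML tags around those lines, so the element structure itself cannot be checked here.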
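Review bot: `swtpm socket` is started without `--tpm2` in `tpmStartCommands` (the `@@ -19,8` hunk of utils.nix), and swtpm emulates a TPM 1.2 unless that flag is given, so with `enableTpm = true` the guest gets a TPM 1.2 at the same time as the commit stops emitting the BypassTPMCheck override, which a Windows 11 setup (the default `imageSelection` is "Windows 11 Pro N") is likely to reject; the line should read `${pkgs.swtpm}/bin/swtpm socket --tpm2 \`. swtpm is also backgrounded with `&` and neither waited for nor stopped, and qemu is launched immediately after it in the `@@ -96,6` hunk (and in win.nix), so qemu can race the creation of `tpm.sock`, and a leftover swtpm or stale socket from a previous run in the same directory is not handled. A short poll for `tpm.sock` to exist before qemu starts, plus a `trap` that kills the swtpm job on exit, would close both gaps; the `wfvm-run` script's body continues outside the hunk.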
@@ -5,6 +5,7 @@
 , impureMode ? false
 , installCommands ? []
 , users ? {}
+, enableTpm ? true # autounattend always installs index 1, so this default is backward-compatible
 , imageSelection ? "Windows 11 Pro N"
 , ...
@@ -12,7 +13,7 @@ let
 lib = pkgs.lib;
- utils = import ./utils.nix { inherit pkgs; };
+ utils = import ./utils.nix { inherit pkgs enableTpm; };
 inherit (pkgs) guestfs-tools;
 # p7zip on >20.03 has known vulns but we have no better option
@@ -52,7 +53,7 @@ let
 autounattend = import ./autounattend.nix (
 attrs // {
- inherit pkgs;
+ inherit pkgs enableTpm;
 users = users // {
 wfvm = {
 password = "1234";
@@ -126,6 +127,8 @@ let
 virt-make-fs --partition --type=fat win/ usbimage.img
 rm -rf win
 
+ ${utils.tpmStartCommands}
+
 # Qemu requires files to be rw
 qemu-img create -f qcow2 c.img ${diskImageSize}
 qemu-system-x86_64 ${lib.concatStringsSep " " qemuParams}
@@ -153,6 +156,8 @@ let
 in ''
 set -x
+ ${utils.tpmStartCommands}
+
 # Create an image referencing the previous image in the chain
 qemu-img create -F qcow2 -f qcow2 -b ${acc} c.img
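Review bot: The comment on `, enableTpm ? true` justifies the default with "autounattend always installs index 1", which is about image selection rather than the TPM, and the default is not behaviour-preserving: a caller of win.nix that omits the argument now gets a swtpm device attached (via utils.nix) and no longer gets the BypassTPMCheck override that was unconditional before this commit. Either default to `false` so existing builds stay identical, or replace the comment with one that states the trade-off, e.g. `# true: attach a swtpm device and let Windows setup enforce its TPM check; false: keep the BypassTPMCheck registry override (pre-TPM behaviour)`.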
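Review bot: The install derivation in the `@@ -126,6` hunk creates `tpmstate` in the build's working directory and never copies it to `$out`, and each layer in the `@@ -153,6` hunk does the same while the disk image is carried forward through `-b ${acc}`, so the guest sees a freshly generated TPM (new seeds, empty NVRAM) at every step even though its disk state persists. Anything the guest seals to the TPM during install or in an earlier layer — BitLocker/device encryption, Windows Hello, other measured-boot-bound secrets — would then fail to unseal in the next layer; whether the default unattended image ends up in that state cannot be told from the diff. If TPM state is meant to follow the image, the install and each layer should copy `tpmstate` into `$out` next to `c.img`, and the next layer should start swtpm from a writable copy of the previous layer's directory instead of an empty `mkdir -p tpmstate`. `tpmStartCommands` itself is defined in utils.nix, outside these hunks, so the change would touch both files.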