I already have a Windows 11 encrypted VM created under the old Fusion. Now that Fusion 12.2 "sorta" supports the software TPM module that does not require encryption, is there any way to migrate my VM to it without encryption? I added the managedvm.AddVTPM = "software" line to my vmx file, but the VM still shows it's encrypted and that removing encryption will destroy the data.
It depends on which data and whether BitLocker has been enabled inside the Windows 11 VM.
If BitLocker encryption was enabled inside the Windows 11 VM, I think even just removing the TPM 2.0 will be problematic for the data inside the VM virtual disks. Having said that, the Windows 11 VM looks like it already uses the vTPM to store the login PIN. I used the managedVM.autoAddvTPM = "software" line on Workstation Player 16.2, and after I cleared the TPM from within the VM (using tpm.msc), Windows 11 prompted me to set up the login PIN again.
The best way to migrate is to
If anything goes wrong, restore from step 1.
Note the entry setting is managedVM.autoAddvTPM, not "managedVM.addvTPM" as you had typed in your post.
Thank you, BitLocker is not enabled, so hopefully I'll be OK. I'll try out your steps. The managedvm.AddVTPM = "software" line was the one mentioned on the Fusion Blog, which is why I had it...
Awesome, everything worked like a champ. Windows 11 asked me to reset my PIN as I logged in, and I had to re-login to my Microsoft account, but after doing those steps I logged in normally. I rebooted just to make sure, but it looks like I didn't have to clear my TPM. Thank you again.
Oops, I take it back, just checked my VM settings again, and encryption is re-enabled somehow. I'll play with it some more. I wonder if it's showing Encryption enabled, but it's not really encrypted since I have not given the VM a new password.
Well, since it encrypted the VM on its own, I don't know the password. This is going to be tricky...
After adding the managedVM.autoAddVTPM = "software" line and starting Fusion, the following lines are added automatically (keys removed):
managedVM.ID =
encryption.encryptedKey =
vtpm.ekCSR =
vtpm.ekCRT =
vtpm.present = "TRUE"
encryption.keySafe =
So as far as I can tell, the VM is re-encrypting itself after re-adding the TPM.
No, it is a GUI problem. If you can edit your VMX, the VM is not encrypted. It would be a lot less scary if the GUI were fixed!
Thanks for the instructions; they worked a treat for me as well. One thing I noticed is that you have to allow it to do an encryption process again, which then also gets added to the VMX file. Until you let it fully finish, it will act oddly and not start up normally. It only needs to do it once though. This is obviously not an actual file encryption, as the vmx remains editable; maybe it is done in order to fool Windows 11.
The closing of the Fusion app after adding the VMX entry does a few things aside from the auto-add of the vTPM. Aside from adding vTPM-related entries and other encrypted strings, it also looks like it encrypts the VMDK descriptor file. But the rest of the VMDK files (the ones that store the actual data of the virtual disk) are not encrypted.
@bluefirestorm wrote:
The closing of the Fusion app after adding the VMX entry does a few things aside from the auto-add of the vTPM. Aside from adding vTPM-related entries and other encrypted strings, it also looks like it encrypts the VMDK descriptor file. But the rest of the VMDK files (the ones that store the actual data of the virtual disk) are not encrypted.
That's correct: the vmdk data itself is untouched, the vmdk descriptor files are encrypted, and if you don't use vmdk disk slices that means the descriptor metadata within your vmdk file will be encrypted.
Note that it also encrypts the .vmsd file (and obviously any .vmsn/.vmem file as well, if available)
Besides that the .nvram file also looks like it is encrypted.
--
Wil
I noticed everyone has the same desire I have: how to remove the software TPM.
I tried to 'remove' the TPM before boot, and Microsoft required the re-creation of a PIN. I even had Windows Hello turned off.
Searching around a bit, I even tried using these instructions (https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/disabling-secure-boot?view=win...) with a slight modification. Using Shift+Restart and the instructions, I get to a UEFI setup menu. Once there I hit a bit of a roadblock, as the UEFI variant for VMware guests doesn't seem to allow disabling. To work around this, I powered off (Option+Shut Down) from the menu, and then removed the TPM at that point. Then I restarted the VM. The prior instructions force the subsequent boot into UEFI setup, and now the TPM is disabled in the nvram/etc. files, because the TPM isn't recognized, so I simply booted normally. Net... booted without TPM.
Sadly this still required a PIN reset, but the OS runs fine.
I think if the VMware UEFI had supported disabling the TPM, the Microsoft instructions would have simply worked without needing to PowerOff.
PS: honestly, given it didn't change needing to re-gen a PIN, I am not sure it's really worth the trouble.
My problem is that my old MacBook is now out of order, but I've made backups. But now on my new MacBook VMware asks me for a password for the Win11 VM. But my password doesn't work 😞
What can I do now?
I can't edit the VM configuration, because it needs the password every time, and in the VMX file there is already the entry managedVM.autoAddVTPM = "software".
Which entry do I have to delete to get the VM working one time? I only need a few files inside the VM...
If I were you I would just make a new VM and add your old .vmdk disk file to it so you can grab your files.
The .vmdk files don't get encrypted when using this "unsupported, undocumented" feature.
It's really for testing; folks shouldn't be trying to work with VMs that have this feature. That'd be crazy, since you'll end up in situations like these.
The feature wasn't designed with end users in mind.
That said, the Tech Preview that we are releasing later this week builds on top of that technology and 'does the right thing' with regard to using the keychain and storing the password. You can even use your own password or have us generate one for you.
@Mikero wrote:
If I were you I would just make a new VM and add your old .vmdk disk file to it so you can grab your files.
The .vmdk files don't get encrypted when using this "unsupported, undocumented" feature.
That won't work as the metadata still gets encrypted.
So no go on that one.
PS: Good to hear that this part got some love.
--
Wil
HabibAzimi,
You should just re-create the VMDK, assuming that you are not using a single-growable file.
If you are using a single-growable file, the encrypted part of the VMDK needs to be replaced. This requires an old vmware.log so that it can be known what is needed to replace the encrypted bits of the VMDK. See this thread:
https://communities.vmware.com/t5/VMware-Workstation-Player/VMware-Player-Try-to-add-virtual-TPM-to-...
If you can't figure out how to re-create the VMDK and/or the Python program, it is better that you create a new thread of your own with the necessary details. An old vmware.log (or vmware-0.log, vmware-1.log, vmware-2.log) that successfully opened the VMDK would be needed.
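A small checker, added here as an example (not code from this thread or from VMware), that puts the observations above into practice: it parses a still-readable .vmx for the encryption.* and vTPM keys listed earlier and inspects the leading bytes of a .vmdk to tell a plaintext split descriptor from a single-growable (monolithicSparse) disk whose embedded descriptor is or is not readable, the case bluefirestorm says needs repair. The "fully encrypted" rule (only .encoding and encryption.* keys, with the config inside encryption.data) and the "KDMV" header check are assumptions from my knowledge of the file formats; the sample VMX is constructed from the entries quoted in the thread with the key material elided.

```python
import re

# Keys Fusion appended to the .vmx in the thread above (values are omitted there too)
KEY_MATERIAL = ("encryption.keySafe", "encryption.encryptedKey")
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"  # first line of a plaintext VMDK descriptor
SPARSE_MAGIC = b"KDMV"                        # header magic of a monolithicSparse extent (assumption)

def parse_vmx(text):
    """Parse key = "value" lines of a readable .vmx into a dict (keys lower-cased)."""
    entries = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries

def classify_vmx(text):
    """Assumption: a fully encrypted .vmx exposes only .encoding and encryption.* keys,
    the real config living inside encryption.data. If ordinary keys such as
    vtpm.present are still readable, only key material was added (Wil's point)."""
    e = parse_vmx(text)
    ordinary = [k for k in e if not k.startswith("encryption.") and k != ".encoding"]
    has_keys = any(k.lower() in e for k in KEY_MATERIAL)
    if "encryption.data" in e and not ordinary:
        state = "fully-encrypted"
    elif has_keys:
        state = "keysafe-only"      # editable VMX with key material, as reported in the thread
    else:
        state = "plaintext"
    vtpm = e.get("vtpm.present", "").upper() == "TRUE" or "managedvm.autoaddvtpm" in e
    return {"state": state, "vtpm": vtpm}

def classify_vmdk(head):
    """Classify the leading bytes of a .vmdk. Split disks keep the descriptor in a small
    separate file; a single-growable disk embeds it after a 512-byte KDMV header."""
    if head.startswith(DESCRIPTOR_MAGIC):
        return "split-descriptor-plaintext"
    if head.startswith(SPARSE_MAGIC):
        return ("monolithic-descriptor-plaintext" if DESCRIPTOR_MAGIC in head
                else "monolithic-descriptor-unreadable")
    return "no-readable-descriptor"  # encrypted descriptor, or a flat data extent

# Constructed samples: the thread's VMX entries (key material elided) and a fake sparse header
SAMPLE_VMX = ('.encoding = "UTF-8"\nmanagedVM.autoAddVTPM = "software"\nmanagedVM.ID = "X"\n'
              'encryption.encryptedKey = "X"\nvtpm.present = "TRUE"\nencryption.keySafe = "X"\n')
SAMPLE_MONOLITHIC = SPARSE_MAGIC + b"\x00" * 508 + DESCRIPTOR_MAGIC + b"\nversion=1\n"
```

Run it against the first 64 KiB of each file in the VM bundle; a `keysafe-only` VMX together with a readable descriptor is the benign "GUI says encrypted" state, while `monolithic-descriptor-unreadable` is the single-growable case that needs the old vmware.log.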