DVE2000
Enthusiast

How easy is it to move a TPM2 Win11 VM to another host?

I couldn't find an easy answer with google, so I figured I'd ask here.

I've been able to upgrade a Win10 VM to Windows 11 by using TPM2, expanding the hard drive, etc. But from what I've read and understand, you lose the ability to move the VM to another host. I totally get why that is in terms of security, but I'm wondering if anyone has done this and what the steps would be? Before I upgrade some other VMs....

19 Replies
Technogeezer
Virtuoso

If you’re using Fusion 12.2’s experimental vTPM support, have a look at this blog article written by our own @wila : https://www.vimalin.com/blog/what-you-should-know-about-vmwares-experimental-vtpm/

DVE2000
Enthusiast

Thanks for the reply. The one machine I converted has always been fully encrypted, so I guess it’s now stuck on my current Mac… 

I had played with the experimental option on another machine, and really borked it up. Couldn’t restore any of the snapshots by the time I was done. Luckily, I had a full copy of the VM folder on another drive, so total restoration of the folder fixed things. At least I now know what to back up if I want to go the partial encryption route. 


wila
Immortal

Hi,

I wrote that article about the experimental vTPM feature and also made the statement about "you can't move your VM to another host". While that is true for a VM using the experimental feature right now, this might change (and hopefully does change as it is a major showstopper from my point of view).

What I explicitly did not mention is how it works for fully encrypted VMs, as I don't normally use that feature myself.

So I just set out with a small VM (running Haiku OS) and played a bit with that, then cloned it and subsequently encrypted that Haiku VM.

Dragged it over to another host and tried to run it there.
I had no problem using that VM after supplying the password, it just worked.
This particular test shows that it is not the encryption itself that locks a VM to one physical host.

Note the following:

Haiku OS does not use a vTPM, so the VM had no TPM.

Windows 11 really wants to have a vTPM, but as long as you have not used that vTPM to encrypt the data within your VM (like with BitLocker), you can remove the vTPM (and add one back later on).

As stated in the article, Windows will complain a bit during login, as Windows 11 will ask you to set up the login PIN again.

More testing will follow. Like with an actual Windows 11 VM 😂, but the initial test with a fully encrypted VM looks promising.

Hope this helps,

--
Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
DVE2000
Enthusiast

Thanks Wil, that's really good to hear! I'm not using Bitlocker, but yeah, Win 11 wants the TPM2 module. Even though I may not be encrypting anything with it, Fusion does say that removing it will destroy all encrypted data. From what you've said, this doesn't seem quite right.

So the steps would be: remove the TPM2 module, ignore any warnings of Death By Data Loss, move the VM to another computer, add a new TPM2 module, and then everything should boot up just fine. I'll probably have to use my login password, and then set up a new PIN.

Hopefully, the TPM module could be removed on the second computer if not removed on the first. (Like in the case of the original Mac going belly up or whatever.)

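As an added example (not code from the thread, from Fusion or from Vimalin), a small Python checker that reads a .vmx and tells apart the three cases that wila's Haiku test and the proposed steps above turn on: a fully encrypted VM, a vTPM in a VM that is not fully encrypted, and neither. It assumes the .vmx key names vtpm.present, encryption.keySafe and encryption.data, and that a fully encrypted VM keeps the rest of its settings inside encryption.data, so the vTPM flag is not readable from the file in that case.

```python
import re

# Constructed sample .vmx fragments, not taken from the thread. The key names
# vtpm.present, encryption.keySafe and encryption.data are assumed from
# Fusion/Workstation config files; the values are placeholders.
SAMPLE_PLAIN = '.encoding = "UTF-8"\ndisplayName = "Win10"\n'
SAMPLE_VTPM_ONLY = SAMPLE_PLAIN + 'vtpm.present = "TRUE"\n'
SAMPLE_ENCRYPTED = (
    '.encoding = "UTF-8"\n'
    'encryption.keySafe = "PLACEHOLDER-KEYSAFE"\n'
    'encryption.data = "PLACEHOLDER-CIPHERTEXT"\n'
)

_KV = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines of a .vmx into a dict; comments and blanks are skipped."""
    cfg = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def classify(cfg):
    """Return 'encrypted', 'vtpm-unencrypted' or 'plain' for a parsed .vmx."""
    if "encryption.keySafe" in cfg and "encryption.data" in cfg:
        # Fully encrypted VM: the rest of the config (vTPM included) sits inside
        # encryption.data and cannot be read here. Per the thread, this VM moves
        # to another host and boots once the encryption password is supplied.
        return "encrypted"
    if cfg.get("vtpm.present", "").upper() == "TRUE":
        # vTPM present in a VM that is not fully encrypted: the experimental
        # vTPM layout the thread describes as tied to the original host.
        return "vtpm-unencrypted"
    return "plain"

ADVICE = {
    "encrypted": "copy the whole VM folder; it should run after the password",
    "vtpm-unencrypted": "host-locked by the experimental vTPM; back up the folder "
                        "first, then fully encrypt or remove/re-add the vTPM",
    "plain": "no vTPM, no encryption; the folder can simply be copied",
}

def check_vmx_text(text):
    """Classify a .vmx body and return (status, advice)."""
    status = classify(parse_vmx(text))
    return status, ADVICE[status]

def check_vmx_file(path):
    """Same check for a .vmx on disk (the file inside the .vmwarevm bundle)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return check_vmx_text(f.read())
```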
bluefirestorm
Champion

If you remove the virtual TPM 2.0 from the Windows 11 VM, the login account would have to be verified again (assuming you are logging in using a PIN). So there is stuff that uses the vTPM even though you may not be using BitLocker.

DVE2000
Enthusiast

What does "verified" mean? That I'd have to login with a password?

bluefirestorm
Champion

If you use a local Windows 11 account (instead of an online Microsoft account) that has been delinked from the online Microsoft account, the PIN becomes invalid and Windows 11 would want verification with the online Microsoft account.


DVE2000
Enthusiast

Interesting. This VM has never used an online account and only uses a local one. I guess I should make a copy of the folder and experiment with removing the tpm module and adding it back again. 

wila
Immortal

Hi,

@DVE2000 wrote:

 Fusion does say that removing it will destroy all encrypted data. From what you've said, this doesn't seem quite right.

So the steps would be remove the tpm2 module. Ignore any warnings of Death By Data Loss. Move the VM to another computer, add a new TPM2 module, and then everything should boot up just fine. I'll probably have to use my login password, and then setup a new PIN.

Hopefully, the TPM module could be removed on the second computer if not removed on the first. (Like in the case of the original Mac going belly up or whatever.)

I _think_ that you can ignore that, but to be sure I wouldn't remove the TPM on the first computer on my first try. In your case I would make a full backup of the VM before doing anything that might result in data loss, just to make certain to have something to fall back on.
Like you say, it would be safer to remove the TPM on the 2nd computer, but only if you have to do that.

--
Wil

DVE2000
Enthusiast

I have backups all over. 🙂 When I get a chance, I'll put the free version of VM Player on my work PC and try to run the VM there. It's a PC with Windows 11. I'll report back when done.

DVE2000
Enthusiast

I copied the VM to my work PC and downloaded VMware Player temporarily. When I added the VM, it booted up and ran just fine. Didn't even try to mess with the TPM2 module. I obviously did have to put in the password to allow the machine to run. So I'm all good to go now. I guess if I decide to upgrade any of my other PC VMs to Win 11, I'm just going to fully encrypt them first.

bluefirestorm
Champion

If your Fusion version/license is Fusion 12 Professional, you should be able to use the same license key on Workstation Pro 16.x. VMware EULA for Fusion/Workstation allows up to 3 devices now.

With Workstation Pro, you should be able to fully encrypt/decrypt VMs with your own password. Player does not let you do that although Player 16.2.x also has that experimental vTPM.

wila
Immortal

That's really good to hear.
I have updated my article with your findings, thanks for reporting it back here.

--
Wil

DVE2000
Enthusiast

@bluefirestorm wrote:

If your Fusion version/license is Fusion 12 Professional, you should be able to use the same license key on Workstation Pro 16.x. VMware EULA for Fusion/Workstation allows up to 3 devices now.

That's awesome to hear! I knew I could put the license on 3 machines, but I'd thought that it could only be used for Fusion. Really good to know that I can use it for Workstation Pro as well.

DVE2000
Enthusiast

@wila wrote:

That's really good to hear.
I have updated my article with your findings, thanks for reporting it back here.

--
Wil

Cool. Glad to have been able to contribute something to add. I wasn't aware of vimalin, but now that I am, I'm definitely going to look into it. I've been doing the manual backup copy every few months with shutdown machines...

wila
Immortal

@DVE2000 wrote:

Cool. Glad to have been able to contribute something to add. I wasn't aware of vimalin, but now that I am, I'm definitely going to look into it. I've been doing the manual backup copy every few months with shutdown machines...

Sadly though making a backup of an encrypted VM that is running is not supported atm. That's on my list of things to look into once I have a bit more time.

--
Wil

RDPetruska
Leadership

@bluefirestorm wrote:

If your Fusion version/license is Fusion 12 Professional, you should be able to use the same license key on Workstation Pro 16.x. VMware EULA for Fusion/Workstation allows up to 3 devices now.

Might want to double-check all the license wording on that one, since the OP stated he installed Workstation on his *work* (i.e. company-owned) PC. I'd be willing to bet that your license allows cross-product installation on up to 3 devices *which you own*.

bluefirestorm
Champion

RDPetruska,

Does "Work PC" also mean violating the "non-commercial purpose" uses for the free VMware Workstation Player/Fusion Player? If a work PC belongs to a poster's employer, or the poster works as a freelance software developer and uses VMs to write code, it also breaks or comes close to breaking the non-commercial purpose clause.

If a PC/Mac belongs to an employer, it is probably not a good idea to be installing software on company owned equipment as it could be violating work related policies/rules (i.e. using company resources for personal use apart from the non-commercial use clause of VMware EULA).

For this specific thread, I simply take it that, considering the OP has considerable control to install software on it, he/she owns it.

As a general rule, I don't post replies or try to help anymore if there is a hint/suspicion something is amiss. For example, in some thread asking for help to install version 10 of Workstation Pro in 2021, it seems rather suspicious that they want this version, because they probably got hold of some license key somebody posted on the internet. Or somebody downloaded some Windows 98 ISO from some dodgy website and is struggling to install it as a VM.

I know I have replied to some of these Windows 95/98 threads in the past, but ask me today, and there is a 95%-98% chance I won't post a reply to such a thread anymore.

Apologies for this long-winded philosophical digression...

DVE2000
Enthusiast

It was a convenient machine to run a test on. I used VM Player Free edition, and uninstalled it within 30 minutes of installing it, just to see if I could boot the encrypted VM on it. I'm thinking of either buying a small desktop, or using one of my old PCs to run one VM. One barrier was having to fork out 200 bucks for VMware Pro, because I'd want the snapshot capability. It's nice to know that I wouldn't have to do that.