VMware Communities
gregeeh
Contributor

Questions about Version 17 Workstation

Hi all,

My W11 PC had VMware Workstation 15 and some W11 Guests that were working fine.

1. I upgraded to VMware Workstation 17 and now when I start a W11 Guest it pops up immediately with a progress bar with the title encrypting. Why? What is the encrypting password/passphrase?

2. Now when I create a W11 guest I get this option which I never got before.  Why?  Is it something I can disable so it works like V15?

TIA

Accepted Solutions
Technogeezer
Immortal

managedVM.autoAddVTPM = "software"

This line is in your .vmx file and I don't think it should be there if you have a VM that's running under Workstation 15. It does nothing for Workstation 15 and should not be there. If this VM was running on Workstation 16.2, it would have enabled an experimental vTPM. But I see no evidence that this experimental feature was enabled for this VM - if it were there would be other lines in your .vmx file - but there aren't.

What I think may be happening is that while that line does nothing in Workstation 15, opening the VM in Workstation 17 will cause it to try to enable the Workstation 16.2 broken vTPM feature. Which is a really, really bad idea.

My advice is to restore the Workstation 15 version of the VM, remove this line from the .vmx file with your favorite text editor, then power up the VM with Workstation 17. If you get the VM powered up and you want a TPM for your Windows 11 VM, modify the VM's settings to reflect that you have a Windows 11 VM, enable encryption (choosing "only files necessary to support a TPM device"), specify a password (don't let Workstation generate one for you), and decide whether you want that password saved by Windows. Then you can add the TPM device.

The Workstation 16.2 vTPM is a half-baked feature and should be avoided at all costs. It encrypts with a password that can't be recovered. It also had other severe problems (especially if you wanted to clone the VM or move it to another machine). The deficiencies that this feature had were fixed in Workstation 17 with its virtual TPM and partial encryption implementation.

- Paul (Technogeezer)
Editor of the Unofficial Fusion Companion Guides
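
The cleanup described in the post above (find the stray `managedVM.autoAddVTPM` line in a pre-upgrade .vmx and remove it before the VM is opened in Workstation 17), as an added example that is not part of the original post or of VMware's tooling. The `vtpm.`/`encryption.` prefixes used to spot a VM that has already been converted, the function names and the sample file are assumptions.

```python
import re
import shutil
from pathlib import Path

STRAY_KEY = "managedvm.autoaddvtpm"  # key from the post; matched case-insensitively
# Assumption: keys under these prefixes mean a vTPM or encryption already exists.
CONFIGURED_PREFIXES = ("vtpm.", "encryption.")
ENTRY = re.compile(r'^\s*([^#\s=][^=\s]*)\s*=\s*"(.*)"\s*$')  # key = "value"

# Constructed sample of a pre-upgrade .vmx (not the poster's file).
SAMPLE_VMX = (
    '.encoding = "windows-1252"\r\n'
    'config.version = "8"\r\n'
    'guestOS = "windows9-64"\r\n'
    'managedVM.autoAddVTPM = "software"\r\n'
    'displayName = "W11"\r\n'
)

def key_of(line):
    """Lower-cased key of a `key = "value"` line, or None for anything else."""
    m = ENTRY.match(line)
    return m.group(1).lower() if m else None

def audit_vmx(text):
    """Return (stray, configured): stray lines as (line_no, text), and vTPM/encryption keys."""
    stray, configured = [], []
    for number, line in enumerate(text.split("\n"), start=1):
        key = key_of(line)
        if key == STRAY_KEY:
            stray.append((number, line.strip()))
        elif key and key.startswith(CONFIGURED_PREFIXES):
            configured.append(key)
    return stray, configured

def strip_stray_key(text):
    """Drop the stray line, keeping every other byte and line ending as-is."""
    _, configured = audit_vmx(text)
    if configured:  # already converted: editing is not enough, restore the old copy
        raise ValueError(f"vTPM/encryption keys present: {configured}")
    return "\n".join(l for l in text.split("\n") if key_of(l) != STRAY_KEY)

def clean_file(path):
    """Back up the .vmx to <name>.bak and rewrite it without the stray key."""
    path = Path(path)
    text = path.read_bytes().decode("latin-1")  # latin-1 round-trips every byte
    cleaned = strip_stray_key(text)
    if cleaned == text:
        return False
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_bytes(cleaned.encode("latin-1"))
    return True
```

`clean_file` is meant for the restored Workstation 15 copy of the VM, with Workstation closed; it refuses to edit a .vmx that already carries vTPM or encryption keys.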

Technogeezer
Immortal

Re: 2: If you adhere to the Microsoft requirements, Windows 11 requires a Trusted Platform Module device. Workstation 17 recognizes Windows 11 as a supported guest type. Because of the Microsoft requirements, it automatically adds a TPM device for you when you create a Windows 11 VM. The virtualized TPM device requires the VM to be encrypted, so that's why the dialog appears that you attached to your post.

It's recommended that in almost all cases, you choose the encryption option to encrypt only the files necessary to support a TPM device. This option has minimal performance impact to the VM because it does not encrypt the contents of the virtual disks (unlike the encryption option you're used to in Workstation 15, which encrypted the entire VM including the virtual disks).

When you encrypt the Windows 11 VM in Workstation 17, you should choose to create your own password and remember it. If you check the "Remember password" checkbox, the password will also be remembered in (the Windows) Credential Manager, and Workstation 17 will use it to automatically unlock the VM in the GUI. You should also be able to find the password for the VM in the Credential Manager should you forget it.

Personally I would not attempt to disable the automatic addition of the TPM device and the associated encryption for Windows 11. Without the TPM, you will need to hack registry entries during Windows 11 installation to disable the TPM check. The recommended encryption option and the TPM adds almost no overhead to a running Windows 11 VM. Why make it harder on yourself?

You would not see this under Workstation 15 because it did not directly support a Windows 11 guest operating system type. You had to call it a Windows 10 and then either configure full encryption and a TPM device, or hack Windows during install to disable the TPM check. Workstation 15 did not have a partial encryption option.

Re: 1: If you don't know the password for an encrypted VM, you might want to check the Windows Credential Manager and see if it's in there.

- Paul (Technogeezer)
Editor of the Unofficial Fusion Companion Guides
gregeeh
Contributor

Thanks Paul for the great response.  It's much clearer now.

With Workstation 15 and my Windows 11 guest there was no encryption at all.  But when I start this guest under Workstation 17 it immediately comes up with a progress bar saying encrypting.

I understand now why this is happening, but what is the password as nothing is ever entered and nothing is asked?  It just starts encrypting.

Thanks again.

Greg

EDIT:

It is strange that Workstation 17 goes ahead and encrypts the W11 guest and you have no idea what the password is.  Settings show this after the encryption.  There's nothing in Credential Manager either.

 

Technogeezer
Immortal

I agree it’s bizarre. Do you have a copy of the VM as it was on Workstation 15? If so, it would be interesting to see the .vmx file of the Windows 11 VM before it was opened on Workstation 17.

 

- Paul (Technogeezer)
Editor of the Unofficial Fusion Companion Guides
gregeeh
Contributor


@Technogeezer wrote:
managedVM.autoAddVTPM = "software"

My advice is to restore the Workstation 15 version of the VM, remove this line from the .vmx file with your favorite text editor, then power up the VM with Workstation 17. If you get the VM powered up and you want a TPM for your Windows 11 VM, modify the VM's settings to reflect that you have a Windows 11 VM, enable encryption (choosing "only files necessary to support a TPM device"), specify a password (don't let Workstation generate one for you), and decide whether you want that password saved by Windows. Then you can add the TPM device.


Followed this and all is now perfect.  Thank you very much for all your time and effort, it's greatly appreciated.

Greg