VMware Communities
manniongeo
Contributor

What is the default encryption password for virtual TPM?

Environment:

  • Workstation: 16.2.3
  • Host: Windows 10 Pro 21H2
  • Guest: Windows 11 Pro for Workstations 21H2

My physical hardware has an older TPM that is not compatible with Windows 11. Therefore, I followed the instructions in VMware support article 86207 to use a virtual TPM for the Windows 11 guest.

Specifically, I used option 3A, which describes adding the following line to the guest's .vmx file:

managedVM.autoAddVTPM = "software"

This worked, and I was able to install and configure Windows 11 normally.

The problem now is that I am trying to move this VM to another host, but the new host is prompting me for a password to decrypt the VM - and I don't have that password.

After some additional reading/testing, I've found that encryption happens automatically when using the workflow in the aforementioned support article. But, Workstation neither prompts me to create a password, nor tells me which password it picked on my behalf. So, I seem to be stuck running the guest on this one host, at least for the moment.

  • Does anyone know the default password used with the autoAddVTPM feature, or how I can discover the password for an existing encrypted VM?

Thanks in advance for your help.
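A pre-move audit for exactly this situation, added here as an example (not code from the thread, VMware, or the linked support article): it parses a Workstation .vmx and flags the experimental software vTPM line together with the encryption.keySafe / encryption.data keys, which are assumed here to be the markers an encrypted VM carries, so you learn before copying the VM that another host will ask for a password you were never shown.

```python
"""Pre-move audit for a Workstation .vmx file (added example, not VMware tooling)."""
import re
from typing import Dict, List

# key = "value" lines; keys are treated case-insensitively (the thread itself
# writes both managedVM.autoAddVTPM and managedvm.autoAddVTPM).
_VMX_LINE = re.compile(r'^\s*([^\s=#]+)\s*=\s*"?(.*?)"?\s*$')

# Assumed markers of an encrypted VM: the keys Workstation writes into the .vmx
# once the VM has been encrypted (assumption, not taken from the thread).
ENCRYPTION_KEYS = ("encryption.keysafe", "encryption.data")

# Constructed sample .vmx modelled on the thread's setup (values are placeholders).
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "Win11-vtpm-test"
managedVM.autoAddVTPM = "software"
encryption.keySafe = "vmware:key/list/(SAMPLE-PLACEHOLDER)"
encryption.data = "SAMPLE-PLACEHOLDER"
"""


def parse_vmx(text: str) -> Dict[str, str]:
    """Return {lower-cased key: value} for every key = "value" line."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def audit_vmx(cfg: Dict[str, str]) -> List[str]:
    """List the portability problems the thread describes, in order found."""
    findings: List[str] = []
    if cfg.get("managedvm.autoaddvtpm", "").lower() == "software":
        findings.append("experimental software vTPM enabled: Workstation encrypts "
                        "the VM with a password it never displays")
    if any(k in cfg for k in ENCRYPTION_KEYS):
        findings.append("encryption markers present: another host will prompt for "
                        "the password before it can open this VM")
    return findings


if __name__ == "__main__":
    for finding in audit_vmx(parse_vmx(SAMPLE_VMX)):
        print("WARNING:", finding)
```

To audit a real VM, pass the contents of its .vmx file to parse_vmx instead of SAMPLE_VMX.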

Accepted Solutions
manniongeo
Contributor

Workaround

As a test, I created a new Windows 11 guest on my VMware Workstation host with the unsupported TPM (1.2) and was subsequently able to move it to and start it on a second VMware Workstation host, without being prompted for an encryption password.

In this case, I again followed the installation instructions in support article 86207 for steps 1 and 2. But, I skipped step 3 and instead used the workflow described in the "In case you do not want to Encrypt the Virtual Machine" section to create the BypassTPMCheck registry value.

I am going to rebuild the VM I created yesterday using this workaround. It'll take some time, but it's worth it to me at this early stage, to have the flexibility to move it once it's laden with more customizations.

Considerations

I get the gist of the Windows 11 TPM requirements and the basics of the blog that @RDPetruska referenced above. But, I'm no expert in TPM/Windows/VMware, so take the following with caution.

  • This workaround allows me to run Windows 11 on an unsupported platform. Obviously, there's the potential for problems - including security vulnerabilities, given that I'm using an older TPM standard. These risks are acceptable in my test environment, but make your own judgement before doing the same.

  • I'm unclear as to whether the BypassTPMCheck method disregards the TPM requirement entirely, or falls back to allowing the older TPM 1.2 standard. I read that there's an official Microsoft workaround (AllowUpgradesWithUnsupportedTPMOrCPU registry value) that allows 1.2 (and, apparently, will fail if you have no TPM at all) but I'm not sure about the specific BypassTPMCheck behavior. This detail doesn't impact my current use case, so I'm just going to proceed as-is. Again, do your own research.


8 Replies
RDPetruska
Leadership

No one knows. This is, unfortunately, one of the limitations of using the experimental vTPM feature. See wila's blog https://www.vimalin.com/blog/what-you-should-know-about-vmwares-experimental-vtpm/ for more details.

manniongeo
Contributor

  1. Would you mind posting a link to "wila's blog"? I see it now; thanks.
  2. Is there a better option where I can run a Windows 11 guest on a host that doesn't support Windows 11, and still be able to move the guest?

Thanks!

RDPetruska
Leadership


@manniongeo wrote:
  1. Would you mind posting a link to "wila's blog"? I see it now; thanks.
  2. Is there a better option where I can run a Windows 11 guest on a host that doesn't support Windows 11, and still be able to move the guest?

Thanks!


1. Yeah, I posted my reply then looked for the link. Edited once I found it. You likely started replying in-between.

2. I honestly don't know. With everything I read about Win 11, I'm not touching it with a 10' pole. Seems too much like Vista to me.

syvik
Contributor

Spent some time and figured out the password.

https://www.syvik.com/multidesk/howto.win11.vmware16.en.html

cthrockmorton
Contributor

Hi Syvik,

Thank you for creating this utility. It works GREAT!

I was able to retrieve the password for the Experimental vTPM, which is unknown when using managedvm.autoAddVTPM = "software", and completely remove the encryption from my VM, so that I could upgrade it to the latest supported encryption mode in VMware Workstation 17.5.0.

CaptainO
Contributor

Hi Syvik,

I found your post after resetting Windows and trying to reload an encrypted virtual machine. I've tried using your utility, which looks great, but I'm getting an error message "Decrypt failed, error code 2148073483." I don't suppose you'd have any idea what I'm doing wrong? Many thanks

syvik
Contributor

The decryption key was saved by Windows. If you have reset Windows, then the key was lost.