VMware Communities
CarltonR
Hot Shot

"Safely Remove" Devices from Windows 11 with TPM [encryption]

I have installed Windows 11 with TPM (encryption) enabled, using Workstation Pro 16, and am unable to remove unwanted devices from the Windows 'Safely Remove' toolbar selection.

I would have normally edited the .vmx file and added the devices.hotplug = "FALSE" line to it, but unfortunately with the TPM encryption in place, this no longer works.  The .vmx file has also been significantly shortened with the majority now filled with the encryption data/key:

.encoding = "windows-11"
displayName = "Win 11 [x64] 21H2"
devices.hotplug = "FALSE"
guestOS.detailed.data = "xxxxxxx"
encryption.keySafe = "xxxxxxxx"
encryption.data = "xxxxxxxxx"

I have tried the 'devices.hotplug' line in various locations to no avail. Clearly, as encryption is in place, it would seem logical that all 'unexpected' entries would be ignored.

I would therefore be grateful for advice on how this may be resolved.

Many thanks


Accepted Solutions
CarltonR
Hot Shot

Thank you very much for this link . . . it worked a treat, and Win 11 installed with no issues . . with VMware v16.2.0.

When checking the VM's hardware settings, the TPM has been added to the list, and has been recognised within Win 11 Computer Management (Secure devices).

There is, however, one VMware idiosyncrasy which I was unaware of, but perhaps I should have been: to get the VMware app to read the vmx file correctly, you have to close the associated VM tab from within the VMware app. So:

  1. create a new VM and link it to the Win 11 iso file
  2. close the newly created VM tab in the VMware Workstation app
  3. edit vmx and add the managedvm.autoAddVTPM = "software" line to it
  4. then power on the new VM and run through the Win 11 install.

Many thanks for your help, and to all those involved in creating this "new experimental and currently undocumented feature".

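Steps 3 and 4 of the accepted solution come down to a one-line edit of an unencrypted .vmx. As an added example (not code from the thread or from VMware), the Python below makes that edit idempotent and refuses a file that carries the `encryption.keySafe` / `encryption.data` keys shown in the original post; the helper names, the sample inputs and the case-insensitive key matching are assumptions.

```python
import re

# Key and value come from the thread; everything else here is illustrative.
VTPM_KEY = "managedvm.autoAddVTPM"
VTPM_LINE = f'{VTPM_KEY} = "software"'
# Keys seen in the encrypted .vmx posted at the top of the thread (lower-cased).
ENCRYPTION_KEYS = ("encryption.keysafe", "encryption.data")

# Matches a `key = "value"` line.
LINE_RE = re.compile(r'^\s*([^\s#=]+)\s*=\s*"(.*)"\s*$')

# Constructed sample inputs (not real VM configurations).
SAMPLE_PLAIN = '.encoding = "UTF-8"\ndisplayName = "Win 11 test"\n'
SAMPLE_ENCRYPTED = ('.encoding = "UTF-8"\nencryption.keySafe = "xxxxxxxx"\n'
                    'encryption.data = "xxxxxxxxx"\n')

def parse_vmx(text):
    """Map each lower-cased key to (line index, value)."""
    entries = {}
    for idx, line in enumerate(text.splitlines()):
        m = LINE_RE.match(line)
        if m:
            entries[m.group(1).lower()] = (idx, m.group(2))
    return entries

def is_encrypted(text):
    """True when the file carries either encryption key from the thread."""
    entries = parse_vmx(text)
    return any(key in entries for key in ENCRYPTION_KEYS)

def set_software_vtpm(text):
    """Return (new_text, changed); raise ValueError for an encrypted .vmx."""
    if is_encrypted(text):
        # The original poster found plaintext lines had no effect here.
        raise ValueError("encrypted .vmx: plaintext edits do not take effect")
    hit = parse_vmx(text).get(VTPM_KEY.lower())
    if hit and hit[1] == "software":
        return text, False            # already set, leave the file untouched
    lines = text.splitlines()
    if hit:
        lines[hit[0]] = VTPM_LINE     # replace a differing existing entry
    else:
        lines.append(VTPM_LINE)       # otherwise append the new entry
    return "\n".join(lines) + "\n", True
```

Apply it to the .vmx only after closing the VM's tab in Workstation, as step 2 describes; the result is written with LF line endings.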
7 Replies
bluefirestorm
Champion
CarltonR
Hot Shot

Many thanks for this information . . . will give it a try.

As an aside, is it likely that VMware will consider introducing in-app support for editing decrypt/encrypt .vmx config files?

bluefirestorm
Champion


As an aside, is it likely that VMware will consider introducing in-app support for editing decrypt/encrypt .vmx config files?


I am not a VMware employee so I have no idea. There is another thread where Mike Roy (VMware product manager for Workstation/Fusion product lines) responded they are working on removing the encryption of virtual disks as a requirement for encrypted VMs (largely due to the virtual TPM 2.0 to be added for a Windows 11 VM). No timeline given though. If the encryption of virtual disks is removed as prerequisite for vTPM, I suppose it is slightly less onerous to decrypt, edit and re-encrypt the vmx file.

CarltonR
Hot Shot

Might this be the thread to which you refer:

Windows 11 vTPM

https://communities.vmware.com/t5/VMware-Workstation-Pro/Windows-11-vTPM/m-p/2867009#M171330

wila
Immortal

It's out.... (well.. OK, only the download links, official release notes and blog post from VMware are coming soon)

There's a new experimental setting in the .vmx so that you don't have to encrypt anymore.

See;
https://twitter.com/mikeroySoft/status/1448675626714501122

--
Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
JohnBurke
Contributor

That devices.hotplug = "FALSE" could be why Symantec endpoint encryption cannot see my C drive on the Guest?

I've never run into issues before with seeing the drive.
