VMware Communities
Stefano33
Contributor

VMWare Workstation 17 TPM without encryption

Hi,
I have VMware Pro 17.5 with Windows 11 as host and also as guest on all my virtual machines.
I'm very concerned about TPM and encryption. Windows 11 requires TPM.
If I want to enable TPM on the virtual machine, it looks like it's not possible without encrypting the machine.
So, I'm forced to encrypt the machine.
When I encrypt the machine, I select the option "only the files needed to support TPM are encrypted (.nvram, .vmss, .vmem, .vmx, .vmsn)" because I don't want to encrypt the virtual disk as well.
I always have disk C for the operating system and software and a disk D with all my precious data.
After encrypting the machine and enabling TPM, if I need to copy the virtual disk D to another virtual machine for any reason, I always get the error message: "cannot decrypt disk because key or password is incorrect"

So I'm now very afraid that if for any reason I cannot boot my machine, or the operating system gets corrupted, I cannot take my virtual disk D where I have all my data and attach it to a new virtual machine.

In the past with Windows 10, nothing was encrypted and I was able to move my virtual disk as I wanted and where I wanted.
Especially useful when travelling and in case of booting problems or operating system crashes.
This is what I liked about virtualization. Now, with this forced encryption it seems very dangerous.

Is it possible to enable TPM WITHOUT encrypting anything?
If not, then is it possible to copy a virtual disk from an encrypted virtual machine to another machine (encrypted and/or not encrypted)?

Another big problem that I have discovered: once the virtual machine is encrypted, if I create a new virtual disk, then I cannot remove it anymore.
It was a test virtual disk and I wanted to remove it, but the "Remove" button was not enabled.
So I manually deleted that vmdk file hoping it would be removed. Booom, no way to access my machine. No way to unencrypt my machine. I always got an error about the missing disk (but it was not the booting disk; it was disk number 4, which I had created for a couple of tests and then wanted to remove, as I was able to do in the past when nothing was encrypted).


From my experience, basically, it's only possible to move virtual hard disks between unencrypted machines.
If I want to add TPM to the virtual machine, I must encrypt the virtual machine; otherwise it is not possible to add only the TPM without encrypting the virtual machine.
But if I encrypt the virtual machine, it becomes very dangerous if the hard disk cannot be attached to another machine in case of booting failure.

Do you have a solution?
Thank you very much

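A check a practitioner would want before relying on the partial-encryption option described in the post above: confirm from the VM folder which files are still plaintext. This is an added example, not VMware code; it assumes that an encrypted .vmx contains the keys `encryption.keySafe` / `encryption.data`, that a plaintext VMDK descriptor starts with `# Disk DescriptorFile`, and that a sparse extent starts with the `KDMV` magic, and it deliberately reports flat extents and anything unrecognised as "opaque" rather than guessing. The binary .nvram/.vmss/.vmem/.vmsn files are not classified.

```python
import os

# Assumed markers (not from the thread): an encrypted .vmx carries these keys.
ENCRYPTED_VMX_KEYS = ("encryption.keySafe", "encryption.data")
DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"  # plaintext VMDK descriptor
SPARSE_MAGIC = b"KDMV"                       # sparse-extent header magic

def classify_vmx(head):
    """'encrypted' if the .vmx head carries encryption keys, else 'plaintext'."""
    for line in head.decode("utf-8", errors="replace").splitlines():
        if line.split("=", 1)[0].strip() in ENCRYPTED_VMX_KEYS:
            return "encrypted"
    return "plaintext"

def classify_vmdk(head):
    """Classify a .vmdk by its header; flat extents and encrypted data are 'opaque'."""
    if head.startswith(DESCRIPTOR_MAGIC):
        return "descriptor"
    if head.startswith(SPARSE_MAGIC):
        return "sparse"
    return "opaque"

def classify_files(named_heads):
    """Map file name -> state for every .vmx/.vmdk in {name: first bytes}."""
    classifiers = {".vmx": classify_vmx, ".vmdk": classify_vmdk}
    report = {}
    for name, head in named_heads.items():
        func = classifiers.get(os.path.splitext(name)[1].lower())
        if func is not None:
            report[name] = func(head)
    return report

def scan_vm_dir(vm_dir):
    """Read the first 64 KiB of each regular file in a VM folder, classify it."""
    heads = {}
    for name in sorted(os.listdir(vm_dir)):
        path = os.path.join(vm_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                heads[name] = f.read(64 * 1024)
    return classify_files(heads)

# Constructed sample heads, standing in for real files from a VM folder.
SAMPLE_HEADS = {
    "plain.vmx": b'.encoding = "UTF-8"\nvirtualHW.version = "21"\n',
    "locked.vmx": b'.encoding = "UTF-8"\nencryption.keySafe = "vmware:key/..."\n',
    "data.vmdk": DESCRIPTOR_MAGIC + b"\nversion=1\n",
    "data-s001.vmdk": SPARSE_MAGIC + b"\x01\x00\x00\x00",
    "data-flat.vmdk": b"\x00" * 32,
}
```

Run `scan_vm_dir` against the VM folder while the VM is shut down; a data disk whose descriptor comes back as "descriptor" still has a readable plaintext header, while "opaque" only means the check cannot tell, not that the file is encrypted.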
Technogeezer
Immortal

It is not possible to run a TPM without having some kind of encryption.

The VM encryption isn't dangerous, you just have to take different precautions.

You have a couple of options.

One of which is to take complete backups of the VM with the VM shut down. If your original host system breaks, then restore the complete VM backup to another machine. You will need to know the encryption key for the original VM to power up the VM on the new machine. 

Or, store your VM on an external disk. Then if your computer fails, you can attach the disk to another system, and the entire VM is available to run. You still need to know the password of the VM.

- Paul (Technogeezer)
Editor of the Unofficial Fusion Companion Guides
RDPetruska
Leadership

"Do you have a solution?"

Stick with Windows 10 - don't give in to Microsoft's latest beta OS. Remember - only update to every OTHER generation - they historically screw up the ones in between (WinMe, Vista, Win 8, and now Win 11).

Stefano33
Contributor

I don't think it's a problem of Windows 11, which is pretty stable; I waited more than 2 years before jumping on Win 11.

I guess it's how VMware is engineered. Why must I encrypt the hard disk data as well? Couldn't they just encrypt what they need to encrypt for TPM, but leave my additional virtual disks unencrypted, or leave me the possibility to move my disk to another virtual machine without problems?

I'm ok with the concept of retyping a password when I attach a virtual disk to another virtual machine, but it seems not possible.

Also, why can't I remove an existing virtual disk from an encrypted machine? These problems are not related to Windows 11.

RDPetruska
Leadership

@Stefano33 wrote:
I don't think it's a problem of Windows 11, which is pretty stable; I waited more than 2 years before jumping on Win 11.

Sure it is. MS forces Hyper-V with Win 11 unless you dig through a half dozen steps to rip it out by the roots - and even then you're not completely certain. With Hyper-V installed, VMware uses that virtualization engine, which then doesn't allow you to use nested virtualization, among other issues. MS forces the TPM and (at least partial) encryption.

Yes, Workstation does have the setting to only encrypt necessary components as an option. You claim you selected that but still have issues accessing the virtual hard disk. That to me sounds like either a bug or some odd configuration issue that went wrong. But of course, once it's encrypted, it's nearly impossible to solve.

Stefano33
Contributor

I have found myself the way to use Windows 11 inside my virtual machines without TPM and without encryption.

I did not use any trick or special settings or any strange registry entry.

This is what I wanted, so now I can copy virtual disks to any other virtual machine without encryption problems or any restrictions. Booting is also faster than before.

So far all is working fine.
