VMware Communities
digifox55
Contributor

VM encrypted itself, don't know the password (part.2) (after 13.5 update)

Hello, I read these topics: VM-encrypted-itself-don-t-know-the-password  and VM-asking-for-password but I still need help.

I updated Fusion 13 Pro from v. 13.0.2 to 13.5 a few days ago. I have a M2 MacBook with Sonoma, and run several vms of Win11 ARM.

After updating I noticed that I could only open my default vm file, all the other vms raised a popup saying "The virtual machine "Windows 11 64-bit arm" is encrypted. You must enter its password to continue.". I am sure I had never enabled encryption before. In fact I could close and reopen my default vm with no password prompt.

After noticing that my def-vm wasn't properly scaling the resolution anymore (no way to stretch it to fit it to the window), I decided to downgrade to 13.0.2. As soon as I went back to 13.0.2 not only my other-vms kept asking me the password, but also my def-vm has become encrypted with the same prompt. I went back to 13.5 again and def-vm is still encrypted.

Any ideas to recover my instances? Could a full macos time-machine backup lead me to a point where the vms aren't encrypted?

Thank you so much in advance!

24 Replies
ColoradoMarmot
Champion

You had to enter a password to create a Windows 11 ARM VM, and optionally saved it to the keychain.    You can check keychain access to see if you saved it there.

Time machine is unreliable to restore virtual machines, but there may be other workarounds if you can't find the password.

0 Kudos
bluesky2000
Contributor

I have the same problem...

CATTS-IT
Contributor

I have the same issue, previously used my VM prior to Sonoma and the VMFusion update OK, never set a password on VM creation way back when.  I have checked my Keychain and only have an entry for VMWare Fusion Encryption Key...

How can this be applied without some warning or prompt? And more importantly how do I get access to my VM back without having to spend hours re-creating it...  I have tried restoring a backup of my VM file, but it has the same problem when I try to access it.

I also tried the editing of the process suggested here - https://communities.vmware.com/t5/VMware-Fusion-Discussions/VM-encrypted-itself-don-t-know-the-passw... even though it dates back to 2021 and my issue started earlier this week.

0 Kudos
Technogeezer
Immortal

VMs do NOT encrypt themselves.  Encryption being enabled is either a choice that you made, or was made for you when you created a Windows 11 guest operating system with Fusion 13. In either case, you're prompted for a password (or offered to auto-generate one) and offered to save it in the Keychain.  You get a very stern warning if you do not offer to save the key in the keychain.

Take a look at that entry of "VMware Fusion Encryption Key" in the Keychain. You'll find that the "Where" field points to the .vmx configuration file of the VM, and if you double click the item and click on the "show password" button, you'll see the password.

The old full VM encryption feature also asked you for an encryption key when you turned on the encryption.

The only time that Fusion encrypted a VM "by itself" with a key that you didn't specify is if you made the unfortunate choice (or mistake) of enabling the experimental partial encryption feature of Fusion 12 or Workstation 16. Even then, it didn't do things by itself - you had to go out of your way and manually edit the .vmx file in order to enable that feature. The feature wasn't ready for prime time and was a one-way street to problems.

Fusion 13.5 does not upgrade the encryption scheme to the new XTS encryption unless you tell it to. It will not apply that to an unencrypted VM. 

If you've partially encrypted the VM "Only encrypt the files necessary to support a TPM" - then the VMDK files of the VM are not encrypted. A new VM can be created and the virtual disks "transplanted" from the old VM into the new one. If you've fully encrypted the VM and forgot/don't have access to the password - you've hit a brick wall. 

- Paul (Technogeezer)
Editor of the Unofficial Fusion Companion Guides
CATTS-IT
Contributor

Thanks, however I did not make a choice nor was there an issue with the VM prior to this week following the update.

The VM was originally created in 2021 (in whatever version was available for MAC at that point) and I have been using it since then with no issue, there was no stern warning about a password when it was originally created.  It was only since the update to VMware Fusion Pro 13.5.0 that I have been prompted by this message to enter a password that I did not set.

The keychain info looks like this, see attached screenshots

Screenshot 2023-10-27 at 1.20.28 pm.png

Screenshot 2023-10-27 at 1.21.02 pm.png

  - no password ...

0 Kudos
Technogeezer
Immortal

That's indeed very strange.

You wouldn't happen to have a copy of that VM and its .vmx file available from before the 13.5 update, would you? Just would like to take a look at it.

- Paul (Technogeezer)
Editor of the Unofficial Fusion Companion Guides
CATTS-IT
Contributor

Here's the VMX file, it's from my last backup from 27 September which was before the latest VMware update (which I installed yesterday).

0 Kudos
Technogeezer
Immortal

Well I understand what's going on now...

The VM was encrypted with the experimental vTPM implementation of Fusion 12.2. That's evident by the presence of the following line in the .vmx file

managedVM.autoAddVTPM = "software"

The system did auto-generate the encryption key for you without your input. It didn't automatically encrypt the VM though. The vmx file had to be hand edited in order for the encryption to be enabled. The experimental vTPM did not have a GUI setting to enable it.

That vTPM should never have seen the light of day nor should anyone have used it. As I said, it's a one-way street. One of the huge failures of that implementation was that it autogenerated the encryption key and didn't give you any way to know what it is. The second big failure of the implementation was that the auto-generated encryption key is tied to the system somehow - meaning you can't easily move the VM to another machine.

Those defects were fixed in Fusion 13 and Workstation 17. Since those releases didn't change anything, all worked fine. But it looks like if you try to upgrade to Fusion 13.5 and then try to upgrade the encryption algorithm of a VM using that broken feature, that's where the problems occur. 

Did you notice if Fusion 13.5 asked you to upgrade the encryption the first time you powered on the VM after upgrading the Fusion release?

I'd recommend any user that had the experimental vTPM enabled to back up all the files within the VM before upgrade. Then rebuild the VM under Fusion 13.5 using the partial encryption option. 

You may wish to view a blog post by Wil van Antwerpen https://www.vimalin.com/blog/what-you-should-know-about-vmwares-experimental-vtpm/ about the subject and you'll get an idea of just how broken that feature is. He also has some discussion about how to recover from that mess but there is "some assembly required".

- Paul (Technogeezer)
Editor of the Unofficial Fusion Companion Guides
CATTS-IT
Contributor

Hmmm, I wonder if I edit the vmx file and removed those lines before placing it into the Vmware folder and then trying to open it?  Will give that a go and let you know.  I did have a look at the article you mentioned prior to finding this forum.  I tried some of that but it didn't work as the VM file was already in the folder.

Thanks for your insight.

0 Kudos
CATTS-IT
Contributor

Nope, that didn't work.  I have now created a new VM and will try moving the disk files from the original into that one.

0 Kudos
CATTS-IT
Contributor

So that didn't work either, still got the password message and couldn't open the VM.

I have created a fresh VM and put everything back.  Very disappointed that this has been forced on people without warning.

0 Kudos
jhuertaNU1996
Contributor

I am having the same issue after upgrading my VMware Fusion Player version to 13.5 on my work Macbook Pro.  Prior to updating, I did not do anything with encrypting the VM, including creating an encryption password.

At Home I have another Macbook Pro that when I opened VMware, it popped up a window stating that there is a new update.  After it downloaded, it asked for me to quit VMware and relaunch.  However I did notice that it mentioned that doing so would auto-generate an encryption password.  But it did not say or show anything about saving the password, simply continue or Quit.

0 Kudos
jhuertaNU1996
Contributor

Here is a copy of my .vmx file.  It does not contain the line

managedVM.autoAddVTPM = "software"

But it does have a line "vtmp.present = "TRUE"", as well as "vmx.encryptionType = partial", and "vtmp.ekCSR = "some long data encrypted text", and "encryption.keySafe = "vmware:key/list/(pair/(phrase/some long data encrypted text".

0 Kudos
Technogeezer
Immortal

"Prior to updating, I did not do anything with encrypting the VM, including creating an encryption password."

The .vmx file says otherwise. This VM is partially encrypted. It did not get that way automatically.

Can you clarify what VM this is from, and is it before or after the Fusion upgrade and accepting any re-encryption and VM upgrade requests?

If you want to clean things up, you can create a new Windows 11 ARM VM using "Create a Custom Virtual Machine". Answer the operating system type and encryption dialogs. Then, when it asks you to select a virtual disk, opt to use an existing virtual disk, locate the vmdk files of your old VM, and elect to copy it into the new VM. You may need to edit the vmx file and change the uuid.bios, uuid.location, and ethernet0.generatedAddress values to match the old VM before you power the new one up.

- Paul (Technogeezer)
Editor of the Unofficial Fusion Companion Guides
0 Kudos
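The .vmx checks discussed in the posts above, as an added example that is not part of any post and is not VMware code: it reads the plaintext lines of a .vmx file, reports which encryption marker from this thread is present, and lists the three identity settings that would be carried into a rebuilt VM. The key names come from the thread; the sample file contents, the state labels and the case-insensitive key matching are assumptions made for the example.

```python
import re

# .vmx lines look like: key = "value" (quotes optional; '#' starts a comment).
_LINE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"?(.*?)"?\s*$')

# Constructed sample, not taken from any poster's VM.
SAMPLE_VMX = '''\
.encoding = "UTF-8"
displayName = "Windows 11 64-bit arm"
vmx.encryptionType = "partial"
encryption.keySafe = "vmware:key/list/CONSTRUCTED-PLACEHOLDER"
uuid.bios = "56 4d 00 00 00 00 00 00-00 00 00 00 00 00 00 01"
uuid.location = "56 4d 00 00 00 00 00 00-00 00 00 00 00 00 00 02"
ethernet0.generatedAddress = "00:0c:29:00:00:01"
'''

IDENTITY_KEYS = ("uuid.bios", "uuid.location", "ethernet0.generatedAddress")

def parse_vmx(text):
    """Return {lowercased key: value} for every readable setting line."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def triage(text):
    """Classify a .vmx by the markers named in this thread (labels are ours)."""
    s = parse_vmx(text)
    if s.get("managedvm.autoaddvtpm", "").lower() == "software":
        return "experimental-vtpm"      # Fusion 12.2 experimental vTPM, auto-generated key
    if s.get("vmx.encryptiontype", "").lower() == "partial":
        return "partial"                # VMDK files are not encrypted
    if "encryption.keysafe" in s:
        return "encrypted-unspecified"  # key safe present, type not readable here
    return "no-markers"

def identity_lines(text):
    """Settings to copy into the new VM's .vmx so it keeps the old identity."""
    s = parse_vmx(text)
    return [f'{k} = "{s[k.lower()]}"' for k in IDENTITY_KEYS if k.lower() in s]

if __name__ == "__main__":
    print(triage(SAMPLE_VMX))
    print("\n".join(identity_lines(SAMPLE_VMX)))
```

Running it against a copy of the .vmx taken before an upgrade gives a record of the encryption state and identity values to compare with afterwards.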
jhuertaNU1996
Contributor

This VM is from Fusion Player v13.5.  This encryption came up after the upgrade to 13.5 in which I did not see anything about re-encrypting.

I'll try creating a new ARM VM and use the vmdk files being used by this encrypted version.

Thanks for your input.

0 Kudos
Technogeezer
Immortal

Do you have a copy of the VM from before you upgraded? (Please say you do... that's always a best practice for any software to make sure you have backups of things before you start an upgrade because you want to make sure something doesn't come around and bite you during the upgrade).

What Fusion version did you upgrade from?

- Paul (Technogeezer)
Editor of the Unofficial Fusion Companion Guides
0 Kudos
jhuertaNU1996
Contributor

Nope, I did not create a backup of the VM prior to having it password protected.  I ended up having to re-create a totally new VM, where it did have me add an encryption password. I should be good to go, and will also create a backup.

Thanks again for all your input.

0 Kudos
gringley
Hot Shot

I am wondering too.  I have a bunch of VMs that used the 12.2 encryption. In 13.5 they had been prompting to upgrade encryption and I would skip it.  Today being the first time I opened a VM in 2024 it wants the VM encryption key and all of them are broken this way now.  I can see I have in keychain virtual machine passwords and a private key for VMware Fusion Encryption Key - but I take it once these things quit working there is no recovery?

Update:  I realized I had tied the VMs to OneDrive accounts and by creating new ones with the same Microsoft accounts I got all the files back.  The Windows 11 Home did refuse to activate - but when I clicked on the hardware changed option it showed me a list of other VMs and PCs I had activated using the key.  I selected the VM that I was replacing and tada Windows activated.  I did have to reinstall apps but that went OK also - except for the store app prompting me that I had it installed on ten instances.  Like the activation I could click through to see a list of the VMs and PCs going back to 2015 and delete all the ones that no longer existed.  I usually do a clean start on these VMs once every few years anyway so now it is done for the 2020s.

0 Kudos
leowaner
Contributor

Same problem, started to create an ARM 64 version of Windows 11 on my new Mac M3 when none of my old x86 machines that I moved over would work.... dumb me... and now I can't get back into the "new" ARM machine without a password that I didn't create in the first place?  Is there a cookbook version for this solution for a machine "rookie".  Your exchange is at the upper end of my expertise.... sorry to say.  It's clear to me that Apple didn't give cx&p about people using their machines for critical apps that run in production under a VM setup???

0 Kudos