They must be able to fix it because Fusion has the decrypted file open for both read and write, so it is a matter of a small amount of code to clear out the offending lines from the settings file.

Hey all,

I have a working solution for those who are in a situation like mine who had the entire VM encrypted.

To resolve editing the VMX file on an encrypted VM do the following:

1. Shut down the VM (if running)

2.  From the Virtual Machine Menu select settings.

3. IMPORTANT select the TPM chip in your devices and click  remove

4. under encryption, select this VM is not encrypted to remove ALL encryption.

5. Once that is done and you see the green and white checkmark confirming success quit, and relauch VMWare.

6. Go back to settings for the Virtual machine, and choose encryption.  This time select only encrypt for TPM support and leave the vmx file unencrypted.

7.  edit the vmx file once done in settings to remove the serial0 lines, they are not needed so remove all lines referencing serial0.

8. Save changes and close the vmx file.

9. Power on the Virtual machine and let windows load..  Because of the changes made in security, your login pin will be gone.  You will need to go through the process of resetting the pin.

10. Reset your pin according to the onscreen instructions.

11.  Login to windows, once you have set up your pin.

Notes, I did check and activation does NOT seem to be affected, my copy of windows 11 Pro 22H2, in this VM was still active when checking status.

Hope this helps and have a great weekend!

---

@gen843620 wrote:

Yep, me, too.

In all three VMs I use: Debian (not encrypted), Ubuntu (not encrypted) and Windows 11 (encrypted, TPM, all).

The error appears when each starts, just like everyone here posted.

I deleted the Debian and Ubuntu VMs then created new VMs for them (overkill method). No errors now.

Then for giggles I looked at their vmx file content and there's no line including "serial" or "thinprint," which many of you recommened removing.

I'll wait for VMWare to update Fusion 13.5 again to fix the problem before I deal with my Windows 11 VM (all encrypted, TPM).

 

PS I hope Broadcom's purchase of VMWare and imminent layoffs won't delay or hurt the quality of a fix for this. A friend who works at VMWare said layoffs are expected by Oct 28th.

---

Check my post above yours for how to fix you Windows VM.  Mine (both windows 10, and 11) are working without errors with the above method, and I actually gained speed, by removing full encryption from both, and changing Win 11 to TPM encrypted only.

Thanks.

I considered turning off TPM and Encryption in order to edit the vmx but was frightened by the TPM warning, "Removing...will destroy all encrypted data on this virtual machine. It is unrecoverable."

I assume "all encrypted data" means the entire VM -- Windows and everything in it -- because I have Fusion Encryption set to "All the files...."

If I had Encryption set to "Only the files needed to support a TPM..." then I'd venture turning off TPM etc.

What were your settings and the destructive effects, if any, when you disabled TPM and encryption? 

I have data backups outside of the VM, so it's doable but it'd be a big hassle to reinstall Win11 and programs I use.

---

@gen843620 wrote:

Thanks.

 

I considered turning off TPM and Encryption in order to edit the vmx but was frightened by the TPM warning, "Removing...will destroy all encrypted data on this virtual machine. It is unrecoverable."

 

I assume "all encrypted data" means the entire VM -- Windows and everything in it -- because I have Fusion Encryption set to "All the files...."

 

If I had Encryption set to "Only the files needed to support a TPM..." then I'd venture turning off TPM etc.

 

What were your settings and the destructive effects, if any, when you disabled TPM and encryption? 

 

I have data backups outside of the VM, so it's doable but it'd be a big hassle to reinstall Win11 and programs I use.

---

I never got a warning.  As per my post, the only destructive circumstances in Winn 11 were having to reset my windows PIN for login. beyond that, nothing else was affected.  Keep in mind per my instructions, don't power the machine back on UNTIL the changes are made and TPM is back on and the VM has the new encryption settings (TPM only ) vs full encryption.

I understand if you want to wait, i did the tutorial in case VMWare DOESN'T"T provide a fix, then my instructions will fix the issue.

If you want peace of mind before doing the fix, backup your VM, if it breaks in your circumstances, simply restore your backed up VM.

Thanks, it worked.

My Win11 VM boots without errors and without encryption (and no TPM). Windows remained intact. I might enable encryption again.

It was hard for me to trust that removing TPM and Encryption (set to all) wouldn't destroy the Windows 11 VM, which I backed up before trying as you suggested.

While removing serial0 and thinprint references from the vmx file, I noticed some obsolete references to "virtual printer" and removed them, too:

sata0:0.deviceType = "cdrom-image"
sata0:0.fileName = "/Applications/VMware Fusion.app/Contents/Library/virtualprinter/VirtualPrinter-Windows.iso"
sata0:0.present = "TRUE"

Without your testimony about no destruction following TPM removal, I wouldn't have tried it.

Fusion's verbiage on its TPM and Encryption Settings dialogs seems misleading by implying VM annihilation when removing TPM if Encryption is set to "All"; "All the files (.vmsk, .vmx, etc) for this virtual machine are encrypted" isn't clarified enough by the dialog box "?" button, which still made me think the entire VM would be annihilated after removing TPM:

"Full VM Encryption
"Full encryption refers to encryption of all VM files as follows:

"• Disk file headers. These are encrypted with the key in the configuration file.

"• Disk file data. These are encrypted with the key in the configuration file." (I thought this meant the TPM warning about destroying all encrypted data includes Windows and everything inside it. That isn't the case, as you found out and I and others verified. I wonder a little bit what "Disk file data" means here.)

"• Ancillary data files such as the snapshot/screenshot/NVRAM files. These are encrypted with the key in the configuration file.

"• VM configuration file is encrypted with authentication keys.

Thanks again!

I am running Centos 9 streaming VMs on MacOS 13.6.  I managed to chase this away by doing

1) with VMware fusion NOT running, edit the vmx file.  Delete the two lines referencing "thinprint".

2) Start VMware fusion.  Click on the vmware host, right click and bring up settings.  Note that a "serial port" device will appear that was not there before.   Click on it, and then uncheck "connect serial port".

3) Start up the vmware host.  The complaint about "thinprint" should have disappeared.  Voila, fixed.

4) If you don't need the serial device in the vmware host, then remove it in settings.

You only need to remove the TPM and decrypt the VM to edit the VM file to remove ThinPrint if you have the VM encrypted with the "All Files" option (i.e. fully encrypted). For unencrypted and partial encrypted VMs, you can edit the .vmx file to remove those lines once the VM is shut down - no need to mess around with encryption settings.

---

@Technogeezer wrote:

You only need to remove the TPM and decrypt the VM to edit the VM file to remove ThinPrint if you have the VM encrypted with the "All Files" option (i.e. fully encrypted). For unencrypted and partial encrypted VMs, you can edit the .vmx file to remove those lines once the VM is shut down - no need to mess around with encryption settings.

That was the point of my tutorial was for people who had a fully encrypted VM (including VMX file) was to decrypt the VM by removing the TPM so they could edit the file, and then after re-adding the TPM set the VM to only encrypt the TPM requirements so the VMX file would remain decrypted.

I created my Windows 11 VM in VMWare 12, so it was full encryption only then.  VMs created in 13, or newer will  have the options for full, or TMP requirements only.

 

I was trying to help people save their existing VMs without having to create a brand new one, and risk losing their windows activation in the process.

 

---

@iFrog 

Agreed with you 100%. The warning message about the TPM is scary. But the only time you have to be wary of deleting the TPM for a VM is if you have enabled BitLocker in the VM. Removing the TPM is the same as if you lost it on a physical machine or had to swap motherboards. Losing the contents of the TPM with BitLocker enabled requires you to go through BitLocker recovery. procedures. In that case you'd better have the BitLocker recovery key or else your VM will be a meaningless pile of random bits. 

---

@Technogeezer wrote:

@iFrog 

Agreed with you 100%. The warning message about the TPM is scary. But the only time you have to be wary of deleting the TPM for a VM is if you have enabled BitLocker in the VM. Removing the TPM is the same as if you lost it on a physical machine or had to swap motherboards. Losing the contents of the TPM with BitLocker enabled requires you to go through BitLocker recovery. procedures. In that case you'd better have the BitLocker recovery key or else your VM will be a meaningless pile of random bits. 

---

I understand, and personally, I don't think the average person should be using Bitlocker, it's too easy to lose data.  If they need a secure backup, it should be outside the VM, or physical computer.

On a physical machine, bitlocker is critical - especially if it's a laptop.  Otherwise all your data is at risk when it's stolen.  Bonus is that when the drive fails, you don't have to resort to the same level of physical destruction as  you would with an unencrypted drive (that's why all my externals are encrypted - I got tired of drilling holes in the cases, bending plates, etc)..  Same is true with FileVault on Macs - turn it on.

But I agree, in a VM, its superfluous - you're much better off just encrypting the underlying disk that the VM resides on (both for data loss, as well as for performance.

---

@ColoradoMarmot wrote:

On a physical machine, bitlocker is critical - especially if it's a laptop.  Otherwise all your data is at risk when it's stolen.  Bonus is that when the drive fails, you don't have to resort to the same level of physical destruction as  you would with an unencrypted drive (that's why all my externals are encrypted - I got tired of drilling holes in the cases, bending plates, etc)..  Same is true with FileVault on Macs - turn it on.

But I agree, in a VM, its superfluous - you're much better off just encrypting the underlying disk that the VM resides on (both for data loss, as well as for performance.

---

I think it really depends on what data you store on the computer that makes FileVault, or BitLocker worth it.  For example most of my personal banking info is stored in my account behind my login / password / two factor authentication, and the Bank's other safe guards.

Also, if I have any personal data on the computer, that "may be" at risk, I typically just encrypt that data.

Many of the resources I follow, such as Security now, or a man named Carey Holzman, and various other professionals suggest technologies  such as bit locker only for high risk  individuals where the data is top secret, or personal such as medical, government, etc.

They don't typically suggest it for an average consumer that doesn't have a lot of sensitive data on that scale because of how easy it is to lose data, if something goes wrong.   I agree people should be wise and keep good safe backups of data, and be responsible with their data.  It should just be a balance though and be tailored to the environment as to what protective measures are in place.  It's not a one size fits all.

Anyway, Linux, FreeBSD, or any Unix OS is still probably a better alternative for security over Windows.  Mainly because Windows probably still has the  highest target rate, and we could put stealing computers into that category as well.

Anyway, glad I was able to provide feedback, and help for others here, with the initial problem being discussed here.

Except for the web browser cache, your local email cache, etc.

I work in cybersecurity professionally, and can say with confidence that anyone who recommends against bitlocker/filevault is committing malpractice.   Good, encrypted, backups are equally critical.

All our Macs run FileVault. 

What are the security risks of running an unencrypted Windows 11 VM in a FileVault environment?

FileVault protects against the risk of physical theft (along with our locked Mac Mini cage mounts). 

The only risk I can imagine for an unencrypted Windows 11 VM in that environment is if a hacker or in-person rogue user gained access to the Mac side, then copied the VM over the internet or onto a flash drive. They'd be able to open the VM copy later and access the content.

Is that correct? Are there other security risks in that environment?

All our TimeMachine backups are encrypted. 

I've already decided to only switch to network bridge mode to print then switch back to NAT mode to keep any remote intruder in either system from using the network to access the other (especially any intruder in the Windows VM accessing anything on the LAN).

We don't web browse at all from the Windows side. If we need any a Windows program, we download it onto the Mac side then drag it over to the Windows VM or place it in a small VM-shared folder -- both rare.

It seems bridge mode is more of a security threat than an unencrypted VM in a macOS FileVault environment. What do you think?

I have to decide if I'm going to train users to switch back and forth between bridge mode and NAT. The switch in either direction takes 12 seconds on Intel Macs I've tested so far and doesn't require restarting Windows.

It's practical if users rarely print, which is our case. But I don't want to handle calls for print failure because someone forgot to switch to bridge mode, though a simple text reply would straighten them out. I'm probably going to leave them in bridge mode since they don't web browse from Windows and the risk of infection is very low. But I'm not thrilled with the risk of Windows and existing Windows programs probing the LAN. C'est la vie.

---

@gen843620 wrote:

All our Macs run FileVault. 

 

What are the security risks of running an unencrypted Windows 11 VM in a FileVault environment?

 

FileVault protects against the risk of physical theft (along with our locked Mac Mini cage mounts). 

 

The only risk I can imagine for an unencrypted Windows 11 VM in that environment is if a hacker or in-person rogue user gained access to the Mac side, then copied the VM over the internet or onto a flash drive. They'd be able to open the VM copy later and access the content.

 

Is that correct? Are there other security risks in that environment?

 

All our TimeMachine backups are encrypted. 

 

I've already decided to only switch to network bridge mode to print then switch back to NAT mode to keep any remote intruder in either system from using the network to access the other (especially any intruder in the Windows VM accessing anything on the LAN).

 

We don't web browse at all from the Windows side. If we need any a Windows program, we download it onto the Mac side then drag it over to the Windows VM or place it in a small VM-shared folder -- both rare.

 

It seems bridge mode is more of a security threat than an unencrypted VM in a macOS FileVault environment. What do you think?

---

Security is all about managing risk. 

A NAT network is less risky because any systems on the outside network do not have "inbound" access to the VM. They have to traverse the NAT gateway to connect to a host on the NAT segment. Which is not possible unless you've configured port forwarding on the NAT virtual network. Bridged networking puts the IP address of the guest right on the same segment as the host, so yes it's more risky. 

I'd investigate other methods to print other than having the user switch back and forth between NAT and Bridged networking. You can print to a printer accessible from the host from the guest. You just have to perform more configuration to do so (e.g. knowing the IP address of the printer, perhaps installing vendor drivers like you would for a physical system). 

You are correct that enabling FileVault protects the virtual machine if the system or hard drive gets stolen. During normal operation the system has the disks unlocked. Any process on the system that has disks unlocked has access to information on the system as if were in plaintext. So the risk does exist that if a bad actor gets access to your host, the virtual machine files on the guest are exposed if the virtual machine is unencrypted. You have to decide if that's a risk you can take for a VM that resides on a system you're using as a server. 

But @ColoradoMarmot is right in that if this was a laptop system, it would be security malpractice not to encrypt it. Because laptops seem to grow feet and walk away when you least expect it. Along with all of your data in a form that can be easily discovered.

Comment: You mention Time Machine. I certainly hope that you are not relying on Time Machine to back up your virtual machines. It's not reliable. 

I wanted to find out,  if right clicking on a VM in the Virtual Machine Library, and then holding option bypasses the encrypted  VMX file.  Since VMware Fusion stores the password so the VM can start.

When I initially did the fix, I did it through Finder,  not through VMWare directly.  I re-read the VMWare docs on how to enable 3D acceleration  for big sur and above guests, and found that You can edit the file right through VMware.