Obscure Problems and Gotchas

Introduction

Cool story bro – where’s the answer?
If you just want the answer click here.

Not that long ago, like maybe four months ago (December 2024), I upgraded my Windows 10 virtual machine to Windows 11. I am never the first to do these things because I like to wait and see what happens to everyone else first. This is my personal development VM, so it matters what happens to it. The upgrade wasn’t that big a deal, it worked, but there was one particular warning I didn’t totally understand the gravity of. VMWare’s virtual TPM (vTPM) is experimental.

Expirmental vTPM

Okay it’s experimental. So what? Honestly, it was working fine. VM boots, I can use it like I always have. The only thing that sucked is Windows 11. The UI experience is horrible on a VM. The UI experience on a physical machine is almost equally as bad, so I wasn’t totally shocked by this. Well the one thing I didn’t count on is that when my machine was upgraded from Windows 10 to Windows 11 is that my VM was encrypted without my knowledge. I had no idea this happened and I only learned that this happened when I tried moving my VM to a new host.

Moving to a new host

I have recently sworn off Windows and have moved to Arch Linux (I highly recommend it). When I tried starting my Windows 11 VM, all of a sudden I was prompted for a password…

I don’t have a screenshot of this to share because I was more preoccupied with getting my VM to boot than writing an article. If I couldn’t get this thing to boot I was going to have to rebuild my VM which takes hours to do. Just imagine being prompted for a password and being told that your VM is encrypted.

I didn’t encrypt my VM and I also didn’t password protect it

Luckily, I am not alone in this discovery. This problem has taken many people by surprise recently. So this is just an FYI.

When you include a vTPM, you are automatically encrypting your VM. Under normal circumstances, meaning you are creating a NEW Windows 11 VM, you are given the choice to encrypt just key files or include the VMDK file(s) also. Luckily, the upgrade I performed did NOT encrypt my VMDK files.

This didn’t end up helping me in the long run, but it’s worth a mention for anyone else debugging this hell.

What password?!

This is to assure you, you are not crazy. You didn’t provide a password during the encryption process if you performed a Windows 10 to Windows 11 upgrade like I did. VMWare automatically generated one and just didn’t share it with you, which frankly is shitty. However, this is an experimental feature after all. Just for reference my auto-generated password is 45 characters long.

How do I get the password?

So please take the necessary precautions before just jumping into the deep end here:

1. Backup your VM if you haven’t already.
2. Please scan the file I am recommending you use with anti-virus and/or a malware-scanner. Downloading random executables from the internet is dangerous. However, if you are desperate like I was and you sandbox these kinds of things like I do, then you might be willing to take the risk. You have been warned.
3. Follow the instructions here: https://www.syvik.com/multidesk/howto.win11.vmware16.en.html
   • I found this solution here: https://community.broadcom.com/communities/community-home/digestviewer/viewthread?GroupId=7171&MessageKey=bb7ab1e5-8eac-47c3-9789-45ca623cac2e&CommunityKey=fb707ac3-9412-4fad-b7af-018f5da56d9f
   • If you are not aware, Broadcom purchased VMWare on November 22, 2023.
   • The user named Syvik has graciously produced a decryption utility to get the password.
4. Follow the instructions from Syvik’s website.
5. The file in question is dputil.zip which contains an executable of the same name dputil.exe.
6. This is a command line utility and it will get you the password that was automatically generated for your VM.

My observations

These are some differences I experienced with Syvik’s instructions:

1. It didn’t matter if I changed the encrypted password in the *.vmx file or not. I actually tried it both ways. Old encrypted key and new encrypted key, it made no difference.
2. After providing the new encrypted key, my VM still asked for a password.
3. On a complete whim, I took the decrypted password, popped it into the prompt and it worked.

So that’s the key difference between what Syvik says in his instructions and what actually worked for me. The decrypted password is the randomly generated password that VMWare creates without telling you while it encrypts your VM so it can meet the TPM requirement of Windows 11. Just one more reason to stop using Windows all together. This TPM stuff is pure nonsense and just making everything worse.

Credit where credit is due

All credit goes to Syvik for producing a decryption utility. Not sure why Broadcom couldn’t just throw its users a bone here and help out since they are just hiding behind the idea that their vTPM is experimental. Okay cool, how about you don’t encrypt my VM and not give me the password? Not cool guys.

• Post thumbnail image generated with https://designer.microsoft.com/image-creator
• I modified the output by adding the VMWare logo on top of it.
• The final image says TPU, that’s my fault, kept typing TPU instead of TPM.
  • It was bothering me, so I fixed it with my terrible paint skills.