Ah, that's a good point. Passwords will not be migrated for all clones of encrypted VMs.
Clones (especially full clones, and we allow only full clones for encrypted VMs) are treated as completely independent VMs. They get a new UUID and new MAC address. The encryption password for a clone is independent of the original VM. You can change the password of one (or even decrypt one) without affecting the other. In Workstation 26H1, encrypted clones get separate entries in the Credential Manager.
Unfortunately, the old Credential Manager usage in Workstation 25H2 and earlier had a number of design issues (which again is why it needed to be overhauled). Among them was that all clones of an encrypted VM shared the same credential in Credential Manager, so changing or removing the encryption password to one would break the rest. Another issue is that it's not possible to automatically add saved encryption passwords for all clones because we don't necessarily know what clones have been created. Furthermore, although users opted in to saving the encryption password to the original VM, they never opted in to saving encryption passwords for the clones.
-------------------------------------------
Original Message:
Sent: May 31, 2026 09:18 PM
From: State2816
Subject: Critical: Automatic VM encryption and lost snapshot chain after migrating from 25H2 to 26H1
Same issue, and I think it's related to cloned VMs.
Started with Win11-base image (using Workstation 17). Has TPM and showing partially encrypted. Cloned the base image, for a number of VMs. All using older versions of Workstation. Never prompted for password.
Updated to 26H1, Win11-base image opened fine. All other VMs that are cloned prompted for a password.
There's one relevant entry in credential manager, for base image only:
Target: LegacyGeneric:target=VMware Encrypted VM: C:\Users\xxxxx\OneDrive\Documents\Virtual Machines\Win11-Base\Win11-Base.vmx
Type: Generic
Local machine persistence
All the previously cloned VMs did not have an entry in credential manager.
Decrypting that entry using ps module
$creds = Get-StoredCredential -Target "VMware Encrypted VM: C:\Users\xxxxx\OneDrive\Documents\Virtual Machines\Win11-Base\Win11-Base.vmx" -AsCredentialObject
and converting it to readable format
$passwordBytes = [System.Text.Encoding]::Unicode.GetBytes($creds.Password)
$asciiString = [System.Text.Encoding]::ASCII.GetString($passwordBytes)
Write-Host "Password: $asciiString"
yields a password, which can be used to unlock the VMs, and there's a box to save the password in credential manager (that is barely visible with dark theme). This then saves the credentials for each VM into creds manager, and does not require an unlock password on stopping and re-starting VMware Workstation. Not checking the box does not save the password (as expected).
When password is saved for these VMs, it is exactly as in the format above, pointing to the .vmx file.
Cloning my Win11-base image into a new VM in 26H1, closing and re-opening VMware Workstation ALSO prompts for password, which is the same as in what was pulled via PowerShell, so a cloned VM does not generate an entry automatically in 26H1 and still expects a password.
There definitely seems to be some kind of an issue - I imagine that cloned VMs should reference the same password as base-VM in cred manager (as the password is the same), but that does not happen in 26H1.
Original Message:
Sent: May 25, 2026 02:48 AM
From: James Lin
Subject: Critical: Automatic VM encryption and lost snapshot chain after migrating from 25H2 to 26H1
Also, to anyone else encountering a problem where an encrypted VM is not automatically unlocked in VMware Workstation 26H1 but was automatically unlocked in Workstation 25H2 or earlier, I would be curious to know the following:
- Examine the encrypted VM's .vmx file and note the value of encryptedVM.guid.
- Open the Windows Credential Manager, and click "Windows Credentials". In the "Generic Credentials" section, does an entry exist for the GUID observed in step 1?
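
Added example, not part of the original thread and not VMware's code: the two-step check above as a PowerShell function that reads encryptedVM.guid from a .vmx and reports whether a Credential Manager listing mentions that GUID or the .vmx path (the target format quoted earlier in the thread). The function names, the Win11-Clone path and the all-zero GUID are constructed for illustration.

```powershell
# Added example (not from the thread). It only looks for matching entries in
# the listing; it never reads a stored password.
function Get-VmxValue {
    param([string[]]$VmxLines, [string]$Key)
    foreach ($line in $VmxLines) {
        # .vmx settings are lines of the form: key = "value"
        if ($line -match '^\s*([^=\s]+)\s*=\s*"(.*)"\s*$' -and $Matches[1] -eq $Key) {
            return $Matches[2]
        }
    }
    return $null   # key absent
}
function Test-Listed {
    param([string[]]$Lines, [string]$Needle)
    if ([string]::IsNullOrEmpty($Needle)) { return $false }
    foreach ($l in $Lines) {
        # Ordinal, case-insensitive substring test: no wildcard or regex
        # surprises from braces and backslashes in GUIDs and Windows paths.
        if ($l.IndexOf($Needle, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}
function Test-VmCredentialEntry {
    param([string]$VmxPath, [string[]]$VmxLines, [string[]]$CmdkeyLines)
    $guid = Get-VmxValue -VmxLines $VmxLines -Key 'encryptedVM.guid'
    [pscustomobject]@{
        Vmx         = $VmxPath
        Guid        = $guid
        EntryByGuid = Test-Listed -Lines $CmdkeyLines -Needle $guid
        EntryByPath = Test-Listed -Lines $CmdkeyLines -Needle $VmxPath
    }
}

# Constructed sample data: a clone's .vmx (placeholder GUID) and a listing
# that holds only the base image's entry, in the format quoted in the thread.
$clonePath = 'C:\Users\xxxxx\OneDrive\Documents\Virtual Machines\Win11-Clone\Win11-Clone.vmx'
$cloneVmx  = @(
    'displayName = "Win11-Clone"',
    'encryptedVM.guid = "{00000000-0000-0000-0000-000000000000}"'
)
$listing = @(
    'Target: LegacyGeneric:target=VMware Encrypted VM: C:\Users\xxxxx\OneDrive\Documents\Virtual Machines\Win11-Base\Win11-Base.vmx',
    'Type: Generic',
    'Local machine persistence'
)
Test-VmCredentialEntry -VmxPath $clonePath -VmxLines $cloneVmx -CmdkeyLines $listing
# On a real host, feed it live data instead:
#   Test-VmCredentialEntry -VmxPath $p -VmxLines (Get-Content -LiteralPath $p) -CmdkeyLines (cmdkey /list)
```

With the constructed data both EntryByGuid and EntryByPath are False for the clone, which is the state reported in the thread for clones that prompt for a password.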