Fusion, Encryption, ESX 7.x, and a headache

It was supposed to be a simple task: move a Virtual Machine created in VMware Fusion Pro to vSphere 7. What ensued is a broken mess.

With VMware Fusion, virtual machine encryption and virtual TPM are machine-based technologies. If you have either of these features enabled in your Windows 10 VM enrolled in Workspace ONE UEM, you can’t migrate the VM off of the machine it was created on. Disabling both means powering off the VM, removing the TPM virtual hardware item and then disabling encryption. Doing so will enable Fusion’s Upload to Server option. Choosing this option leads to the error:

A general system error occurred: PBM error occurred during PreCreateCheckCallback: Fault cause: pbm.fault.PBMFault

Googling this error led to a number of various ESX-related KBs and ultimately sent me down a rabbit hole of troubleshooting vSAN that I abandoned after a few more grey hairs sprouted on my head.

So I gave up on migration and decided to get the VM back to its previous state. I re-enabled Encryption, added back the TPM chip and then booted Windows. As far as Windows 10 is concerned, taking this action is similar to getting a new motherboard, as the encryption keys and everything associated with the encryption are new.

The first thing you’ll notice after the VM boots is that your Azure-based end user is now greeted with this error upon attempting to log in:

I had hoped resolving this issue would be as simple as clearing the TPM in Windows and rebooting the device, but it was not.

After logging in to Windows 10 using the password instead of the PIN, Windows Hello prompted for an Azure login to “Fix my account”, which failed with an error message to contact Microsoft tech support. In no mood to continue troubleshooting, I logged in to Workspace ONE UEM and triggered an Enterprise Reset on the device. This feature promptly deletes the Azure user from the device, basically rendering the device unable to be used. Holding down the Control Key and choosing Shutdown led to the Windows OS Recovery Option to Reset this PC, and 30 minutes later I’m back to a functional VM.

What a mess.