Encrypting a virtual machine secures it from unauthorized use. To decrypt a virtual machine, users must enter the correct encryption password. Restricting a virtual machine prevents users from changing configuration settings unless they first enter the correct restrictions password. You can also set other restriction policies.

When you encrypt a virtual machine, Workstation Pro prompts you for a password. After the virtual machine is encrypted, you must enter this password to open the virtual machine or to remove encryption from it. Workstation Pro displays the encrypted virtual machine with a lock icon until you enter the password to open the virtual machine.

If you also enable restrictions, users are prevented from modifying the virtual machine. For example, you can enable restrictions to prevent users from removing virtual devices, changing the memory allocation, modifying removable devices, changing the network connection type, and changing the virtual hardware compatibility. A password prompt appears whenever anyone performs any of the following actions on the virtual machine:

  • Clicks Edit virtual machine settings or Upgrade Virtual Machine on the virtual machine summary tab
  • Double-clicks a virtual device in the Devices list on the virtual machine summary tab
  • Selects the virtual machine and selects VM > Settings or VM > Manage > Change Hardware Compatibility from the menu bar
  • Clicks or right-clicks on a removable device icon to edit its settings
  • Uses a Removable Devices > device_name menu to edit the settings for a device

Besides restricting users from changing USB device settings, you can also optionally set a policy that prevents users from connecting USB devices to the guest operating system. If you set the policy to allow connecting USB devices, users are not prompted to enter the restrictions password to use the devices.

An optional policy includes a setting that forces users to change the encryption password if they move or copy the virtual machine. For example, a teacher might provide a copy of the virtual machine to all students in the class and set this restriction so that all students must create their own encryption password.

Another optional policy includes setting an expiration date for a virtual machine. For example, an administrator can create a virtual machine for a temporary employee and set the virtual machine to expire when the temporary employee leaves the company.

Important: Make sure you record the encryption password and the restrictions password. Workstation Pro does not provide a way to retrieve these passwords if you lose them.

Encryption applies to all snapshots in a virtual machine. If you restore a snapshot in an encrypted virtual machine, the virtual machine remains encrypted whether or not it was encrypted when the snapshot was taken. If you change the password for an encrypted virtual machine, the new password applies to any snapshot you restore, regardless of the password in effect when the snapshot was taken.