Prep a Virtual Machine for testing VMware Workspace ONE UEM

January 27, 2021   |   by bgarmon

Last Updated 9/8/2021

At least once a week someone asks me why their Windows 10 virtual machine doesn’t work properly with VMware Workspace ONE UEM. Enrollment failures, invalid serial numbers, inability to encrypt, lack of a TPM… it usually all boils down to some not-so-obvious settings that need to be changed. Follow this guide and your VM will fully support Workspace ONE UEM.

Getting Started:

If you have never done this before, scroll down to the header below named “I’ve never done this before” for a step-by-step list of instructions.

For Windows VMs you will need an .ISO of Windows 10 Professional. Why Professional Edition? In most UEM test cases, Drop Ship Provisioning (DSP) is the most common POC, and DSP requires using the Professional Edition.

At the time of this writing the current version of Windows 10 is 21H1 Updated for August 2021. If you plan to test OS Updates, make sure you download a version earlier than that so your VM has something to update to. I would recommend downloading one of the 2004 versions as this seems to be the most common branch I see in production use.

A Note about Windows Activation: A common problem we run into with MDM is that people forget to activate the Windows 10 OS. While VMware Horizon virtual desktops work fine (for POC) without valid, activated Windows 10 license keys, many MDM commands do not. You will need to license and activate Windows 10 for MDM to function properly. To do so, use a working KMS server, Retail keys, or MAK keys.

The Short Version:

After creating the Windows 10 VM, BEFORE powering on the VM for the first time, edit the .VMX file and add the following lines:

Note: If you’re using VMware Fusion on macOS, prior to VMware Fusion 12 editing the VMX file could be done with VMware Fusion running. As of VMware Fusion 12.x and above the app must be closed prior to adjusting the VMX file.

  1. Shorten the Serial Number:
    While not technically required, it’s a good idea as it makes troubleshooting easier.

    SMBIOS.useShortSerialNumber = "TRUE"
    SMBIOS.use12CharSerialNumber = "TRUE"


  2. This step is optional. BitLocker support for multiple hard drives requires the drives to be fixed. To achieve this, add the following to the .VMX file:

    AHCI.PORT.HOTPLUG.ENABLED = "FALSE"
    DEVICES.HOTPLUG = "False"

  3. Make sure your VM has the following configuration:
    1. Adjust the VM’s available RAM to a minimum of 4096MB to ensure Windows PE loads properly
    2. Add a virtual TPM to the VM by first choosing to encrypt the VM, setting a password, then choosing Add Hardware and selecting the TPM from the list
  4. Testing Microsoft AutoPilot? Complete the following:
    1. After the OS has finished the install and the computer reboots into OOBE for the first time, you need to enter Windows 10 Audit Mode. On a macOS host machine, press Ctrl-Shift-Fn-F3. For Windows host machines, Shift-F3 will get you there. If done properly, the computer will reboot and you will see the computer log in as admin
    2. Install VMTools using the Complete Option. DO NOT allow VMTools to reboot the computer
    3. Adjust the Windows 10 Timezone and the Time
    4. Get the device hardware ID to copy and import into the Microsoft AutoPilot registration site
      1. Open PowerShell and run:
        1. Set-ExecutionPolicy Unrestricted
        2. Install-Script Get-WindowsAutoPilotInfo -Force
        3. Get-WindowsAutoPilotInfo
        4. Once you have copied the ID, run Sysprep with the Cleanup Action set to “Enter System Out-of-Box Experience (OOBE)” and change the Shutdown Options box to “Shutdown,” then select OK
        5. When the VM powers off, take a Snapshot

That’s it!

If you have never done this before, a much more detailed Step-By-Step is in the section below.

What about testing macOS VMs?

Legally speaking, Apple allows the use of macOS VMs only on Apple hardware. Here’s what you need for macOS.

Note: Prior to Fusion 12 editing the VMX file could be done with Fusion running. As of Fusion 12.x and above Fusion must be closed prior to adjusting the VMX file.

  1. Adjust the serial number of the VM. Workspace ONE UEM needs serial numbers to be alphanumeric characters only. This is the new default for VMware Fusion 11.1.0 and higher. If your existing VMs were created prior and are not working, add the following to the VMX:
smbios.restrictSerialCharset = "TRUE"

The next config will depend on if you need the VM to support Apple Business Manager (ABM), formerly Apple Device Enrollment Program:

2. I don’t need Apple ABM:
Adjust the .VMX file to set a valid serial number, a valid Hardware Model Identifier, and adjust the board-id. Here’s a sample for a MacBook Pro:

hw.model.reflectHost = "FALSE"
hw.model = "MacBookPro15,2"
serialNumber.reflectHost = "FALSE"
serialNumber = "Replace me with the serial number from your host machine"
smbios.reflectHost = "FALSE"
board-id.reflectHost = "FALSE"

2a. I NEED Apple ABM:

In this case the host macOS machine must already be registered with ABM. First launch Terminal and run the following 3 terminal scripts to gather the data from a physical Mac that is DEP enabled:

The Hardware Model:

ioreg -l | awk '/product-name/ { split($0, line, "\""); printf("%s\n", line[4]); }'

The Serial Number:

ioreg -l | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s\n",line[4]); }'

The Board-ID:

ioreg -lp IOService | awk '/board-id/ { split($0, line, "\""); printf("%s\n", line[4]);}'

Then adjust the .VMX file as follows:

Change
board-id.reflectHost = "FALSE"

Add
serialNumber.reflectHost = "FALSE"
hw.model.reflectHost = "FALSE"
hw.model = "Hardware Model from Script above"
serialNumber = "Serial Number from Script above"
board-id = "Board-ID from Script above"
smbios.reflectHost = "FALSE"

To confirm Step 2 or 2a worked successfully, boot the macOS VM, choose the Apple Logo > About this Mac and verify both the serial number and the hardware model have valid values in them. If not, try step 2 or 2a again. MDM enrollment will fail if you get this part wrong.
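
Both the Windows settings in The Short Version and the macOS identity keys above are hand edits to the .VMX, and a .VMX only understands straight ASCII quotes, so typographic quotes (“ ”) pasted from a web page or word processor are the easiest way to break them. The shell functions below are an added example, not part of the original guide or any VMware tool: vmx_lint flags curly quotes and malformed lines, and vmx_set replaces a key instead of duplicating it. The function names are hypothetical, and the script assumes one key = "value" pair per line and treats keys as case-insensitive (the guide itself writes both SMBIOS. and smbios.).

```shell
#!/bin/sh
# Added example; vmx_lint and vmx_set are hypothetical helper names.
# Assumes one  key = "value"  pair per line and case-insensitive keys.

# vmx_lint FILE: print lines the VM would not read as intended; return 1 if any.
vmx_lint() {
    lq=$(printf '\342\200\234'); rq=$(printf '\342\200\235')  # UTF-8 bytes of the curly quotes
    ok='^[[:space:]]*(#.*)?$|^[[:space:]]*[A-Za-z0-9_.:-]+[[:space:]]*=[[:space:]]*"[^"]*"[[:space:]]*$'
    if grep -n -e "$lq" -e "$rq" "$1"; then
        echo 'typographic quotes found: retype them as ASCII "' >&2
        return 1
    fi
    if grep -n -E -v "$ok" "$1"; then
        echo 'line is not blank, a # comment, or key = "value"' >&2
        return 1
    fi
}

# vmx_set FILE KEY VALUE: drop every existing spelling of KEY, then append
# KEY = "VALUE" with ASCII quotes. The first call keeps the untouched file as FILE.bak.
vmx_set() {
    [ -e "$1.bak" ] || cp -p "$1" "$1.bak" || return 1
    vs_tmp=$(mktemp "$1.XXXXXX") || return 1
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line); split(line, kv, "[ \t]*=") }
        tolower(kv[1]) != tolower(k)   # no action block: print lines for other keys
    ' "$1" > "$vs_tmp" || { rm -f "$vs_tmp"; return 1; }
    printf '%s = "%s"\n' "$2" "$3" >> "$vs_tmp"
    # Overwrite in place so the .vmx keeps its owner and permissions
    cat "$vs_tmp" > "$1" && rm -f "$vs_tmp"
}

# Usage with the VM powered off and Fusion closed (the path is a placeholder):
#   vmx=/path/to/VM.vmwarevm/VM.vmx
#   vmx_set "$vmx" SMBIOS.useShortSerialNumber TRUE
#   vmx_set "$vmx" SMBIOS.use12CharSerialNumber TRUE
#   vmx_lint "$vmx" && echo "VMX looks clean"
```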

I’ve never done this before. Give me the Step-By-Step for Windows 10 VMs:

This step-by-step guide is written for VMware Fusion version 12.X running on macOS Big Sur 11.1 (Intel CPU) and is written to build a Windows 10 VM. The configurations described below are supported for VMware Workstation for Windows and for VMs running on VMware vSphere, but the exact steps will vary slightly.

  1. Open VMware Fusion on your Mac
  2. Click the Plus mark to “Add a New VM”
  3. On the “Select the installation method” screen, drag and drop the en_windows_10_business_editions_version_20h2_updated_nov_2020_x64_dvd_e5d7759b.iso then click Continue
  4. Uncheck “Use Easy Install” then click Continue
  5. Choose Firmware Type: Choose UEFI then click Continue
  6. On the “Finish” page, if you click “Finish” the VM will auto launch and will break a number of things that must be changed BEFORE first launch so don’t do that. Instead click on “Customize Settings” 
  7. At the prompt to “Save As” – change the file name to something meaningful to you, I tend to use something like “AutoPilot_20H2,” and if necessary, change the file path, then click Save which will now launch the Settings Pane for the VMs.
  8. Now that we have stopped the VM from starting, close both the Settings Pane and the newly created VM window so that you are back to the Virtual Machine Library Folder. Next we are going to shorten the Serial Number for the VM. 
    1. From the Virtual Machines List, select the VM you just created, right-click on it and choose “Show in Finder”
    2. From Finder, right-click on the name.vmwarevm file and choose “Show Package Contents”
    3. Find the .VMX file in the list and using a text editor, open the .VMX file for editing
    4. Add the following two lines at the end of the VMX file:
      SMBIOS.useShortSerialNumber = "TRUE"
      SMBIOS.use12CharSerialNumber = "TRUE"

      Optionally, to keep the drives fixed for BitLocker (step 2 of The Short Version), also add:
      ahci.port.hotplug.enabled = "FALSE"
      devices.hotPlug = "FALSE"
    5. Save the file and close it.
  9. Back in the Fusion Virtual Machine Library, right-click on the new VM and choose Settings. Click on “Encryption and Restrictions” and Enable Encryption

Pick a password, it’s a lab so “111111” works well, then click “Remember Password” then click OK. 

  10. Click OK on the “Encryption Added” screen
  11. Click Show All to go back to the Core: Settings menu
  12. Click Add Device
  13. Choose “Trusted Platform Module”
  14. Click Add
  15. Click Show All
  16. This step is optional, but if your physical machine can handle it, change the following settings: Processor & Memory: 2 Core and 4096 MB for Memory
  17. Under Display settings: Make sure “Use full resolution for Retina display” is NOT checked.
  18. Under Network Adapter, change the Network Adapter to use Bridged Networking with AutoDetect and at the bottom of this page under “Advanced options” make sure a MAC address is populated. If it is not, choose the Generate Button to do so. Click Show All from the top when finished.
  19. Now click the Red Circle on the top left of the Core Settings page to close this dialog
  20. The VM is now configured
  21. Before you power on the VM, a few points about what is about to happen. When you click the big white Play Button to Power On the VM, Fusion will tell the VM to attempt to boot from the ISO. What you are looking for is a single line of white text that reads

“Press Any Key to Boot from the CD”

On a VM, on a modern computer, this is almost instantaneous, so you must be ready to hit a key almost as soon as you power on the VM. However, when you power on the VM, VMware Fusion changes the focus of the mouse and keyboard from the existing VM to the host machine. If you were to press any key when this happens, the key press would happen on macOS, not inside your Windows 10 VM, and the VM will not boot from the ISO because it did not respond to your button press. To avoid this pesky feature of Fusion, hover your mouse over the Play button, click Play, then immediately single click the Window again to make sure the focus of your mouse remains with the VM. You might have to click a couple of times with your mouse. While you are clicking away, have your finger on your keyboard ready to press a button the moment you see “Press Any Key to Boot from the CD”.

  22. If everything worked in the previous step you should now be looking at a purple background and the Windows Setup screen
  23. If you are in the USA, keep the default language, time, and keyboard inputs and click Next
  24. Click Install Now then you should see “Setup is Starting”
  25. The next screen that appears is “Select the operating system you want to install”

Be careful and DO NOT select “Windows 10 Enterprise N”

I will point out that technically every version listed here will function for Autopilot but for most demo use cases Windows 10 Pro is the Best Practice. Use Workspace ONE UEM to upgrade Pro to Enterprise.

Pick “Windows 10 Professional” x64 Architecture and Click Next

  26. Click “I accept the license terms” then Click Next
  27. On the screen “Which type of installation do you want?”

Choose Custom: Install Windows only (advanced)

  28. Leave the “Where do you want to install Windows?” page alone and click NEXT
  29. At this point Windows Setup begins and you should see “Installing Windows”
  30. Stand up and stretch. You’ve got between 5 minutes and 20 minutes depending on what type of hardware your physical machine is on. Grab a coffee. You’ve earned it by getting this far.
  31. Windows will reboot several times eventually prompting you to join a Wireless Network.

There will not be a prompt if you are using a wired network or you are on a VM and your host is already internet connected. 

  32. If your device is ETHERNET Connected, Windows will skip a prompt for Region, if not, at the “Let’s start with Region. Is this right?” Choose the correct region and select Yes
  33. Next Windows asks: Is this the right keyboard layout? Choose Yes
  34. Next Windows asks: Want to add a second keyboard layout? Choose Skip
  35. Wait for the screen “Now we have some important setup to do” and a few seconds later the screen “Sign in with Microsoft” appears.
  36. Congratulations! The Windows 10 VM is now configured
