Prep a Virtual Machine for testing VMware Workspace ONE UEM

January 27, 2021   |   by bgarmon

At least once a week someone asks me why their Windows 10 virtual machine doesn’t work properly with VMware Workspace ONE UEM. Enrollment failures, invalid serial numbers, inability to encrypt, lack of a TPM… it usually all boils down to some not-so-obvious settings that need to be changed. Follow this guide and your VM will fully support Workspace ONE UEM.

Getting Started:

If you have never done this before, scroll down to the next section where every step is detailed. This section hits the highlights for those who already know how to tweak the files.

For Windows VMs you need an .ISO of Windows 10 Professional. You want to start with Pro because most test cases for UEM and Windows 10 involve Drop Ship Provisioning, and those require the Professional Edition. For the most flexibility I recommend downloading the Windows 10 Business Edition .ISO from My.Visualstudio.com, as this includes the Professional and Enterprise editions. At the time of this writing, en_windows_10_business_editions_version_20h2_updated_nov_2020_x64_dvd_e5d7759b.iso is the ISO you need to download.

A common problem we run into with MDM is that people forget to activate the Windows 10 OS. While VMware Horizon virtual desktops work fine (for POC) without valid, activated Windows 10 license keys, most MDM commands do not. You will need to license and activate Windows 10 for MDM to function properly. Use a working KMS server, retail keys, or MAK keys to make this happen.

Edit the .VMX file for Windows 10 VMs as follows:

  1. Shorten the Serial Number by editing the VMX file:
    Note: Prior to VMware Fusion 12 editing the VMX file could be done with VMware Fusion running. As of VMware Fusion 12.x and above the app must be closed prior to adjusting the VMX file.
SMBIOS.useShortSerialNumber = "TRUE"
SMBIOS.use12CharSerialNumber = "TRUE"

2. From the Virtual Machine Settings page, first encrypt the VM. Then choose Add Hardware from the same menu to add a Virtual TPM.

3. Testing Bitlocker support for multiple hard drives? The virtual drives need to be added as fixed hard drives for this to function. Edit the VMX file to include:

ahci.port.hotplug.enabled = "FALSE"
devices.hotPlug = "FALSE"

One more tip for BitLocker secondary drives: After Windows 10 is installed, open Windows 10 Disk Manager and make sure the secondary drive is set up as a Basic Data Partition and NOT a primary partition.

4. For the Win10 OS installation, Windows PE needs a minimum of 4096MB of RAM. Adjust the VM’s available RAM to this value or higher.

5. After Windows 10 OS installs and the computer reboots into OOBE, trigger Windows 10 Audit Mode by pressing Ctrl-Shift-Fn-F3 and the OS will reboot. While in Audit mode, install VMTools. Do not reboot.

6. If you plan to test Microsoft AutoPilot, then while still in Windows 10 Audit Mode: open PowerShell and run Set-ExecutionPolicy Unrestricted, then run Get-WindowsAutoPilotInfo to get the device hardware ID, then run Sysprep with the OOBE box triggered to power off the VM.

7. Take a Snapshot. This will give you a clean OS build to revert back to for all subsequent tests.

That’s it. If you have never done this before, a much more detailed Step-By-Step is in the section below.

What about macOS VM’s?

Legally speaking Apple allows the use of macOS VM’s only on Apple hardware. Here’s what you need for macOS.

Note: Prior to Fusion 12 editing the VMX file could be done with Fusion running. As of Fusion 12.x and above Fusion must be closed prior to adjusting the VMX file.

  1. Adjust the serial number of the VM. Workspace ONE UEM needs serial numbers to be alphanumeric characters only. This is the new default for VMware Fusion 11.1.0 and higher. If your existing VM’s were created prior and are not working, add the following to the VMX:
smbios.restrictSerialCharset = "TRUE"

The next config will depend on if you need the VM to support Apple Business Manager (ABM), formerly Apple Device Enrollment Program:

2. I don’t need Apple ABM:
Adjust the .VMX file to set a valid serial number, a valid Hardware Model Identifier, and adjust the board-id. Here’s a sample for a MacBook Pro:

hw.model.reflectHost = "FALSE"
hw.model = "MacBookPro15,2"
serialNumber.reflectHost = "FALSE"
serialNumber = "Replace me with the serial number from your host machine"
smbios.reflectHost = "FALSE"
board-id.reflectHost = "FALSE"

2a. I NEED Apple ABM:

In this case the host macOS machine must already be registered with ABM. First launch Terminal and run the following 3 terminal commands to gather the data from a physical Mac that is DEP enabled:

The Hardware Model:

ioreg -l | awk '/product-name/ { split($0, line, "\""); printf("%s\n", line[4]); }'

The Serial Number:

ioreg -l | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s\n",line[4]); }'

The Board-ID:

ioreg -lp IOService | awk '/board-id/ { split($0, line, "\""); printf("%s\n", line[4]);}'

Then adjust the .VMX file as follows:

Change
board-id.reflectHost = "FALSE"

Add
serialNumber.reflectHost = "FALSE"
hw.model.reflectHost = "FALSE"
hw.model = "Hardware Model from Script above"
serialNumber = "Serial Number from Script above"
board-id = "Board-ID from Script above"
smbios.reflectHost = "FALSE"

To confirm Step 2 or 2a worked successfully, boot the macOS VM, choose the Apple Logo > About this Mac and verify both the serial number and the hardware model have valid values in them. If not, try step 2 or 2a again. MDM enrollment will fail if you get this part wrong.
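
A pre-boot check for the VMX edits in the Windows and macOS sections above, as an added example that is not part of the original post: `check_vmx` (a hypothetical helper name) reports expected keys that are missing, set to the wrong value, defined twice, or written with typographic quotes picked up by copy and paste. It assumes keys can be matched case-insensitively, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: lint a .vmx file before first boot.
# Usage: check_vmx FILE key=VALUE [key=VALUE ...]
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
check_vmx() {
  vmx_file=$1; shift
  awk -v want="$*" '
    function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
    BEGIN {
      n = split(want, w, " ")
      for (i = 1; i <= n; i++) {
        p = index(w[i], "=")
        k = tolower(substr(w[i], 1, p - 1))  # the page writes SMBIOS.* and smbios.*
        expect[k] = substr(w[i], p + 1); shown[k] = substr(w[i], 1, p - 1)
      }
    }
    {
      p = index($0, "="); if (p == 0) next
      k = tolower(trim(substr($0, 1, p - 1)))
      if (!(k in expect)) next
      if (seen[k]++) { printf "line %d: %s is defined more than once\n", NR, shown[k]; bad = 1 }
      if (index($0, "“") || index($0, "”")) {   # typographic quotes from a copy/paste
        printf "line %d: %s uses curly quotes, retype with plain ASCII quotes\n", NR, shown[k]
        bad = 1; next
      }
      v = trim(substr($0, p + 1)); gsub(/"/, "", v)
      if (toupper(v) != toupper(expect[k])) {
        printf "line %d: %s is %s, expected %s\n", NR, shown[k], v, expect[k]; bad = 1
      }
    }
    END {
      for (k in expect) if (!(k in seen)) { printf "missing: %s\n", shown[k]; bad = 1 }
      exit bad + 0
    }' "$vmx_file"
}

# Constructed sample: one curly-quoted line, one wrong value, two keys absent.
sample=$(mktemp)
cat > "$sample" <<'EOF'
.encoding = "UTF-8"
firmware = "efi"
memsize = "4096"
SMBIOS.useShortSerialNumber = “TRUE”
devices.hotPlug = "TRUE"
EOF
check_vmx "$sample" SMBIOS.useShortSerialNumber=TRUE SMBIOS.use12CharSerialNumber=TRUE \
  ahci.port.hotplug.enabled=FALSE devices.hotPlug=FALSE || echo "fix these before first boot"
rm -f "$sample"
```

For a macOS VM, pass the keys from that section instead, for example `smbios.restrictSerialCharset=TRUE board-id.reflectHost=FALSE`. Run the check after editing the file and before enabling encryption, which is the order the step-by-step section follows.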

I’ve never done this before. Give me the Step-By-Step for Windows 10 VMs:

This step-by-step guide is written for VMware Fusion version 12.X running on macOS Big Sur 11.1 (Intel CPU) and is written to build a Windows 10 VM. The configurations described below are supported for VMware Workstation for Windows and for VM’s running on VMware vSphere but the exact steps will vary slightly.

  1. Open VMware Fusion on your Mac
  2. Click the Plus mark to “Add a New VM”
  3. On the “Select the installation method” screen, drag and drop the en_windows_10_business_editions_version_20h2_updated_nov_2020_x64_dvd_e5d7759b.iso, then click Continue
  4. Uncheck “Use Easy Install” then click Continue
  5. Choose Firmware Type: Choose UEFI then click Continue
  6. On the “Finish” page, if you click “Finish” the VM will auto launch and will break a number of things that must be changed BEFORE first launch so don’t do that. Instead click on “Customize Settings” 
  7. At the prompt to “Save As” – change the file name to something meaningful to you, I tend to use something like “AutoPilot_20H2,” and if necessary, change the file path, then click Save which will now launch the Settings Pane for the VMs.
  8. Now that we have stopped the VM from starting, close both the Settings Pane and the newly created VM window so that you are back to the Virtual Machine Library Folder. Next we are going to shorten the Serial Number for the VM. 
    1. From the Virtual Machines List, select the VM you just created right-click on it and choose “Show in Finder”
    2. From Finder, right-click on the name.vmwarevm file and choose “Show Package Contents”
    3. Find the .VMX file in the list and using a text editor, open the .VMX file for editing
    4. Add the following two lines at the end of the VMX file:
      SMBIOS.useShortSerialNumber = "TRUE"
      SMBIOS.use12CharSerialNumber = "TRUE"
      If you are testing BitLocker with multiple hard drives, also add:
      ahci.port.hotplug.enabled = "FALSE"
      devices.hotPlug = "FALSE"
    5. Save the file and close it.
  9. Back in the Fusion Virtual Machine Library, right-click on the new VM and choose Settings. Click on “Encryption and Restrictions” and Enable Encryption

Pick a password (it’s a lab, so “111111” works well), click “Remember Password”, then click OK.

  1. Click OK on the “Encryption Added” screen
  2. Click Show All to go back to the Core: Settings menu
  3. Click Add Device
  4. Choose “Trusted Platform Module”
  5. Click Add
  6. Click Show All
  7. This step is optional, but if your physical machine can handle the settings, change the following: Processor & Memory: 2 Core and 4096 MB for Memory
  8. Under Display settings: Make sure “Use full resolution for Retina display” is NOT checked. 
  9. Under Network Adapter, change the Network Adapter to use Bridged Networking with AutoDetect and at the bottom of this page under “Advanced options” make sure a MAC address is populated. If it is not, choose the Generate Button to do so. Click Show All from the top when finished. 
  10. Now click the Red Circle on the top left of the Core Settings page to close this dialog
  11. The VM is now configured
  12. Before you power on the VM a few points about what is about to happen. When you click the big white Play Button to Power On the VM, Fusion will tell the VM to attempt to boot from the ISO. What you are looking for is a single line of white text that reads 

“Press Any Key to Boot from the CD”

On a VM, on a modern computer, this is almost instantaneous, so you must be ready to hit a key almost as soon as you power on the VM. However, when you power on the VM, VMware Fusion changes the focus of the mouse and keyboard from the existing VM to the host machine. If you were to press a key when this happens, the key press would land on macOS, not inside your Windows 10 VM, and the VM would not boot from the ISO because it never saw your key press. To avoid this pesky feature of Fusion, hover your mouse over the Play button, click Play, then immediately single-click the window again to make sure the focus of your mouse remains with the VM. You might have to click a couple of times with your mouse. While you are clicking away, have your finger on your keyboard ready to press a key the moment you see “Press Any Key to Boot from the CD”.

  1. If everything worked in the previous step you should now be looking at a purple background and the Windows Setup screen
  2. If you are in the USA, keep the default language, time, and keyboard input settings and click Next
  3. Click Install Now then you should see “Setup is Starting”
  4. The next screen that appears is “Select the operating system you want to install” 

Be careful and DO NOT select “Windows 10 Enterprise N”

I will point out that technically every version listed here will function for Autopilot but for most demo use cases Windows 10 Pro is the Best Practice. Use Workspace ONE UEM to upgrade Pro to Enterprise.

Pick “Windows 10 Professional” x64 Architecture and Click Next

  1. Click “I accept the license terms” then Click Next
  2. On the screen “Which type of installation do you want?” 

Choose Custom: Install Windows only (advanced)

  1. Leave the “Where do you want to install Windows?” page alone and click NEXT
  2. At this point Windows Setup begins and you should see “Installing Windows”
  3. Stand up and stretch. You’ve got between 5 minutes and 20 minutes depending on what type of hardware your physical machine is on. Grab a coffee. You’ve earned it by getting this far. 
  4. Windows will reboot several times eventually prompting you to join a Wireless Network.

There will not be a prompt if you are using a wired network or you are on a VM and your host is already internet connected. 

  1. If your device is Ethernet connected, Windows will skip the prompt for Region. If not, at the “Let’s start with Region. Is this right?” screen, choose the correct region and select Yes
  2. Next Windows asks: Is this the right keyboard layout? Choose Yes
  3. Next Windows asks: Want to add a second keyboard layout? Choose Skip
  4. Wait for the screen “Now we have some important setup to do” and a few seconds later the screen “Sign in with Microsoft” appears. 
  5. Congratulations! The Windows 10 VM is now configured
