Encrypting a virtual machine secures it from unauthorized use. To decrypt a virtual machine, users must enter the correct encryption password. Restricting a virtual machine prevents users from changing configuration settings unless they first enter the correct restrictions password. You can also set other restriction policies.

When you encrypt a virtual machine, Workstation prompts you for a password. After the virtual machine is encrypted, you must enter this password to open the virtual machine or to remove encryption from it. Workstation displays the encrypted virtual machine with a lock icon until you enter the password to open the virtual machine.

If you also enable restrictions, users are prevented from modifying the virtual machine. For example, you can enable restrictions to prevent users from removing virtual devices, changing the memory allocation, modifying removable devices, changing the network connection type, and changing the virtual hardware compatibility. A password prompt appears whenever anyone performs any of the following actions on the virtual machine:

- Clicks Edit virtual machine settings or Upgrade Virtual Machine on the virtual machine summary tab
- Double-clicks a virtual device in the Devices list on the virtual machine summary tab
- Selects the virtual machine and selects VM > Settings or VM > Manage > Change Hardware Compatibility from the menu bar
- Clicks or right-clicks on a removable device icon to edit its settings
- Uses a Removable Devices > device_name menu to edit the settings for a device

Besides restricting users from changing USB device settings, you can optionally set a policy that prevents users from connecting USB devices to the guest operating system. If you set the policy to allow connecting USB devices, users are not prompted to enter the restrictions password to use the devices.

Another optional policy forces users to change the encryption password if they move or copy the virtual machine. For example, a teacher might provide a copy of the virtual machine to all students in the class and set this restriction so that all students must create their own encryption password.

Another optional policy sets an expiration date for a virtual machine. For example, an administrator can create a virtual machine for a temporary employee and set the virtual machine to expire when the temporary employee leaves the company.


Make sure you record the encryption password and the restrictions password. Workstation does not provide a way to retrieve these passwords if you lose them.

Encryption applies to all snapshots in a virtual machine. If you restore a snapshot in an encrypted virtual machine, the virtual machine remains encrypted whether or not it was encrypted when the snapshot was taken. If you change the password for an encrypted virtual machine, the new password applies to any snapshot you restore, regardless of the password in effect when the snapshot was taken.

The encryption feature has certain limitations.

You can encrypt a virtual machine to secure it from unauthorized use. You can also enable restrictions to prevent users from changing configuration settings.

You can remove encryption from a virtual machine.

You can change the password for an encrypted virtual machine. Changing the password does not re-encrypt the virtual machine.