-
- Novice
- Posts: 3
- Liked: 1 time
- Joined: Oct 26, 2023 7:29 am
- Full Name: Frederic Marchand
- Contact:
[Feature Request] Hybrid mode backup for VM with TPM module / Enable/Allow Storage Snapshots from Win11 VMs
Adding a TPM module to a VM automatically encrypts VM configuration files, flags the VM as encrypted and disables direct storage access mode for backup.
This prevents general use of TPM module in production VM as we cannot generalize the use of network mode backup without severe performance impacts.
Considering that hard disks are not encrypted, it should be possible to back up configuration files using network mode and back up hard disks using direct storage access.
Please implement hybrid transport mode where encrypted configuration files are backed up through network and unencrypted hard disks are backed up through direct storage access.
-
- Product Manager
- Posts: 15139
- Liked: 3237 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: [Feature Request] Hybrid mode backup for VM with TPM module
Hello,
and welcome to the forums.
"Considering that hard disks are not encrypted"
Hmm, that sounds more like a corner case scenario. What's the purpose of adding a vTPM and then not encrypting the disks? I try to understand the scenario and how often customers would configure that.
Best regards,
Hannes
PS: HotAdd mode is usually faster than network mode and could be an alternative
-
- Novice
- Posts: 3
- Liked: 1 time
- Joined: Oct 26, 2023 7:29 am
- Full Name: Frederic Marchand
- Contact:
Re: [Feature Request] Hybrid mode backup for VM with TPM module
The TPM is a security device designed to store secrets.
It can be used in various scenarios, not just encrypting disks.
The main example is the configuration of virtualization-based security with Credential Guard.
In this case, Windows uses the virtual TPM to protect the credentials. The hard disk is not encrypted and does not need to be.
In this case, the only encrypted files are the configuration files of the VM, which can be captured through network in a snap in all cases.
https://blogs.vmware.com/vsphere/2018/0 ... e-6-7.html
-
- Product Manager
- Posts: 15139
- Liked: 3237 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: [Feature Request] Hybrid mode backup for VM with TPM module
Hello,
yes, I see the use-case. I'm just surprised customers do it
The link mentioned shows that one is technically doing nested virtualization (aka running Hyper-V in VMware). Not many customers I see do that today (it happens from time to time yes, but not many).
But yes, the scenario with credential guard without encryption makes sense.
Best regards,
Hannes
-
- Novice
- Posts: 3
- Liked: 1 time
- Joined: Oct 26, 2023 7:29 am
- Full Name: Frederic Marchand
- Contact:
Re: [Feature Request] Hybrid mode backup for VM with TPM module
Stored hashed passwords and Kerberos tickets are highly vulnerable and the main cause of security breaches through lateral movements.
The ability to store them securely is a valuable feature.
I don't know if my request is easy to implement or not.
But if that's the case, then it can become a strong added value.
-
- Influencer
- Posts: 13
- Liked: 1 time
- Joined: Jul 19, 2017 12:55 pm
- Contact:
Re: [Feature Request] Hybrid mode backup for VM with TPM module
Since we have an increasing number of Win11 VMs and TPM is mandatory for Win11,
I wanted to ask if there is a way to back up these VMs with storage snapshots in the meantime?
Of course we have deactivated disk encryption.
thanks, fritz
-
- Product Manager
- Posts: 15139
- Liked: 3237 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: [Feature Request] Hybrid mode backup for VM with TPM module
Hello,
There were no changes on the Veeam side, but an internet search tells me that one can install Windows 11 without TPM (I did not test it myself).
Best regards
Hannes
-
- Influencer
- Posts: 13
- Liked: 1 time
- Joined: Jul 19, 2017 12:55 pm
- Contact:
Re: [Feature Request] Hybrid mode backup for VM with TPM module
Many thanks for the tip!
We will discuss the method internally, but we have these challenges:
- existing systems cannot be changed with this method
- the installation process is automated (matrix42); the change in the installation process (registry key) is not provided during installation, but can possibly be integrated somehow with a workaround
- because the TPM check is only deactivated during installation, the VM could theoretically stop working after a Windows update.
I will also create a feature request for this in the veeam forum.
Thanks, fritz
-
- Influencer
- Posts: 13
- Liked: 1 time
- Joined: Jul 19, 2017 12:55 pm
- Contact:
Feature Request - Enable/Allow Storage Snapshots from Win11 VMs
Hello!
Storage Snapshot Backup is not possible for Win11 VMs.
Even if we disable the disk encryption, the TPM (vTPM) is active (and mandatory for Win11) - so Backup from Storage Snapshot is not possible.
Maybe other/more Windows OSes will also need TPM to be active in future?
Explanation from Veeam Support (Case 07619267)
Even if you disable disk encryption, the VM files remain encrypted.
This means we still need to communicate with the VMware Key Provider, similar to how we handle normally encrypted VMs.
It’s not possible because it relies on the Key Provider service. Instead, you should use HotAdd or NBDSSL and treat it like an encrypted VM.
Entry in the log is:
[ViVmStorageIntegrationChecker] VM 'XXX' is encrypted. VM is not storage snapshot mode compatible.
I guess this entry is also about this problem:
vmware-vsphere-f24/hybrid-mode-backup-f ... 90627.html
It would be a great help to enable storage snapshots in such cases, because it will be much quicker and with lower performance impact on the VM environment.
Thanks, Fritz
-
- Product Manager
- Posts: 15139
- Liked: 3237 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: [Feature Request] Hybrid mode backup for VM with TPM module / Enable/Allow Storage Snapshots from Win11 VMs
Hello Fritz,
I merged the feature request into the existing thread as it's the same request.
"because it will be much quicker"
Just curious, how big is the performance gain in your environment for incremental backups? Because we improved NBD backup a lot over the last versions and it has much less overhead than backup from storage snapshot (BfSS). That means, for incremental backups, we often see NBD being faster because it does not have HotAdd / BfSS overhead.
Best regards
Hannes
-
- Influencer
- Posts: 13
- Liked: 1 time
- Joined: Jul 19, 2017 12:55 pm
- Contact:
Re: [Feature Request] Hybrid mode backup for VM with TPM module / Enable/Allow Storage Snapshots from Win11 VMs
Hello!
Thanks for merging both requests!
I don't have any comparative data here for storage snapshot vs. VMware snaps,
but due to an error with the storage (IBM), storage snapshot was deactivated in the past.
The backups without storage snapshot feature took significantly longer.
We generally try to use the storage snapshot feature wherever possible, as it should take the load off the ESX server.
Perhaps the “alternatives” have become better in the meantime ...
Thank you!
-
- Novice
- Posts: 7
- Liked: 1 time
- Joined: Mar 26, 2020 1:52 pm
- Contact:
Re: [Feature Request] Hybrid mode backup for VM with TPM module / Enable/Allow Storage Snapshots from Win11 VMs
Going to just add a +1 to this feature request.
We've leveraged HPE Nimble snapshots for a while. We replicate to a remote Nimble for DR purposes, and our primary location spins the snaps off to a repo. While we haven't tried in recent years since v12 was released, historically we saw the offloading to the storage snapshot to be more efficient than the ESXi hosts.
With Server 2025 we're beginning to roll vTPM due to the requirement.
At this point we've only begun rolling SQL servers, and we aren't doing full server backups and primarily using storage snaps and database backups using the SQL plug-in.
-
- Product Manager
- Posts: 15139
- Liked: 3237 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: [Feature Request] Hybrid mode backup for VM with TPM module / Enable/Allow Storage Snapshots from Win11 VMs
Hello,
I deployed Windows Server 2025 without TPM and it did not complain, and I added your +1 to the feature request.
Best regards
Hannes
-
- Enthusiast
- Posts: 44
- Liked: 11 times
- Joined: Sep 07, 2021 5:37 pm
- Full Name: TW
- Contact:
Re: [Feature Request] Hybrid mode backup for VM with TPM module / Enable/Allow Storage Snapshots from Win11 VMs
Is the requirement you're talking about the ability to Hot Patch? Researching that now.
I assume having VBS enabled will become more and more common for those heavily invested in Microsoft contracts, especially with WSUS slowly exiting stage left.