Do GMSA Accounts work with Windows Agent Backups?

[EcoboostPerformance]

Hello everyone,

I have a question regarding the use of Group Managed Service Account (GMSA) accounts with Windows Agent Backups. Specifically, I'm wondering if GMSA accounts can be used to authenticate backups made with the Windows Agent. (or just vmware)

I tried to add one a server in an existing protection group today and could not select the account (it was not present in the list) even after following the instructions to add it.

Thanks in advance,

Ryan

[Mildur]

Hi Ryan

No, today gMSA works for VM backups only.
Agent Management still requires credentials. If you don't want to store credentials in the backup server, you can use protection group with pre-installed agents, in case you don't want to store credentials in the backup server.

Best,
Fabian

[EcoboostPerformance]

Hi Fabian,

Thank you for letting me know that gMSA accounts only work with VM backups and not with Agent Management. I appreciate the clarification.

I was wondering if it would be possible to feature request the ability to use gMSA accounts with Agent Management in a future version of Veeam Backup? This would be helpful for those who want to use GMSA accounts to reduce management complexity and increase their security posture.

Thank you again for your response.

Best regards,
Ryan

[Mildur]

Hi Ryan

Of course.
We count your vote as a +1 for gMSA and agent backups.

Best,
Fabian

[VAAirGap706]

I also would like to add a Feature Request for the ability to use gMSA accounts with Agent based backups. Our IT Security team does not want Domain Admin service accounts whenever possible. Trying to backup Domain Controllers and SubCA's require DA accounts for the Application Aware backup.

Thanks and I hope this gets worked out in a new release of v.12.

Best,
Matt

[Marco31]

I implemented gMSA Accounts for the backups of my Windows VM Guests, to avoid having an Account with local admin rights on my VMs where passwords must be changed manually. But unfortunately, gMSA Accounts are not supported for Server-Managed Backups of Windows Agents.
Is there any chance to have this function in future releases? Pre-Installed Agents in protection groups are a workaround, but have some restrictions compared to Server-Managed Agent backups.

[Mildur]

Hello Marco

Today it's not possible to use gMSA for Veeam Agents.
We may introduce gMSA support (or certification based authentication) in a future version. But no promises today about an ETA or targeted version. Your vote for this request is counted.

Workaround today as mentioned by you:
- "protection group with pre-installed agents"

Best,
Fabian

[aschmieg]

Add my vote to the feature request of GMSA for agent backups. Specifically app aware backup of domain controllers on physical hardware.
This workaround does not work on Windows Core OS.

[EricinIT]

+1

[MoritzG-Seidemann]

Another vote from me

[Sloan]

Add my vote to the feature request of GMSA for agent backups. Specifically app aware backup of domain controllers on physical hardware.

We need this feature too as we try/need to get rid of service accounts with stored passwords and for the foreseeable future, physical domain controllers are a requirement in our environment.

[raortiz]

Hello,

I would like to submit a feature request regarding the use of Group Managed Service Accounts (gMSA) in Veeam Backup & Replication. (Case # 08104102)

Current behavior:
At the moment, gMSA can be used for Guest Processing (application-aware processing), but it cannot be used for agent management tasks such as:
- Adding machines to Protection Groups
- Deploying and managing Veeam Agents
- Connecting to managed-by-agent machines

In these scenarios, Veeam requires traditional credentials (username + password), which prevents us from fully leveraging gMSA.

Use case:
In our environment, we manage:
- Physical machines
- Virtual machines in third-party VMware environments (no vCenter access)

Therefore, we rely heavily on:
- Protection Groups
- Agent-based backups

Our goal is to:
- Eliminate stored passwords in the backup server
- Use gMSA exclusively for authentication
- Follow security best practices (password rotation, minimal exposure, no credential storage)

Current limitation:
Even when using:
- Pre-installed agents
- Certificate-based authentication

Veeam still requires credentials at some stage, or the workflow becomes difficult to manage at scale.

Feature request:
We would like to request full support for gMSA in:
1. Protection Groups (agent management)
2. Agent deployment and communication
3. Managed by agent jobs (without requiring stored credentials)

Ideally:
- Veeam should be able to use gMSA for remote management tasks
- Or provide a fully password-less architecture based on gMSA and certificates

Benefits:
- Improved security (no stored credentials)
- Alignment with modern Windows security practices
- Better compliance with enterprise policies (PAM, zero-trust, etc.)
- Reduced operational overhead (no password rotation issues)

Conclusion:
gMSA support is already partially implemented (Guest Processing), but extending it to agent management would significantly improve security and usability for environments that rely on Protection Groups.

Thank you for considering this request

[Mildur]

Hi Raquel

Please try our deployment kits (v13 feature). Deployment kits use certificate based authentification instead of credentials.

I believe it will solve your request.

Best,
Fabian

[pcaille]

+1

[Mildur]

Hi pcaille

Please try the new deployment kits (v13 feature). Deployment kits use certificate based authentification instead of credentials.

Best,
Fabian