How to protect AHV VM with vTPM enabled

I would suggest reading this page as it is the Veeam help guide for AHV - Welcome to Veeam Backup for Nutanix AHV - Veeam Backup for Nutanix AHV User Guide

Thank @Chris.Childerhose 

I already searched in the guide for how-to without success.

Did you try searching Google as well or even the Nutanix forums?

Sorry but I don’t use Nutanix so trying to help guide.

Hi @Chris.Childerhose 

Thank you so much for taking time to help me. I really appreciate that.

I tried to google and search in R&D without success too. All about Vmware.

If you have support with Nutanix maybe contact them also?

I will check. However, I looking for Veeam guidelines for backup AHV VMs with vTPM enabled.

Ok then maybe post over at the Veeam Forums or search there to see if there are people with the same questions.

R&D Forums (veeam.com)

I will.

Thank you @Pybarra 

Product Manager from Nutanix here.

I’m looking into enhancements that allow backup of vTPM-enabled AHV VMs. I’d like to understand more details about how Veeam users would use backup/restore of vTPM-enabled AHV VMs. If you would benefit from such an enhancement, please share these details:

• Customer organization name (company name)
• What use case is using vTPM? In particular...
  • Is vTPM to be used just to satisfy Windows 11 hardware requirement, or another use case where no data stored in vTPM (i.e. vTPM just used for generating keys/numbers, not storing)?
  • Is vTPM to be used for BitLocker (and not Nutanix encryption)?
  • Is there some other application/use case for storing data in vTPM that is critical? (Please share details)
• Do you have a single Prism Central, or multiple Prism Centrals?
  • Would you need to back up from a cluster within one Prism Central and restore to a cluster in a different Prism Central?
• Is an external key manager being used for backup-related encryption keys? (Which key manager?)
  • Do you need an external key manager to be used for storing the Nutanix encryption keys that are used to encrypt the vTPM backup data?
• Business impact on the customer if backup/restore vTPM is not supported.
• Business impact on the customer if backup/restore of vTPM data is not supported.

Hey Joshua,

Thanks for looking into this. We desperately need a way to backup our vTPM enabled servers with Veeam. Otherwise it renders the Veeam backup product mostly useless for us.

• Our vTPM use case.
  • We use Microsoft credential guard to protect our production Windows servers. Windows Credential guard leverages the TPM to store admin users credentials in a secure space outside of the OS rather than running memory that is highly vulnerable to attack. 
• We use Prism Central. 
  • Recovery Points feature in Prism Central does not work at all when vTPM is enabled on a VM. In our case, the Nutanix Veeam backup proxy leverages PC recovery points for backup jobs and this is why they fail.
• We do not store backup keys in vTPM.

This seems to be a Nutanix issue with recovery points for vTPM as we can make AHV/Prism VM snapshots on the hosts with no issues. If the Veeam AHV backup product had an option to use host based snapshots rather than Prism Central recovery points then we could still use the Veeam backup. 

Removing the vTPM on our production systems is not an option as it would greatly reduce our IT security posture. At this point if the problem is not resolved early in 2024 then we will start look to for other backup solutions to better fit our needs.

Same problems as PearceH. Urgent