VMs with TPM enabled fail to restore

When TPM is enabled in vCenter, the encrypted VMs will fail to restore and power on because your TPM key is not present. The errors below are shown in the Veeam “\Backup\SERVERNAMEHERE.Restore.log”:

Failed to restore vm. Name: [SERVERNAMEHERE]

The virtual machine must be encrypted. (The virtual machine must be encrypted., Virtual TPM initialization failed., Module 'DevicePowerOn' power on failed. , Failed to start the virtual machine.) (Veeam.Backup.ViSoap.ViServiceFaultException)

Job Restore Task operation result: 'PowerOn failed, vmRef '4', hostRef 'ha-host'

There are two options for recovering these servers.

  1. If you want the machines to be included in the Cloud IBR recovery automation:
    • Create a Veeam Protection Group under Inventory to push the Veeam Agent for Windows to these machines.
    • Include them in the backup you send to the repository that Cloud IBR is recovering from.
    • You should also move the VMware native backups of those machines to a repository that Cloud IBR is not recovering, to eliminate the errors during a recovery.
  2. If you want to manually recover the native VMware backups:
    • Ensure that your vCenter is part of the backups you send to the repository that Cloud IBR is recovering from.
    • After performing a recovery with Cloud IBR, log in to your recovered vCenter and add the Cloud IBR ESXi hosts using their internal IP addresses, which you can find in the ESXi console. If there were no Instant Recoveries in your environment, you’ll first need to create a VMware Port Group in the ESXi console and add it to your recovered vCenter so that it can communicate with the ESXi hosts on their internal IP addresses.
    • You can now manually restore the native VMware backups to your recovered vCenter instance via the Cloud IBR VBR because your TPM key is stored within your recovered vCenter.
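
To decide which machines need one of the two options above, the restore logs can be triaged for the vTPM error signatures quoted in this article. The script below is an added example, not Veeam or Cloud IBR code. It assumes that each failure's details follow its "Failed to restore vm" line, and the sample log, its "[ts]" prefix, the VM names and the function names are constructed for illustration.

```python
import re
from pathlib import Path

# Signatures copied from the error text quoted in this article.
FAILED_VM = re.compile(r"Failed to restore vm\. Name: \[([^\]]+)\]")
VTPM_SIGNATURES = (
    "Virtual TPM initialization failed",
    "The virtual machine must be encrypted",
)

# Constructed sample; the "[ts] Error" prefix is an assumption about log layout.
SAMPLE_LOG = """\
[ts] Info  Starting restore task
[ts] Error Failed to restore vm. Name: [APP01]
[ts] Error The virtual machine must be encrypted. (The virtual machine must be encrypted., Virtual TPM initialization failed., Module 'DevicePowerOn' power on failed. , Failed to start the virtual machine.) (Veeam.Backup.ViSoap.ViServiceFaultException)
[ts] Error Failed to restore vm. Name: [FILE02]
[ts] Error Insufficient disk space on datastore.
"""

def vtpm_failures(log_text):
    """Map each failed VM to the vTPM signatures logged before the next failure."""
    results, current = {}, None
    for line in log_text.splitlines():
        match = FAILED_VM.search(line)
        if match:
            current = match.group(1)
            results.setdefault(current, [])
            continue
        if current is not None:
            for sig in VTPM_SIGNATURES:
                if sig in line and sig not in results[current]:
                    results[current].append(sig)
    return results

def scan_restore_logs(log_dir):
    """Return sorted VM names from *.Restore.log files that failed on vTPM/encryption."""
    affected = set()
    for path in Path(log_dir).glob("*.Restore.log"):
        text = path.read_text(encoding="utf-8-sig", errors="replace")
        affected.update(vm for vm, sigs in vtpm_failures(text).items() if sigs)
    return sorted(affected)

if __name__ == "__main__":
    for vm, sigs in vtpm_failures(SAMPLE_LOG).items():
        print(vm, "-> vTPM key missing" if sigs else "-> other failure", sigs)
```

VMs returned by `scan_restore_logs` failed because the TPM key was absent; failures without a signature have a different cause and should be investigated separately.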