Merge pull request #310311 from AbhishekMallick-MS/Jan-9-2026-CVMbkp

Confidential VM backup Public preview - Doc updates

Author: JamesJBarnett

articles/backup/backup-support-matrix-iaas.md

@@ -2,7 +2,7 @@
 title: Support matrix for Azure VM backups
 description: Get a summary of support settings and limitations for backing up Azure VMs by using the Azure Backup service.
 ms.topic: reference
-ms.date: 10/27/2025
+ms.date: 01/28/2026
 ms.custom:
   - references_regions
   - linux-related-content
@@ -104,6 +104,10 @@ Azure Backup provides the following support for customers to author their own pr
 
 
 
+## Support for Confidential VM backup (preview)
+
+[!INCLUDE [Confidential VM backup support scenarios..](../../includes/confidential-vm-backup-support-matrix.md)]
+
 ## Support for agentless multi-disk crash-consistent VM backup
 
 [!INCLUDE [backup-azure-agentless-multi-disk-crash-consistent-vm-backup-support-scenarios.md](../../includes/backup-azure-agentless-multi-disk-crash-consistent-vm-backup-support-scenarios.md)]
@@ -187,8 +191,8 @@ Configure standalone Azure VMs in Windows Storage Spaces direct | Not supported.
 [Restore Virtual Machine Scale Sets](/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-orchestration-modes#scale-sets-with-flexible-orchestration) | Supported for the flexible orchestration model to back up and restore a single Azure VM.
 Restore with managed identities | Supported for managed Azure VMs. <br><br> Not supported for classic and unmanaged Azure VMs. <br><br> Cross-region restore isn't supported with managed identities. <br><br> Currently, this is available in all Azure public and national cloud regions. <br><br> [Learn more](backup-azure-arm-restore-vms.md#restore-vms-with-managed-identities).
 <a name="tvm-backup">Back up trusted launch VMs</a>    |  Supported via [Enhanced policy](backup-azure-vms-enhanced-policy.md) and [Standard policy](backup-instant-restore-capability.md). <br><br>    **Feature details**:  <br><br> - Backup of a VM with Data disks having Security Type 'TrustedLaunch' or 'ConfidentialVM' is not supported. This can happen if you attach the OS disk from a Trusted Launch as a Data disk to another VM. <br>   - Item-level restore is supported for the [applicable scenarios](#support-for-file-level-restore).      <br><br>  **Backup support via Enhanced policy**:  <br><br> - Azure portal, PowerShell, and REST API clients support trusted launch VM backup with Enhanced policy.   <br>  - The Azure portal allows you to enable backup through a [Recovery Services vault](backup-azure-arm-vms-prepare.md), the [VM management pane](backup-during-vm-creation.md#run-an-on-demand-backup-after-vm-creation), and the VM creation pane.   <br>  - Resiliency supports [backup](../resiliency/tutorial-configure-protection-datasource.md), [alerts](../resiliency/tutorial-monitor-alerts-metrics.md), and [monitoring](../resiliency/tutorial-monitor-protection-summary.md) for trusted launch VMs.    <br><br>       **Backup support via Standard policy**:    <br><br>  - CLI (version 2.73.0 and later), PowerShell (version Az 14.0.0 and later), and REST API (version 2025-01-01 and later) only support trusted launch VM backup with Standard policy.  <br>  - Trusted Launch virtual machines with standard policy use managed disk snapshots for Instant Restore. In this scenario, you incur Snapshot storage cost same as that of Enhanced policy. [Learn more](backup-instant-restore-capability.md#cost-impact).    <br><br>    Note that migration of an existing Gen2 VM (protected by Azure Backup Standard policy) to Trusted Launch VM requires first [switching to Enhanced policy](backup-azure-vm-migrate-enhanced-policy.md).
-[Back up confidential VMs](../confidential-computing/confidential-vm-overview.md) | Unsupported. <br><br>    Note that the following limited preview support scenarios are discontinued and currently not available: <br><br> - Backup of Confidential VMs with no confidential disk encryption.   <br> - Backup of Confidential VMs with confidential OS disk encryption through a platform-managed key (PMK).
-Backup of VMs with SSE and CMK encryption using HSM | Supported. <br><br> You must assign the permissions get, wrap, and unwrap key to the Key Vault to User-assigned managed identity.
+[Back up confidential VMs](../confidential-computing/confidential-vm-overview.md) | Supported (in preview). [Learn more about the supported scenarios](#support-for-confidential-vm-backup-preview).
+
 
 ## VM storage support
 

articles/backup/confidential-vm-backup.md

@@ -0,0 +1,84 @@
+---
+title: Azure Backup - Configure backup of Confidential VM using Azure Backup (preview) 
+description: Learn about backing up Confidential VM with PMK or CMK using Azure Backup.
+ms.topic: how-to
+ms.date: 01/28/2026
+ms.custom: references_regions
+ms.service: azure-backup
+author: AbhishekMallick-MS
+ms.author: v-mallicka
+---
+
+# Back up Confidential VM using Azure Backup (preview)
+
+[!INCLUDE [Confidential VM backup preview advisory.](../../includes/confidential-vm-backup-preview.md)]
+
+Azure Backup supports [Confidential Virtual Machines (CVMs)](/azure/confidential-computing/confidential-vm-overview) that provide secure backup and restore for sensitive workloads. This capability uses Azure Disk Encryption Sets (DES) with Platform Managed Keys (PMKs) or Customer Managed Keys (CMKs) to maintain data confidentiality throughout the backup lifecycle. Confidential VMs provide strong security by creating a hardware-enforced boundary between your application and the virtualization stack.
+
+This article describes how to configure and back up Confidential VM (CVM) with Platform or Customer Managed Key (PMK or CMK).
+
+## Supported scenarios for Confidential VM backup
+
+[!INCLUDE [Confidential VM backup support scenarios..](../../includes/confidential-vm-backup-support-matrix.md)]
+
+## Prerequisites
+
+Before you configure backup for CVM with CMK, ensure that the following prerequisites are met:
+
+- Register for the preview feature `RestorePointSupportForConfidentialVMV2` under the `Microsoft.Compute` provider namespace by running the following cmdlet, which is auto‑approved.
+
+   ```azurepowershell-interactive
+   Register-AzProviderFeature -FeatureName "RestorePointSupportForConfidentialVMV2" -ProviderNamespace "Microsoft.Compute" 
+
+   ```
+
+
+- Identify or create a Confidential VM (CVM) in a supported region. See the [supported regions](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=virtual-machines).
+- Identify or [create a Recovery Services Vault](backup-create-recovery-services-vault.md#create-a-recovery-services-vault) in the same region as the VM.
+
+## Create a new Confidential VM with PMK or CMK
+
+To back up a Confidential VM using Azure Backup, you must have a Confidential VM configured with PMK or CMK encryption. Azure Backup uses the Disk Encryption Set (DES) associated with your VM to maintain encryption throughout the backup and restore process.
+
+Learn how to [create a new Confidential VM with PMK or CMK](/azure/confidential-computing/quick-create-confidential-vm-portal-amd), if needed.
+
+## Assign permissions for Confidential VM backup
+
+Azure Backup requires access to the Key vault or Managed Hardware Security Module (HSM) that stores your keys. This access ensures the service can back up keys and recover them if they're deleted. When you configure backup in the Azure portal, Azure Backup automatically gets the required permissions. If you use other clients, such as PowerShell, CLI, or REST API, you must assign these permissions manually.
+
+If you're using a Key vault to store keys, [grant permission to the Azure Backup service for the backup operations](backup-azure-vms-encryption.md#provide-permissions). 
+
+To assign permissions for MHSM, follow these steps:
+
+1. In the Azure portal, go to **Managed HSM**, and then select **Local RBAC** in **Settings**.
+
+2. Select **Add** to add a *new Role Assignment*.
+
+3. Select one of the following roles:
+
+   - **Built-in roles**: If you want to use a built-in role, select the **Managed HSM Crypto User** role.
+
+   - **Custom roles**: If you want to use custom role, then *dataActions* of that role should have these values:
+
+     - **Microsoft.KeyVault/managedHsm/keys/read/action**
+     - **Microsoft.KeyVault/managedHsm/keys/backup/action**
+
+     You can create a custom role using the [Managed HSM data plane role management](/azure/key-vault/managed-hsm/role-management#create-a-new-role-definition).
+
+4. For **Scope**, select the specific key used to create Confidential VM with Customer Managed Key.
+
+   You can also select **All Keys**. 
+
+5. On the **Security principal**, select **Backup Management Service**.
+
+## Configure backup for Confidential VM
+
+Once Azure Backup has the necessary permissions, you can continue configuring backup. [Learn how to configure Azure VM backup](backup-azure-vms-enhanced-policy.md).
+
+## Next step
+
+[Restore CVM using Azure Backup (preview)](confidential-vm-restore.md).
+
+## Related content
+
+[Back up encrypted Azure virtual machines](backup-azure-vms-encryption.md).

articles/backup/confidential-vm-restore.md

@@ -0,0 +1,138 @@
+---
+title: Azure Backup - Restore Confidential VM using Azure Backup (preview)
+description: Learn about restoring Confidential VM with Platform Managed Key (PMK) or Customer Managed Key (CMK) using Azure Backup.
+ms.topic: how-to
+ms.date: 01/28/2026
+ms.custom: references_regions
+ms.service: azure-backup
+author: AbhishekMallick-MS
+ms.author: v-mallicka
+---
+
+# Restore Confidential VM using Azure Backup (preview)
+
+[!INCLUDE [Confidential VM backup preview advisory.](../../includes/confidential-vm-backup-preview.md)]
+
+This article describes how to restore Confidential VM (CVM) encrypted with Platform Managed Key (PMK) or Customer Managed Key (CMK) using Azure Backup. It covers restore scenarios based on encryption key and Disk Encryption Set (DES) states, and provides the recovery procedure for restore failures. It also provides the procedure to extract virtual machine encryption details, restore missing keys, and assign necessary permissions.
+
+Learn about the [supported scenarios for Confidential VM backup](backup-support-matrix-iaas.md#support-for-confidential-vm-backup-preview).
+
+## Restore scenarios for Confidential VM
+
+Confidential VM restore behavior depends on the state of the DES, Key Vault, and keys at the time of restore. Key restore scenarios include:
+
+- **Original Key or Key Version intact**: Restore succeeds if the original Disk Encryption Set (DES) and key remain intact.
+- **Key Rotation**: Restore succeeds when a new key version is active, provided the previous key version isn't expired or deleted.
+- **Key Change**: If the DES uses a new key, restore succeeds only if the previous key still exists; it fails if the previous key is deleted.
+- **DES or Key Deleted**: Restore fails with errors, such as `UserErrorDiskEncryptionSetDoesNotExist` or `UserErrorDiskEncryptionSetKeyDoesNotExist`. To resolve, re-create the key and DES using restored key data, then retry the restore.
+- **Input DES Provided**: If you provide a new DES created from restored key data, restore can succeed if the key and version match the ones used at backup time.
+- **Mismatched DES or Key**: Restore fails with `UserErrorInputDESKeyDoesNotMatchWithOriginalKey`. To resolve this error, restore the missing keys.
+
+Learn how to [restore missing keys for Confidential VM restore](#restore-missing-keys-for-confidential-vm-restore).
+
+## Prerequisites
+
+Before you start the Confidential VM restore process, ensure you have the recovery points available in the Recovery Services vault.
+
+## Assign permissions to DES and Confidential Guest VM Agent for restore
+
+Disk Encryption Set and Confidential Guest VM Agent need permissions on the Key Vault or Managed HSM. To provide the permissions, follow these steps:
+
+**For Key vault**: To grant permissions to the Key vault, select the message *To associate a disk, image, or snapshot with this disk encryption set, you must grant permissions to the key vault*.
+
+**For Managed HSM**: To grant permissions to the Managed HSM, follow these steps:
+
+1. Assign newly created DES with the Managed HSM Crypto User Role:
+
+   1. In the [Azure portal](https://portal.azure.com/), go to **Managed HSM** > **Settings**, and then select **Local RBAC**.
+   2. To add a new Role Assignment, select **Add**.
+   3. Under **Role**, select **Managed HSM Crypto User Role**.
+   4. Under **Scope**, select the restored key. You can also select **All Keys**.
+   5. On the **Security principal**, select *newly created DES*.
+
+2. Assign required permissions to the Confidential Guest VM Agent for booting up CVM:
+
+   1. In the [Azure portal](https://portal.azure.com/), go to **Managed HSM** > **Settings**, and then select **Local RBAC**.
+   2. To add a new Role Assignment, select **Add**.
+   3. Under **Role**, select **Managed HSM Crypto Service Encryption User**.
+   4. Under **Scope**, select the restored key. You can also select **All Keys**.
+   5. On the **Security principal**, select **Confidential Guest VM Agent**.
+
+## Restore the Confidential VM
+
+After you assign the required permissions, you can run the restore operation. [Learn how to restore an Azure VM](backup-azure-arm-restore-vms.md).
+
+## Restore missing keys for Confidential VM restore
+
+If the restore operation fails, you need to restore the PMK or CMK that Azure Backup backed up. 
+
+To restore the key using PowerShell, follow these steps:
+
+1. To select the vault containing the protected CVM + CMK, enter the resource group and name of the vault in the cmdlet, and then run the cmdlet.
+
+   ```azurepowershell
+   $vault = Get-AzRecoveryServicesVault -ResourceGroupName "<vault-rg>" -Name "<vault-name>"
+   ```
+
+2. To list all failed restore jobs from the last 7 days, run the following cmdlet:
+
+   ```azurepowershell
+   $Jobs = Get-AzRecoveryServicesBackupJob -From (Get-Date).AddDays(-7).ToUniversalTime() -Status Failed -Operation Restore -VaultId $vault.ID
+   ```
+
+   >[!Note]
+   >If you want to fetch older jobs, update the day range in the cmdlet.
+
+3. To select the failed restore job from the result and get the job details, run the following cmdlet:
+
+   *Example*
+
+   ```azurepowershell
+   $JobDetails = Get-AzRecoveryServicesBackupJobDetail -Job $Jobs[0] -VaultId $vault.ID
+   ```
+
+4. To get all the necessary parameters required for key restore from the job details, run the following cmdlet:
+
+   ```azurepowershell
+   $properties = $JobDetails.properties
+   $storageAccountName = $properties["Target Storage Account Name"]
+   $containerName = $properties["Config Blob Container Name"]
+   $securedEncryptionInfoBlobName = $properties["Secured Encryption Info Blob Name"]
+   ```
+
+5. To select the target storage account used for restore, enter its resource group in the following cmdlet, and then run the cmdlet:
+
+
+   ```azurepowershell
+   Set-AzCurrentStorageAccount -Name $storageaccountname -ResourceGroupName '<storage-account-rg >'
+   ```
+
+6. To restore the JSON configuration file containing key details for CVM with CMK, run the following cmdlet:
+
+   ```azurepowershell
+   $destination_path = 'C:\cvmcmkencryption_config.json'
+   Get-AzStorageBlobContent -Blob $securedEncryptionInfoBlobName -Container $containerName -Destination $destination_path
+   $encryptionObject = Get-Content -Path $destination_path | ConvertFrom-Json 
+   ```
+
+7. After the JSON file is generated in the destination path mentioned previously, generate key blob file from the JSON data by running the following cmdlet:
+
+   ```azurepowershell
+   $keyDestination = 'C:\keyDetails.blob'
+   [io.file]::WriteAllBytes($keyDestination, [System.Convert]::FromBase64String($encryptionObject.OsDiskEncryptionDetails.KeyBackupData)) 
+   ```
+
+8. To restore the key back in the Key Vault or Managed Hardware Security Module (HSM), run the following cmdlet:
+
+   ```azurepowershell
+   Restore-AzKeyVaultKey -VaultName '<target_key_vault_name> ' -InputFile $keyDestination
+   For MHSM Use,  
+   Restore-AzKeyVaultKey -HsmName '<target_mhsm_name>' -InputFile $keyDestination
+   ```
+
+Now, you can create a new DES with Encryption type as *Confidential disk encryption with CMK*, which should point to the restored key. This DES should have enough permissions to perform a successful restore. If you use a new Key Vault or Managed HSM to restore the key, then *Backup Management Service* has enough permissions on it. [Learn how to grant permission for Key Vault or Managed HSM access](confidential-vm-backup.md#assign-permissions-for-confidential-vm-backup).
+
+## Related content
+
+- [Support matrix for Confidential VM backup](backup-support-matrix-iaas.md#support-for-confidential-vm-backup-preview).
+- [Back up CVM using Azure Backup (preview)](confidential-vm-backup.md).

articles/backup/index.yml

@@ -65,26 +65,14 @@ landingContent:
     linkLists:
       - linkListType: whats-new
         links:
+          - text: Confidential VM backup (preview)
+            url: confidential-vm-backup.md
           - text: Threat Detection with Microsoft Defender for Cloud integration (preview)
             url: threat-detection-overview.md
           - text: Azure Files (Premium) vaulted backup
             url: azure-file-share-backup-overview.md
-          - text: Azure Elastic SAN backup (preview)
-            url: azure-elastic-storage-area-network-backup-overview.md
-          - text: SAP ASE (Sybase) database backup support
-            url: sap-ase-database-about.md        
           - text: Azure Data Lake Storage vaulted backup support
             url: azure-data-lake-storage-backup-overview.md
-          - text: Azure Files vaulted backup support
-            url: azure-file-share-backup-overview.md?tabs=vault-standard
-          - text: Azure Database for PostgreSQL - Flexible server backup support
-            url: backup-azure-database-postgresql-flex-overview.md
-          - text: Secure by default with Vault soft delete (preview)
-            url: secure-by-default.md
-          - text: WORM enabled Immutable Storage for Recovery Services vaults
-            url: backup-azure-immutable-vault-concept.md  
-          - text: Vaulted backup and Cross Region Restore support for AKS
-            url: azure-kubernetes-service-backup-overview.md          
 
   # Card
   - title: Back up Azure VMs

articles/backup/toc.yml

@@ -408,6 +408,8 @@
         href: backup-azure-vms-first-look-arm.md
       - name: Set up a vault and enable backup for Azure VMs
         href: backup-azure-arm-vms-prepare.md
+      - name: Back up Confidential VMs
+        href: confidential-vm-backup.md  
       - name: Back up encrypted Azure VMs
         href: backup-azure-vms-encryption.md
       - name: Configure app-consistent backups of Azure VMs running Linux
@@ -424,6 +426,8 @@
         href: backup-azure-arm-restore-vms.md
       - name: Recover files from Azure VM backups
         href: backup-azure-restore-files-from-vm.md
+      - name: Restore Confidential VMs
+        href: confidential-vm-restore.md  
       - name: Restore encrypted VMs
         href: restore-azure-encrypted-virtual-machines.md
       - name: Restore keys and secret for encrypted VMs