When backing up VMs that have been enabled with vTPM (recommended for Windows 11 Guest OS), the backup may fail with the message "Error downloading config files"
This can occur if the backup solution user ID is assigned a vCenter role other than the 'Administrator' role. 

ESXi 6.7
ESXi 7.x
ESXi 8.x

After a VM has configured with vTPM support, the configuration files on the VM are encrypted by the vCenter using the configured KMS. 
For vTPM only configurations, only the config files are encrypted. The vTPM VM's vmdk disks are not encrypted unless other actions are taken to encrypt the entire VM.

Web UI shows VM Details show VM encryption is in use:

A VADP backup of a vTPM/encrypted VM will fail with an error message "Error downloading config files" unless the vCenter role assigned to the user ID for backup solution is configured with specific cryptographic privileges.

Verify the vCenter Role assigned to the backup user ID has the following cryptographic privileges:

• In vCenter Web UI, navigate to 'Administration | Roles'


• Verify/Add the following cryptographic permissions for the backup ID's assigned role as needed:
  
  
  
  
  • Cryptographic Operations > Direct Access
  
  
  • Cryptographic Operations > Encrypt
  
  
  • Cryptographic Operations > Add Disk
    
    
    
    
    • This privilege is needed for hot-add VADP backup solutions. The backup software must also support encryption of the proxy VM. Verify VADP encrypted backup compatibility with the backup solution vendor as needed.
    
    
    
    
  
  
  • Cryptographic Operations > Register VM
    
    
    
    
    • This privilege is needed to restore an encrypted VM.
    
    
    
    
  
  
  
  

•  VADP backup requirement documentation:  Virtual Machine Encryption Interoperability | Miscellaneous Limitations in vSphere Virtual Machine Encryption
  
  • Only VADP backups are supported for encrypted VM backups including vTPM enabled VMs.
  • VADP Proxy must be encrypted for VADP hot-add solutions.
     
• Recommended for encrypted VMs: 
  • Test to verify both backup and restore operations can be completed successfully for vTPM/encrypted VMs.  Be sure to include testing in other environments that VMs may need to be restored.
    
    
• Note:  Review the requirements for the KMS configuration's backup and availability should encrypted VMs need to be restored to any other vCenter environment(s).
  • Documentation Links:
    • • vSphere Documentation:  Configuring and Managing vSphere Native Key Provider
      • VMware Blog: vSphere Native Key Provider (NKP) Questions & Answers 
      • vSphere Documentation: Enable Virtual Trusted Platform Module for an Existing Virtual Machine