Cohesity Restore Fails for Encrypted VMs: "Permission to perform this operation is denied"
Article ID: 437939


Products

VMware vSphere ESXi

Issue/Introduction

  • Virtual machine restore operations initiated from Cohesity fail.
  • The Cohesity job logs report the following explicit error message: "Permission to perform this operation is denied."
  • Standard (unencrypted) virtual machines restore successfully to the same vCenter and cluster without any permission errors.
  • The failure is isolated exclusively to virtual machines with encryption enabled.

Environment

  • VMware vCenter Server
  • Cohesity DataProtect
  • Virtual Machines utilizing vSphere VM Encryption

Cause

  • The vCenter role currently assigned to the Cohesity service account has insufficient privileges to handle encrypted workloads.
  • vCenter applies stricter privilege checks to encrypted VMs than to standard VMs. Even if the Cohesity service account holds the basic "Create VM" privileges, vCenter blocks the account from creating an encrypted VM shell or attaching encrypted virtual disks unless it is explicitly granted the relevant Cryptographic Operations privileges. Because these privileges were missing, vCenter denied the API request from Cohesity.

Resolution

To resolve this issue, the vCenter administrator must update the Role-Based Access Control (RBAC) settings for the Cohesity service account to satisfy vCenter's security requirements.
Step-by-Step Instructions:

  • Log in to the vSphere Client as an Administrator.
  • Navigate to Administration > Access Control > Roles.
  • Select the custom role currently assigned to the Cohesity service account and click Edit.
  • Scroll down the privileges list and expand the Cryptographic operations category.
  • Check the boxes to grant the following specific privileges:
      • Encrypt New (the primary missing privilege, required to create the new encrypted VM shell)
      • Add Disk
      • Direct Access
  • Click Save or Finish to apply the updated role.
  • Retry the Cohesity restore job. The account can now provision the encrypted VM shell, allocate the encrypted disks, and complete the restore.
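The same check can be scripted with PowerCLI so the role is audited before anyone clicks through the UI. This is an added example, not part of the article or of Cohesity's or VMware's documentation; it assumes PowerCLI is installed, that $VCenter and $RoleName are placeholders for your environment, and that the privilege IDs used below are the vSphere identifiers for the three UI labels named above (confirm them with Get-VIPrivilege before relying on them).

```powershell
# Added example: audit the Cohesity service-account role for the three Cryptographic
# operations privileges named in the Resolution, and grant only those when asked to.
param(
    [Parameter(Mandatory)] [string] $VCenter,    # placeholder: your vCenter FQDN
    [Parameter(Mandatory)] [string] $RoleName,   # placeholder: role assigned to the Cohesity account
    [switch] $Remediate                          # without this switch the script only reports
)

# UI label -> privilege ID (assumed mapping; verify with Get-VIPrivilege)
$Required = [ordered]@{
    'Cryptographic operations > Encrypt New'   = 'Cryptographer.EncryptNew'
    'Cryptographic operations > Add Disk'      = 'Cryptographer.AddDisk'
    'Cryptographic operations > Direct Access' = 'Cryptographer.Access'
}

Connect-VIServer -Server $VCenter | Out-Null
try {
    $role = Get-VIRole -Name $RoleName -ErrorAction Stop
    $have = (Get-VIPrivilege -Role $role).Id

    $missing = @()
    foreach ($entry in $Required.GetEnumerator()) {
        if ($have -contains $entry.Value) {
            Write-Host ("present : {0} ({1})" -f $entry.Key, $entry.Value)
        } else {
            Write-Warning ("MISSING : {0} ({1})" -f $entry.Key, $entry.Value)
            $missing += $entry.Value
        }
    }

    if ($missing.Count -eq 0) {
        Write-Host "Role '$RoleName' already holds all three privileges; look elsewhere for the restore failure."
    } elseif ($Remediate) {
        # Add only the missing privileges; the role's existing privilege list is left intact.
        $privs = Get-VIPrivilege -Id $missing
        Set-VIRole -Role $role -AddPrivilege $privs -Confirm:$false | Out-Null
        Write-Host "Added $($missing.Count) privilege(s) to '$RoleName'. Retry the Cohesity restore job."
    } else {
        Write-Host "Re-run with -Remediate to add the missing privilege(s) to '$RoleName'."
    }
}
finally {
    Disconnect-VIServer -Server $VCenter -Confirm:$false
}
```

Run it without -Remediate first; the report alone tells you whether this KB applies before any role is changed.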

Additional Information

Reference Document: Cohesity Documentation: VMware Data Protection Requirements