Setting Up Veeam Backup Enterprise Manager
- What Enterprise Manager Actually Does
- Do You Actually Need It?
- Requirements and Sizing
- Deployment Options: Windows vs Linux VSA
- Installing on Windows
- Installing on Linux (VSA)
- Connecting Backup Servers
- Roles, Accounts, and Restore Scope
- SAML Authentication
- Key Management Setup
- Notifications and Reporting
- Upgrading from v12
What Enterprise Manager Actually Does
Veeam Backup Enterprise Manager is the federation layer for multi-server VBR deployments. If you have a single backup server protecting one site, you do not need it. If you have two or more backup servers - or if you need centralized RBAC, self-service restore for application teams, password loss protection, or centralized licensing visibility - Enterprise Manager is what ties everything together.
At its core, EM does five things. It federates multiple VBR servers under a single web UI so you can see job status, restore points, and infrastructure health across all of them from one place. It provides role-based access control with restore scope limiting - you can give a SQL DBA the ability to restore files from their own VMs without being able to touch anything else. It hosts the encryption key management infrastructure that backs password loss protection. It provides centralized license management and usage reporting, which matters if you are reporting to a customer or managing VUL consumption across a distributed environment. And in v13 it exposes a REST API that allows programmatic management of jobs, restore operations, and encryption passwords across all connected backup servers.
Do You Actually Need It?
Run Enterprise Manager if any of these apply to your environment: you have more than one VBR backup server, you need to delegate restore rights to non-admin users, you have job-level encryption enabled and want password loss protection, you need SAML-based SSO for the backup management web UI, or you need centralized license reporting across sites.
Skip it if you have a single backup server with no delegation requirements and you are managing encryption passwords manually with no recovery need. EM adds infrastructure overhead - another server to maintain, patch, and back up. Only run it when the operational value outweighs that overhead.
Enterprise Manager is an optional component. It is not required to run VBR. But once you enable job-level encryption on any backup server that is connected to EM, those encrypted backups get password loss protection automatically via the EM public key. If you later disconnect from EM or shut it down without exporting keysets, you lose the recovery path for those backups. Plan EM deployment and continuity before you start encrypting jobs at scale.
Requirements and Sizing
The hardware requirements for Enterprise Manager are not heavy, but they are not trivial either. The numbers below are from the official v13 system requirements documentation.
| Component | Requirement |
|---|---|
| CPU | x86-64 processor |
| RAM (Windows install) | 8 GB minimum |
| RAM (Linux VSA) | 16 GB minimum (VSA includes VBR server components) |
| Disk - Windows install | 2 GB for product installation plus sufficient space for guest file system catalog from connected backup servers |
| Disk - Linux VSA | Two disks required: OS/software disk plus a separate data disk. See VSA sizing docs for exact data disk sizing based on retention policy. |
| Network to backup servers | 1 Mbps minimum. Slow or unstable links degrade EM data collection performance. |
| OS - Windows install | Windows Server 2019, 2022, or 2025. Same supported versions as VBR itself. |
| OS - Linux VSA | Veeam Software Appliance (VSA) - a Veeam-provided Linux appliance image, not a general-purpose Linux OS install. |
| Database - Windows install | PostgreSQL (recommended for v13) or Microsoft SQL Server. Cloud-hosted database services (e.g. Amazon RDS) are not supported. |
| Browser (web UI) | Firefox, Google Chrome, or Microsoft Edge - latest version. |
For Windows deployments, deploy EM on a dedicated VM rather than on the same machine as a VBR backup server. Putting both on the same host creates a single point of failure for both backup operations and the management plane. The VM footprint is small - 2 vCPU and 8 GB RAM covers most environments.
Deployment Options: Windows vs Linux VSA
In v13, Enterprise Manager can run on Windows Server (the traditional deployment path from previous versions) or on the Veeam Software Appliance - the same hardened Linux-based appliance used for VBR itself. This is a new option in v13 and it changes the deployment conversation.
The Windows deployment is the path most teams upgrading from v12 will take. You install the EM setup wizard from the same ISO as VBR, point it at an existing SQL Server or PostgreSQL instance, configure a service account, and it is up in 11 wizard steps. The guest file system catalog data lands on the Windows filesystem. Updates are managed through standard Windows patching and Veeam update mechanisms.
The Linux VSA deployment runs EM on the same hardened appliance base as the v13 VBR Linux installer. You deploy the VSA from ISO or OVA, select Enterprise Manager during setup, and it installs with a minimal attack surface - no unnecessary Windows services, no RDP by default, access via the Host Management Console. The tradeoff is that the VSA image is Veeam-maintained, not a general Linux install you can configure freely, and storage layout requires two separate disks configured during initial setup.
For greenfield v13 deployments where the rest of your VBR infrastructure is already on the Linux VSA, deploying EM on VSA as well is the cleaner choice. For teams upgrading from v12 with an existing Windows-based EM, staying on Windows is perfectly valid - there is no functional difference between the two deployment platforms once EM is running.
You can migrate an existing Windows-based Enterprise Manager deployment to a Linux VSA using the documented migration path at helpcenter.veeam.com/docs/vbr/em/em_migration_windows_to_linux.html. This is a supported operation in v13, not a rebuild-from-scratch scenario. EM configuration, keyset data, and backup server connections all migrate across.
Installing on Windows
The Windows installation wizard runs 11 steps. Here is what to have ready before you start: a service account with local administrator rights on the EM server, a PostgreSQL or SQL Server instance accessible from the EM server, and the Veeam license file if you are installing the license at this point (you can also add it post-install).
Launch, Select Product, Accept License
Mount the Veeam ISO and run the installer. At the component selection screen choose Veeam Backup Enterprise Manager. Accept the license agreements for EM and any prerequisite components that the installer identifies.
Provide License File
Supply your Veeam license file here, or skip and add it later from the EM web UI under Configuration > Licensing. If you are managing VUL consumption centrally through EM, get the license in place before you connect backup servers - EM uses the license to track and report consumption across all connected VBR instances.
Install Missing Software
The wizard checks for prerequisites and installs anything missing. This typically includes Visual C++ Redistributable and Microsoft System CLR Types for SQL Server if using a SQL Server database backend. Both are bundled in the setup package. Let the installer handle these - do not pre-install different versions manually.
Review Default Installation Settings
Check the installation path. The default is C:\Program Files\Veeam\Backup and Replication\Enterprise Manager. If your C: drive is tight, change this now. You cannot move the installation directory post-install without reinstalling.
Specify Service Account
Enter the service account credentials. This account needs local administrator rights on the EM server. Use a dedicated service account - do not use a personal admin account or the built-in Administrator. The account needs to be able to log on as a service, which the installer will configure automatically.
Specify Database Server
Point the wizard at your PostgreSQL or SQL Server instance. For v13, PostgreSQL is the recommended database engine. If you are using an existing SQL Server instance already hosting a VBR configuration database, you can host EM in a separate database on the same instance - just give it a distinct database name. Cloud-hosted database services including Amazon RDS are not supported.
Data Locations and Service Ports
Step 9 sets the location for the guest file system catalog data - the index data pulled from connected backup servers. This directory grows based on how many backup servers are connected and your index retention settings. Put it on a volume with room to grow. Step 10 confirms the service port; the default is 9080 for HTTP and 9443 for HTTPS. Change these only if you have a port conflict - most environments leave them at default.
Begin Installation
Review the summary and click Install. Installation typically takes 5 to 10 minutes. When it completes, access the EM web UI at https://<EM_server>:9443. Log in with the service account credentials or a local administrator account on the EM server.
Installing on Linux (VSA)
The Linux VSA path deploys Enterprise Manager as part of the Veeam Software Appliance, the same hardened image used for the VBR Linux appliance. You can deploy from ISO or OVA. The 10-step wizard runs in a text-based console during initial system configuration, not through a GUI installer.
Mount ISO and Select Product
Mount the Veeam v13 ISO to your VM. Boot from it. At the product selection screen, choose Enterprise Manager. This is the key difference from a standard VSA deployment where you would choose VBR - selecting Enterprise Manager here installs EM on the appliance instead.
Begin Installation and Accept License
Confirm the installation type and accept the license agreements. The installer writes the appliance OS and EM software to the primary disk.
Hostname, Network, and Time
Set the hostname for the EM appliance. This becomes the DNS name your backup servers and administrators will use to reach EM - set it correctly the first time. Review network settings and configure the IP address, subnet, gateway, and DNS. Set the server time zone and NTP source. Time synchronization matters for certificate validity and audit log accuracy.
Host Administrator and Security Officer Accounts
Configure two distinct accounts. The Host Administrator account manages the appliance operating system through the Host Management Console - network settings, updates, OS-level tasks. The Security Officer account has additional privileges for security-sensitive operations within EM. These are separate roles with different access scopes. Do not use the same credentials for both - separating them maintains the security role separation the appliance is designed for.
Finish Configuration
Review the summary and confirm. The appliance finalizes setup and boots into the running EM service. Access the Host Management Console at the IP you set during network configuration. Access the EM web UI at https://<EM_hostname>:9443.
The VSA deployment requires two separate disks configured before installation - one for the OS and software, one for data (catalog index, database). If you deploy from OVA, review the OVA configuration before powering on and ensure the second disk is attached with adequate capacity. Trying to add the data disk after initial configuration is completed requires a reinstall.
Connecting Backup Servers
Once EM is installed, the first configuration task is connecting your VBR backup servers. In the EM web UI, go to Configuration > Backup Servers and click Add. Enter the backup server hostname or IP, credentials, and click Connect.
EM establishes a TLS connection to the backup server and begins pulling data. The initial data collection pull can take several minutes for large environments with many jobs and restore points. You can monitor collection progress from the backup server entry in the EM console.
Each backup server you add gets a server role configured. The available roles are Standard (full management access from EM), and options to scope what EM can see and manage on that server. For most deployments, leave the default role in place. Role scoping matters in multi-tenant or managed service scenarios where you want EM to federate servers but limit which jobs and data are visible to specific EM user accounts.
EM and the VBR backup server must be running the same major version. You cannot connect a v12 backup server to a v13 Enterprise Manager or vice versa. In mixed-version environments during an upgrade rollout, plan the EM upgrade first, then upgrade backup servers. EM is always upgraded before the backup servers it manages.
Roles, Accounts, and Restore Scope
Enterprise Manager has four built-in roles. The Portal Administrator has full access to all EM functionality including configuration, job management, and user administration. The Portal User can view backup infrastructure and initiate restore operations within their assigned restore scope. The Restore Operator is a read-only role focused specifically on restore operations. The Portal Reporter has read-only access to dashboards and reports.
The restore scope is the part of this configuration that matters most for day-to-day operations. When you assign a user the Portal User role, you also define their restore scope - which VMs, which machines, or which folders they are permitted to restore from. A SQL DBA can have restore access scoped to their specific VMs only, with no visibility into other backup data. This is the feature that makes self-service restore viable in environments where you cannot give application teams full Veeam console access.
Configure accounts and roles under Configuration > Roles and Users. Add the Active Directory user or group, assign the role, and then define the restore scope. The restore scope can be specified by vCenter folder, resource pool, host, VM name, or by individual VM selection across all connected backup servers.
For file-level restore and application item restore (SQL, Exchange, SharePoint), additional permissions beyond the basic role assignment are required. Specifically, you need to configure which file system paths and application objects the user can restore from. This is configured separately from the VM-level restore scope under Configuration > Roles and Users > <user> > File and Application Item Restore Permissions.
SAML Authentication
Enterprise Manager supports SAML 2.0 for single sign-on through an external identity provider. In v13 the documented IdP path is Active Directory Federation Services (AD FS), but any SAML 2.0-compliant IdP works with the same configuration pattern.
To configure SAML, go to Configuration > SAML Authentication. Download the EM service provider metadata XML from that page and import it into your IdP to register EM as a trusted service provider. Then take the IdP metadata XML and import it back into EM. Once both sides are configured and the SAML handshake is tested, users can authenticate to the EM web UI via their IdP credentials rather than local EM accounts.
SAML authentication in EM applies to the web UI only. The EM REST API uses token-based authentication separate from SAML. If you are integrating EM into an automation pipeline via the REST API, configure API credentials independently of any SAML setup.
Key Management Setup
If you covered the encryption article in this series, you already know the role Enterprise Manager plays in password loss protection. This section covers the EM-side configuration tasks specifically.
When EM is first installed, it generates an initial encryption keyset. This keyset consists of a public/private key pair. The public key is distributed to all connected backup servers and embedded in encrypted backup files, enabling password loss recovery. The private key stays on the EM server.
The key management workflow lives under Configuration > Key Management. From there you can generate new keysets, activate a keyset (making it the current public key pushed to backup servers), set retention for old keysets, and export keysets to a file for offsite storage.
Verify the Active Keyset
After connecting your backup servers, confirm there is an active keyset under Configuration > Key Management. If EM was freshly installed, an initial keyset was auto-generated. Check its status - it should show as Active. If no active keyset exists, generate one and activate it before any encrypted jobs run.
Export the Active Keyset
Select the active keyset and click Export. Set a password to protect the export file - this password is required to import the keyset for recovery. Store the exported file somewhere separate from the EM server. A hardware security module, encrypted offline media, or a separate secrets vault are all appropriate. A file share on the same datacenter network is not.
Configure Keyset Retention
Under Configuration > Key Management, set the retention period for inactive keysets. Old keysets must be retained long enough to cover all backup chains that were encrypted while that keyset was active. If your backup retention is 90 days, retain old keysets for at least 90 days past the date you activated a replacement. Deleting an old keyset before all backups encrypted under it have expired means those backups lose their password recovery path.
Back up Enterprise Manager itself. The EM configuration backup contains the keyset data and all configuration. If you lose the EM server and have no backup - and no exported keyset - you lose the ability to recover encrypted backups via password loss protection. EM configuration backups should be encrypted and stored separately from the EM server. Treat the EM configuration backup password with the same care as your most critical recovery credential.
Notifications and Reporting
Enterprise Manager's notification system covers job results, restore operations, licensing thresholds, key management events, and update availability. Configure the mail server under Configuration > Notifications > Mail Server Settings. EM supports SMTP with basic authentication, Microsoft 365 OAuth (requiring an Azure app registration), and Google Workspace OAuth (requiring a Google Cloud Console app registration).
Once the mail server is configured, enable the notification categories relevant to your environment. At minimum, enable notifications for job failures and license alerts. If you are using EM for encryption key management, enable key management notifications - these alert you when a keyset is nearing expiry or when a password recovery request is submitted by a connected backup server.
For reporting, the EM dashboard provides a real-time view of job status and infrastructure health across all connected backup servers. Reports can be exported to PDF or Microsoft Excel from the Reports tab. The audit report under Configuration > Backup Servers > Audit Reports logs all operations performed through EM including restore initiations, job modifications, and configuration changes - this is the audit trail most compliance frameworks will ask for.
Upgrading from v12
If you are running Enterprise Manager v12 on Windows and upgrading to v13, the upgrade wizard handles the migration in 7 steps. The prerequisites are that your VBR backup servers are already upgraded to v13 (or at minimum v12.3.1 build 12.3.1.1139 before starting the EM upgrade), and that the EM server OS is on a supported Windows Server version.
Before starting the upgrade, export your active keyset and confirm you have a current EM configuration backup. These are the two recovery assets that cannot be recreated if something goes wrong mid-upgrade.
Run the upgrade wizard from the v13 ISO. It detects the existing v12 EM installation, steps through license acceptance and prerequisite checks, then upgrades the EM software in place. Configuration, keyset data, backup server connections, roles and accounts, and SAML settings all carry over. No manual reconfiguration is needed post-upgrade in a standard upgrade scenario.
Upgrade Enterprise Manager before upgrading the VBR backup servers it manages. EM must be the same version or newer than the connected backup servers. If you upgrade backup servers first and they report into an older EM, EM will have compatibility issues collecting data from those servers until EM is also upgraded.
If you want to migrate from a v12 Windows EM to a v13 Linux VSA deployment, the documented path is to upgrade the Windows EM to v13 first, then use the Windows-to-Linux migration procedure. You cannot migrate directly from v12 to a v13 VSA in a single step.
- Installed Veeam Backup Enterprise Manager on Windows (11-step wizard) or Linux VSA (10-step wizard)
- Connected backup servers and confirmed initial data collection
- Configured roles and accounts with restore scope for delegated self-service restore
- Set up SAML authentication for SSO integration with your identity provider
- Verified the active encryption keyset and exported it to a secure offsite location
- Configured keyset retention to cover all active backup chain lifespans
- Enabled notifications for job failures, license alerts, and key management events
- Confirmed EM itself is being backed up with an encrypted configuration backup
Enterprise Manager is infrastructure that most people set up once and then mostly forget about - right up until they need it. The two moments it becomes critical are when a delegated user needs to restore something without waiting for the backup admin, and when an encryption password is lost and someone needs to recover data. Both of those scenarios require EM to be healthy, connected, and holding a valid keyset. Getting the installation right matters less than getting the ongoing maintenance right: back EM up, export keysets regularly, and treat it like the critical piece of recovery infrastructure that it is.