Along with the manual information on the service, there’s an old video which might help the setup.
Duplicati Tutorial 02 Install Duplicati as a Service (specifics might be outdated, or maybe debated)
Also:
[SOLVED] Is it ok that I see 5 processes of Duplicati in Windows Task manager?
image at top is similar to what your Task Manager would show for SYSTEM service and a user
running TrayIcon (preferably in --no-hosted-server mode, otherwise you’ll have two servers).
Your separation aim makes setup a bit more complicated, but I’m not sure I totally understand it especially when a VM is thrown into the mix. Are you trying to give VM user access to host disk, controlled by ACLs? For a file-level backup of files inside VM, Duplicati must run there, but a file destination would need to be accessible by Duplicati. You can go to a network destination where
network is between the VM and its host. That would mean malware in the VM would need to find equivalent access in order to destroy backup. It’s possible, but less risky than open file access…
How to protect network-based backups is discussed in many other topics with no perfect answer.
EDIT:
While Windows can run a variety of network servers, perhaps you could consider access by SMB, basically continuing with your current username and password scheme, but using as it’s intended, however I’m not well equipped to solve issues if any arise, and I’m not sure how separation works.
I think things like drive letter mappings are per user login session, however Duplicati started as the
user at their login probably shares their login session. Duplicati run as service would probably not, however SMB from a service is sometimes difficult because it’s not quite a normal user situatation.