Operational Defect Database
BugZero found this defect 563 days ago.
Data sources
All data on this page is proprietary to BugZero® or gathered from public sources
Veeam | kb4376
Access to Hyper-V or Veeam B&R Components Fails After DCOM Hardening is Enabled
Last update date:
12/14/2023
Affected products:
Veeam Backup & Replication
Veeam ONE
Veeam Agent for Microsoft Windows
Veeam Management Pack for Microsoft System Center
Veeam Recovery Orchestrator
Affected releases:
ALL
Fixed releases:
No fixed releases provided.
Description:
Challenge
After June 14, 2022, DCOM connections to Hyper-V, Veeam Backup & Replication, and other Windows-based servers may be impacted by the DCOM hardening policy activated after the deployment of the Microsoft CVE-2021-26414 security update. Below are examples of errors that may be shown by Veeam products affected by this: This list of examples errors is not exhaustive, others may exist. It is critical to focus on checking for Windows Event ID 10036. Veeam Backup & Replication — operations involving Hyper-V infrastructure may fail with the error: Failed to call RPC function 'HviCreateVmRecoverySnapshot' Failed to connect to cluster <clustername> Failed to create Hyper-V Cluster Wmi utils: Access denied or timeout expired. Check if you have local administrator privileges on computer '<clustername>'. Possible reason: Specified host is not a cluster node. Failed to connect to host vmhost2 Access denied or timeout expired. Check if you have local administrator privileges on computer '<hostname>'. Possible reasons: 1. Invalid credentials. 2. Specified host is not a Hyper-V server.
Cause
The situation is caused by the Microsoft Windows DCOM connections hardening. Shown below is Microsoft's timeline for deployment of this new hardening policy.
Solution
All Veeam products are ready for this DCOM change and use Packet Integrity DCOM authentication; the underlying Windows OS must be updated to support this change. To resolve these issues, ensure all Windows-based servers have installed the DCOM Hardening update. See the list at the bottom of this article: KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414). The updates listed on that page may have been rolled in to future updates, check Windows DCOM Server Security Feature Bypass CVE-2021-26414 for more information. Notes: These updates may be listed as optional and may have been ignored by Windows or WSUS systems. In such a situation, the update must be deployed manually. This issue may affect older Windows operating system, but the update to resolve the issue may not be available without ESU. For environments where Veeam Backup & Replication was deployed on an older operating system no longer supported by the latest version of Veeam Backup & Replication (e.g., Server 2008 R2), please review: KB1803: How to Upgrade Legacy Veeam Backup Server
