Challenge

Cause

Solution

To resolve the issue, apply the hotfix as follows:

1. Download the hotfix.
2. Stop the Veeam Agent for Microsoft Windows service (VeeamEndpointBackupSvc) and exit the Veeam Agent tray application.
3. Rename the following files: 
   • C:\program files\Veeam\Endpoint Backup\Veeam.Backup.Core.dll into Veeam.Backup.Core_old.dll
   • C:\program files\Veeam\Endpoint Backup\x86\VeeamAgent.exe into VeeamAgent_old.exe
   • C:\program files\Veeam\Endpoint Backup\x64\VeeamAgent.exe into VeeamAgent_old.exe
4. Go to the folder where the downloaded hotfix is located (step 1).
5. Copy the files from the hotfix archive to the C:\program files\Veeam\Endpoint Backup. 
   • If you are working with the x64 OS, copy the Veeam.Backup.Core.dll file and all files from the ForX64OS folder.
   • If you are working with the x86 OS, copy the Veeam.Backup.Core.dll file and all files from the ForX86OS folder.
6. Start the Veeam Agent for Microsoft Windows service (VeeamEndpointBackupSvc) and the Veeam Agent tray application.

More Information

[[DOWNLOAD|DOWNLOAD HOTFIX|https://veeam.com/download_add_packs/backup-agent-windows/kb3139]]

MD5: 932fd6a11e3e6af71b3b0866587b1549
SHA-1: 4c59bd38f550d0a02b639f0d41a951ed5c802ead

Challenge

Solution

1. Open the command prompt using local admin account and navigate to the directory with the Veeam.Backup.Service.exe file:

   cd "C:\Program Files\Veeam\Backup and Replication\Backup

2. Execute this command to change installation ID and database instance UID of the backup server:

   Veeam.Backup.Service.exe /newInstallationId

More Information

Challenge

Cause

What’s New:

• Alarm for detecting unsupported Veeam Backup & Replication server configurations.

Enhancements:

Usage Reporting

• Usage reporting data for Veeam Backup & Replication servers v9.5 U4 located in time zones with more than 8 hours difference is now included in the report with the auto-approve function. 

Backup reporting

• Reports generation performance has been improved. 

Monitoring

• “Management agent connection” alarm is not triggered when a Cloud Connect server is rebooted. 

Management Agent

• Authentication between management agents and Veeam Service Provider Console has been improved. 

RESTful APIs v3

• Date format in "/licensing/reports/" GET request has been changed to “yyyy-MM”.  
• Report generation parameters have been simplified for licensing/reports/ methods: report interval is used instead of report generation date.

 
Resolved issues:

• "Protected computers" and "Protected VMs" widgets in the Overview tab do not account for the default RPO period of 30 days.  
• Filtering by company/reseller name does not work on the Failover Plans tab. 
• When using “Select All” checkbox on the Backup Jobs -> Computers tab, job actions are applied to all managed Agents regardless of selected filters. 
• Under certain conditions, the "Unrecognized Guid format" error message is displayed on the Companies tab.
• Under certain conditions, “Object reference not set to an instance of an object” error message is displayed on the Backup Jobs tab. 

• Under certain conditions, the Veeam Service Provider Console service fails to start. 

• If a company is removed from the configuration, error message “Usage data for sites <Site name> was not included in this report due to a data collection failure. Please collect usage details and report correct numbers manually in order to stay compliant with licensing rules.” is displayed in the usage report. 
• Usage Report generation fails if there are several Veeam Backup & Replication servers with the same installation ID. 
• Usage Report shows incorrect data if there are several Veeam Backup & Replication servers with the same database instance ID. 
• Usage Report always shows “Standard” license edition when using Veeam Backup Enterprise Manager.

• “Immediate backup copy job state” alarm is triggered for deleted VMs.
• “Workstation/Server agent backups stored in cloud repository” alarms may be triggered incorrectly. Veeam Backup & Replication v10 CP2 installation is required.

• Manually created invoices are sent to managed companies automatically, even if scheduling is disabled. 

• Under certain conditions, /v2/backupRepositories get method returns incorrect "freeSpace" data.
• /v2/backupRepositories get method can take a considerable amount of time for execution.
• /v2/failoverPlans get method fails with “Object reference not set to an instance of an object” error message. 

• Limit/offset parameters are not working correctly for /protectedWorkloads/virtualMachines get request.

• Description for retention and database clean-up events is missing.

• When using Custom Fields in ConnectWise Manage, billing synchronization fails with “Addition object is invalid” error message. 

• Under certain conditions, ConnectWise Automate plugin status is switching from  “Healthy” to “Error” state.

Solution

1. Back up the VSPC database.
2. Execute VSPC.ApplicationServer.x64_4.0.0.4911.msp as administrator on the VSPC server, or run this cmdlet as administrator:

   msiexec /update c:\VSPC.ApplicationServer.x64_4.0.0.4911.msp /l*v C:\ProgramData\Veeam\Setup\Temp\VSPCApplicationServerSetup.txt

3. Execute VSPC.WebUI.x64_4.0.0.4911.msp as administrator on the VSPC UI (IIS) server, or run this cmdlet as administrator:

   msiexec /update c:\VSPC.WebUI.x64_4.0.0.4911.msp /l*v C:\ProgramData\Veeam\Setup\Temp\VSPCWebUI.txt

4. Execute VSPC.ConnectorService.x64_4.0.0.4911.msp  as administrator on the VSPC server, or run this cmdlet as administrator:

   msiexec /update c:\VSPC.ConnectorService.x64_4.0.0.4911.msp > /l*v C:\ProgramData\Veeam\Setup\Temp\ConnectorService.txt

More Information

Challenge

Solution

1. Use the following JSON to create an IAM Policy using the following instructions from the How to create IAM Policy article. These permissions will allow Veeam Backup for AWS service to perform operations required:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "ssm:SendCommand",
                   "ssm:GetCommandInvocation",
                   "sqs:ListQueues",
                   "sqs:CreateQueue",
                   "sqs:SetQueueAttributes",
                   "sqs:ReceiveMessage",
                   "sqs:DeleteMessage",
                   "sqs:DeleteQueue",
                   "ec2:DescribeRegions",
                   "ec2:DescribeAccountAttributes",
                   "ec2:DescribeAvailabilityZones",
                   "ec2:DescribeRouteTables",
                   "ec2:DescribeSecurityGroups",
                   "ec2:DescribeVpcs",
                   "ec2:DescribeVpcEndpoints",
                   "ec2:DescribeSubnets",
                   "ec2:DescribeInstances",
                   "ec2:DescribeInstanceAttribute",
                   "ec2:RunInstances",
                   "ec2:StopInstances",
                   "ec2:TerminateInstances",
                   "ec2:ModifyInstanceAttribute",
                   "ec2:DescribeKeyPairs",
                   "ec2:CreateKeyPair",
                   "ec2:DeleteKeyPair",
                   "ec2:DescribeVolumes",
                   "ec2:CreateVolume",
                   "ec2:AttachVolume",
                   "ec2:DetachVolume",
                   "ec2:DeleteVolume",
                   "ec2:DescribeSnapshots",
                   "ec2:CreateSnapshot",
                   "ec2:CreateSnapshots",
                   "ec2:DeleteSnapshot",
                   "ec2:ModifySnapshotAttribute",
                   "ec2:CreateTags",
                   "ec2:DescribeImages",
                   "iam:CreateRole",
                   "iam:DeleteRole",
                   "iam:CreateInstanceProfile",
                   "iam:ListAttachedRolePolicies",
                   "iam:ListInstanceProfilesForRole",
                   "iam:AddRoleToInstanceProfile",
                   "iam:RemoveRoleFromInstanceProfile",
                   "iam:AttachRolePolicy",
                   "iam:PutRolePolicy",
                   "iam:PassRole",
                   "iam:DetachRolePolicy",
                   "iam:DeleteRolePolicy",
                   "iam:ListRolePolicies",
                   "iam:DeleteInstanceProfile",
                   "iam:GetRole",
                   "iam:GetInstanceProfile",
                   "ebs:ListChangedBlocks",
                   "ebs:ListSnapshotBlocks",
                   "kms:ListKeys",
                   "kms:ListAliases",
                   "kms:GetKeyPolicy",
                   "kms:ReEncryptTo",
                   "kms:ReEncryptFrom",
                   "kms:DescribeKey",
                   "ec2:GetEbsDefaultKmsKeyId",
                   "kms:CreateGrant",
                   "servicequotas:ListServiceQuotas",
                   "ec2:DescribeTags",
                   "ec2:DescribeInstanceStatus",
                   "ec2:StartInstances",
                   "sqs:SendMessage",
                   "sts:GetSessionToken",
                   "ebs:ListChangedBlocks",
                   "ebs:ListSnapshotBlocks",
                   "ec2:DescribeVolumeAttribute",
   		"iam:GetContextKeysForPrincipalPolicy",
   		"iam:SimulatePrincipalPolicy"
               ],
               "Resource": "*"
           }
       ]
   }

2. Navigate to Roles.
3. Choose Create role.
4. Select the type of the trusted entity Another AWS Account.
5. In the Account ID field, enter the ID of your Backup Account (you can get this number in the AWS console of the Backup Account, in My Account located in the top-right menu).
6. Select the Require external ID checkbox and enter a pass phrase to raise the level of security for the role.
7. Click Next: Permissions.
8. In the filter policies search box, enter the name of the policy created in the Step 1.
9. In the first column, select the policy.
10. Click Next: Tags.
11. Enter tagging info if needed and click Next: Review.
12. Assign a name to the IAM Role. This name will be used in Veeam Backup for AWS (e.g. vb4aws_workers_role).
13. Click Create role.
14. Once the role is created, you will be able to see it in the list of available roles.

Challenge

Cause

Solution

To resolve the issue, apply the hotfix as follows:

1. Download the hotfix.
2. Stop the Veeam Agent for Microsoft Windows service (VeeamEndpointBackupSvc) and exit the Veeam Agent tray application.
3. Rename the following files: 
   • C:\program files\Veeam\Endpoint Backup\Veeam.Backup.Core.dll into Veeam.Backup.Core_old.dll
   • C:\program files\Veeam\Endpoint Backup\x86\VeeamAgent.exe into VeeamAgent_old.exe
   • C:\program files\Veeam\Endpoint Backup\x64\VeeamAgent.exe into VeeamAgent_old.exe
4. Go to the folder where the downloaded hotfix is located (step 1).
5. Copy the files from the hotfix archive to the C:\program files\Veeam\Endpoint Backup. 
   • If you are working with the x64 OS, copy the Veeam.Backup.Core.dll file and all files from the ForX64OS folder.
   • If you are working with the x86 OS, copy the Veeam.Backup.Core.dll file and all files from the ForX86OS folder.
6. Start the Veeam Agent for Microsoft Windows service (VeeamEndpointBackupSvc) and the Veeam Agent tray application.

More Information

[[DOWNLOAD|DOWNLOAD HOTFIX|https://veeam.com/download_add_packs/backup-agent-windows/kb3139]]

MD5: 932fd6a11e3e6af71b3b0866587b1549
SHA-1: 4c59bd38f550d0a02b639f0d41a951ed5c802ead

Challenge

Solution

1. Open the command prompt using local admin account and navigate to the directory with the Veeam.Backup.Service.exe file:

   cd "C:\Program Files\Veeam\Backup and Replication\Backup

2. Execute this command to change installation ID and database instance UID of the backup server:

   Veeam.Backup.Service.exe /newInstallationId

More Information

Challenge

Cause

What’s New:

• Alarm for detecting unsupported Veeam Backup & Replication server configurations.

Enhancements:

Usage Reporting

• Usage reporting data for Veeam Backup & Replication servers v9.5 U4 located in time zones with more than 8 hours difference is now included in the report with the auto-approve function. 

Backup reporting

• Reports generation performance has been improved. 

Monitoring

• “Management agent connection” alarm is not triggered when a Cloud Connect server is rebooted. 

Management Agent

• Authentication between management agents and Veeam Service Provider Console has been improved. 

RESTful APIs v3

• Date format in "/licensing/reports/" GET request has been changed to “yyyy-MM”.  
• Report generation parameters have been simplified for licensing/reports/ methods: report interval is used instead of report generation date.

 
Resolved issues:

• "Protected computers" and "Protected VMs" widgets in the Overview tab do not account for the default RPO period of 30 days.  
• Filtering by company/reseller name does not work on the Failover Plans tab. 
• When using “Select All” checkbox on the Backup Jobs -> Computers tab, job actions are applied to all managed Agents regardless of selected filters. 
• Under certain conditions, the "Unrecognized Guid format" error message is displayed on the Companies tab.
• Under certain conditions, “Object reference not set to an instance of an object” error message is displayed on the Backup Jobs tab. 

• Under certain conditions, the Veeam Service Provider Console service fails to start. 

• If a company is removed from the configuration, error message “Usage data for sites <Site name> was not included in this report due to a data collection failure. Please collect usage details and report correct numbers manually in order to stay compliant with licensing rules.” is displayed in the usage report. 
• Usage Report generation fails if there are several Veeam Backup & Replication servers with the same installation ID. 
• Usage Report shows incorrect data if there are several Veeam Backup & Replication servers with the same database instance ID. 
• Usage Report always shows “Standard” license edition when using Veeam Backup Enterprise Manager.

• “Immediate backup copy job state” alarm is triggered for deleted VMs.
• “Workstation/Server agent backups stored in cloud repository” alarms may be triggered incorrectly. Veeam Backup & Replication v10 CP2 installation is required.

• Manually created invoices are sent to managed companies automatically, even if scheduling is disabled. 

• Under certain conditions, /v2/backupRepositories get method returns incorrect "freeSpace" data.
• /v2/backupRepositories get method can take a considerable amount of time for execution.
• /v2/failoverPlans get method fails with “Object reference not set to an instance of an object” error message. 

• Limit/offset parameters are not working correctly for /protectedWorkloads/virtualMachines get request.

• Description for retention and database clean-up events is missing.

• When using Custom Fields in ConnectWise Manage, billing synchronization fails with “Addition object is invalid” error message. 

• Under certain conditions, ConnectWise Automate plugin status is switching from  “Healthy” to “Error” state.

Solution

1. Back up the VSPC database.
2. Execute VSPC.ApplicationServer.x64_4.0.0.4911.msp as administrator on the VSPC server, or run this cmdlet as administrator:

   msiexec /update c:\VSPC.ApplicationServer.x64_4.0.0.4911.msp /l*v C:\ProgramData\Veeam\Setup\Temp\VSPCApplicationServerSetup.txt

3. Execute VSPC.WebUI.x64_4.0.0.4911.msp as administrator on the VSPC UI (IIS) server, or run this cmdlet as administrator:

   msiexec /update c:\VSPC.WebUI.x64_4.0.0.4911.msp /l*v C:\ProgramData\Veeam\Setup\Temp\VSPCWebUI.txt

4. Execute VSPC.ConnectorService.x64_4.0.0.4911.msp  as administrator on the VSPC server, or run this cmdlet as administrator:

   msiexec /update c:\VSPC.ConnectorService.x64_4.0.0.4911.msp > /l*v C:\ProgramData\Veeam\Setup\Temp\ConnectorService.txt

More Information

Challenge

Cause

Solution

To resolve the issue, apply the hotfix as follows:

1. Download the hotfix.
2. Stop the Veeam Agent for Microsoft Windows service (VeeamEndpointBackupSvc) and exit the Veeam Agent tray application.
3. Rename the following files: 
   • C:\program files\Veeam\Endpoint Backup\Veeam.Backup.Core.dll into Veeam.Backup.Core_old.dll
   • C:\program files\Veeam\Endpoint Backup\x86\VeeamAgent.exe into VeeamAgent_old.exe
   • C:\program files\Veeam\Endpoint Backup\x64\VeeamAgent.exe into VeeamAgent_old.exe
4. Go to the folder where the downloaded hotfix is located (step 1).
5. Copy the files from the hotfix archive to the C:\program files\Veeam\Endpoint Backup. 
   • If you are working with the x64 OS, copy the Veeam.Backup.Core.dll file and all files from the ForX64OS folder.
   • If you are working with the x86 OS, copy the Veeam.Backup.Core.dll file and all files from the ForX86OS folder.
6. Start the Veeam Agent for Microsoft Windows service (VeeamEndpointBackupSvc) and the Veeam Agent tray application.

More Information

[[DOWNLOAD|DOWNLOAD HOTFIX|https://veeam.com/download_add_packs/backup-agent-windows/kb3139]]

MD5: 932fd6a11e3e6af71b3b0866587b1549
SHA-1: 4c59bd38f550d0a02b639f0d41a951ed5c802ead

Challenge

This KB article provides a list of all versions of Veeam Backup & Replication and the respective build numbers.


The latest version of Veeam Backup & Replication can always be found at https://www.veeam.com/download-version.html

Solution

The following table lists Veeam Backup & Replication versions and their build numbers. Also provided is a link to the specific version release notes.

Challenge

Cause

Solution

To resolve the issue, apply the hotfix as follows:

1. Download the hotfix.
2. Stop the Veeam Agent for Microsoft Windows service (VeeamEndpointBackupSvc) and exit the Veeam Agent tray application.
3. Rename the following files: 
   • C:\program files\Veeam\Endpoint Backup\Veeam.Backup.Core.dll into Veeam.Backup.Core_old.dll
   • C:\program files\Veeam\Endpoint Backup\x86\VeeamAgent.exe into VeeamAgent_old.exe
   • C:\program files\Veeam\Endpoint Backup\x64\VeeamAgent.exe into VeeamAgent_old.exe
4. Go to the folder where the downloaded hotfix is located (step 1).
5. Copy the files from the hotfix archive to the C:\program files\Veeam\Endpoint Backup. 
   • If you are working with the x64 OS, copy the Veeam.Backup.Core.dll file and all files from the ForX64OS folder.
   • If you are working with the x86 OS, copy the Veeam.Backup.Core.dll file and all files from the ForX86OS folder.
6. Start the Veeam Agent for Microsoft Windows service (VeeamEndpointBackupSvc) and the Veeam Agent tray application.

More Information

[[DOWNLOAD|DOWNLOAD HOTFIX|https://veeam.com/download_add_packs/backup-agent-windows/kb3139]]

MD5: 932fd6a11e3e6af71b3b0866587b1549
SHA-1: 4c59bd38f550d0a02b639f0d41a951ed5c802ead

Challenge

This KB article provides a list of all versions of Veeam Backup & Replication and the respective build numbers.


The latest version of Veeam Backup & Replication can always be found at https://www.veeam.com/download-version.html

Solution

The following table lists Veeam Backup & Replication versions and their build numbers. Also provided is a link to the specific version release notes.

Challenge

Cause

Solution

• Additional Hypervisor support vSphere 6.7. VMware vSphere 4.0 and later (including vSphere 6, vSphere 6.5, vSphere 6.7, vSphere 6.7 U1, vSphere 6.7 U2 and vSphere 6.7 U3) 
• Monitoring SQL Transaction Log Backup Job. Veeam MP separately monitors SQL Transaction Log Backup jobs running inside backup jobs with the enabled application-aware processing option. For this purpose, Veeam MP includes a new Veeam SQL Transaction Log Backup Jobs view and Veeam Backup: SQL Transaction Log Job Status monitor.
• Improved performance of Morning Coffee Dashboards. In previous versions, Morning Coffee Dashboards tended to load slowly for large-scale environments. In Veeam MP 8.0 Update 6, the performance of Morning Coffee Dashboards has been significantly improved.
• A new metric for Veeam VMware Collector. Due to the Ops Mgr Health Service (Monitoring Agent Service) limitations that appear when a Veeam VMware Collector processes a large amount of data, it is required to distribute monitoring load among multiple Veeam VMware Collectors in large environments. To assess the monitoring load on Veeam VMware Collectors more precisely, Veeam MP provides a new % Object Monitoring Load metric.

• No monitoring for Hyper-V hosts that exceeded the license limit. Veeam MP license limits the number of Hyper-V hosts enabled for monitoring in Ops Mgr. Earlier, if the number of licensed Hyper-V hosts was exceeded and new hosts were added to the Ops Mgr infrastructure, Ops Mgr automatically stopped monitoring the old infrastructure and started monitoring the newly added hosts. In Veeam MP 8.0 Update 6, the issue was resolved, and Ops Mgr continues monitoring the old infrastructure.
• Ops Mgr event log shows excessive BackupCopyJobSessionFinished events. In previous versions, the Ops Mgr event log contained a large number of 3101 events caused by errors in the backup copy job status collection process. In Veeam MP 8.0 Update 6, the issue was resolved.

• Collector Autodeploy limitations. If you use the Collector Auto-Deployment feature to automatically deploy Veeam VMware Collectors on Management Servers, keep in mind that it will install clear 8.0 version without patches. When the installation completes, run the ISO\Update\VeeamMP80_Update6.exe installation file on each Veeam Collector to install patches.  
• Veeam MP for Hyper-V stops collecting storage metrics. If storage migrates to another volume, the storage performance collection will halt and Veeam MP will stop collecting the following metrics: Storage IOPS, Storage KB Total/sec, Storage Flush Count and Storage Error Count. Note that this issue does not affect migration between hosts. To work around the issue, restart the Ops Mgr agent after storage migration.

More Information

Challenge

Cause

When adding an Organization there are 11 Verification checks that happen. Below lists each of the verification and what it means if it fails.
Note: Any permissions changes in Office 365 Online may take 15-60 minutes to apply.

1. Connection to Microsoft Graph: This meaning can change based on if you are using Modern authentication or Basic authentication.
    
   • Modern authentication: This would mean that the Application ID and secret failed to authenticate.
     • Make sure the Application ID and Secret were properly entered
     • Check the Application APIs from the "Azure AD Application" section below
     • Try generating a new Application Secret from Azure AD
        
   • Basic authentication: This would mean that your username does not have permissions to authenticate with the Microsoft Graph Online.
     • If your Organization is Federated try creating a new cloud user account from Microsoft Azure AD for authentication.
     • Make sure that the user belongs to the Organization.
     • Check that user has all permissions assigned from the above SharePoint and Exchange section
        
2. Connect to EWS: This is a connection to the Exchange Web Service.
    
   • Modern authentication: This uses a dual authentication leveraging the Application ID and Username.
     • For the Application ID check in Microsoft Azure AD that the correct APIs were assigned as Application and not Delegated.
     • For the Username check Microsoft Exchange Admin center that all permissions have been assigned to the user as documented below.
        
   • Basic authentication:
     • For the Username check Microsoft Exchange Admin center that all permissions have been assigned to the user as documented below.
        
3. Connection to PowerShell: This step checks that we can connect to Exchange Online PowerShell. Only the username is used for this verification. Require AllowBasicAuthPowershell and AllowBasicAuthWebServices to be allowed in the group policy this user is added to.
    
   • In Azure AD check Conditional Access- Polices for anything blocking legacy authentication and make sure the service account is being excluded from these policies: https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies
      
4. Check through PowerShell to see if the policies are allowed for the user:
   • Connect to Exchange Online PowerShell module: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps
   • Next you will run the "Get-AuthenticationPolicy" command. If there is a blank return then there is no policy in place.
   • If the current policy does not have true for AllowBasicAuthPowershell and AllowBasicAuthWebService contact your Domain admins to update the policy with the following Microsoft Document
   • https://docs.microsoft.com/en-us/powershell/module/exchange/organization/set-authenticationpolicy?view=exchange-ps
      
5. Check Exchange plan and SharePoint plan: If either of these fail then your plan cannot automatically identified as Valid. Use the below KB to add the proper plans to your configuration
    
   • Service plan is not found when adding Office 365 organization: https://www.veeam.com/kb2946
      
6. Check Required cmdlets access: related to Exchange Online.
    
7. Check Mailbox Search role: related to Exchange Online.
    
8. Check ApplicationImpersonation role: related to Exchange Online.
    
9. Check that the user has been properly added to the role group with all necessary permissions as shown above in the Exchange section
    
10. Check SharePoint Online Administrators role: This refer the SharePoint Administrator role that you assign to the user in the Admin Center.
     
    • Refer to the SharePoint section above and make sure that the service has the SharePoint Administrator role assigned
       
11. Check LegacyAuthProtocolsEnabled: This is a setting in SharePoint Admin center to enable legacy Authentication.
     
    • Refer to the SharePoint section above to Allow Apps that don't use modern authentication.
    • “Unauthorized” error is thrown by SharePoint Online and/or OneDrive for business backup jobs: https://www.veeam.com/kb2714

Solution

This section will provide details on configuring permissions.

These links can be used to skip to the specific section.

Exchange
SharePoint
User App Password
Azure AD Application

Exchange

 Configuring Permissions for Exchange (on-premises or Online):

• Login to the Exchange Admin Center: https://outlook.office365.com/ecp/
• Select Permissions and add a New Role Group
  
• Create your role Group:
  • Name your role group appropriately (Example: VBO Permissions)
  • Add Roles:
    • ApplicationImpersonation
    • View-Only Configuration
    • View-Only Recipients
    • Mailbox Search
    • Mail Recipients
  • Add the Veeam Service account under Members
  • and Save
    

SharePoint

Configuring Permissions for SharePoint Online

• Add the SharePoint Administrator Role to user In Azure Admin Center: https://admin.microsoft.com/
   
• Select: [Users] > [Active Users] >  Select the Backup Service account
  
  
   
• Allow Apps that don't use modern authentication In the SharePoint Admin Center:
  https://<ORGNAME>-admin.sharepoint.com/
   
• Select: [Access control] > [Apps that don't use modern authentication] > [Allow Access]
  
  
  

User App Password

Configuring user App Password:

• Set up user to leverage Multi Factor Authentication: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx?
   
• Select: [Service account] > [Enable]
  
  
   
• Once the account have been enabled for Multi-factor authorization you will need to sign-in with the service account and follow the steps for configuring Multi Factor authentication.
   
• Generate an application password for the user: https://portal.office.com/account/#security
   
• Select: Additional security verification> Create and manage app password:
  
  
   
• Or Directly to Application Password: https://account.activedirectory.windowsazure.com/AppPasswords.aspx
   
• Select 'Create'
  
  
   
• Name App Password:
  
  
   
• Copy App Password because it will no longer be available once you close the window:
  
  

Azure AD Application

• Register a new App in Azure AD: https://aad.portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade Can also be found under: All services> App Registrations-

• Name the Application, add Redirect URL (URL does not need to be real. Example: "http://localhost/"), and Click Register

• Select API permissions and Add permission. Please keep in mind that all permissions must be added as Application permissions and not Delegated permissions

• First API will be at the top of the page: Microsoft Graph> Application Permissions

• Check Directory.Read.All and Group.Read.All then select Add permissions.
  Directory.Read.All permission is required to read organization and users’ properties. Group.Read.All is required to read groups properties and membership.

• If you’re going to use application certificates, second API will be halfway down the page: SharePoint > Application Permissions

• Check Sites.Fullcontrol.All and User.Read.All. Then select Add permission.
  Sites.Fullcontrol.All is required to read sites content. User.Read.All is required to read user profiles.

• Last API is also required only if using application certificates. It will be at the bottom of the page Under Supported legacy APIs: Exchange> Application Permissions.

• Check full_access_as_app. Then select Add Permission.
  full_access_as_app is required to read mailboxes content.

• After all APIs have been added you will need to Grant consent:

• Select Certificates & secrets and New client Secret

• Add a Description> Choose Expiration> Add

• Copy Secret Value because it will no longer be available once you close the window:

• Locate Application ID: Overview> Application (client) ID

Challenge

• In Surebackup, the Virtual Lab proxy appliance routes network traffic between isolated and production networks.
• In Multi-OS File Level Restore, the proxy appliance mounts virtual machine disks.
• In Cloud Connect Replication, the network extension appliances route traffic between tenant networks and service provider networks.

Solution

• To set the password for Surebackup (Virtual Lab) and Multi-OS FLR appliances, edit the record with the description “Helper appliance credentials”.
• To set the password for network extension appliances, edit the record with the appropriate description: “Tenant-side network extension appliance credentials” or “Provider-side network extension appliance credentials”. Only Cloud Connect Service Providers can set the password for provider-side appliances.

Challenge

• You want to backup or restore instances with encrypted volumes.
• You receive one of the following errors while working with encrypted volumes:

1. Encrypted snapshots with EBS default key cannot be shared
2. The default encryption key in the <name> region of your service account is aws/ebs. Snapshots encrypted with aws/ebs cannot be shared
3. User arn:aws:sts::<AccountId>:role/<RoleName> is not authorized to use resource arn:aws:kms:<RegionName>:<AccountId>:key/<keyID> (Actions: kms:<ActionName>)

Solution

• The set of permissions required for cryptographic operations
• How to allow an IAM Role to use the CMK
• Default Encryption Key of the region and how to change it

The set of permissions required for cryptographic operations

"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:: <accountid>:role/<rolename>"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:: <accountid>:role/<rolename>""
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

How to allow an IAM Role to use the CMK

• Using the AWS Management Console default view
• Using the AWS Management Console policy view

Using the AWS Management Console default view

1. Open the AWS Key Management Service (AWS KMS) console.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. To view the Encryption Keys in your account that you create and manage, in the navigation pane choose Customer managed keys.
4. In the list of CMKs, choose the Alias or Key ID of the CMK that you want to edit
5. To add Key Users, use the controls in the Key users section of the page.

Using the AWS Management Console policy view

1. Open the AWS Key Management Service (AWS KMS) console.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. To view the Encryption Keys in your account that you create and manage, in the navigation pane choose Customer managed keys.
4. In the list of CMKs, choose the Alias or Key ID of the CMK that you want to edit.
5. In the Key Policy section, you might see the Key Policy document. This is Policy View.
   Or, if you created the CMK in the AWS Management Console, you will see the Default View with sections for Key Administrators, Key Deletion, and Key Users. To see the key policy document, choose Switch to policy view.
6. Click Edit to start editing. After making changes, click Save.

Default Encryption Key of the region and how to change it

1. Open the Amazon Console at https://console.aws.amazon.com/ec2/. 
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. Choose EBS Encryption in the Account attributes section.
4. Click Manage and select the new Default Encryption key from the drop-down list.
5. Finish editing by clicking Update EBS Encryption.

Error: Encrypted snapshots with EBS default key cannot be shared

 
Error: The default encryption key in the <name> region of your service account is aws/ebs. Snapshots encrypted with aws/ebs cannot be shared.

Error: User arn:aws:sts::<AccountId>:role/<RoleName> is not authorized to use resource arn:aws:kms:<RegionName>:<AccountId>:key/<keyID> (Actions: kms:<ActionName>)

Challenge

Cause

Solution

• 10 (build 10.0.0.750)
• 9.5 Update 4a (build 9.5.4.4587)

More Information

Challenge

Cause

Solution

• 10 (build 10.0.0.750)
• 9.5 Update 4a (build 9.5.4.4587) 

More Information

Challenge

This KB article was created to document how to create a case with Veeam Support via the customer portal.

Note:  In order to create a support case for Veeam Endpoint Backup, open the application and choose "Support" tab. 

In order to open a new case you must be designated as a Case Administrator. For more information on how to setup Case Administrators review  https://www.veeam.com/kb2211 .

Solution

Any information you can provide regarding the issue you are experiencing could have a significant impact on how fast the issue is diagnosed and resolved. You will be asked to provide the following information:

• Issue description, impact on your system and business operations, issue severity, and the exact text of error messages and diagnostic details.
• Steps to reproduce the problem, known workarounds
• Contact number where you can be reached
• Best time to reach you, and contact method (i.e. email/phone)

1. Go to https://my.veeam.com  (or directly to our customer portal  https://my.veeam.com/#/open-case/step-1 )
2. Enter your credentials and click Sign In

3. Click on "Open Case" button in the menu on the left side. Please note that you must be a Case Administrator or License Administrator to submit a case via the Portal. If you aren't currently a Case Administrator or License Administrator, please follow this guide to learn how to become one for your Account or call us if you have an urgent issue. 
4. Choose a Case Type. Technical is for Break-fix issues or any kind of technical questions related to Veeam products. Licensing covers any licensing or related questions and General Inquiry is for feedback or issues related Veeam websites and services, not products. 
5. On the left side of the page you need to fill in all the required details. Please remember to include the exact error message that is occurring. Screenshots inclusion can often help expedite resolution.

6. After clicking "Next" you will be taken to a page listing several KB articles that may be related to your issue. To continue with case creation, please click "Next" again.
7. On the next page you will be asked to add attachments to your case. It is imperative that you provide diagnostic logs when creating a case so that Veeam Support may best assist you.
   •Select the bucket relative to your region.
   •For cases relating to Veeam Backup & Replication please review this article for details on how to collect logs: https://www.veeam.com/kb1832
   •For cases related to Veeam Agent for Windows please review this article for details on how to collect logs: https://www.veeam.com/kb2404
8. On the last page of case creation you will have an opportunity to review all details provided and provide specific contact details. If you have a direct number you can reached at please consider adding it at this point.

After you have created a case you will be contacted within the time set forth in the SLA agreement for the severity you specified.
Veeam's severity system operates similar to the DEFCON system, lower number=high priority.



To view your Production Licenses or discover what email is assigned as the License Administrator please click here: https://my.veeam.com/#/licenses/production

More Information

Challenge

Cause

Solution

Challenge

Cause

Solution