Access to Hyper-V or Veeam B&R Components Fails After DCOM Hardening is Enabled
KB ID: | 4376 |
Product: | Veeam Agent for Microsoft Windows, Veeam ONE, Veeam Backup & Replication, Veeam Management Pack for Microsoft System Center |
Published: | 2022-11-04 |
Last Modified: | 2022-11-04 |
Challenge
After June 8, 2022, DCOM connections to Hyper-V, Veeam Backup & Replication, and other Windows-based servers may be impacted by the DCOM hardening policy activated after the deployment of the Microsoft CVE-2021-26414 security update.
The possibly affected products are:
- Veeam Backup & Replication — operations involving Hyper-V infrastructure may fail with the error:
  Failed to call RPC function 'HviCreateVmRecoverySnapshot'
- Veeam Agent for Microsoft Windows — connection to Hyper-V infrastructure fails with the error:
  Failed to connect to cluster 'CLUSTERNAME.contoso.com'.
- Veeam ONE — connection to Hyper-V and Veeam Backup & Replication infrastructures fails with the error:
  System.UnauthorizedAccessException:'Access denied. (Exception from HRESULT : 0x80070005 (E_ACCESSDENIED))'
Cause
June 8, 2021 | Hardening changes are disabled by default but with the ability to enable them using a registry key. |
June 14, 2022 | Hardening changes are enabled by default but with the ability to disable them using a registry key. |
March 14, 2023 | Hardening changes are enabled with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment. |
Veeam products are ready for this change and use the Packet Integrity DCOM authentication level. However, if the underlying Windows operating systems lack the required security updates, the two ends of a DCOM connection will use different authentication levels, and authentication will fail. For example, one Windows machine may have the hardening changes disabled because it doesn't have the update installed, while the other Windows machine has DCOM hardening enabled because the update is installed.
When these DCOM authentication failures occur, Event ID 10036 will appear, showing the following message:
Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application
Solution
To resolve these issues, ensure that all Windows-based servers have the DCOM Hardening update installed. See the list at the bottom of this article:
Note: These updates may be listed as optional and may have been ignored by Windows or WSUS systems. In such a situation, the update must be deployed manually.
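To locate the machines involved, the following PowerShell (an added example, not part of the original Veeam article) queries the System log on each listed server for event 10036 and groups the hits by rejected client. The host names, the seven-day window, the `Microsoft-Windows-DistributedCOM` provider name, and the `from address` pattern in the message text are assumptions not stated in this article.

```powershell
# Added example. Host names below are placeholders, not values from this article.
$Servers = @('hv01.example.local', 'vbr01.example.local')
$Since   = (Get-Date).AddDays(-7)

# Server-side DCOM hardening rejections: System log, event 10036.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'   # assumed provider name
    Id           = 10036
    StartTime    = $Since
}

$hits = foreach ($server in $Servers) {
    try {
        $events = @(Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop)
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; that is a clean result here.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
        Write-Warning "Could not query ${server}: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Assumption: the message names the rejected client as "from address <addr>".
        $client = if ($e.Message -match 'from address (\S+)') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{
            Server = $server
            Client = $client
            Time   = $e.TimeCreated
        }
    }
}

# One row per (server, client) pair: the clients listed are the ones still
# activating DCOM below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
$hits |
    Group-Object Server, Client |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Server';   e = { $_.Group[0].Server } },
        @{ n = 'Client';   e = { $_.Group[0].Client } },
        @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Run it from an account that can read the remote System logs; an empty table means none of the queried servers logged a rejection in the window.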
More Information