Access to Hyper-V or Veeam B&R Components Fails After DCOM Hardening is Enabled

KB ID: 4376
Product: Veeam Agent for Microsoft Windows
Veeam ONE
Veeam Backup & Replication
Veeam Management Pack for Microsoft System Center
Published: 2022-11-04
Last Modified: 2022-11-04
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Challenge

After June 8, 2022, DCOM connections to Hyper-V, Veeam Backup & Replication, and other Windows-based servers may be impacted by the DCOM hardening policy activated after the deployment of the Microsoft CVE-2021-26414 security update.

The possibly affected products are:

  • Veeam Backup & Replication — operations involving Hyper-V infrastructure may fail with the error:
    Failed to call RPC function 'HviCreateVmRecoverySnapshot'
    
  • Veeam Agent for Microsoft Windows — connection to Hyper-V infrastructure fails with error:
    Failed to connect to cluster 'CLUSTERNAME.contoso.com'.
    
  • Veeam ONE — connection to Hyper-V and Veeam Backup & Replication infrastructures fails with the error:
    System.UnauthorizedAccessException:'Access denied. (Exception from HRESULT : 0x80070005 (E_ACCESSDENIED))'
    

Cause

The situation is caused by the Microsoft Windows DCOM connections hardening:
June 8, 2021 Hardening changes are disabled by default but with the ability to enable them using a registry key.
June 14, 2022 Hardening changes are enabled by default but with the ability to disable them using a registry key.
March 14, 2023 Hardening changes are enabled with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

Veeam Products are ready for this change and use Packet Integrity DCOM authentication level. However, if the underlying Windows operating systems lack the required security updates, this will result in different authentication levels used for DCOM connections and cause authentication failures. For example, one windows machine may have the hardening changes disabled because it doesn't have the update installed, and the other windows machine has the DCOM hardening enabled because the update is installed.

When these DCOM authentication failures occur, Event# 10036 will appear, showing the following message:

Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application

Solution

To resolve these issues, ensure that all Windows-based servers have the DCOM Hardening update installed. See the list at the bottom of this article:


Note: These updates may be listed as optional and may have been ignored by Windows or WSUS systems. In such a situation, the update must be deployed manually.

More Information

Veeam acknowledges that there is a registry value noted on KB5004442 that allows the DCOM hardening policy to be temporarily disabled. While the registry value may resolve the DCOM authentication conflict causing errors in Veeam, we strongly advise against implementing this workaround. The Veeam software is ready for this DCOM change and uses Packet Integrity DCOM authentication, it is the underlying Windows OS that must be updated to support this change.
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.