Access to Hyper-V or Veeam B&R Components Fails After DCOM Hardening is Enabled
Cause
After June 8, 2022, DCOM connections to Hyper-V, Veeam Backup & Replication, and other Windows-based servers may be impacted by the DCOM hardening policy activated after the deployment of the Microsoft CVE-2021-26414 security update.
The possibly affected products are:
- Veeam Backup & Replication — operations involving Hyper-V infrastructure may fail with the error:
Failed to call RPC function 'HviCreateVmRecoverySnapshot'
- Veeam Agent for Microsoft Windows — connection to Hyper-V infrastructure fails with error:
Failed to connect to cluster 'CLUSTERNAME.contoso.com'.
- Veeam ONE — connection to Hyper-V and Veeam Backup & Replication infrastructures fails with the error:
System.UnauthorizedAccessException:'Access denied. (Exception from HRESULT : 0x80070005 (E_ACCESSDENIED))'
- Veeam Recovery Orchestrator — connection to Veeam Backup & Replication fails with the error:
Failed to connect to the server. Specified user is invalid or does not have enough permissions on the server.
Challenge
| Update Release | Behavioral Change |
| June 8, 2021 | Hardening changes are disabled by default but with the ability to enable them using a registry key. |
| June 14, 2022 | Hardening changes are enabled by default but with the ability to disable them using a registry key. |
| March 14, 2023 | Hardening changes are enabled with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment. |
Veeam Products are ready for this change and use Packet Integrity DCOM authentication level. However, if the underlying Windows operating systems lack the required security updates, this will result in different authentication levels used for DCOM connections and cause authentication failures. For example, one windows machine may have the hardening changes disabled because it doesn't have the update installed, and the other windows machine has the DCOM hardening enabled because the update is installed.
When these DCOM authentication failures occur, Event# 10036 will appear, showing the following message:
Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application
Solution
The Veeam software is ready for this DCOM change and uses Packet Integrity DCOM authentication; the underlying Windows OS must be updated to support this change.
To resolve these issues, ensure all Windows-based servers have installed the DCOM Hardening update. See the list at the bottom of this article:
Notes:
- These updates may be listed as optional and may have been ignored by Windows or WSUS systems. In such a situation, the update must be deployed manually.
- This issue may affect older Windows operating system, but the update to resolve the issue may not be available without ESU.
- For environments where Veeam Backup & Replication was deployed on an older operating system no longer supported by the latest version of Veeam Backup & Replication (e.g., Server 2008 R2), please review: KB1803: How to Upgrade Legacy Veeam Backup Server
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
Spelling error in text
Thank you!
Your feedback has been received and will be reviewed.
KB Feedback/Suggestion
This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
Thank you!
Your feedback has been received and will be reviewed.