Windows Defender Application Control (WDAC) Supplemental Policy for Veeam Backup & Replication 12 Components Running on Azure Stack HCI 22H2

KB ID: 4456
Product: Veeam Backup & Replication | 12
Published: 2023-06-06
Last Modified: 2023-06-06
mailbox
Get weekly article updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.

Cheers for trusting us with the spot in your mailbox!

Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest

error icon

Oops! Something went wrong.

Please try again later.

Veeam Backup & Replication Version Requirement
The solution documented in this article requires at least Veeam Backup & Replication 12 P20230412.

Challenge

When attempting to add an Azure Stack HCI OS 22H2 cluster or node to Veeam Backup & Replication, the following error occurs:

Your organization used Device Guard to block this app. Contact your support person for more info.
Failed to start service 'VeeamDeploySvc'. Host: 'x.x.x.x'.
Failed to start deployment service on the target host
Error

Cause

By default, the Azure Stack HCI OS 22H2 Supplemental Package has Windows Defender Application Control (WDAC) enabled and running in the enforcement mode. WDAC is a software-based security layer that reduces the attack surface by enforcing an explicit list of software that is allowed to run. WDAC limits the applications and the code that can run on the core platform.

To allow third-party non-Microsoft signed software to run on Azure Stack HCI nodes, a WDAC supplemental policy provided by the third-party software vendor must be installed.

Solution

Veeam Backup & Replication WDAC Supplemental Policy Deployment

The supplied XML policy is already linked to an Azure Stack HCI base WDAC policy {A6368F66-E2C9-4AA2-AB79-8743F6597683}

  1. Download the Policy XML Package from the Download Information section below.
  2. Execute the following command to Convert the XML policy to a binary format:
ConvertFrom-CIPolicy c:\wdac\VBR12CP2-AzHCI22H2-supplemental-policy.xml c:\wdac\VBR12CP2-AzHCI22H2-supplemental-policy.bin
  1. Deploy the policy.

    Policy files must have the nomenclature {PolicyID}.cip and are stored in C:\Windows\System32\CodeIntegrity\CiPolicies\Active\

    The PolicyID is found within the source XML file. The PolicyID for the attached file is 48D8AD47-2B5F-4134-8C68-C320DC2D116A, so the policy file name must be named {48D8AD47-2B5F-4134-8C68-C320DC2D116A}.cip

    Use the following command to copy the binary formatted policy to the destination:
Copy-Item -Path c:\wdac\VBR12CP2-AzHCI22H2-supplemental-policy.bin -Destination "C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{48D8AD47-2B5F-4134-8C68-C320DC2D116A}.cip"
  1. To activate the supplemental policy, either reboot the machine or invoke the code integrity policy refresher tool. The tool will try to activate all policies in the active policy folder:
Invoke-WDACRefreshPolicyTool

Alternatively, you can use the RefreshPolicy.exe tool:

C:\wdac\RefreshPolicy.exe
Rebootless ConfigCI Policy Refreshing Succeeded!

 

  1. Check Events in the Application and Services Logs > Microsoft > Windows > CodeIntegrity > Operational event log to determine if the policy has been activated:

Download Information

Download Policy XML

Filename: KB4456-VBR12CP2-AzHCI22H2-supplemental-policy.zip
Updated: 2023-06-06

MD5: 2C4BD78B026CC9EDFD17329A24AD2588
SHA1: 25385654BCFC9E704034AA64BEAFB3AA7727CE75

To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.

Spelling error in text

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

Oops! Something went wrong.

Please try again later.

You have selected too large block!

Please try select less.

KB Feedback/Suggestion

This form is only for KB Feedback/Suggestions, if you need help with the software open a support case

By submitting, you are agreeing to have your personal information managed in accordance with the terms of Veeam's Privacy Notice.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Verify your email to continue your product download
We've sent a verification code to:
  • Incorrect verification code. Please try again.
An email with a verification code was just sent to
Didn't receive the code? Click to resend in sec
Didn't receive the code? Click to resend
Thank you!

Thank you!

Your feedback has been received and will be reviewed.

error icon

Oops! Something went wrong.

Please try again later.