Resolving VSS Errors: Veeam AD Backups failing with SentinelOne
Veeam application-aware backups of Active Directory domain controllers can fail when SentinelOne blocks the VSS and BCD operations Veeam needs for NTDS-aware snapshots. These failures usually appear as VSS errors and “Updating BCD failed” or similar messages in Veeam job logs. In this guide, we shall discuss the “Resolving VSS Errors: Veeam AD Backups failing with SentinelOne”. Please, see Volume Shadow Copies: How to configure VSS on Windows Server, and How To Fix “Startup Repair Couldn’t Repair Your PC.
I am sharing this fix with the community on the procedure I followed to resolve the failure of the Application Aware backup post-installation of Sentinel One.
Please, see A-Z on Veeam Data Cloud: Workload Enrollment and Onboarding, A real case of Internal Sabotage and Recovery, and Set up Veeam Backup for Microsoft Azure.
VSS Symptoms and Error Messages
When SentinelOne interferes with AD-aware backups, some of the below are usually observed but not limited to the below:
- Veeam job status: “Failed” or “Warning” specifically on domain controllers. While other servers back up fine.
- Application-aware processing error like: “Cannot create a shadow copy of the volumes containing writer’s data. Cannot prepare the [NTDS] data for a subsequent restore operation.”
- Errors mentioning BCD or VSS, for example: “Updating BCD failed… COM error: Code: 0xd0000022” or generic “VSSControl” errors.
Please, see
Exception procedure S1 VSS SafeBOOt Tamper Protection
To fix this, you, open Administrative CMD and navigate to the path below.
cd "C:\Program Files\SentinelOne\Sentinel Agent your-version"Then run the below commands
sentinelctl unprotect -k "<passphrase>"
sentinelctl config -p agent.vssConfig.enableResearchDataCollectorVssWriter -v false -k""PASSPHRASE"
sentinelctl config -p agent.vssConfig.vssProtection -v false
sentinelctl config -p agent.vssSnapshots -v false
sentinelctl config -p agent.safeBootProtection -v false -k "PASSPHRASE"
sentinelctl config antiTamperingConfig.allowSignedKnownAndVerifiedToSafeBoot true -k "PASSPHRASE"Please, see how to Install Veeam ONE and Add VBR: Fix failed to connect to VBR, and how to Fix Error 1069: Windows could not start the Veeam backup service on local computer.
Delete shadow
To clean up stale or corrupted VSS snapshots before rerunning the Veeam job. You can use DiskShadow on the affected server.
diskshadow
list shadows all
delete shadows all
ExitWhere the diskshadow opens the DiskShadow utility, and the list shadows all shows all existing shadow copies so you can confirm what will be removed.
The delete shadows all deletes all VSS shadow copies for all volumes on this server. Run this only during a maintenance window, as it removes all existing VSS restore points. While, the exit closes DiskShadow.
Please, see how to Activate Full-Screen (Kiosk Mode) in Internet Explorer, Veeam Enterprise Manager setup and User Role management, and Building VIHR: Ransomware-Proof Repository with Veeam JeOS.
Re-enable protection
When you are done with troubleshooting and Veeam backups are running correctly, turn full protection back on with the following command.
sentinelctl protect -k "<passphrase>"I hope you found this blogpost on Resolving VSS Errors: Veeam AD Backups failing with SentinelOne very useful. Please, feel free to leave a comment below.
