Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Post Reply
techgirl
Enthusiast
Posts: 28
Liked: 1 time
Joined: Feb 19, 2017 3:30 pm
Contact:

VAW and Bitlocker due to Office 365 AzureAD

Post by techgirl »

AzureAD join for Office 365 automatically enables Bitlocker.
Does VAW still work for UNATTENDED backup and FLR from a NAS share?

VAW is scheduled to do daily backups on 2 PC which are not bitlockered.
We choose "file level" backup of the "Users" folder only due to space.
Each is backed up to a separate password protected share on the NAS.
If needed, we can retrieve single files or folders using FLR to same PC or restore entire "Users" folder if moved to a new PC.

Now adding a new PC which is Bitlockered and have these questions:
1- I saw the KB article mentions unlocking first to do perform backups. Does this means that we can only perform on-demand (manual) backups in VAW on the bitlockered PC?

2 - The KB article only mentions VOLUME level restore. Can you confirm if file level restore is possible?

3- Does the fact that 2 backups on the NAS disk are unencrypted and one is encrypted cause any issue ? i.e. Is it possible to have all 3 PC use the NAS still to backup to their respective "shared folders" or is it the case that EACH Bitlockered PC is expected to be backed up to its own personal disk because it now would be personally locked/encrypted ?

4 - AzureAD admin console records the BL decryption key. Is this all that is needed to restore selected files back to the SAME PC?

5- What about restoring files to a DIFFERENT PC (in the case of an unfixable crash) - do we need just the key from the old PC?

6- If I understand, if we create a Veeam Recovery media USB, it would also contain the key? Can it be used to restore individual files or only if doing VOLUME level? Can it only be used on the very same PC that created it? Or it can be used in a replacement PC to transfer the user's files in case of a unfixable crash?
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: VAW and Bitlocker due to Office 365 AzureAD

Post by HannesK »

Hello,
thanks for reaching out

1: could you maybe provide a link? I use Bitlocker and agent for Windows since day1 on my laptop and almost never started the backup manually
2: yes, you can do file level restore
3: no issues expected. you can store encrypted or unencrypted backups in the same folder - I see no issues there
4: no - the backups are not encrypted with bitlocker
5: no - the backups are not encrypted with bitlocker
6: no - the backups are not encrypted with bitlocker

Best regards,
Hannes
techgirl
Enthusiast
Posts: 28
Liked: 1 time
Joined: Feb 19, 2017 3:30 pm
Contact:

Re: VAW and Bitlocker due to Office 365 AzureAD

Post by techgirl »

https://helpcenter.veeam.com/docs/agent ... tml?ver=30
"BitLocker encrypted volumes (both source and target) must be unlocked at the moment when Veeam Agent for Microsoft Windows starts the backup operation. "
"If the volume added to the backup scope is locked at the moment of backup, the backup job will be unable to process it and will fail."

And then it shows a popup asking for acknowledgement in order to proceed.... I read this as meaning it requires manual intervention? Am I misinterpreting ?
SnakeSK
Service Provider
Posts: 43
Liked: 5 times
Joined: Feb 09, 2019 5:06 pm
Contact:

Re: VAW and Bitlocker due to Office 365 AzureAD

Post by SnakeSK »

Unlocked means that if bitlocker asks for password, you have to supply it, if you can browse the filesystem it is already unlocked
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: VAW and Bitlocker due to Office 365 AzureAD

Post by HannesK »

if you can browse the filesystem it is already unlocked
yes, that's the point. I automatically unlock my drives which is probably the reason why I never saw the mentioned dialog boxes.
techgirl
Enthusiast
Posts: 28
Liked: 1 time
Joined: Feb 19, 2017 3:30 pm
Contact:

Re: VAW and Bitlocker due to Office 365 AzureAD

Post by techgirl »

AH! So the situation/dialog to unlock the source drive would just never come up if VAW is running in Windows on the same drive being backed up. i.e. laptop with a single hard drive. If VAW is installed on that drive and is able to run to perform the backup, the drive is unlocked.

Manual intervention to provide a password for the source drive can only ever be an issue if VAW is not running on the same drive.

If VAW is running on the same drive, the backup can not possibly be encrypted.

To maintain the BL encryption on the backup, VAW would need to be run from a separate drive, and it can only possibly make a Volume level backup.
Post Reply

Who is online

Users browsing this forum: No registered users and 27 guests