Compliance Analzyer - GMSA rotation

[TWuser]

I'm trying to get the Security & Compliance Analyzer happy, and it's complaining about:
"Credentials and encryption passwords should be rotated at least annually"

I have rotated normal passwords and encryption keys. What remains are 1 GMSA and the 4 "root" passwords created by Veeam (provider-side network extension, Tenant-side network extension, Azure helper appliance, and Helper applianced creds).

I have other VBR servers passing the Analyzer without changing the 4 passwords, so I have to assume the Analyzer is failing because of the GMSA.

GMSA's are rotated every 30 days already, why does Veeam flagging a GMSA? Is it just a bug?

Bug or not, what's the best way to fix?

[david.domask]

Hi TWuser,

The "Last Edit" date is what's checked for all client secrets as described here, so please check each of the credentials sections listed there for passwords that haven't been edited in 365 days. If all have been updated since then as best you can tell, please open a Support Case and allow Veeam Support to review the situation.

Please share your case number if you end up creating a case, thanks!

[TWuser]

The whole point of GMSA's is that they rotate their own password on the backside, and Veeam never has a password to "rotate". There is no password to edit in Veeam.

I found a workaround so won't be opening a ticket - if you edit the description and save it, it will pass the Security Analyzer. This does nothing for security and is just a workaround for what could be considered a reporting bug.