Feature request - Allow remote console to be updated when using privilege escalation

[jasonede]

This has come out of case #07936432 where I've been assured that this is by design and not a bug.

We utilise Microsoft LAPS so that by default no-one has an administrator account. Some users can look up their local admin password (which cycles) so that they can use this to install/update software if needed.

The Veeam remote console for version 13 can be installed by run as administrator and putting in the password ok.

However, if the VBR servers have updated (upgraded to the latest 13.0.1.1071, but when downloading console from web interface of server it still gives the older 13.0.1.180) then when you try to connect it says you need to update to the latest version. Clicking on upgrade brings up the prompt for administrator credentials (as expected) to update. After supplying these details then the console hangs for around 5 minutes before saying "Failed to update the backup console: Failed to deliver update specification to backup server".

If you run the console as administrator (and supply correct credentials) then when you click on connect for the VBR server it says "Microsoft Edge can't read and write to it's data directory c:\Users\Administrator\AppData\Local\Veeam\Backup\ConsoleLauncher_Elevated\EBWebView"

The only method that works is to log off as the normal user and log on as the local administrator user and then update the console and then switch back to the normal user and it connects.

Please can this this be fixed so either supplying the password when requested or using the run as administrator option works to upgrade the console.

[david.domask]

Hi jasonede,

Give me a bit of time to check the situation internally -- I understand what Support is telling in your case, but I think some additional review is warranted as agreed such a setup is fairly common to have "on-demand" administrator access as opposed to full local admin access with regards to the Remote Console specifically.

Long-term though this will be a self-resolving issue as our goal is to get everything 100% in the WebUI.

[jasonede]

Thank you. I admit I was a little confused myself about this.

[MarktheSpark]

I can second jasonede experience, it matches 100% what I see.

[david.domask]

To follow up on this, we will be addressing some of the issues related to the Remote Console update procedure in our next updates, specifically for environments with situations like LAPS or "on-demand" administrator access.

Appreciate the feedback and patience on this matter -- the changes are meant to address situations involving on-demand admin access, so please keep in mind some scenarios may still require review.

[jasonede]

Below is what I was told by support.

The console update process requires the user to be logged in as a local administrator. Supplying admin credentials via UAC or using 'Run as administrator' does not grant the necessary session-level privileges for the update to succeed.

To update the console, log off and log in using a local administrator account, then launch the Veeam Backup Console and allow the update to complete. After the update, standard users can connect unless further updates are required.
If updating all machines manually is not scalable, consider deploying the console update centrally using a software deployment tool that runs with elevated privileges under a local administrator account. This approach is required for environments with LAPS or similar security policies.
The error 'Failed to deliver update specification to backup server' and the named pipe errors are direct results of insufficient session-level permissions. Only a full local administrator session can complete the update workflow.
The Microsoft Edge/WebView data directory error when running as administrator is a known side effect of launching the console outside a full local administrator session. This does not occur when logged in as local administrator.

I think this is being addressed. Along with this I've also noticed that if any plugins are updated on the VBR server it seems that the console has to update before it will connect and no option to postpone. This could potentially make it hard to maintain in an RMM environment unless console builds were provided for every patch and private fix, which I don't think is realistic.