PowerShell script exchange
gekken
Novice
Posts: 7
Liked: 3 times
Joined: Jun 18, 2013 9:48 am
Full Name: Geir Kåre Sjo

Veeam 11 PowerShell in highsecurity/locked down environment

Post by gekken »

Hi

I'm trying to run Veeam 11 PowerShell in a high-security/locked-down environment where we are allowed to run only signed PowerShell scripts (and this is not subject to change).

When I try to run "import-module veeam.backup.powershell" it throws an error about veeam.backup.powershell.types.ps1xml not being signed. I have tried to sign this file with our own cert (https://docs.microsoft.com/en-us/powers ... rshell-7.1), but still no go. I have also tried to sign all other .ps1xml/.ps1d and so on, but still no luck in running Veeam PS cmdlets.

Any good ideas anyone?? (except that Veeam should sign their ps code as most other vendors do :)).

/GK
oleg.feoktistov
Veeam Software
Posts: 1918
Liked: 636 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov
Contact:

Re: Veeam 11 PowerShell in highsecurity/locked down environment

Post by oleg.feoktistov » 1 person likes this post

Hi Geir,

A good one, thanks! Reproduced in my lab and brought it up internally. Will update this thread once I have the answer.

Best regards,
Oleg

Re: Veeam 11 PowerShell in highsecurity/locked down environment

Post by gekken » 2 people like this post

Hi Oleg

I can inform that I have temporarily solved the issue by signing the .ps1xml files correctly by using my internal CA. However it would be great if you guys would do this out of the box :).

I guess you have the overview, but the files I signed were: initialize-veeamtoolkit.ps1, Veeam.backup.powershell.psd1, veeam.backup.powershell.format.ps1.xml, veeam.backup.powershell.types.ps1xml.

Thanks for the reply.

/GK
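
The workaround described in the post above, as an added example that is not part of the thread and not Veeam's code: re-sign the module's script, manifest and type/format files that lack a valid signature with an internal code-signing certificate, keeping a copy of each original. The function name, backup folder and timestamp URL are hypothetical placeholders; the module path is the one quoted later in the thread.

```powershell
# Added example, not from the thread. Run elevated. The signing certificate must
# chain to a root this host trusts and be in its Trusted Publishers store,
# otherwise AllSigned still prompts or blocks.
function Invoke-ModuleResign {
    param(
        [Parameter(Mandatory)][string]$Path,              # module directory
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$TimestampServer,   # RFC 3161 timestamp URL
        [Parameter(Mandatory)][string]$BackupDir          # where originals are kept
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # File types that AllSigned requires to carry a signature
    Get-ChildItem -Path $Path -File |
        Where-Object { $_.Extension -in '.ps1', '.psm1', '.psd1', '.ps1xml' } |
        Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
        ForEach-Object {
            Copy-Item -Path $_.FullName -Destination $BackupDir   # keep the vendor file
            $r = Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $Certificate `
                     -TimestampServer $TimestampServer -HashAlgorithm SHA256
            [pscustomobject]@{ File = $_.Name; Status = $r.Status; Message = $r.StatusMessage }
        }
}

# Pick an unexpired code-signing certificate issued by the internal CA
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } | Select-Object -First 1

Invoke-ModuleResign -Path 'C:\Program Files\Veeam\Backup and Replication\Console' `
    -Certificate $cert `
    -TimestampServer 'http://timestamp.example.invalid' `
    -BackupDir 'C:\Temp\veeam-ps-originals' | Format-Table -AutoSize
```

A product update can overwrite the re-signed files, so the report is worth re-running after each upgrade.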

Re: Veeam 11 PowerShell in highsecurity/locked down environment

Post by oleg.feoktistov » 1 person likes this post

Hi Geir,

Thanks for your update! I also shared this info in our internal discussion.

Best regards,
Oleg

Re: Veeam 11 PowerShell in highsecurity/locked down environment

Post by oleg.feoktistov » 1 person likes this post

This is confirmed as a bug. Should be fixed in vNext. Anybody wishing to get a fix on that earlier, please, submit a support case and ask for a private fix referencing this forum topic. Thanks!
NielsIT
Novice
Posts: 3
Liked: never
Joined: Apr 26, 2022 12:32 pm
Full Name: Niels Eggers
Contact:

Re: Veeam 11 PowerShell in highsecurity/locked down environment

Post by NielsIT »

Hi,

Will this be added to the Community Edition as well? Any estimates on the timeframe?

Thanks

Re: Veeam 11 PowerShell in highsecurity/locked down environment

Post by oleg.feoktistov »

Hi Niels,

It is not related to licensing, so should work with our PowerShell module in any VBR edition. The fix is planned for v12, no ETA on it yet.

Thanks,
Oleg

Re: Veeam 11 PowerShell in highsecurity/locked down environment

Post by NielsIT »

Hi,

Do you know if this will come to Veeam for Office365 also?

Thanks
Niels

Re: Veeam 11 PowerShell in highsecurity/locked down environment

Post by oleg.feoktistov »

Not sure, I think you should ask in the relevant forum. Thanks!
birdwaffle
Influencer
Posts: 10
Liked: 3 times
Joined: Jun 19, 2019 9:55 am
Contact:

Re: Veeam 11 PowerShell in highsecurity/locked down environment

Post by birdwaffle »

I see that the script is now signed by Veeam, but I still get an error.

Using v12, if I set the execution policy to AllSigned,

Code:

PS C:\Windows\system32> set-executionpolicy -scope 'LocalMachine' 'allsigned'

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A
PS C:\Windows\system32> get-executionpolicy -scope LocalMachine
AllSigned
PS C:\Windows\system32>

I get the message that the publisher is untrusted.

Code:

PS C:\Windows\system32> disconnect-vbrserver

Do you want to run software from this untrusted publisher?
File C:\Program Files\Veeam\Backup and Replication\Console\Veeam.Backup.PowerShell.types.ps1xml is published by
CN=Veeam Software Group GmbH, O=Veeam Software Group GmbH, L=Baar, S=Zug, C=CH and is not trusted on your system. Only
run scripts from trusted publishers.
[V] Never run  [D] Do not run  [R] Run once  [A] Always run  [?] Help (default is "D"):

It seems that to fix this, Veeam would have to provide their code signing certificate (public key) and the installer would have to install the certificate in the local machine store under "Trusted Publishers". Since we don't have this certificate, we cannot install it manually either.

Veeam's code signing cert is currently:

Code:

PS C:\Windows\system32> Get-AuthenticodeSignature 'C:\Program Files\Veeam\Backup and Replication\Console\Veeam.Backup.PowerShell.types.ps1xml' | fl


SignerCertificate      : [Subject]
                           CN=Veeam Software Group GmbH, O=Veeam Software Group GmbH, L=Baar, S=Zug, C=CH
                         [Issuer]
                           CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                         [Serial Number]
                           0663DB68D1713219E69112010936FDA3
                         [Not Before]
                           2/7/2022 12:00:00 AM
                         [Not After]
                           3/28/2025 11:59:59 PM
                         [Thumbprint]
                           93E8E786F02642CD359B0E46BEC03A6ACB1C554E

If I replace this signature with my own, will this break anything in Veeam? Does Veeam internally use this file: Veeam.Backup.PowerShell.types.ps1xml and if so, does it verify the signature?
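
An added example, not part of the thread and not Veeam's code: the signer certificate embedded in a signed file is the public certificate, so it can be read with Get-AuthenticodeSignature, checked against a pinned thumbprint and added to the LocalMachine Trusted Publishers store without re-signing anything. The function names are hypothetical; the path and thumbprint are the ones quoted in the post above, and the thumbprint should be confirmed with the vendor through a separate channel before it is pinned.

```powershell
# Added example, not from the thread. Run elevated on the console host.
$moduleDir = 'C:\Program Files\Veeam\Backup and Replication\Console'   # from the post
$pinned    = '93E8E786F02642CD359B0E46BEC03A6ACB1C554E'                # from the post

function Get-PublisherTrustReport {
    param([Parameter(Mandatory)][string]$Path)
    # File types that AllSigned requires to carry a signature
    Get-ChildItem -Path $Path -File |
        Where-Object { $_.Extension -in '.ps1', '.psm1', '.psd1', '.ps1xml' } |
        ForEach-Object {
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $thumb = $sig.SignerCertificate.Thumbprint      # $null when unsigned
            [pscustomobject]@{
                File       = $_.Name
                Status     = $sig.Status                    # hash and chain validity
                Thumbprint = $thumb
                # Publisher trust is a separate check from signature validity
                Trusted    = [bool]$thumb -and (Test-Path "Cert:\LocalMachine\TrustedPublisher\$thumb")
            }
        }
}

function Add-PinnedPublisher {
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $sig = Get-AuthenticodeSignature -FilePath $File
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $File is $($sig.Status): $($sig.StatusMessage)"
    }
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        throw "Unexpected signer: $($sig.SignerCertificate.Thumbprint)"
    }
    # Only the public certificate is stored; no private key is involved
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('TrustedPublisher', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($sig.SignerCertificate) } finally { $store.Close() }
}

Get-PublisherTrustReport -Path $moduleDir | Format-Table -AutoSize
Add-PinnedPublisher -File (Join-Path $moduleDir 'Veeam.Backup.PowerShell.types.ps1xml') -ExpectedThumbprint $pinned
Get-PublisherTrustReport -Path $moduleDir | Format-Table -AutoSize
```

Answering "Always run" at the prompt stores the same certificate, but only in the current user's Trusted Publishers store; the function above adds it machine-wide and refuses any signer other than the pinned one.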