Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Dima P.
Product Manager
Posts: 14417
Liked: 1576 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Impact of Microsoft KB5025885 Secure Boot Patch for CVE-2023-24932 on Veeam Recovery Media

Post by Dima P. »

Hello folks,

We are reviewing whether the KB actually affects the recovery to a Hyper-V host. So far we have not seen any issues caused by agent recovery to Hyper-V, but we will continue this investigation. Thank you!

UPDATE: Recovery of the agent backup to a Hyper-V VM is unaffected by this Security Patch.
sykerzner
Service Provider
Posts: 33
Liked: 2 times
Joined: Jul 27, 2020 1:16 pm
Full Name: SYK
Post by sykerzner »

When we need to take a new Full after the revocations, will an Active Full be needed, or will a Synthetic Full be enough?
Mildur
Product Manager
Posts: 8735
Liked: 2294 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Post by Mildur »

Hello SYK

The active full backup is required to collect the new files for the automatic recovery media creation within the Veeam backup console. If you don't run an active full, those recovery media files won't be collected and you cannot create a working recovery media in the Veeam console for that machine.

As a workaround, you can create the recovery media manually directly on the machine with the following application:
"C:\Program Files\Veeam\Endpoint Backup\Veeam.Endpoint.RecoveryMedia.exe"

Best,
Fabian
Product Management Analyst @ Veeam Software
sykerzner
Service Provider
Posts: 33
Liked: 2 times
Joined: Jul 27, 2020 1:16 pm
Full Name: SYK
Post by sykerzner »

For VMs, is it clear if we'd need an Active Full after the mitigations for the backup to be bootable?

The Veeam article is clear about VAW, that we'd need an active full to get an updated Recovery Image: https://www.veeam.com/kb4452
BackupBytesTim
Service Provider
Posts: 398
Liked: 57 times
Joined: Apr 29, 2022 2:41 pm
Full Name: Tim
Post by BackupBytesTim »

You would need a new backup, yes. Assuming your VM has Secure Boot enabled in either Hyper-V or VMware, then a pre-update backup would fail to boot after recovery, the same as a physical computer.

Veeam recommends a new Active Full backup. I assume that's worth doing then, but I don't actually understand what would be collected in an Active Full backup that wouldn't be collected in an incremental backup. To my knowledge either would only collect data from the hard drive, so any Windows files that change on the hard drive would be collected with an Active Full backup or an Incremental backup, but unless someone explains otherwise I'm assuming we'll need new Active Full backups. Though that's easier for my environment where we don't have any single drives larger than 1 TB that would need to be backed up again like that, noting non-boot drives shouldn't need a new Active Full.

Can someone at Veeam clarify what's collected in an Active Full backup that wouldn't be included in an incremental backup for this case? Or is this just going off the general recommendation from Veeam that we perform Active Full backups periodically regardless of other factors?

Edit: Rereading Fabian's last post, I believe the recommendation may actually be to perform a new Active Full backup only because the bootable recovery media is generated from the backup file contents, so the Active Full backup is required to create bootable recovery media, not to actually boot the restored backup after the update. Does that sound accurate?
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Post by Gostev »

That is correct.
BackupBytesTim
Service Provider
Posts: 398
Liked: 57 times
Joined: Apr 29, 2022 2:41 pm
Full Name: Tim
Post by BackupBytesTim »

To clarify, it's the statement that the Active Full is required only to generate new recovery media, that's accurate. So with updated recovery media, we can still boot new backups that are just incremental?

So unless we need to generate device-specific recovery media for each computer system there's no need to do a new Active Full everywhere, in the sort of scenario where we have many devices with identical hardware and normally don't generate recovery media for each individual device.
Gostev
Chief Product Officer
Posts: 31561
Liked: 6725 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Post by Gostev »

@Dima P. please confirm.
Dima P.
Product Manager
Posts: 14417
Liked: 1576 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Post by Dima P. » 2 people like this post

Hi folks,

BackupBytesTim wrote: You would need a new backup, yes. Assuming your VM has Secure Boot enabled in either Hyper-V or VMware then a pre-update backup would fail to boot after recovery, the same as a physical computer.

This recommendation is not related to the source machine type, i.e. physical or virtual machine. Instead it's required for any agent-based backup made with Veeam Agent for Windows.

BackupBytesTim wrote: Can someone at Veeam clarify what's collected in an Active Full backup that wouldn't be included in an incremental backup for this case? Or is this just going off the general recommendation from Veeam that we perform Active Full backups periodically regardless of other factors?

Without starting a new backup chain the machine won't boot after bare metal recovery. The new backup chain should contain the unmodified boot partition and the volume with the patched OS, as these two 'components' are required to boot the machine. Due to the nature of the MS security patch, incrementals or a synthetic full built from incrementals do not boot.

BackupBytesTim wrote: Edit: Rereading Fabian's last post, I believe the recommendation may actually be to perform a new Active Full backup only because the bootable recovery media is generated from the backup file contents, so the Active Full backup is required to create bootable recovery media, not to actually boot the restored backup after the update. Does that sound accurate?

1. Recovery media recreation is required to make Recovery Media bootable.
2. Active full / new backup chain is required to make the backups bootable after bare metal recovery is performed.
Surfy
Influencer
Posts: 17
Liked: 3 times
Joined: Aug 04, 2018 8:22 am
Full Name: Erich
Post by Surfy »

Hi!

I don't know if I have understood everything correctly.
I have some physical machines where I use Veeam Agent.
If I understand correctly, if I have a machine where Secure Boot is not activated, I have to do nothing.
If Secure Boot is activated, I should first install the KB5025885 patch, then create a new Veeam boot media and then make an Active Full backup.
Is that right so far?

Apart from that I have a server installation of Veeam Backup and Replication 11, a Hyper-V host and some Windows Server VMs.
In this scenario I have to do nothing if Secure Boot is not activated on the VMs.
If Secure Boot is activated on the guest VMs, I can install the update on the guests first, then create new Active Full backups.
Nothing else.

If I must restore an older backup (before the patch was installed), it's possible to disable Secure Boot on the restored image and it should work.

Did I understand all of this correctly?

Best regards
Erich
BackupBytesTim
Service Provider
Posts: 398
Liked: 57 times
Joined: Apr 29, 2022 2:41 pm
Full Name: Tim
Post by BackupBytesTim » 2 people like this post

Surfy wrote: I have some physical machines where I use Veeam Agent. If I understand correctly, if I have a machine where Secure Boot is not activated, I have to do nothing. If Secure Boot is activated, I should first install the KB5025885 patch, then create a new Veeam boot media and then make an Active Full backup. Is that right so far?

If Secure Boot is disabled, then you are correct that you shouldn't have to do anything. Just to be sure, you may want to double check that though, as any new computer system in the past several years likely had it enabled by default even if you didn't specifically enable it.

If Secure Boot is activated, install the update, then do a new Active Full Backup, then create Veeam Recovery Media. My understanding is that the Agent retrieves data from the last Active Full backup rather than the current environment on the computer to create Recovery Media, so you need to do the Active Full Backup first. Perhaps someone from Veeam can clarify that behavior?

Surfy wrote: Apart from that I have a server installation of Veeam Backup and Replication 11, a Hyper-V host and some Windows Server VMs. In this scenario I have to do nothing if Secure Boot is not activated on the VMs. If Secure Boot is activated on the guest VMs, I can install the update on the guests first, then create new Active Full backups. Nothing else.

If Secure Boot is not activated on the VMs, that is correct, you shouldn't have to do anything.

If you have Secure Boot enabled on some VMs or choose to enable it later on a VM where it currently is disabled, you will need new Active Full backups after installing the update.

You shouldn't need recovery media for any virtual machine restores as they're restored by the VBR server, so there's no need to boot from the recovery media.

Surfy wrote: If I must restore an older backup (before the patch was installed), it's possible to disable Secure Boot on the restored image and it should work.

If you need to restore an old backup from before the update, you can disable Secure Boot on the computer (physical or virtual) to enable the computer to boot from the restored backup.
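The decision rule the thread has converged on (Secure Boot off: nothing to do; Secure Boot on but revocations not yet applied: old restore points still boot; Secure Boot on and the 2011 CA revoked in DBX: new backup chain plus new recovery media, and pre-revocation restore points boot only with Secure Boot off) depends on what the machine's firmware actually enforces, which is what Tim suggests double-checking. The script below is an added example for doing that check; it is not from this thread, from Microsoft's KB or from Veeam. It assumes UEFI firmware on which the Secure Boot cmdlets work, a free drive letter for mounting the EFI system partition, that the live boot manager lives at \EFI\Microsoft\Boot\bootmgfw.efi on that partition, and that the certificate names 'Windows UEFI CA 2023' and 'Microsoft Windows Production PCA 2011' are the ones to look for in DB and DBX. Run it from an elevated PowerShell on the machine in question (it also works on a freshly restored machine before you trust the restore).

```powershell
# Added example, not part of the thread or of Veeam's tooling: audit what the
# firmware enforces for KB5025885 and map it to the backup action discussed above.
# Run elevated. Assumptions: UEFI machine, Secure Boot cmdlets available, a free
# drive letter exists, boot manager path on the ESP as given below.

function Get-SecureBootRevocationState {
    $state = [ordered]@{
        SecureBootEnabled = $false
        NewCaInDb         = $false   # 'Windows UEFI CA 2023' enrolled in the DB variable
        OldCaInDbx        = $false   # 'Microsoft Windows Production PCA 2011' revoked via DBX
        BootManagerSigner = $null    # subject of the cert that signed the live bootmgfw.efi
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled".
    try { $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { return [pscustomobject]$state }

    # DB and DBX are raw EFI signature lists. The certificate subject is stored as
    # ASCII inside the DER blob, so a substring match tells us whether a CA is present.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    $state.NewCaInDb  = [bool]($db  -match 'Windows UEFI CA 2023')
    $state.OldCaInDbx = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')

    # Mount the EFI system partition on the first free drive letter (Z: downwards)
    # and read the Authenticode signer of the boot manager the firmware will load.
    $letter = ([char[]](90..65) | Where-Object { -not (Test-Path "${_}:\") } | Select-Object -First 1) + ':'
    mountvol $letter /S | Out-Null
    try {
        $bootmgr = Join-Path $letter 'EFI\Microsoft\Boot\bootmgfw.efi'   # assumed path
        if (Test-Path $bootmgr) {
            $sig = Get-AuthenticodeSignature -FilePath $bootmgr
            if ($sig.SignerCertificate) { $state.BootManagerSigner = $sig.SignerCertificate.Subject }
        }
    } finally {
        mountvol $letter /D | Out-Null
    }
    [pscustomobject]$state
}

# Translate the firmware state into the action this thread settled on.
function Get-Kb5025885BackupAction {
    param([Parameter(Mandatory)] $State)
    if (-not $State.SecureBootEnabled) {
        return 'Secure Boot is off: the existing backup chain and recovery media stay bootable.'
    }
    if ($State.OldCaInDbx) {
        return ('PCA 2011 is revoked on this firmware: start a new backup chain (Active Full, ' +
                'backup copy jobs included) and recreate the Veeam recovery media with a patched ' +
                'WinRE.wim. Pre-revocation restore points boot only with Secure Boot disabled.')
    }
    if ($State.NewCaInDb -or ($State.BootManagerSigner -match 'Windows UEFI CA 2023')) {
        return ('2023 CA enrolled but PCA 2011 not yet revoked: older restore points still boot. ' +
                'Plan the Active Full and new recovery media for when you apply the revocation.')
    }
    return 'Revocations not applied: nothing to do yet, but plan an Active Full and new recovery media.'
}

$state = Get-SecureBootRevocationState
$state | Format-List
Get-Kb5025885BackupAction -State $state
```

The DBX test is the one that matters for bootability: enrolling the 2023 CA in DB or updating the boot manager on its own leaves the 2011-signed boot files in old restore points trusted, which is why the thread distinguishes "update installed" from "revocations applied".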
Surfy
Influencer
Posts: 17
Liked: 3 times
Joined: Aug 04, 2018 8:22 am
Full Name: Erich
Post by Surfy »

Thank you very much!
Surfy
Influencer
Posts: 17
Liked: 3 times
Joined: Aug 04, 2018 8:22 am
Full Name: Erich
Post by Surfy »

I have two more questions.
In addition to the Veeam B&R server, I installed Veeam Agent for Windows on the Hyper-V host.
The host and the VMs are backed up periodically here.
Secure Boot is not activated on the Hyper-V host (Server 2022).
On two VMs on the host, Secure Boot is enabled. Do I need to create a new Rescue Disk on the host and a new Active Full Backup?
Or could I just leave everything as is, and in the event of a total loss of the Hyper-V host restore the host (without Secure Boot) and the VMs (partially with Secure Boot) regardless of whether the MS patch was installed on the VMs or not?
BackupBytesTim
Service Provider
Posts: 398
Liked: 57 times
Joined: Apr 29, 2022 2:41 pm
Full Name: Tim
Post by BackupBytesTim » 3 people like this post

You shouldn't need a new Recovery Media or a new Active Full Backup of the host unless you plan on enabling Secure Boot in the future.

In the event of a total loss of the host, you shouldn't have any problems restoring the host's existing backup with whatever existing Recovery Media you have as long as Secure Boot stays disabled. The VMs with Secure Boot enabled will need to have new backups if you want to restore them with Secure Boot enabled, if you disable Secure Boot you should be able to restore pre-update backups, but then you'll need to do a new Active Full backup if you want to enable Secure Boot again after the update is installed.

If the update is not installed then it doesn't matter whether Secure Boot is enabled or not as to whether the backups will boot. The only time an issue can occur is if both Secure Boot is enabled and the update is installed.
Surfy
Influencer
Posts: 17
Liked: 3 times
Joined: Aug 04, 2018 8:22 am
Full Name: Erich
Post by Surfy »

Thanks!!
Is it necessary to run the script mentioned in this KB after installing the Microsoft patch? https://www.veeam.com/kb4452
BackupBytesTim
Service Provider
Posts: 398
Liked: 57 times
Joined: Apr 29, 2022 2:41 pm
Full Name: Tim
Post by BackupBytesTim »

Assuming you are referring to the Microsoft Support page which is linked in that Veeam KB article, then you would need to do so at this time to ensure the Windows Recovery Environment is updated. I assume that will eventually be not required, but for right now that seems to be what Microsoft says to do. I assume by the time the boot revocations are enforced automatically by Microsoft it will get updated automatically, but for now it does seem that running the script manually is required for anyone who chooses to manually enable the boot revocations.
bdg0296
Novice
Posts: 3
Liked: never
Joined: Jun 20, 2017 7:35 pm
Full Name: Brian
Post by bdg0296 »

I'm assuming this is still an issue? Because I am unable to boot off of freshly created USB boot media with Veeam on multiple windows 10 machines.

I'm asking because https://www.veeam.com/kb4452 says "new deployments no action required" but I am still unable to boot from the USB boot media.

I was also unable to boot using the method described in this thread to update the wim file and recreating the boot media as I got the same error:

The operating system couldn't be loaded because the kernel is missing or contains errors.

File: \windows\system32\ntoskrnl.exe
Error code: 0xc000a004
BackupBytesTim
Service Provider
Posts: 398
Liked: 57 times
Joined: Apr 29, 2022 2:41 pm
Full Name: Tim
Post by BackupBytesTim »

That sounds like an unrelated issue, but you can test by disabling the Secure Boot option in your computer's UEFI settings. If that does not resolve the issue, then it's definitely unrelated. If that does resolve the issue then it could be related, but there are other things to check as well.
bdg0296
Novice
Posts: 3
Liked: never
Joined: Jun 20, 2017 7:35 pm
Full Name: Brian
Post by bdg0296 »

I did try disabling Secure Boot and it didn't fix the problem. It's also happening on different model Dell computers.
BackupBytesTim
Service Provider
Posts: 398
Liked: 57 times
Joined: Apr 29, 2022 2:41 pm
Full Name: Tim
Post by BackupBytesTim »

Did you also manually apply the revocations as described in section 3, "APPLY the revocations", of the "Deployment guidelines" section?

If you did, then your issue could be related. If you did not, then, as the revocation policies are not applied automatically as of today, your issue is probably different.
Dima P.
Product Manager
Posts: 14417
Liked: 1576 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Post by Dima P. »

Hello Brian,

Please open a support case and share the case id with us. Thank you!
sykerzner
Service Provider
Posts: 33
Liked: 2 times
Joined: Jul 27, 2020 1:16 pm
Full Name: SYK
Post by sykerzner »

Hi,
For a Veeam Agent backup job: after the revocations have been applied and we have a local Active Full, do any Copy Jobs also need active fulls?
Dima P.
Product Manager
Posts: 14417
Liked: 1576 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Post by Dima P. »

Hi SYK,

Yes, please push the Active Full for the backup copy jobs too. Thank you!
BackupBytesTim
Service Provider
Posts: 398
Liked: 57 times
Joined: Apr 29, 2022 2:41 pm
Full Name: Tim
Post by BackupBytesTim » 1 person likes this post

I am curious, the entire time this thread has been going on I've accepted Veeam's stated solution about Active Full backups, but I actually don't understand why that's needed.

If something changes on the hard drive (such as the installed Windows image), that gets collected in an incremental backup like normal, does it not? Are there some parts of the hard drive that an incremental backup ignores, so that an Active Full backup is required?
matthewr
Influencer
Posts: 10
Liked: 2 times
Joined: May 28, 2019 8:08 pm
Full Name: Matthew R
Post by matthewr »

bdg0296 wrote: Aug 23, 2023 1:02 pm I'm assuming this is still an issue? Because I am unable to boot off of freshly created USB boot media with Veeam on multiple windows 10 machines.

I'm asking because https://www.veeam.com/kb4452 says "new deployments no action required" but I am still unable to boot from the USB boot media.

I was also unable to boot using the method described in this thread to update the wim file and recreating the boot media as I got the same error:

The operating system couldn't be loaded because the kernel is missing or contains errors.

File: \windows\system32\ntoskrnl.exe
Error code: 0xc000a004
Did you manage to resolve this? I am seeing the same error on my Dell laptop. I am able to boot Windows install media (i.e. an ISO created with MediaCreationTool22H2.exe), so the error seems specific to the Veeam recovery media.
Dima P.
Product Manager
Posts: 14417
Liked: 1576 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Post by Dima P. »

matthewr,

Have you patched the recovery media? Thank you!
trunks403
Lurker
Posts: 1
Liked: never
Joined: Jul 21, 2023 7:03 am
Full Name: Martin Tuithof
Post by trunks403 »

Hello,

I am getting the same ntoskrnl.exe error when booting from the recovery image.
I followed the following instructions but still get the same:

------------------------------------------------------------------------------------------------------------------------------------------------

1. download from https://support.microsoft.com/en-us/top ... 3eb56fb589 the correct script file
2. download from https://www.catalog.update.microsoft.co ... =Safe%20OS the correct .cab file for the OS
3. run the script (optionally with the path manually provided via command and not via input)
4. check the output; the WinRE.wim file should be patched
5. run the new media creation with the updated WinRE.wim file inside
6. test the media
7. then run a full backup, just in case

But still getting the same error when booting.
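Tim's earlier note about running Microsoft's WinRE update script, and the step list in the post above, both amount to servicing WinRE.wim offline with a Safe OS Dynamic Update package and then building recovery media from the patched image. The script below is an added example of that servicing step done with the DISM PowerShell cmdlets, with a check afterwards of which CA signed the boot files inside the image; it is not Microsoft's script, not Veeam code, and not from this thread, and it does not diagnose the ntoskrnl.exe error reported above. It assumes that WinRE.wim was located with reagentc /info and copied to a writable path (the hypothetical C:\Temp paths below), that the .cab is the Safe OS Dynamic Update from the Microsoft Update Catalog for the same OS build, and that the image keeps its boot files under \Windows\Boot\EFI and \Windows\System32 (the signer check is skipped for any file that is absent). Run it elevated.

```powershell
# Added example, not Microsoft's script and not Veeam's: service WinRE.wim offline
# with a Safe OS Dynamic Update .cab, then report the Authenticode signer of the
# boot files inside the image before it is used to build recovery media.
# Run elevated. Paths are placeholders; the WIM must be a writable copy.
param(
    [string]$WinRePath = 'C:\Temp\WinRE.wim',        # copy of the image reported by 'reagentc /info'
    [string]$SafeOsCab = 'C:\Temp\SafeOS-DU.cab',    # Safe OS Dynamic Update for the same build
    [string]$MountDir  = 'C:\Temp\WinRE-Mount'
)

function Get-EfiSigner {
    param([string]$Path)
    # Subject of the Authenticode signer, or $null if the file is missing or unsigned.
    if (-not (Test-Path $Path)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
}

function Update-WinReImage {
    param([string]$Wim, [string]$Cab, [string]$Mount)
    New-Item -ItemType Directory -Path $Mount -Force | Out-Null

    $before = Get-WindowsImage -ImagePath $Wim -Index 1
    Write-Host "Before: $($before.ImageName), version $($before.Version)"

    Mount-WindowsImage -ImagePath $Wim -Index 1 -Path $Mount | Out-Null
    try {
        # Apply the Safe OS DU into the mounted image (same operation as the
        # Microsoft script performs with DISM).
        Add-WindowsPackage -Path $Mount -PackagePath $Cab | Out-Null

        # Report who signed the boot files now inside the image (assumed paths).
        $signers = [ordered]@{
            'Windows\Boot\EFI\bootmgfw.efi' = Get-EfiSigner (Join-Path $Mount 'Windows\Boot\EFI\bootmgfw.efi')
            'Windows\System32\winload.efi'  = Get-EfiSigner (Join-Path $Mount 'Windows\System32\winload.efi')
        }
        foreach ($k in $signers.Keys) { Write-Host ("{0,-32} {1}" -f $k, $signers[$k]) }

        # Commit only when the package applied without error; otherwise leave the WIM untouched.
        Dismount-WindowsImage -Path $Mount -Save | Out-Null
    } catch {
        Dismount-WindowsImage -Path $Mount -Discard | Out-Null
        throw
    }

    $after = Get-WindowsImage -ImagePath $Wim -Index 1
    Write-Host "After:  $($after.ImageName), version $($after.Version)"
    [pscustomobject]$signers
}

$result = Update-WinReImage -Wim $WinRePath -Cab $SafeOsCab -Mount $MountDir
if (($result.PSObject.Properties.Value -join ' ') -notmatch 'Windows UEFI CA 2023') {
    Write-Warning ('No boot file inside the serviced WinRE.wim is signed by Windows UEFI CA 2023; ' +
                   'media built from it will not boot on firmware where PCA 2011 has been revoked.')
}
```

The version reported by Get-WindowsImage before and after is a quick sanity check that the package actually went in; the signer output tells you whether the image you are about to hand to the Veeam media builder carries 2023-signed boot components, which is the property that matters once the revocation is in DBX. Whether a given build of the Veeam media creation tool picks up these files or its own copies is not stated in this thread, so test the resulting media on a revoked machine as step 6 above says.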