Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
mard
Novice
Posts: 6
Liked: never
Joined: Jun 20, 2019 9:59 am
Full Name: Mark Diaz
Contact:

Error: Failed to enable DC SafeBoot mode

Post by mard »

6/23/2019 10:30:16 PM :: Error: Failed to enable DC SafeBoot mode Cannot execute [SetIntegerElement] method of [\\SERVERDC01\root\wmi:BcdObject.Id="{29e04330-060f-11e8-a8a4-9d3d29195e45}",StoreFilePath=""]. COM error: Code: 0xd0000022

Just wanted to seek help on this. I cannot follow what the resolution posted here is; it is not very clear on my end.

veeam-agent-for-windows-f33/endpoint-do ... 44658.html

Dima P.
Product Manager
Posts: 11528
Liked: 1000 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Veeam Support Case 03618764

Post by Dima P. »

Hello Mark,

Do you have a case ID to share? Mind me asking what type of workload you are trying to protect? Do you have any antivirus software installed? Thank you in advance!

Re: Veeam Support Case 03618764

Post by mard »

Hi Dima,

Here is the case ID 03618764, but I think Veeam automatically closed it. I've submitted a new request via the Veeam application; here is the new ID: 03633889.
I'm backing up a domain controller and AV installed is S1 (Sentinel One).

Best Regards,
Mark

Gostev
SVP, Product Management
Posts: 26291
Liked: 4100 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam Support Case 03618764

Post by Gostev »

This looks like an environment-specific issue that must be troubleshot through debug logs by support engineers, and a webex session might be required. Since you're using the free product, your best bet is to keep opening cases until someone is available to work on it. Summers are generally more quiet from a support perspective, so there are actually better chances now than during other months! Thanks.

Re: Veeam Support Case 03618764

Post by Dima P. » 1 person likes this post

I'm backing up a domain controller and AV installed is S1 (Sentinel One).
The conflict with the antivirus filter driver should be the root cause, as it blocks the ability to modify the boot record prior to creating the backup. Try to disable the antivirus (and its driver) and rerun the backup to make sure that the issue is related to the antivirus. When confirmed, please raise a case with Sentinel One support. Cheers!

Re: Veeam Support Case 03618764

Post by mard »

Hi Dima,

Job completed without a problem. Can you clarify more what I need to raise? Is it the blocking of the filter driver? Are only domain controllers affected by this issue? I have another 2012 R2 server that is not a domain controller, and Veeam is working fine on it.

Best Regards,
Mark

Re: Veeam Support Case 03618764

Post by Dima P. »

The agent is modifying the boot record prior to performing the backup to make sure that the resulting restore point is created in Directory Services Restore Mode (to load the domain controller properly during bare metal recovery). The Sentinel One filter driver is blocking any modification of the boot record, thus the backup job fails - please ask the Sentinel One support team, if possible, how to instruct the filter driver to white-list Veeam Agent.
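
An added example, not from any poster and not Veeam or SentinelOne code: a read-only PowerShell check that decodes the COM error code from the first post and reports whether a boot entry carries the `safeboot` element. It assumes the agent's "DC SafeBoot mode" corresponds to the BCD `safeboot` element that `bcdedit` lists as `DsRepair`, and English `bcdedit` output; the function names are illustrative.

```powershell
# Added example. Read-only: nothing is written to the BCD store.

function Convert-NtHResult {
    # HRESULT_FROM_NT() wraps an NTSTATUS by setting FACILITY_NT_BIT (0x10000000).
    param([string]$Hex)
    $value = [Convert]::ToInt64(($Hex -replace '^0x', ''), 16)
    if (($value -band 0x10000000) -eq 0) { return $null }   # not a wrapped NTSTATUS
    $status = '0x{0:X8}' -f ($value -bxor 0x10000000)
    # Only the status relevant to this thread is named here.
    $names = @{ '0xC0000022' = 'STATUS_ACCESS_DENIED' }
    [pscustomobject]@{ NtStatus = $status; Name = $names[$status] }
}

function Get-SafeBootValue {
    # Returns the safeboot element from a bcdedit listing,
    # or $null when the element is absent (normal boot).
    param([string[]]$BcdLines)
    foreach ($line in $BcdLines) {
        if ($line -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

# Tail of the job error as posted at the top of this thread.
$jobError = 'COM error: Code: 0xd0000022'
if ($jobError -match 'Code:\s*(0x[0-9a-fA-F]+)') {
    Convert-NtHResult $Matches[1]
}

# Constructed sample of a bcdedit listing with the DSRM flag set.
$sample = @(
    'Windows Boot Loader',
    '-------------------',
    'identifier              {current}',
    'safeboot                DsRepair'
)
Get-SafeBootValue $sample

# On the domain controller itself, from an elevated prompt.
$out = bcdedit /enum '{current}'
if ($LASTEXITCODE -ne 0) {
    'bcdedit failed (run from an elevated prompt)'
} else {
    $live = Get-SafeBootValue $out
    if ($live) { "safeboot is set to $live" } else { 'safeboot element not present' }
}
```

The decoded status is an access-denied result on the BCD write, which is consistent with a protection driver refusing the change rather than a malformed request.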

Re: Veeam Support Case 03618764

Post by mard »

Hi Dima,

Many thanks for your assistance.

Best Regards,
Mark

Poel
Lurker
Posts: 1
Liked: never
Joined: Sep 27, 2019 11:51 am
Full Name: Jan Van de Poel
Contact:

Re: Error: Failed to enable DC SafeBoot mode

Post by Poel »

Dear mard,

Did you ever find a solution for this with Sentinel One support?
I'm facing the issue myself now on a DC with Sentinel One.

Thank you

Re: Error: Failed to enable DC SafeBoot mode

Post by Dima P. »

Hello Poel,

Unfortunately, we do not have any way to check if this issue has been addressed by the Sentinel One team. If possible, please raise a support ticket on their side and let us know how it goes. Thank you in advance!

terranovateam
Lurker
Posts: 1
Liked: 1 time
Joined: Feb 02, 2020 3:40 am
Full Name: Derrick Roberts
Contact:

Re: Error: Failed to enable DC SafeBoot mode

Post by terranovateam » 1 person likes this post

I use a third-party managed SentinelOne. I can confirm running into this same error with a 2016 Server Essentials DC running Veeam Windows Agent and SentinelOne. SentinelOne support was able to resolve it by creating an alternate group in my Dashboard for me labeled "Veeam Endpoints" and specifically setting safeBootProtection to false within the exclusions of that group. Upon moving the server's S1 agent into that group and subsequently rebooting the server, the "Failed to enable DC safeboot mode" error was no longer present and the backup job was successful. Any time I have a server with the same error, I simply move the agent into that group and all is well.

Re: Error: Failed to enable DC SafeBoot mode

Post by Dima P. »

Hello Derrick,

Thanks a lot for sharing this update with the community and glad to hear that there is a confirmed workaround. Cheers!

benf
Lurker
Posts: 1
Liked: never
Joined: Feb 22, 2020 6:19 pm
Full Name: Ben Filippelli
Contact:

Re: Error: Failed to enable DC SafeBoot mode

Post by benf »

Can anyone tell me where in the S1 portal the option to disable this protection is? I put a server into a group, disabled all the engines, rebooted, same thing. I selected the device, did 'unprotect', ran the backup and it works fine.

Just to confirm, this is Veeam Windows Agent running on domain controllers. Veeam seems to work fine on the hypervisor side across all systems and DCs. So it's something specific to bare metal and domain controller protection. I was also given an exclusion list that I applied globally, which included a lot of Veeam folders and subfolders, but that didn't seem to help.

Re: Error: Failed to enable DC SafeBoot mode

Post by Dima P. »

Ben,

So far I've only found the detailed explanation of the exclusion setup. Can you please ask for the instructions from SentinelOne team? Thanks!

CitSolution
Lurker
Posts: 1
Liked: never
Joined: Mar 27, 2020 1:06 am
Full Name: Ian Stewart
Contact:

Re: Error: Failed to enable DC SafeBoot mode

Post by CitSolution »

Found a workaround for our servers. I created a separate group in SentinelOne like mentioned before just for the affected servers at each site.

Used this info to find the correct safeBoot cmd to manually edit the Sentinel One config file.
https://documentation.solarwindsmsp.com ... _agent.htm

Config file location C:\Program Files\SentinelOne\Version x\SentinelCtl.exe
Navigate to this directory in Admin CMD. Then run this command: sentinelctl config -p agent.safeBootProtection -v false

We had tamper protection enabled, so you would throw a -k "Pass Phrase From Sentinel One Web Console Here" on the end. But the passphrase for that device wasn't working in my case. So I turned off tamper protection for the group (only the one server was in there) and I edited the config. On the device details in Sentinel One you can go to Actions > Configuration to see the SafeBootProtection settings and confirm when it updates from True to False, then re-enable tamper protection.
