Error: Failed to enable DC SafeBoot mode

[mard]

6/23/2019 10:30:16 PM :: Error: Failed to enable DC SafeBoot mode Cannot execute [SetIntegerElement] method of [\\SERVERDC01\root\wmi:BcdObject.Id="{29e04330-060f-11e8-a8a4-9d3d29195e45}",StoreFilePath=""]. COM error: Code: 0xd0000022

Just wanted to seek help on this. Cannot follow on what is the resolution posted hear not much clear on my end.

veeam-agent-for-windows-f33/endpoint-do ... 44658.html

[Dima P.]

Hello Mark,

Do you have a case ID to share? Mind me asking what type of workload you are trying to protect? Do you have any antivirus software installed? Thank you in advance!

[mard]

Hi Dima,

Here is the case ID 03618764 but I think Veeam automatically closed it. I've submitted a new request via VEEAM application here is the new ID 03633889
I'm backing up a domain controller and AV installed is S1 (Sentinel One).

Best Regards,
Mark

[Gostev]

This looks like an environment specific issue that must be troubleshoot through debug logs by support engineers, and a webex session might be required. Since you're using the free product, your best bet is to keep opening cases until someone is available to work on it. Summers are generally more quiet from support perspective, so there are actually better chances now than during other months! Thanks.

[Dima P.]

I'm backing up a domain controller and AV installed is S1 (Sentinel One).

The conflict with antivirus filter driver should be the root cause as it blocks the ability to modify the boot record prior creating the backup. Try to disable the antivirus (and it's driver) and rerun the backup to make sure that issue is related to the antivirus. When confirmed, please raise a case with Sentinel One support. Cheers!

[mard]

Hi Dima,

Job completed without a problem. Can you clarify more what I need to raise it is the blocking of filter driver ? Only domain controllers are affected by this issue? As I have other 2012 R2 server not domain controller Veeam is working fine.

Best Regards,
Mark

[Dima P.]

Agent is modifying the boot record prior performing backup to make sure that resulting restore point is created in Directory Services Restore Mode (to load the domain controller properly during bare metal recovery). Sentinel One filter driver is blocking any modification of the boot record thus the back job fails - please ask Sentinel One support team, if possible, how to instruct filter driver to white-list Veeam Agent.

[mard]

Hi Dima,

Many thanks for your assistance.

Best Regards,
Mark

[Poel]

Dear mard,

did you ever find a solution for this with Sentinel One support?
I'm facing the issue myself now on a DC with Sentinel One.

Thank you

[Dima P.]

Hello Poel,

Unfortunately we do not have any ways to check if this issue has been addressed by Sentinel One team. If possible, please raise a support ticket at their side and and let us know how it goes. Thank you in advance!

[terranovateam]

I use a third party managed SentinelOne. I can confirm running into this same error with a 2016 Server Essentials DC running Veeam Windows Agent and SentinelOne. SentinelOne support was able to resolve by creating an alternate group in my Dashboard for me labeled "Veeam Endpoints" and specifically set safeBootProtection to false within the exclusions of that group. Upon moving the server S1 agent into that group and subsequently rebooting the server, the "Failed to enable DC safeboot mode" error was no longer present and backup job successful. Any time I have a server with the same error, I simply move the agent into that group and all is well.

[Dima P.]

Hello Derrick,

Thanks a lot for sharing this update with the community and glad to hear that there is a confirmed workaround. Cheers!

[benf]

Can anyone tell me where in the S1 portal the option to disable this protection? I put a server into a group, disabled all the engines, rebooted same thing. I selected the device did 'unprotect' ran the backup and it works fine.

Just to confirm this is Veeam Windows Agent running on domain controllers. Veeam seems to work fine on the hypervisor side across all systems and DC's. So its something specific to bare metal and domain controller protection. I was also given an exclusion list that I applied globally which included alot of Veeam folders and subfolders but that didn't seem to help.

[Dima P.]

Ben,

So far I've only found the detailed explanation of the exclusion setup. Can you please ask for the instructions from SentinelOne team? Thanks!

[CitSolution]

Found a workaround for our servers. I created a separate group in SentinelOne like mentioned before just for the affected servers at each site.

Used this info to find the correct safeBoot cmd to manually edit the Sentinel One config file.
https://documentation.solarwindsmsp.com ... _agent.htm

Config file location C:\Program Files\SentinelOne\Version x\SentinelCtl.exe
Navigate to this directory in Admin CMD. Then run this command: sentinelctl config -p agent.safeBootProtection -v false

We had tamper protection enabled, so you would throw a -k “Pass Phrase From Sentinel One Web Console Here” on the end. But the passphrase for that device wasn’t working in my case. So I turned off tamper protection for the group (only the one server was in there) and I edited the config. On the device details in Sentinel one you can go to Actions> Configuration to see the SafeBootProtection settings and confirm when it updates from True to False then re enable tamper protection.

[knightrider64]

I am in the same boat, Server 2012 R2 domain controller with VBR V11a, the Answers from CitSolution and info from terranovateam did the trick for me without even having to reboot the server. I used the sentinelctl commands and referenced the internal S1 knowledgebase as well. One thing to note is that they said that if you disable safebootprotection, it will void their ransomware warranty.

[Nodnarb]

Hi all,

I recently had a similar problem (Veeam case #05377961) and wanted to add my solution here in case Googling brought anyone else this way.

My error was: Error: Failed to disable DC SafeBoot mode Cannot get [BcdObject.Id="{9dea862c-5cdd-4e70-acc1-f32b344d4795}",StoreFilePath=""] object. COM error: Code: 0x80041010

We do not use SentinelOne, however.

The agent log on the server contained the lines below:

Code: Select all

[12.04.2022 19:05:34] <01> Info     Trying to backup system volume to temp file on dc
[12.04.2022 19:05:34] <01> Info     Enabling AD safe boot mode
[12.04.2022 19:05:34]      Info     <10e8>     Enabling AD SafeBoot mode
[12.04.2022 19:05:34]      Info     <10e8>             Connecting to WMI namespace.
[12.04.2022 19:05:34]      Info     <10e8>             Connecting to WMI namespace.. Ok.
[12.04.2022 19:05:34]      Info     <10e8>             Enabling DC SafeBoot mode
[12.04.2022 19:05:34]      Info     <10e8>                 UpdateSafeBootForAllLoaders registry value is not set. Using default value: false
[12.04.2022 19:05:34]      Info     <10e8>             Enabling DC SafeBoot mode. Failed.
[12.04.2022 19:05:34]      Info     <10e8>     Enabling AD SafeBoot mode. Failed.
[12.04.2022 19:05:34] <01> Info     Disabling AD safe boot mode
[12.04.2022 19:05:34]      Info     <10e8>     Disabling AD SafeBoot mode
[12.04.2022 19:05:34]      Info     <10e8>             Connecting to WMI namespace.
[12.04.2022 19:05:34]      Info     <10e8>             Connecting to WMI namespace.. Ok.
[12.04.2022 19:05:34]      Info     <10e8>             Disabling DC SafeBoot mode
[12.04.2022 19:05:34]      Info     <10e8>                     Loading original SafeBoot values from file [C:\ProgramData\Veeam\Endpoint\Backup\bcdorig.xml]
[12.04.2022 19:05:34]      Info     <10e8>                     Loading original SafeBoot values from file [C:\ProgramData\Veeam\Endpoint\Backup\bcdorig.xml]. Failed.
[12.04.2022 19:05:34]      Warning  <10e8>                 Unable to read original SafeBoot values.
[12.04.2022 19:05:34]      Warning  <10e8>                     Cannot load the specified XML file: [C:\ProgramData\Veeam\Endpoint\Backup\bcdorig.xml].
[12.04.2022 19:05:34]      Warning  <10e8>                     COM error: The system cannot locate the resource specified.
 Code: 0x1
[12.04.2022 19:05:34]      Info     <10e8>                 UpdateSafeBootForAllLoaders registry value is not set. Using default value: false
[12.04.2022 19:05:34]      Info     <10e8>             Disabling DC SafeBoot mode. Failed.
[12.04.2022 19:05:34]      Info     <10e8>     Disabling AD SafeBoot mode. Failed.

After various troubleshooting steps, I used a tool called WMI Explorer to compare WMI entries between the problem server (below, right) to another machine. Notice how the "BCD" entries were simply gone from the server when comparing a search side-by-side.



To fix it, I opened an Administrator command prompt and CD'd to c:\windows\system32\wbem. Running the command "mofcomp bcd.mof" fixed the issue. Re-running the search in WMI Explorer found the BCD entries just like it did on the comparison machine. The Veeam job then successfully ran.

I have no idea how the BCD entries disappeared from WMI in the first place, but I hope this helps someone.

[Dima P.]

Hello Brandon,

Thank you for sharing the solution with the community!

[mcbsys]

This error is suddenly back. Disabling SentinelOne safeBootProtection works around it, but voids the ransomware warranty.

I buy SentinelOne from Pax8. According to Pax8 support:

SentinelOne is aware of this issue and their Dev team is working to have a permanent fix in a future update. It is related to the DC safe boot protections implemented in agent version 23.2.3.358 and this causes Veeam to fail. As of this time, they have not provided a specific ETA or version that this is expected.

They have advised two workarounds in the meantime:

1. Disabling safe boot protection
2. Downgrading your affected agents to the previous version: 23.1.5.886"

[rmatt]

I have recently come across this issue, after speaking with SentinelOne Support the following solution was provided and fixed the problem:

1. On the Endpoint where the Veeam agent is installed, open CMD as Admin and change the directory to: C:\Program Files\SentinelOne\SentinelOne Agent version\

2. Run the following command:

Code: Select all

sentinelctl config antiTamperingConfig.allowSignedKnownAndVerifiedToSafeBoot true -k "passphrase"

The passphrase can be retrieved from within the SentinelOne portal: Sentinels > Select Endpoint > Actions > Agent Actions > Show Passphrase.

3. Once the command has run, make sure this configuration is True by running the following command:

Code: Select all

sentinelctl config antiTamperingConfig.allowSignedKnownAndVerifiedToSafeBoot

The output should be True.

4. Reboot the Endpoint for the changes to apply. After the machine has restarted, the Veeam Backup should now run successfully.

[kobus78]

2024/01/04 18:05:10 :: Error: Failed to enable DC SafeBoot mode
Cannot execute [SetIntegerElement] method of [\\ServerDC\root\wmi:BcdObject.Id="{a9f0ac72-2858-11ee-b090-a6ba3ee88b41}",StoreFilePath=""].
COM error: Code: 0xd0000022

Run into the same issue all of a sudden after running SentinelOne for a few months.
I had Sentinel Agent 23.1.5.886 installed. So downgrading to this version wasn't an option, nor seems it a solution to the problem anymore.

So I've updated the agent to the latest version 23.3.3.264

I still followed the instructions from matt, but my backup is still failing.

The only workaround left is to disable SafeBoot completely (if you are willing to run the risk).

[Dima P.]

Kobus,

Is it possible to open the case with SentinelOne team? Possibly they've prepared a fix for this issue or can provide a workaround for a new SentinelOne agent version? Thank you!

[mcbsys]

My SentinelOne vendor (Pax8) advised me that the "interoperability issue with Veeam" is resolved in 23.3, and in fact the release notes state as much (ID WIN-40598). I'm not sure what "interoperability issue" that is referring to, but after upgrading to 23.3.3.264 on a Server 2022 domain controller, I am again getting Veeam event 191:

Error: Failed to enable DC SafeBoot mode Cannot execute [SetIntegerElement] method of [\\MCB-DC\root\wmi:BcdObject.Id="{some guid}",StoreFilePath=...

On 10/23/2023, I downgraded to 23.1.5.886 to solve this, and it's been fine with that version. After downgrading S1 again, the Veeam backup worked.

[mcbsys]

Update: Pax8 advised me to use the command line to mitigate the issue, as @rmatt suggested, or to use this Policy override:

{
"antiTamperingConfig": {
"allowSignedKnownAndVerifiedToSafeBoot": true
}
}

With the policy override in place, I re-upgraded SentinelOne to 23.3.3.264 and no longer receive the DC Safeboot error.

[stanislavbaran]

Hello,

we have had the same issue on our 2022 DC with Veeam (Version 12).
Affected versions:
From 23.2 +
Following resolved the problem:

sentinelctl config antiTamperingConfig.allowSignedKnownAndVerifiedToSafeBoot true -k "PASSPHRASE"
sentinelctl config vssConfig.excludedVssWriters "" -k "passphrase"
sentinelctl config vssConfig.vssProtection true -k "passphrase"
sentinelctl unload -a -k "passphrase"
sentinelctl load -a

Happy fixing!.

[kobus78]

Thanks for the above Stanislav.
Unfortunately still doesn't work. Even rebooted the server as well.

I'll have to log a call through my 3rd party provider for this as well then.

I thought your fix would have helped me, since the Veeam job fails when trying to create the VSS snapshot.

[RobMiller86]

We are still dealing with this too. Sometimes it works, and sometimes it does not. S1 has been a real pain with backing up DCs. I'm dealing with 1 DC now that throws this no matter what I do:

Failed to prepare guest for hot backup. Details: VSSControl: -805306334 Backup job failed.
Cannot create a shadow copy of the volumes containing writer's data.
Cannot prepare the [NTDS] data to a subsequent restore operation.
Cannot process NTDS data.
Updating BCD failed.
Cannot execute [SetIntegerElement] method of [\\SERVERNAME\root\wmi:BcdObject.Id="{cd0922c3-4ef8-11ee-9786-8af7d491816a}",StoreFilePath=""].
COM error: Code: 0xd0000022

Will be opening an S1 ticket I guess to see what they say.

[kobus78]

I've spoken to my 3rd Party supplier. Since v23.3 is not GA for them, they can't even log a ticket to speed up the process in getting this resolved.
They however also confirmed that according to the release notes the "interoperability" issue with Veeam is resolved. They also questioned which "interoperability" issue(s) they have fixed - there were no specifics around it.

[SomewhereinSC]

This issue randomly popped up on me today... Microsoft Server 2019 Standard, Active Directory Server with all the FSMO roles, SentinelOne installed 23.2.3.358
Failed backup, error message here
1/23/2024 7:22:02 AM :: Error: Failed to enable DC SafeBoot mode Cannot execute [SetIntegerElement] method of [\\AMBIOAD3\root\wmi:BcdObject.Id="{28a56f6f-7697-11eb-8339-2cea7f8ef680}",StoreFilePath=""]. COM error: Code: 0xd0000022

I did try the mofcomp bcd.mof solution (listed above) on my server, retested and backup failed the same way.
Contacted my S1 provider.

[SomewhereinSC]

Future searchers my S1 provider had me run the following to correct the issue
On the endpoint on which the backup is failing, open CMD as Admin.
1. Go to: C:\Program Files\SentinelOne\SentinelOne Agent version
2. Run: sentinelctl config antiTamperingConfig.allowSignedKnownAndVerifiedToSafeBoot true -k "passphrase"
3. To make sure this configuration is True: sentinelctl config antiTamperingConfig.allowSignedKnownAndVerifiedToSafeBoot
1. The output should be True.
4. Reboot the machine.
5. After the machine is fully loaded, run Veeam Backup again.
After getting the long a$$ passphrase this ran and updated to true, then the Veeam job worked.