Backup of Windows 10 PC with server-managed Agent


Userlevel 7
Badge +4

Hello community,


I don’t know if this is common knowledge (I guess all the hardcore Windows Admins hanging around here know this), but I think I share this, nevertheless.

I have tried to back up a Windows 10 PC with a server managed VEEAM agent for the first time today (up to now there were Windows Server only). In this environment is no Windows Domain present, local users on all systems only.

When I tried to connect to the Windows 10 PC from my VEEAM Server to create a managed server the connection was refused. No specific error message, it just failed… 
OK, I tried to ping the PC and to connect to it, all ok. Then I tried an administrative share and it failed, too. So, it seems not to be a VEEAM Problem, but a Windows problem…

I did some internet research and found that the Windows administrative shares are not accessible by local accounts over the network since Windows Vista. OK, this is some time, but… when do you do such a thing?

After some more reading I finally found the solution. You have to set the following registry key:

Registrykey = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Keyname     = LocalAccountTokenFilterPolicy Datatype    = DWord (32 Bit) Value       = 1 (hex)

After the registry key was set the connection from the VEEAM Server to the PC worked without problem and I was able to create a managed server and a backup job for it.

The job ran successful and the processing rate was very good for a  1 GB Network – 117 MB/sec average speed…

I just tried this procedure with a Windows Server afterwards and it works, too. I think this could be useful when there is no domain available in a disaster situation and you have some files to backup or restore urgently.

It is perhaps not the smartest thing to activate by default because there could be some security issues. But in an emergency, it is good to know.

So, I hope I could tell at least some people here something that they didn’t know before…. I did learn something new today 😊


5 comments

Userlevel 7
Badge +7

I just tried this procedure with a Windows Server afterwards and it works, too

So that was the case with a server OS as well? Wow that I did not realize that. I guess this is again Microsoft trying to protect us from ourselves :). Registry changes tend to help solve that all the time.

Anyways, great to know this as I am sure this will come up.

 

 

Userlevel 7
Badge +4

Yes, the administrative shares are not accessible with a local account with Windows Server 2021 R2, 2016, 2019, too.

I don't have any other versions available. But when it is true that the change was with Windows Vista, then the corresponding server version should be 2008…. and the last version without this change 2003.

Userlevel 6
Badge +3

Hi Joe,

this registry keyis also stated in the BP guide here: https://bp.veeam.com/vbr/VBP/Security/hardening_backup_repository_windows.html#disable-remote-rdp-services

Almost always applies to using local administrative accounts to utilize admin$ when they are not in the domain.

 

Note: UAC affects connections for nondomain/local user accounts. If you connect to a remote computer using a nondomain/local user account included in the local Administrators group of the remote computer, then you must explicitly grant remote DCOM access, activation, and launch rights to the account. User Account Control (UAC) access-token filtering can affect which operations are allowed or what data is returned. Under UAC, all accounts in the local Administrators group run with a standard user access token, also known as UAC access-token filtering.

Userlevel 7
Badge +4

OK, thank you @falkob.

I did not find this document… Super that it is officially documented. :thumbsup_tone2:

Userlevel 6
Badge +3

Yeah I really love that BP guide, because there is almost everything documented from real-world scenarios. But again, nice sharing !

Comment