{"id":393,"date":"2025-11-16T17:31:22","date_gmt":"2025-11-16T17:31:22","guid":{"rendered":"https:\/\/www.lighthouse-program.com\/?p=393"},"modified":"2025-11-16T17:31:22","modified_gmt":"2025-11-16T17:31:22","slug":"lessi-learned-week-47-2025","status":"publish","type":"post","link":"https:\/\/www.lighthouse-program.com\/?p=393","title":{"rendered":"Lessi learned \u2013 week 47\/2025"},"content":{"rendered":"\n<p class=\"has-white-color has-text-color has-link-color wp-elements-643e563ba84db2cad9f62cad97a8e0b3 wp-block-paragraph\"><strong>Welcome to the \u201cLessi Learned\u201d Newsletter!<\/strong><\/p>\n\n\n\n<div style=\"height:28px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignleft size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"196\" height=\"292\" src=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/louvre.jpg\" alt=\"\" class=\"wp-image-447\" srcset=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/louvre.jpg 196w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/louvre-141x210.jpg 141w\" sizes=\"auto, (max-width: 196px) 100vw, 196px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">We all use <em>totally secure<\/em> passwords in both our private and professional lives\u2014right? But is that really the case?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Take for example the rather <em>surprising<\/em> revelations after the recent heist at the Louvre Museum in Paris: during the robbery last month, it emerged that the password for the museum\u2019s video-surveillance system was simply <strong>\u201cLOUVRE\u201d<\/strong>. (<a href=\"https:\/\/cybernews.com\/news\/louvre-password-heist\/?utm_source=lighthouse-program.com\" target=\"_blank\" rel=\"noreferrer noopener\">cybernews.com<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As if the front-door code to Fort Knox were \u201cFORT\u2009KNOX\u201d (but possibly worth a try \ud83d\ude0a ).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Incidents like this perfectly highlight why, in the new <strong>Veeam Software Appliance V13<\/strong>, the password policies based on Defense Information Systems Agency (\u201cDISA-STIG\u201d) standards <strong>cannot<\/strong> be weakened by administrators.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Is it fun, or particularly user-friendly, to be forced into complex passwords with uppercase, lowercase, numbers, and symbols? No. But as the Louvre example shows, it\u2019s absolutely essential.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I hope my \u201cLessi-learned\u201d insights from the past two weeks are interesting and useful for you\u2014thanks for reading, and happy (and safe) password-practicing!<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:50%\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<div class=\"wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-8f761849 wp-block-group-is-layout-flex\">\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:17% auto\"><figure class=\"wp-block-media-text__media\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/lightning.png\" alt=\"\" class=\"wp-image-297 size-full\" srcset=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/lightning.png 1024w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/lightning-300x300.png 300w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/lightning-150x150.png 150w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/lightning-768x768.png 768w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/lightning-210x210.png 210w\" sizes=\"auto, (max-width: 980px) 100vw, 980px\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<h1 class=\"wp-block-heading\"><strong>Newsflash<\/strong><\/h1>\n<\/div><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"has-white-color has-text-color has-link-color wp-elements-50fa6453bfd655b16bf79d8c96cbf20b wp-block-paragraph\"><strong>New Integration: Veeam App for Microsoft Sentinel<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <strong>Veeam App for Microsoft Sentinel<\/strong> is installed directly in the <strong>Azure Portal\u2019s Sentinel Content Hub<\/strong> and enables the integration of backup and security events from the <strong>Veeam Data Platform<\/strong> into Microsoft Sentinel.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The app ingests over <strong>300 backup and security events<\/strong>, including job failures, suspicious activity, ransomware detections, and restore operations. These events are delivered via the Veeam API or Syslog to the <strong>Log Analytics Workspace<\/strong> used by Sentinel.<\/p>\n\n\n\n<figure data-wp-context=\"{&quot;imageId&quot;:&quot;6a21349fe9657&quot;}\" data-wp-interactive=\"core\/image\" data-wp-key=\"6a21349fe9657\" class=\"wp-block-image size-full is-resized wp-lightbox-container\"><img loading=\"lazy\" decoding=\"async\" width=\"961\" height=\"457\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on--click=\"actions.showLightbox\" data-wp-on--load=\"callbacks.setButtonStyles\" data-wp-on--pointerdown=\"actions.preloadImage\" data-wp-on--pointerenter=\"actions.preloadImageWithDelay\" data-wp-on--pointerleave=\"actions.cancelPreload\" data-wp-on-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/dashboards_security_activities_syslog.png\" alt=\"\" class=\"wp-image-458\" style=\"width:589px;height:auto\" srcset=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/dashboards_security_activities_syslog.png 961w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/dashboards_security_activities_syslog-300x143.png 300w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/dashboards_security_activities_syslog-768x365.png 768w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/dashboards_security_activities_syslog-210x100.png 210w\" sizes=\"auto, (max-width: 961px) 100vw, 961px\" \/><button\n\t\t\tclass=\"lightbox-trigger\"\n\t\t\ttype=\"button\"\n\t\t\taria-haspopup=\"dialog\"\n\t\t\tdata-wp-bind--aria-label=\"state.thisImage.triggerButtonAriaLabel\"\n\t\t\tdata-wp-init=\"callbacks.initTriggerButton\"\n\t\t\tdata-wp-on--click=\"actions.showLightbox\"\n\t\t\tdata-wp-style--right=\"state.thisImage.buttonRight\"\n\t\t\tdata-wp-style--top=\"state.thisImage.buttonTop\"\n\t\t>\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewBox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\" \/>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Native dashboards<\/strong> are provided in <em>Sentinel \u2192 Workbooks<\/em>, alongside <strong>analytic rules, hunting queries, and automation playbooks<\/strong> that allow actions such as restores or malware scans to be triggered directly from Sentinel.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The app is <strong>available at no additional cost<\/strong> for customers with <strong>Veeam Data Platform Advanced or Premium editions<\/strong> and can be installed via the <strong>Microsoft Marketplace<\/strong> or <strong>Sentinel Content Hub<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Want to learn more? Here are the links:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/helpcenter.veeam.com\/docs\/security_plugins_microsoft_sentinel\/guide\/intro.html?ver=1\" target=\"_blank\" rel=\"noreferrer noopener\">Veeam Helpcenter direct link<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.veeam.com\/blog\/veeam-microsoft-sentinel-backup-security-integration.html\" target=\"_blank\" rel=\"noreferrer noopener\">Veeam Blog Article<\/a><\/li>\n<\/ul>\n\n\n\n<div style=\"height:31px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div style=\"height:31px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Patch your systems!<\/h3>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Keeping your environment up to date is crucial. Here are the key updates from the past few days:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"687\" height=\"1024\" src=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/server-patch-687x1024.jpg\" alt=\"\" class=\"wp-image-371\" style=\"width:142px;height:auto\" srcset=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/server-patch-687x1024.jpg 687w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/server-patch-201x300.jpg 201w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/server-patch-768x1144.jpg 768w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/server-patch-141x210.jpg 141w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/server-patch.jpg 784w\" sizes=\"auto, (max-width: 687px) 100vw, 687px\" \/><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.veeam.com\/kb4751\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Veeam Backup for Microsoft 365 8.2 \/ KB4751<\/strong><\/a><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This release was already part of &#8220;Patch your systems&#8221; in my last newsletter. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But because of the &#8220;Files with Microsoft Purview Sensitivity Labels Are Not Accessible After Being Restored&#8221; issue it might make sense to upgrade to 8.2.0.2008 as a minimum, better to the latest build. Read more about this issue in <a href=\"https:\/\/www.veeam.com\/kb4754\" target=\"_blank\" rel=\"noreferrer noopener\">KB 4754<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Beside that it also fixes the &#8220;<em>Processing archive mailbox: username@organization.com failed with error: Mailbox is not fully configured.<\/em>&#8221; issue (read more here in <a href=\"https:\/\/www.veeam.com\/kb4787\" target=\"_blank\" rel=\"noreferrer noopener\">KB4787<\/a>). There is a good chance, that you will get rid of some errors in the console.<\/p>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:50%\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<div class=\"wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-8f761849 wp-block-group-is-layout-flex\">\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:17% auto\"><figure class=\"wp-block-media-text__media\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/bulb.png\" alt=\"\" class=\"wp-image-300 size-full\" srcset=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/bulb.png 1024w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/bulb-300x300.png 300w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/bulb-150x150.png 150w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/bulb-768x768.png 768w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/bulb-210x210.png 210w\" sizes=\"auto, (max-width: 980px) 100vw, 980px\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<h1 class=\"wp-block-heading\"><strong>Lessons learned<\/strong><\/h1>\n<\/div><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>My lessons learned these week<\/strong>s (and there were many of them for whatever reason):<\/p>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"307\" height=\"205\" src=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/no-connect-black.png\" alt=\"\" class=\"wp-image-399\" style=\"width:216px;height:auto\" srcset=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/no-connect-black.png 307w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/no-connect-black-300x200.png 300w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/no-connect-black-210x140.png 210w\" sizes=\"auto, (max-width: 307px) 100vw, 307px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"has-white-color has-text-color has-link-color wp-elements-4fcdc7686d9341d4d3d0b0449e2e4d00 wp-block-paragraph\"><strong>No Connection? Check the Security Officer First!<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With the release of <strong>Veeam Software Appliance (VSA) version 13<\/strong>, Veeam also introduced its brand-new <strong>Infrastructure Appliance<\/strong>: it enables the deployment of infrastructure roles such as <strong>Proxy<\/strong> or even the <strong>Hardened Repository<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Before you can successfully connect such a Hardened Repository with the VSA, there\u2019s one small \u2014 but crucial \u2014 step you shouldn\u2019t overlook:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Under <strong>\u201cHost Management,\u201d<\/strong> make sure to <strong>complete the activation\/configuration of the \u201cSecurity Administrator\u201d role<\/strong> on your Hardened Repository.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Skip this, and you\u2019ll see a handful of cryptic errors like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Failed to connect to deployer service, host &#8216;x.x.x.x&#8217;, port &#8216;6160&#8217;<\/li>\n\n\n\n<li>Failed to check deployer service compatibility. <\/li>\n\n\n\n<li>Failed to verify the client connection token.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Once the Security Officer role is properly configured, nothing stands in the way of linking your Hardened Repository with the VSA.<\/p>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-white-color has-text-color has-link-color wp-elements-62ae91e1258c9c040ed5791087749716 wp-block-paragraph\"><strong>How to pre-seed backup files to a Veeam Hardened Repository<\/strong><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignleft size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"328\" height=\"144\" src=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/migrate-data.png\" alt=\"\" class=\"wp-image-403\" srcset=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/migrate-data.png 328w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/migrate-data-300x132.png 300w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/migrate-data-210x92.png 210w\" sizes=\"auto, (max-width: 328px) 100vw, 328px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">When migrating <strong>existing backup chains to a new (hardened) repository<\/strong>, precision is key.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One skipped step can mean trouble for your data integrity \u2014 so here\u2019s how to do it right<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To ensure a smooth and safe migration, follow <strong>steps 1\u20135 from the official Veeam Help Center guide<\/strong> exactly as described: \ud83d\udd17 <a href=\"https:\/\/helpcenter.veeam.com\/docs\/backup\/vsphere\/backup_copy_mapping_auxiliary.html?ver=120\" target=\"_blank\" rel=\"noreferrer noopener\">Help Center Instructions<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Key points to consider:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Follow the documented procedure precisely.<\/strong> No exclusions, retention adjustments, or other deviations are permitted during the process.<\/li>\n\n\n\n<li><strong>Pause the primary backup job.<\/strong> Until the final Backup Copy Job is operational, no new backups may be created.<\/li>\n\n\n\n<li><strong>Data transfer (Step 3: \u201cTransfer\u201d).<\/strong> When moving data from an intermediate repository (for example, a USB drive) to the hardened repository, use the <strong>\u201cFile Copy\u201d<\/strong> function in the Veeam Backup &amp; Replication GUI. The entire subfolder (matching the backup job name) must be copied without any file modifications.<\/li>\n\n\n\n<li>Immutability is not active immediately after transfer. It becomes effective only once the primary backup job runs again and automatically triggers the Backup Copy Job. From that point onward, the immutable flag is applied to all newly created restore points in the chain. Existing points remain unchanged.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This ensures a clean and verifiable migration process with consistent data protection across all repositories.<\/p>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-white-color has-text-color has-link-color wp-elements-e957d57d526e1557982cd27af2398fb1 wp-block-paragraph\"><strong>Veeam Backup for M365 &#8211; Immutability &amp; Backup Copy Jobs<\/strong><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"256\" height=\"256\" src=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/m365-backup-immutability.png\" alt=\"\" class=\"wp-image-413\" style=\"width:174px;height:auto\" srcset=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/m365-backup-immutability.png 256w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/m365-backup-immutability-150x150.png 150w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/m365-backup-immutability-210x210.png 210w\" sizes=\"auto, (max-width: 256px) 100vw, 256px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">Sometimes it\u2019s the small settings that matter most. The following is valid only for Veeam Backup for M365 installations using Object Storage as repository. To be honest, I was not aware of this little note:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>For <strong>Backup Copy Jobs<\/strong>: the <strong>immutability period<\/strong> of the target object-storage <strong>must equal<\/strong> the job\u2019s <strong>retention period<\/strong>. <a href=\"https:\/\/helpcenter.veeam.com\/docs\/vbo365\/guide\/target_backup_copy_repo.html?utm_source=lighthouse-program.com\" target=\"_blank\" rel=\"noreferrer noopener\">Veeam Helpcenter documentation<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>For <strong>primary backup jobs<\/strong>, immutability can be configured independently (it doesn\u2019t have to match retention). <a href=\"https:\/\/helpcenter.veeam.com\/docs\/vbo365\/guide\/new_ibm_configure_immutability.html?utm_source=lighthouse-program.com\" target=\"_blank\" rel=\"noreferrer noopener\">Veeam Helpcenter documentation<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>Documentation in Helpcenter is clear, but easy to miss.<\/p>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-white-color has-text-color has-link-color wp-elements-51b0f2c574662c7b550e6bcf081db273 wp-block-paragraph\"><strong>Veeam Software Appliance v13 &amp; fun with DISA-STIG, Passwords, MFA<\/strong> <\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"687\" height=\"1024\" src=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/totp-seed-687x1024.jpg\" alt=\"\" class=\"wp-image-421\" style=\"width:146px;height:auto\" srcset=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/totp-seed-687x1024.jpg 687w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/totp-seed-201x300.jpg 201w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/totp-seed-768x1144.jpg 768w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/totp-seed-141x210.jpg 141w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/totp-seed.jpg 784w\" sizes=\"auto, (max-width: 687px) 100vw, 687px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">This week I spent considerable time working with the new Veeam Software Appliance (VSA) v13. One topic you simply cannot avoid in this context is hardening according to the DISA STIG.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s quite the challenge to come up with a password that meets the strict password-policy requirements. And then MFA enters the picture.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019ve already worked with the VSA, you know that you need separate users: one for host-management and another for console access to Veeam Backup &amp; Replication (VBR) itself. Although the username might be the same for both accesses, MFA must be configured individually for each of these users. That was my first \u201cLessi-learned\u201d in this context.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The second learning concerns documentation: Many organisations use a password safe for storing passwords securely and in a retrievable manner. It makes perfect sense to document the TOTP-seed as well \u2014 just in case you ever need to re-configure your authenticator app. The TOTP seed is displayed during MFA setup, alongside the QR-code.<\/p>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-white-color has-text-color has-link-color wp-elements-e30aa356f5ac4753b8141ef1f24d6abd wp-block-paragraph\"><strong>SureBackup: VMs Fail to Start Due to Invalid Credentials<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A recent SureBackup issue revealed an unusual cause.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignleft size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"307\" height=\"205\" src=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/power-on-surebackup.png\" alt=\"\" class=\"wp-image-416\" style=\"width:258px;height:auto\" srcset=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/power-on-surebackup.png 307w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/power-on-surebackup-300x200.png 300w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/power-on-surebackup-210x140.png 210w\" sizes=\"auto, (max-width: 307px) 100vw, 307px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\"><br>Although the configuration appeared correct, the VMs inside the Veeam Data Lab would not start. All error messages pointed to invalid credentials \u2014 but not for any backup infrastructure accounts.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The issue turned out to be related to the <strong>root credentials of the Virtual Lab (Helper) appliance<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Solution: update the password in <strong>Veeam Credential Manager<\/strong> (Type: <em>SSH<\/em>, Description: <em>Helper Appliance credentials<\/em>) as described in <a href=\"https:\/\/www.veeam.com\/kb1447?utm_source=lighthouse-program.com\" target=\"_blank\" rel=\"noreferrer noopener\">Veeam KB1447<\/a>.<br>Afterward, open the <strong>Virtual Lab properties<\/strong> and click <em>Next \u2192 Next \u2192 Finish<\/em> to reapply the configuration.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I\u2019m not entirely sure <em>why<\/em> this happened (perhaps someone had modified the passwords in the Credential Manager), but it\u2019s definitely something worth noting down \u2014 just in case the same behavior shows up again.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:50%\">\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<div class=\"wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-8f761849 wp-block-group-is-layout-flex\">\n<div class=\"wp-block-media-text is-stacked-on-mobile\" style=\"grid-template-columns:17% auto\"><figure class=\"wp-block-media-text__media\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/Pin.png\" alt=\"\" class=\"wp-image-298 size-full\" srcset=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/Pin.png 1024w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/Pin-300x300.png 300w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/Pin-150x150.png 150w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/Pin-768x768.png 768w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/10\/Pin-210x210.png 210w\" sizes=\"auto, (max-width: 980px) 100vw, 980px\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<h1 class=\"wp-block-heading\"><strong>Feature of the day<\/strong><\/h1>\n<\/div><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">I\u2019ve always found it a bit annoying that after <strong>Instant Recovery<\/strong> operations, the <strong>vPower NFS datastores<\/strong> stay mounted on ESXi hosts \u2014 even though the recovery job is long finished. Some admins even resort to <strong>custom cleanup scripts<\/strong> just to keep their environments tidy.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"307\" height=\"205\" src=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/nfs-datastore.png\" alt=\"\" class=\"wp-image-407\" style=\"width:291px;height:auto\" srcset=\"https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/nfs-datastore.png 307w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/nfs-datastore-300x200.png 300w, https:\/\/www.lighthouse-program.com\/wp-content\/uploads\/2025\/11\/nfs-datastore-210x140.png 210w\" sizes=\"auto, (max-width: 307px) 100vw, 307px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">As it turns out, there\u2019s a <strong>hidden feature<\/strong> in Veeam that can handle this automatically.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s not enabled by default, but with two simple <strong>registry keys<\/strong>, you can make Veeam perform the unmounting process for you \u2014 clean and controlled.<\/p>\n\n\n\n<p class=\"has-white-color has-text-color has-link-color wp-elements-ddaaf357be772d48a9f387369a59427c wp-block-paragraph\"><strong>Automatically Unmount vPower NFS Datastores from ESXi Hosts<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These registry keys automate the cleanup of vPower NFS datastores, for example, after Instant Recovery operations.<br>Without them, manual cleanup or scripting is required.<\/p>\n\n\n\n<p class=\"has-white-color has-text-color has-link-color wp-elements-d17108471d4bcaf39598eeaa77ccadee wp-block-paragraph\"><strong>1. vPowerNFSUnmountDatastore (DWORD, 1)<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Purpose:<\/strong> Controls whether Veeam Backup &amp; Replication automatically unmounts the vPower NFS datastore after completing a restore operation (such as Instant VM Recovery).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Usage:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Value 1:<\/strong> Enable automatic unmounting.<\/li>\n\n\n\n<li><strong>Value 0 (or missing):<\/strong> Keep the datastore mounted after the job finishes.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How to set:<\/strong><br>Create a DWORD value named <code>VPowerNFSUnmountDatastore<\/code> under the registry path:<br><code>HKLM\\SOFTWARE\\Veeam\\Veeam Backup and Replication<\/code><br>Set the value to <code>1<\/code>.<\/p>\n\n\n\n<p class=\"has-white-color has-text-color has-link-color wp-elements-eff8e2f01dda180b6fe5131bbe8a5dd0 wp-block-paragraph\"><strong>2. vPowerNFSUnmountDatastoreRetryTimeoutMinutes (DWORD, X)<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Purpose:<\/strong> Defines the timeout (in minutes) for retrying the unmount if the first attempt fails.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Usage:<\/strong><br>The value specifies how long Veeam will keep retrying before giving up.<br>For example, <code>1<\/code> means retry unmounting for up to one minute.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>How to set:<\/strong><br>Create a DWORD value named <code>vPowerNFSUnmountDatastoreRetryTimeoutMinutes<\/code> in the same registry location and set it to the desired number of minutes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After adding or modifying these keys, <strong>restart the Veeam services<\/strong> to activate the setting.<br>From then on, Veeam will automatically take care of unmounting vPower NFS datastores \u2014 no more manual cleanup, no more leftover entries in vSphere.<\/p>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div style=\"height:39px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Thanks for reading<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">I hope you enjoyed this edition of my Lessi-Learned Newsletter. Thank you for reading!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Got feedback or something you want to see in the next edition? Leave a comment, write me on X (<a href=\"https:\/\/x.com\/lessi001\" data-type=\"link\" data-id=\"https:\/\/x.com\/lessi001\" target=\"_blank\" rel=\"noreferrer noopener\">@lessi001<\/a>) or connect at <a href=\"https:\/\/www.linkedin.com\/in\/andreas-lesslhumer-2bb2725b\/\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Want to get the newsletter hot off the press? Sign up for my mailing list and I\u2019ll drop a note in your inbox as soon as the latest issue is ready:<\/p>\n\n\n\n<div class=\"wp-block-noptin-email-optin is-style-noptin-flex has-black-background-color has-background has-small-font-size\"><form><div class=\"noptin-block-form-header\">\n<h2 class=\"wp-block-heading noptin_form_title\">Subscribe to the Newsletter:<\/h2>\n<\/div><div class=\"noptin-block-form-footer\"><input type=\"email\" class=\"noptin_form_input_email\" placeholder=\"Email Address\" name=\"noptin_fields[email]\" required\/><input value=\"SUBSCRIBE\" type=\"submit\" class=\"noptin_form_submit wp-element-button\"\/><\/div><div class=\"noptin-form-notice noptin-response\" role=\"alert\"><\/div><input type=\"hidden\" name=\"source\" value=\"block\"\/><\/form><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to the \u201cLessi Learned\u201d Newsletter! We all use totally secure passwords in both our private and professional lives\u2014right? But is that really the case? Take for example the rather surprising revelations after the recent heist at the Louvre Museum in Paris: during the robbery last month, it emerged that the password for the museum\u2019s [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-393","post","type-post","status-publish","format-standard","hentry","category-newsletter"],"_links":{"self":[{"href":"https:\/\/www.lighthouse-program.com\/index.php?rest_route=\/wp\/v2\/posts\/393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lighthouse-program.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lighthouse-program.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lighthouse-program.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lighthouse-program.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=393"}],"version-history":[{"count":34,"href":"https:\/\/www.lighthouse-program.com\/index.php?rest_route=\/wp\/v2\/posts\/393\/revisions"}],"predecessor-version":[{"id":480,"href":"https:\/\/www.lighthouse-program.com\/index.php?rest_route=\/wp\/v2\/posts\/393\/revisions\/480"}],"wp:attachment":[{"href":"https:\/\/www.lighthouse-program.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lighthouse-program.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.lighthouse-program.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}