BugZero | Veeam BugID kb4456 - WDAC Supplemental Policy for Veeam Backup & Replic...

Veeam - Defect ID: kb4456

WDAC Supplemental Policy for Veeam Backup & Replication Components on Azure Stack HCI

Veeam - Defect ID: kb4456

WDAC Supplemental Policy for Veeam Backup & Replication Components on Azure Stack HCI

Last updated on June 17th, 2025

BugZero Risk Score
9.8 High

Overall: 9.8

Severity: 10.0

Community: 8.7

What is the BugZero Risk Score?

Veeam Integration

Learn more about where this data comes from

Veeam Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: Issue
Status: Solved
Views: 56

Description

Challenge

When attempting to add an Azure Stack HCI OS cluster or node to Veeam Backup & Replication, the following error occurs: Your organization used Device Guard to block this app. Contact your support person for more info. Failed to start service 'VeeamDeploySvc'. Host: 'x.x.x.x'. Failed to start deployment service on the target host

Cause

By default, Azure Stack HCI OS 23H2 and newer has Windows Defender Application Control (WDAC) enabled and running in the enforcement mode. WDAC is a software-based security layer that reduces the attack surface by enforcing an explicit list of software that is allowed to run. WDAC limits the applications and the code that can run on the core platform. To allow third-party non-Microsoft signed software to run on Azure Stack HCI nodes, a WDAC supplemental policy provided by the third-party software vendor must be installed.

Solution

Veeam Backup & Replication WDAC Supplemental Policy Deployment Download the Policy XML Package from the Download Information section below. Copy the policy XML file to a location on the CSV (Cluster Shared Volume) shared by the nodes. Deploy the policy using Add-ASWDACSupplementalPolicy cmdlet.This can also be done using the latest version of Windows Admin Center.

Download Information

Download Policy XML Filename: KB4456-VBR-AZHCI-supplemental-policy-1.0.0.4.zip Updated: 2025-03-27 MD5: C745A895B1C706AF5D1454DFD37278E8 SHA1: 3B01D9569A35DC93EFEC771E43936930DA743B99

More Information

Windows Defender Application Control for Azure Stack HCI (preview) Manage Windows Defender Application Control for Azure Stack HCI, version 23H2 KB4047: Veeam Support for Azure Stack HCI

Change history

No changes to display

2025-06-17 Added: 12.2, 12.3.1, 12.3, 12.1, 12.3.2

Top Veeam Defects

9.9Defect ID: kb4168
VeeamCDP I/O filter cannot be installed "Error: the operation is not allowed in the current state"
9.9Defect ID: kb1174
RPC function call failed. The RPC server is unavailable. w/ Application-Aware Processing
9.9Defect ID: kb4185
"Access is Denied." When Using a Local Account to Add a Windows Machine to Veeam Backup & Replication
9.8Defect ID: kb4815
Restore to Google Compute Engine Fails with API Errors When Using Helper Appliance
9.8Defect ID: kb1914
“Invalid Credentials” Error Adding a Hyper-V Host Using a Local Account

Ready to prevent the next vendor outage?

Get a demo

Veeam - Defect ID: kb4456

WDAC Supplemental Policy for Veeam Backup & Replication Components on Azure Stack HCI

Veeam - Defect ID: kb4456

WDAC Supplemental Policy for Veeam Backup & Replication Components on Azure Stack HCI

Last updated on June 17th, 2025

BugZero Risk Score9.8 High

Bug Details

Challenge

Cause

Solution

Download Information

More Information

Links

Top Veeam Defects

Ready to prevent the next vendor outage?

BugZero Risk Score
9.8 High