Veeam Update In Silent Mode Fails When Running As SYSTEM

I’ve recently been doing a bunch of Veeam Backup & Replication 12.3 upgrades and have tried pushing them out via our RMM using Veeam’s silent mode. This involves providing an XML config file and running a special Veeam.Silent.Install.exe installer.

Our RMM, like most others, runs in the SYSTEM context, so you can imagine my surprise when the Veeam upgrade failed and this was in the log file:

<unattendedInstallationResult>
  <events>
    <event id="103" title="Invalid launch conditions.">
      <description><![CDATA[Unable to start the setup: the current account does not have Local Administrator privileges.]]></description>
    </event>
  </events>
</unattendedInstallationResult>

The fix

If you’re here just looking for a solution, in your RMM PowerShell script:

• Create a local admin account
• Create a scheduled task using schtasks.exe to run the Veeam silent installer under the context of the newly created local admin account with /RL HIGHEST.
• Run the scheduled task, wait for the Veeam.Silent.Install process to no longer be running
• Clean up after yourself; delete the scheduled task, delete the local admin

You can of course use an existing local admin account, this way was just easier for me as we manage multiple customers - it meant I didn’t need to provide credentials for each client.

But why?

My curiosity got the better of me and I ended up spending a bit of time looking at why Veeam would error out when running as SYSTEM. I loaded up ILSpy and went searching.

In the Veeam.Setup.Common.Foundation assembly I found a class called VmAdminLaunchCondition which had a Check method:

// Veeam.Setup.Common.Foundation.VmAdminLaunchCondition
using System.Security.Principal;

public LaunchConditionResult Check(IMessageHandler messageHandler)
{
	using WindowsIdentity windowsIdentity = WindowsIdentity.GetCurrent();
	if (null != windowsIdentity.User && windowsIdentity.User!.IsWellKnown(WellKnownSidType.LocalSystemSid))
	{
		messageHandler.ProcessError("Unable to start the setup: the current account does not have Local Administrator privileges.");
		return LaunchConditionResult.Error;
	}
	if (new WindowsPrincipal(windowsIdentity).IsInRole(WindowsBuiltInRole.Administrator))
	{
		return LaunchConditionResult.Continue;
	}
	messageHandler.ProcessError("Unable to start the setup: the current account does not have Local Administrator privileges.");
	return LaunchConditionResult.Error;
}

The key is the first if statement, we can test it with PowerShell running as SYSTEM via PSExec:

PS C:\> whoami
nt authority\system

PS C:\> $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
PS C:\> $Identity.User.IsWellKnown([System.Security.Principal.WellKnownSidType]::LocalSystemSid)
True

There we have it. The Veeam installer is specifically looking for the SYSTEM account and returning an error to the caller. I’m not sure if this is a bug or on purpose, but if it’s on purpose the error message could be more helpful (“running as SYSTEM is not supported” or some equivalent.).