Veeam Backup & Replication
Veeam Backup & Replication is an excellent choice for a business that needs to protect both physical/virtual infrastructure and cloud workspace data. It is considered an enterprise-grade industry standard because of its deep granularity, security features, and absolute reliability.
Here is exactly how to architect your dual-cloud strategy using Veeam for both sides of your business.
1. Backing Up Physical Infrastructure & Laptops
For your local office servers, virtual machines, and employee laptops, you will use the core Veeam Backup & Replication platform utilizing its Scale-Out Backup Repository (SOBR) feature.
The Workflow:
- Local Performance Tier: Veeam first takes a quick backup of your servers/laptops and saves it to a local storage device in your office (like a NAS or dedicated backup server). This allows for instant, 2-minute restores if someone accidentally deletes a file.
- Cloud 1 (Capacity Tier - Wasabi or Backblaze B2): As soon as the local backup finishes, Veeam instantly copies that data to your primary cloud. This keeps your last 30–90 days of data readily available in a fast, low-cost "hot" cloud.
- Cloud 2 (Archive Tier - AWS S3 Glacier or Azure Archive): Veeam then moves older backup chains, or mirrors the primary cloud, to your secondary cloud.
- Critical Setting: Enable Object Lock (Immutability) on this bucket. This ensures that even if ransomware compromises your local network, the data in this second cloud cannot be deleted or modified by anyone.
2. Backing Up Cloud Workspaces (M365 / Google Workspace)
To back up your company emails, OneDrive, SharePoint, or Google Drive, you will use Veeam Data Cloud (Veeam's fully managed, cloud-to-cloud SaaS backup service).
The Workflow:
- Cloud 1 (Veeam's Azure Storage): By default, Veeam Data Cloud automatically backs up your entire Microsoft 365 or Google Workspace environment into Veeam's managed, highly secure Microsoft Azure storage buckets up to 4 times a day.
- Cloud 2 (Independent Secondary Target): To achieve your mandate of two cloud backups, you can configure Veeam to target a completely separate, secondary storage destination (such as an independent AWS S3 bucket that your company owns).
This ensures that your cloud workspace data is completely isolated from your primary Google/Microsoft ecosystem and split across two entirely different cloud infrastructure giants.
Next Steps for Deployment
- Check Windows Versions: Ensure all employee laptops are running Windows Pro or Enterprise (Veeam agents require this for central management).
- Provision Cloud Storage: Before configuring Veeam, you will need to open accounts with your chosen cloud providers (e.g., Wasabi for Cloud 1 and AWS for Cloud 2) so you can generate the API keys Veeam needs to send the data.
- Set Up the Veeam Central Console: Install the Veeam Backup & Replication console on a dedicated machine or VM in your primary office to serve as the "brain" managing all your local and remote laptop agents.
1. To manage all employee laptops centrally from your master Veeam Backup & Replication console, your machine environment must support remote management connections, administrative API calls, and silent background installations.
While the standalone, unmanaged Veeam Agent can technically run on Windows Home to back up to a local USB stick, Veeam’s central push deployment and monitoring strictly require Windows Pro, Enterprise, or Education. Windows Home is locked down by Microsoft and lacks the networking protocols Veeam requires to govern it remotely.
The following checklist details why this requirement matters, how to audit your fleet, and how to fix non-compliant devices.
🔍 Why Windows Pro/Enterprise is Required for Veeam
When you tell your Veeam server to find a laptop and back it up, Veeam uses background system mechanics that are completely missing or disabled in Windows Home:
- The ADMIN$ Share: Veeam uses this invisible administrative directory path to push down and update its backup agent installer file silently. Windows Home blocks this network path.
- Remote Registry & WMI: Veeam queries the device's hardware specs and network state using Windows Management Instrumentation (WMI). Windows Home restricts remote WMI requests.
- Local Administrator Authentication: Centralized deployment relies on passing administrative credentials over the local network to gain background installation permission—a feature restricted in Windows Home's basic security architecture.
🛠️ Step 1: How to Audit Your Fleet's Windows Versions
Before deploying Veeam, you can audit your laptops instantly rather than manually checking every single machine.
Method A: For companies using Microsoft Intune / Entra ID
- Log into your Microsoft Intune admin center.
- Go to Devices $\rightarrow$ Windows $\rightarrow$ Windows devices.
- Look at the OS Edition column. Filter or sort the list to flag any machines displaying "Windows Home".
Method B: The Command Line Script (For networks without central MDM)
If you don't have an asset manager, have your IT support tech run this quick, single-line command in Windows PowerShell on any questionable laptop:
(Get-WmiObject Win32_OperatingSystem).Caption
- Expected Output: Microsoft Windows 11 Pro or Enterprise.
- Flagged Output: If it says Windows 11 Home, it will fail Veeam's central discovery scanner.
🔄 Step 2: How to Resolve Windows Home Non-Compliance
If your audit surfaces employee laptops running Windows Home, you have two remedies to choose from depending on the employee's location.
Option 1: In-Place Upgrade to Pro (Recommended)
You do not need to format the computer or wipe the employee's files. Windows can switch its edition to Pro in less than 10 minutes using an upgrade license key.
- Purchase a Windows 11 Pro Upgrade License via your business Microsoft volume portal or the Microsoft Store.
- On the employee’s machine, navigate to Settings $\rightarrow$ System $\rightarrow$ Activation.
- Expand the Upgrade your edition of Windows menu and click Change product key.
- Input the Pro key. The laptop will download a tiny metadata package, prompt for a single restart, and boot back up configured as a fully compliant Windows Pro device ready for Veeam.
Option 2: The "Remote Worker" Exception (Standalone Mode)
If an employee is working remotely, has low home bandwidth, or is using an unupgradable machine, you can choose to bypass central management entirely for that single device.
- Instead of pushing the agent from the admin server, manually download the standalone Veeam Agent for Microsoft Windows directly onto that specific laptop.
- Configure a local backup job manually on their desktop screen, pointing the backup destination directly to your Wasabi S3 cloud endpoint using the API keys generated during your storage setup.
The Tradeoff: The laptop will successfully back up to your cloud, but its status will not report back to your master Veeam dashboard. You will have to rely on local email notifications to confirm that the laptop's backups are succeeding.
2. To configure a dual-cloud architecture in Veeam Backup & Replication using Wasabi (Cloud 1) and Amazon AWS (Cloud 2), you need to provision the storage buckets and generate the precise security credentials Veeam requires.
Veeam communicates with these providers using the S3 API protocol, meaning it relies on an Access Key ID and a Secret Access Key rather than a traditional username and password.
Here is the step-by-step walkthrough to provision both cloud environments for Veeam.
☁️ Provider 1: Setting Up Wasabi (Cloud 1 - Performance Tier)
Wasabi serves as your high-speed, hot storage layer. It has no download (egress) or API request fees, making it perfect for daily Veeam backups.
Step 1: Create the Storage Bucket
- Log into your Wasabi Management Console.
- Click Buckets on the left menu, then click Create Bucket in the top right.
- Bucket Name: Enter a unique, descriptive name (e.g., veeam-primary-backup-companyname).
- Region: Select the data center closest to your physical office or servers to minimize latency.
- Object Locking: Leave this Disabled for this specific bucket if you plan to use this strictly as a fast-recovery performance layer without immutability (or Enable it if you want dual-layer immutability).
- Click Create Bucket.
Step 2: Create a Dedicated User and Access Keys
Never use your master Wasabi admin keys for Veeam. Create a restricted user instead.
- Go to Users $\rightarrow$ Create User.
- Set the username to veeam-backup-user. Under Access Type, check Programmatic (create API key). Click Next.
- Policies: Attach the pre-defined AmazonS3FullAccess or WasabiFullAccess policy to this user so Veeam can read and write data. Click Next and then Create User.
- Capture the Keys: A pop-up will display your Access Key and Secret Key. Click Download CSV.
⚠️ Critical: This is the only time you will see the Secret Key. If you close this window without saving it, you will have to delete the user and start over.
☁️ Provider 2: Setting Up AWS S3 Glacier (Cloud 2 - Immutable Archive Tier)
Amazon Web Services (AWS) will serve as your deep, immutable insurance policy. We will use AWS IAM (Identity and Access Management) to restrict Veeam's access and Object Lock to prevent ransomware from modifying your archives.
Step 1: Create the AWS S3 Bucket with Object Lock
- Log into the AWS Management Console and navigate to the S3 Dashboard.
- Click Create bucket.
- Bucket name: Enter a globally unique name (e.g., veeam-immutable-archive-companyname).
- Region: Match your Veeam/Wasabi region if possible, or pick an independent geographic region for disaster recovery isolation.
- Object Ownership: Keep ACLs disabled (recommended).
- Block Public Access: Ensure Block all public access is strictly Checked.
- Bucket Versioning: Select Enable. (Note: AWS requires Versioning to be turned on before you can use Object Lock).
- Advanced Settings: Scroll to the bottom, expand Advanced Settings, and toggle Object Lock to Enable. Check the acknowledgment box.
- Click Create bucket.
Step 2: Configure the Default Retention (Immutability Window)
- In your S3 bucket list, click on your newly created bucket.
- Go to the Properties tab and scroll down to the Object Lock section. Click Edit.
- Enable Default retention.
- Set the mode to Compliance (this locks out everyone, including your root AWS admin account) and set the duration (e.g., 30 Days). Click Save changes.
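To confirm that the settings from Steps 1 and 2 actually took effect, the following added example (not part of the original guide and not Veeam or AWS tooling) checks the bucket state and the lock on each stored object version. It assumes you have already fetched the responses with the S3 API calls GetBucketVersioning, GetObjectLockConfiguration, GetPublicAccessBlock and HeadObject; the function names, object keys and sample values below are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(versioning, object_lock, public_access):
    """Bucket-level findings; an empty list means Step 1 took effect."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not Enabled")
    lock = object_lock.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled")
    pab = public_access.get("PublicAccessBlockConfiguration", {})
    open_flags = [f for f in PAB_FLAGS if not pab.get(f)]
    if open_flags:
        findings.append("public access not fully blocked: " + ", ".join(open_flags))
    return findings

def audit_objects(heads, window_days=30):
    """Per-version findings; each item is a HeadObject response plus its Key."""
    findings = []
    for h in heads:
        mode = h.get("ObjectLockMode")
        until = h.get("ObjectLockRetainUntilDate")
        if mode is None or until is None:
            findings.append((h["Key"], "no retention lock"))
        elif mode != "COMPLIANCE":
            # GOVERNANCE can be lifted by a principal holding s3:BypassGovernanceRetention
            findings.append((h["Key"], f"mode is {mode}, not COMPLIANCE"))
        elif until < h["LastModified"] + timedelta(days=window_days):
            findings.append((h["Key"], f"locked for less than {window_days} days"))
    return findings

# Constructed sample data (not taken from a real account).
T0 = datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc)
HEADS = [
    {"Key": "constructed/a", "LastModified": T0, "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": T0 + timedelta(days=30)},
    {"Key": "constructed/b", "LastModified": T0, "ObjectLockMode": "GOVERNANCE",
     "ObjectLockRetainUntilDate": T0 + timedelta(days=30)},
    {"Key": "constructed/c", "LastModified": T0},
    {"Key": "constructed/d", "LastModified": T0, "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": T0 + timedelta(days=7)},
]
BUCKET_STATE = dict(
    versioning={"Status": "Enabled"},
    object_lock={"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
    public_access={"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},
)

if __name__ == "__main__":
    print(audit_bucket(**BUCKET_STATE) or "bucket OK")
    print(audit_objects(HEADS))
```

Run it after the first backup has landed in the bucket: an object version without a Compliance-mode lock covering the full window is one that a stolen key could still delete.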
Step 3: Create the AWS IAM User and Credentials
- Search for and open the IAM (Identity and Access Management) dashboard in AWS.
- Go to Users $\rightarrow$ Create user. Name it veeam-glacier-agent. Do not grant them AWS Management Console access. Click Next.
- Under Set permissions, choose Attach policies directly.
- Search for and select AmazonS3FullAccess. (For tighter security, you can create a custom IAM policy restricted entirely to your specific bucket ARN, but FullAccess ensures Veeam has all required bucket management APIs). Click Next, then Create user.
- Click on your newly created veeam-glacier-agent user from the list.
- Go to the Security credentials tab, scroll down to Access keys, and click Create access key.
- Select Application running outside AWS as your use case. Click Next.
- Click Create access key. Download the .csv file containing your Access Key ID and Secret Access Key.
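The difference between AmazonS3FullAccess and the bucket-restricted custom policy mentioned in Step 3 can be measured before the key is handed to Veeam. This added example (not from the original guide or from Veeam) audits an IAM policy document for resources outside the archive bucket and for actions that could weaken the archive if the key were stolen. Both policy documents are constructed, and the action list in the scoped policy is an assumption for illustration: take the authoritative list from Veeam's documentation for your version.

```python
import fnmatch

# Actions that can weaken or remove an immutable archive if a stolen key holds them.
SENSITIVE = ("s3:BypassGovernanceRetention", "s3:PutBucketObjectLockConfiguration",
             "s3:PutBucketVersioning", "s3:PutBucketPolicy", "s3:DeleteBucket")

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket):
    """Return findings for Allow statements that exceed a single-bucket scope."""
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for n, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        for res in as_list(stmt.get("Resource", [])):
            if res not in in_scope:
                findings.append(f"stmt {n}: resource '{res}' is not limited to {bucket}")
        for sens in SENSITIVE:
            # IAM action names are case-insensitive and support * and ? wildcards
            if any(fnmatch.fnmatchcase(sens.lower(), a.lower()) for a in actions):
                findings.append(f"stmt {n}: grants {sens}")
    return findings

BUCKET = "veeam-immutable-archive-companyname"  # example name from the guide

# Constructed policy in the shape of the AWS-managed AmazonS3FullAccess policy.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}]}

# Constructed bucket-scoped policy; the action list is an assumption (see lead-in).
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation",
                "s3:GetBucketVersioning", "s3:GetBucketObjectLockConfiguration"],
     "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                "s3:GetObjectVersion", "s3:DeleteObjectVersion",
                "s3:GetObjectRetention", "s3:PutObjectRetention"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

if __name__ == "__main__":
    for name, pol in (("AmazonS3FullAccess", FULL_ACCESS), ("scoped", SCOPED)):
        print(name, audit_policy(pol, BUCKET) or "OK")
```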
📋 Summary of Data Needed for Veeam
Before opening your Veeam Backup & Replication console, make sure you have a notepad file ready with the following exact parameters gathered from the steps above:
| Cloud Target | Service Endpoint URL | Access Key ID | Secret Access Key | Bucket Name | Special Feature |
| Cloud 1 (Wasabi) | e.g., s3.us-east-1.wasabisys.com | WASABI_ACCESS_KEY | WASABI_SECRET_KEY | veeam-primary-backup-... | High-speed hot tier |
| Cloud 2 (AWS) | Standard AWS API routing | AWS_ACCESS_KEY_ID | AWS_SECRET_ACCESS_KEY | veeam-immutable-archive-... | Object Lock (Compliance mode) |
With these assets prepared, you can add these to Veeam under Backup Infrastructure $\rightarrow$ Service Providers / Object Storage, plug in the keys, and Veeam will automatically map out the automated, dual-cloud synchronization pipelines.
3. To set up the Veeam Backup & Replication server as the central "brain" of your backup operations, you need to deploy the infrastructure components that allow it to coordinate local backups, push agents to remote laptops, and securely stream data out to Wasabi and AWS S3 Glacier.
Here is the deep-dive engineering guide to installing, configuring, and securing your Veeam Central Console.
🖥️ Step 1: Prepare the Host Machine (Server or VM)
Veeam handles heavy data deduplication, compression, and encryption. It should live on a dedicated physical server or a resilient Virtual Machine (VMware/Hyper-V) in your primary office. Never install it on a Domain Controller.
System Requirements for the Central Console:
- OS: Windows Server 2019 or 2022 (Recommended for production stability) or Windows 10/11 Pro (for small environments).
- CPU/RAM: Minimum 4 vCPUs and 8 GB RAM (Scale up to 16 GB if managing more than 50 laptops).
- Storage: Fast local SSD storage (100 GB+) dedicated only to the Windows OS and the Veeam configuration database.
💿 Step 2: Install Veeam Backup & Replication
- Download the latest Veeam Backup & Replication ISO file from the official Veeam website.
- Mount the ISO on your dedicated machine and run Setup.exe.
- Click Install under Veeam Backup & Replication.
- License: Upload your Veeam license file (.lic). If testing, you can proceed with the Veeam Community Edition (free for up to 10 instances/devices).
- Program Features: Leave the defaults selected (Veeam Backup & Replication Server, Console, and Plugins).
- System Configuration Check: The installer will audit your Windows features. If any prerequisites are missing (like .NET Framework components), click Recheck/Install to let Veeam enable them automatically.
- Default Settings: Choose Let Veeam specify administrative settings to automatically install an embedded PostgreSQL database instance to hold your system configuration.
- Click Install and wait for the wizard to finalize. Restart the server if prompted.
🔒 Step 3: Network & Firewall Configuration (For Remote Laptops)
For your central console to find and manage employee laptops that leave the office or work from home, it must safely communicate through your office firewall.
You must configure your office router/firewall to forward these vital ports to your Veeam Server's internal IP address:
| Port Number | Protocol | Direction | Purpose |
| 6160 | TCP | Inbound to Server | Veeam Installer Service: Used to push agents to laptops. |
| 6162 | TCP | Inbound to Server | Veeam Transport Service: Coordinates data movement. |
| 10006 | TCP | Inbound to Server | Veeam Cloud Connect / Agent Port: Allows remote laptops to check in over the public internet without a corporate VPN. |
🔒 Security Best Practice: If you do not want to expose ports to the public internet, require all remote employees to connect to the corporate VPN (e.g., OpenVPN, WireGuard, FortiClient) before their laptop can check in and run its scheduled backup.
⚙️ Step 4: Add Your Cloud Storage Accounts inside Veeam
Before creating backup jobs, you must link the Wasabi and AWS accounts you provisioned earlier.
Add Cloud 1 (Wasabi):
- Open the Veeam Backup & Replication Console.
- Go to Backup Infrastructure (bottom left menu) $\rightarrow$ Object Storage $\rightarrow$ Add Repository.
- Select S3 Compatible.
- Name: Wasabi_Hot_Cloud_Storage.
- Service Endpoint: Enter your specific Wasabi region URL (e.g., s3.us-east-1.wasabisys.com).
- Credentials: Click Add and type in your Wasabi Access Key and Secret Key.
- Bucket: Select the Wasabi bucket name you created from the dropdown menu and create a folder inside it named Primary-Backups. Click Apply.
Add Cloud 2 (AWS S3 Glacier):
- In the same menu, click Add Repository $\rightarrow$ Object Storage $\rightarrow$ Amazon S3.
- Select Amazon S3 (or Amazon S3 Glacier directly depending on your Veeam sub-version UI).
- Credentials: Click Add and type in your AWS IAM Access Key ID and Secret Access Key.
- Bucket: Select your immutable AWS bucket.
- Object Lock: Make sure you check the box that says "Make recent backups immutable for X days" and match the retention days (e.g., 30 days) you specified inside AWS. Click Finish.
🎛️ Step 5: Create a Protection Group for Laptops
To automatically push Veeam backup agents out to your employee laptops, you group them together.
- Go to Inventory (bottom left) $\rightarrow$ Physical Infrastructure $\rightarrow$ Create Protection Group.
- Name it Company Laptops.
- Under Type, choose Computers backed up by Veeam Agent.
- Under Source, you can add computers manually by typing their local IP/Hostname, or link it directly to your Active Directory or Microsoft Entra ID to discover them automatically.
- Under Credentials, add the Windows Local Administrator account username and password that has installation rights across your fleet (this uses the ADMIN$ share mentioned in the version audit step).
- Click Apply. Veeam will scan the network, locate the computers running Windows Pro/Enterprise, and silently push the background backup agent to them.
Now, your central console is operational, your cloud targets are mounted, and your laptops are mapped. You are completely ready to create your first backup schedule policy!
