Lessi learned – week 3/2026

Last week, the skies over Greece went eerily empty: for several hours, the entire Greek airspace was closed due to massive interference in air traffic control communication systems.

While I happened to be flying back to Vienna at the time, fortunately already airborne and unaffected, the incident was a stark reminder that in any complex system, whether aviation or IT, clear control, visibility, and defined access are essential to prevent small issues from escalating into major disruptions.

In this edition, I highlight two features (Role‑Based Access and the Veeam Recon Scanner) which provide essential visibility and control for your critical backup and disaster recovery systems. I hope you enjoy reading the Newsletter!

Newsflash

The year 2026 begins with exciting news: Recon Scanner is now included in the Veeam Data Platform Advanced Edition, extending a powerful security feature that was previously available only to Premium Edition customers.

Recon Scanner is a proactive threat-detection capability that analyzes the Veeam Backup & Replication environment to identify suspicious activity and adversary techniques early. By leveraging ransomware intelligence and mapping behaviors to the MITRE ATT&CK framework, it helps security and IT teams quickly assess and prioritize potential risks.

This enhancement underscores Veeam’s commitment to embedding advanced cybersecurity into its core data protection platform. Organizations already using the Advanced Edition have a clear task for the start of the new year: review the Recon Scanner documentation, enable the feature, and take advantage of the significant security improvements it provides.


Veeam has announced the acquisition of Object First—news that marks an exciting milestone for the company. This strategic move further completes Veeam’s portfolio in this space, adding a strong, market-proven product known for its high usability and reliability.

The acquisition underscores Veeam’s commitment to delivering comprehensive, user-friendly data protection solutions that meet real-world customer needs. Exciting times lie ahead as this combination opens up new opportunities for innovation and value for customers and partners alike.


Keeping your environment up to date is crucial. Here are the key updates from the past few days:

Patch 1 for VBR 13.0.1 addresses not only four identified vulnerabilities, but also a range of issues affecting Microsoft Hyper-V, Guest Processing, Unstructured Data, Veeam Agents for Windows and Linux, Tape functionality, and additional components.

Given the security-related fixes included in this release, it is strongly recommended to apply the patch in a timely manner.

Detailed information on the resolved issues as well as the corresponding download links can be found in Veeam Knowledge Base article KB4738.


Patch 1 for Veeam ONE 13.0.1 is now available, delivering several improvements and enhancements across monitoring and reporting capabilities.

Detailed information about the new features and upgrade instructions can be found here: KB4801


Veeam has published KB4811, outlining critical upgrade requirements for Veeam Agent for Microsoft Windows when upgrading from build 13.0.1.120 to 13.0.1.1009.

The standard in-place upgrade is not supported for this path; the existing agent must be uninstalled prior to installation.

Please note the distinction between agent types: Protection Group–deployed agents can be reinstalled automatically during a rescan, while pre-installed agents require manual removal and redeployment.

Systems using the Veeam CBT driver will require two reboots to complete the process. Review these requirements carefully to avoid upgrade failures and ensure uninterrupted backup operations.


Lessons learned

My lessons learned this week:

Since v13.0.1 Patch 1 (13.0.1.1071), the immutability period for GFS restore points can be explicitly configured. For non-SOBR configurations, GFS backups are either immutable for the full GFS retention period or—if selected—only for the configured minimum immutability duration.

As noted in KB4738 (Release Notes), this patch corrects a previous enforcement issue where the setting “For the minimum immutability duration only” was not applied correctly, resulting in longer-than-intended immutability.

To prevent unintended shortening of immutability for existing GFS backups, all existing Object Storage Repositories are automatically set to “For the entire duration of the retention policy” during the upgrade. New repositories are not affected. This change significantly impacts short-term restore points.

For example, if “Minimum immutability duration only = 31 days” was configured before the patch and short-term retention is 90 days, backups created after the patch will be immutable for 90 days (instead of 31 days before the update).

Administrators using the minimum immutability option should review the impact and decide whether to revert the setting before running the first backup session after applying the patch.

Find more information in the Veeam Help Center.


Feature of the day

Imagine a company with multiple branch offices — each branch has its own small IT team or even a single admin. They should be able to run their backups independently, but must not see or interfere with the entire company’s backup environment — or act in “god‑mode” as they would if they had the Backup Administrator role.

With the enhanced RBAC in Veeam v13, this scenario becomes cleanly manageable: branch admins see only their assigned resources, create and run their backup jobs, while a central HQ admin retains visibility and control over all jobs, inventories, and restores if needed.

That’s why this is my “Feature of the Day”: RBAC in v13 addresses a very common request for granular access control, something previously possible only partially through the Veeam Enterprise Manager.

With v13’s RBAC framework, administrators can:

  • Define custom roles tailored to organizational structures and responsibilities
  • Specify the inventory scope for each role, including VMware or Hyper‑V hosts, virtual machines, and repositories
  • Control which restore operations are allowed (e.g., Full VM Restore, Instant Recovery) and which repositories may be used
  • Assign roles to users or groups, who then see only the resources explicitly allowed for their role

My Lessi-learned moment here: when assigning “Backup Jobs” in the inventory scope, it might seem that the user will gain visibility or edit rights for those jobs. In reality, this assignment only makes these jobs available as sources for Backup Copy Jobs.

Applied to the branch-office scenario above, the roles look like this:

  • Branch A admin: sees only Branch A VMs and its local repository, can create backup jobs, and run restores permitted by their role
  • Branch B admin: same for Branch B resources
  • HQ admin: sees all branches, can start jobs, monitor progress, and perform restores company‑wide

This setup allows branch teams to operate independently while HQ retains oversight and ensures compliance.

RBAC enforces the principle of least privilege: users get only the permissions required for their tasks, reducing risk of accidental or unauthorized changes. With v13, organizations can implement highly granular access control within the standard Veeam console, aligning operational workflows with security and compliance requirements.


Thanks for reading

I hope you enjoyed this edition of my Lessi-Learned Newsletter. Thank you for reading!

Got feedback or something you want to see in the next edition? Leave a comment, message me on X (@lessi001) or connect on LinkedIn.
