Tuesday, September 30, 2025

Regkey of the Month: October

Visually classify your environment

How to Configure a Custom Banner in Veeam Backup & Replication Console

Have you ever logged into a critical system and wished there was an immediate, unmistakable visual indicator of the environment's security level or purpose? For system administrators managing multiple Veeam environments—such as production, test, HQ, branch-office, and highly classified systems—a simple, consistent warning or label can be a lifesaver.

This post walks you through implementing the Classified Stripe feature in Veeam Backup & Replication (VBR), allowing you to display a custom text banner prominently across all connected consoles.

The use case: The Need for Immediate Context ⚠️

In environments where multiple VBR servers exist for different purposes (e.g., development/test, federal compliance, or critical production), administrative mistakes can happen. Accidentally performing a destructive action on a production server when you thought you were on a test box is a nightmare scenario.

The Veeam Classified Stripe (described in KB4458) is a powerful, yet simple, security feature designed to solve this by providing a persistent, configurable text banner at the top of the VBR console. This banner acts as an immediate visual cue, helping administrators identify the security level or nature of the Veeam Backup Server they are connected to, thus reducing the risk of administrative errors.

The Solution: The Classified Stripe Feature

The solution is to enable a specific set of registry values on the Veeam Backup Server. Once enabled, this banner will appear not only on the server's local console (in Windows based deployments) but also on every remote Veeam Backup & Replication Console that connects to it.

 

The feature requires configuring three main registry values: one to enable the stripe, one to set the text message, and an optional one to define the background color.

How to Implement the Banner 💻

The following steps and registry details must be applied on the Veeam Backup Server itself.

The first mandatory step is to activate the banner. Herefore, create a key named UIClassifiedMode and set the value to 1.

  • Path: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\ 
  • Name: UIClassifiedMode (DWORD 32 Bit)  
  • Default Value: 1 (decimal)


With only this key, the default message "CONFIDENTIAL" is shown in a banner which had a default dark red background.

To set your own message in the banner, you should create a second key.

  • Path: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\ 
  • Name: UIClassifiedStripeText (String Value (REG_SZ)
  • Value: THIS IS MY TEXT FOR THE BANNER

 

Optional you can set the background color. Default, the stripe uses a dark red background. You can customize the color using a hexadecimal color code (the preceding hash sign must be included in the value)

You can find an easy to use ColorWheel to hex-value here.

  • Path: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\ 
  • Name: UIClassifiedStripeBackgroundColor (String Value (REG_SZ)
  • Value: #008000 (this value represents dark green)

Example:

To create a banner that says "DEV/TEST - DO NOT USE FOR PROD" with a light yellow/orange background (#FFCC00), you could run the following three PowerShell commands on the Veeam Backup Server:

# 1. Enable the stripe
New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'UIClassifiedMode' -Value "1" -PropertyType DWORD -Force

# 2. Set the custom text
New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'UIClassifiedStripeText' -Value "DEV/TEST - DO NOT USE FOR PROD" -PropertyType String -Force

# 3. Set the background color to light yellow/orange
New-ItemProperty -Path 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication\' -Name 'UIClassifiedStripeBackgroundColor' -Value "#FFCC00" -PropertyType String -Force

Hey regkey-man, how do we do this on JeOS based VBR deployments ?

image of registry cartoon

The new appliance based VBR deployments are using JeOS (Just Enough OS) which is based on Rocky Linux with some specific tweaking and further hardening. So there is no such thing as a registry.

Don't be afraid, all your registry tweaks are not gone. They're just located in config files.

 

Applying Custom Settings in Veeam Software Appliance (VSA)

Custom settings (like the banner settings discussed above) are applied by editing configuration files within the VSA environment. These configuration files correspond directly to the Windows Registry keys used in Veeam Backup & Replication (VBR) on a Windows server.

To access and modify these files, you must use the Veeam Host Management Console Web UI. Within the console, you navigate to Logs and Services and then select Host Configuration. This interface allows you to search for and manage the configuration files.

The recommended process for implementing a custom setting is:

  •     Export the existing configuration file
  •     Modify the exported file by adding the necessary settings under the correct section.
  •     Import the modified configuration file back into the VSA.

Important remarks:

I always use Notepad++ to edit this type of files since the LF and CR/LF may vary between Linux and Windows environments.

If the Security Officer role is enabled, importing an updated configuration file will require approval from the Security Officer before the changes take effect. If no security officer role is defined during the setup, the changes are applied immediately.

Configuration File Structure

The VSA configuration files use a structure with sections denoted in square brackets (e.g., [root]). A section header corresponds to a specific subkey within the original Windows Registry path. 

For example, in the /etc/veeam/veeam_backup_and_replication.conf file:

The section header [root] is the equivalent of the primary registry key: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\.

A section header like [API] corresponds to the subkey HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\API\.

To apply the custom banner settings (e.g., UIClassifiedMode, UIClassifiedStripeText, UIClassifiedStripeBackgroundColor), you would add the corresponding values directly under the [root] section of the primary configuration file.

Registry Key to Configuration File Overview

The list below provides an overview of common Windows Registry keys and their corresponding configuration files in the Veeam Software Appliance.

Windows Registry Key                                                                    Veeam Software Appliance Configuration File 

HKLM\SOFTWARE\Veeam\Veeam Backup and Replication          /etc/veeam/veeam_backup_and_replication.conf
HKLM\SOFTWARE\Veeam\Veeam Mount Service                         /etc/veeam/veeam_mount_service.conf
HKLM\SOFTWARE\Veeam\Veeam Backup Catalog                       /etc/veeam/veeam_backup_catalog.conf
HKLM\SOFTWARE\Veeam\Veeam Threat Hunter\                         /etc/veeam/veeam_threat_hunter.conf

Final Thoughts 💭

While the Classified Stripe feature is simple to implement, its value in a large or complex IT infrastructure is significant. This small, persistent visual element adds a crucial layer of operational safety and compliance:
Minimizing Errors: It forces administrators to confirm the context of the server, especially when juggling multiple remote console connections.

Compliance: For environments requiring strict classification markings (e.g., government, finance), the stripe helps meet internal policy requirements by clearly labeling the system's data sensitivity.
 

Organizational Clarity: You can use it to display maintenance warnings, security classifications ("NIS2 compliancy," "PCI DATA"), or just simple reminders ("DR SITE").

Implement this feature today to enhance security, reduce administrative mistakes, and bring operational clarity to your Veeam infrastructure!

Posted by at
Subscribe to: Posts (Atom)