There is a known issue with SentinelOne Agent 23.2.3.358 installed on a domain controller, which causes backups in Veeam for those machines to fail. The following error is displayed:

Error

Processing SERVER Error: VSSControl: -805306334 Backup job failed. Cannot create a shadow copy of the volumes containing writer's data. Cannot prepare the [NTDS] data to a subsequent restore operation. Cannot process NTDS data. Updating BCD failed. Cannot execute [SetIntegerElement] method of [\\SERVER\root\wmi:BcdObject.Id="{cd12ab87-1a23-12f3-ba7c-dc9876b01357}",StoreFilePath=""]. COM error: Code: 0xd0000022

This is caused by the boot protection feature of SentinelOne. One possible workaround is to disable this until a fix can be provided by either Veeam or SentinelOne.

1. In the SentinelOne console, look up the passphrase for the machine. You'll need it to perform local changes.
2. Log on to the machine itself, open an elevated Command Prompt or Powershell and run the following:

   cd "C:\Program Files\SentinelOne\Sentinel Agent 23.2.3.358"
   .\SentinelCtl.exe config safeBootProtection false -k "PASSPHRASE"

3. Not sure whether a reboot is required: I performed a restart of the machine immediately after changing.