Azure Backup: the System State protection in the Cloud

The ability to protect the System State of Windows Server machines directly in Azure using the Azure Backup Agent was recently included. This feature was in preview for a few months and now it is available to be used in production environments. In this article I'll show you how you can protect with Azure Backup the System State of the machines, analyzing the characteristics and the benefits brought by this new feature.

The Azure Backup Agent allows you to save files, folders and thanks to the incorporation of the System State are covered by the protection of Windows Server machines the following components:

  • Boot files, including system files, and all files protected by Windows File Protection (WFP).
  • Active Directory and Sysvol (on domain controllers).
  • The registry.
  • IIS metabase (on Web Server IIS machines): includes IIS configurations and web sites hosted by the web server.
  • Database cluster (on cluster nodes).
  • Certificate Services (on the certification authority).
  • Information about the Performance counters.
  • Component Services Class registration database.

Thanks to the incorporation of the System State, Azure Backup becomes ideal for protection strategies of Active Directory, File Server and IIS Web Server.

Figure 1 – Protection of System State in Azure

This solution is supported starting with Windows Server 2008 R2 to Windows Server 2016.

To enable this type of protection is necessary to create within the subscription Azure a Recovery Service Vault, install the Azure Backup Agent on Windows Server machine and complete its registration by following the steps shown in the following diagram:

Figure 2 - Activation steps for the protection with Azure Backup

By accessing the Azure portal and selecting the Recovery Service Vault, within which you want to include the protection, in the Backup section appears the possibility of protecting the System State for workloads running On-Premises:

Figure 3 – Selection of System State as a component to be protected

By selecting the button "Prepare Infrastructure" it lists the necessary steps to protect the System State of the machines:

Figure 4 – Steps for preparing the infrastructure

From the panel above you need to download the Recovery Service Agent installation setup and the Vault credentials.

The installation of the agent (MARSAgentInstaller.exe) is very fast and consists of the following steps:

Figure 5 - Selecting the installation folder and the cache location

In the cache location it is advisable to have as free space at least 5% of protected data.

Figure 6 – Configuration of proxy system for Internet access

Figure 7 – Check the requirements and installation

Figure 8 – Initiation of the process of registration with the Recovery Service Vault

Figure 9 – Selection of login credentials to the vault

Figure 10 - Generate and save the passphrase

The Passphrase is used to encrypt and decrypt the backups, it is never sent to Azure, it is not recoverable in any way by Microsoft support personnel and it is essential to be able to perform restore operations, so you must keep it very carefully.

Figure 11 – Registration successfully

From Microsoft Azure Backup console, you can schedule a backup and for servers, in the selection of items to protect, there is the System State:

Figure 12 - Selection of the System State Protection

Figure 13 - Settings on the frequency of the backup

Figure 14 - Definition of the retention rules

Figure 15 - Final Step, activation of the System State backup

System State protection can also be automated with PowerShell. You also have the possibility to consult easily the backup jobs directly from the Azure portal, and you can configure notifications to be notified in case of failure of protection jobs.

The offsite backups is ensured with this solution without investing in infrastructure costs and saving time in operational activities. It is also good to keep in mind that the cost of this solution are really beneficial, in fact, typically the size of the System State for a single machine is significantly less than 50 GB then the System State protection pricing level falls within the lower cost band specified for the instances protected with Azure Backup. For more details on the cost of the solution you can consult the Azure Backup pricing page. No cost for any restore operations is also required.


The System State for Windows Server machines is a critical component that should be saved for a proper and effective strategy to protect its infrastructure. Azure Backup due to its defined approach cloud-first extend their potential enabling you to protect the System State of the machines easily, securely and with low costs. To try Azure Backup and other Azure services you can create a Azure free Account.