Critical Update: April 2018 Azure Recovery Services Agent - Immediate Action Required

Table of Contents

This document provides crucial information regarding a vital update for the Microsoft Azure Recovery Services (MARS) Agent, specifically version 2.0.9118.0. This agent, also widely known as the Azure Backup agent, is fundamental to the operation of Microsoft Azure Backup and Microsoft Azure Site Recovery (ASR), serving as the mechanism for transferring your valuable data to Azure. This update introduces new features, significant improvements, and essential fixes designed to enhance the reliability, security, and functionality of your backup and disaster recovery solutions.

If you are currently operating a version of the Microsoft Azure Recovery Services (MARS) agent older than 2.0.9083.0, immediate action is mandatory. You must promptly download and install this latest update, version 2.0.9118.0. Following the installation, it is also required that you re-register the server hosting the Azure Backup agent with Azure. Failure to perform this update and re-registration could lead to unavoidable backup and recovery failures. These potential failures are a direct consequence of the impending deprecation of Access Control Services (ACS), a legacy component being phased out by Microsoft.

Identifying servers running older versions of the MARS agent within your environment is a critical first step in this process. Microsoft provides guidance to help you efficiently pinpoint which of your servers require this urgent update. Comprehensive steps detailing the process for updating these identified servers are also available. Ensuring all your MARS agent installations are brought up to the required version is paramount for maintaining continuous and reliable backup and recovery operations to Azure.

Important Security Mandate: ACS Deprecation Impact¶

The primary driver for this mandatory update is the deprecation of Access Control Services (ACS). ACS was a cloud-based service that provided identity and access control capabilities, commonly used by older applications and services for authentication and authorization. As technology evolves and more robust, secure, and modern identity platforms like Microsoft Entra ID (formerly Azure Active Directory) become the standard, legacy systems are retired. The MARS agent, in its older iterations, relied on ACS for certain authentication processes when communicating with Azure services.

The deprecation means that Azure services will cease to accept authentication requests originating from ACS. If your MARS agent attempts to authenticate using the old ACS method after the deprecation is fully enforced, the authentication will fail. This failure directly prevents the agent from performing core functions such as initiating backups, restoring data, or even communicating its status to the Recovery Services Vault. Consequently, your backup jobs will fail, and disaster recovery capabilities through the agent will be compromised, potentially leaving your data unprotected.

Updating to MARS agent version 2.0.9118.0 (or later) replaces the reliance on ACS with modern, supported authentication mechanisms, primarily leveraging Microsoft Entra ID integration. This transition ensures that the agent can continue to securely authenticate with Azure services now and in the future. It is not merely a feature update; it is a necessary security and operational update to ensure the continuity of your backup and recovery strategy leveraging the MARS agent. Ignoring this update poses a direct risk to your data protection posture.

New Features and Enhancements¶

This critical update introduces several significant enhancements and new features that improve the functionality, security, and usability of the MARS agent. Beyond the mandatory update driven by ACS deprecation, these additions provide tangible benefits for users.

Offline Backup support for CSP subscriptions and ARM Storage Accounts¶

A major new feature in MARS Agent version 2.0.9118.0 is the introduction of support for Azure Resource Manager (ARM) Storage Accounts and Cloud Solution Provider (CSP) subscriptions within the Offline Backup workflow. The Offline Backup process is used for the initial seeding of large volumes of file-folder backup data to Azure when transferring the data over the network is impractical or too time-consuming. This process involves copying data to physical disks and shipping them to an Azure data center using the Azure Import/Export service. Previously, this workflow primarily relied on classic Azure resources.

This update modernizes the Offline Backup experience by fully integrating it with the ARM model and making it compatible with CSP subscriptions. Here are the key benefits:

• Cloud Solution Provider friendly: CSPs can now leverage the MARS Agent (stand-alone) to seed customer backup data to Azure using disks seamlessly. This removes the previous limitation that often required the creation of classic resources, which were not always straightforward or even possible within the CSP framework. The workflow is now aligned with the modern CSP business model and Azure’s current resource management paradigm. This streamlines the initial data upload process for CSP partners and their clients, facilitating easier adoption of Azure Backup services for large datasets.

• Central monitoring and management of Azure Import Jobs: With support for ARM Storage Accounts, the Offline Backup workflow now creates Azure Resource Manager Import Jobs. These jobs are centrally trackable and manageable through the new Azure portal interface. Customers using MARS Agent-based offline backup can monitor the progress of their import jobs from a single, unified “Import/Export Jobs” page within the Azure portal. This provides a much-improved user experience compared to managing classic import jobs, offering better visibility and control. Shipping details and job status can be updated and monitored directly from this central location in the portal.

• More secure access to Azure Resources: The updated workflow significantly enhances security by eliminating the reliance on the Classic Azure Publish Settings file, which contained sensitive subscription information and had broader permissions. Instead, the new process uses a secure Azure logon during the workflow setup, leveraging modern authentication mechanisms. It utilizes a Microsoft Entra application to provide secure and scoped access specifically to the Azure Import Service required for the offline seeding process. This granular, modern access method reduces the security footprint compared to the previous method, aligning with current security best practices.

It is important to note the scope of this particular feature. The new Offline Backup workflow described here is specifically for the backup of files and folders performed directly to Azure using the stand-alone MARS Agent. The Offline Backup workflows initiated through System Center Data Protection Manager (DPM) to Azure or via Microsoft Azure Backup Server (MABS) are separate and remain unchanged by this specific update to the MARS agent. Those products have their own integration points and workflows for offline seeding.

In addition to the significant enhancements to Offline Backup, the update also includes general improvements:

• System state backup and recovery success improvements: This indicates that the reliability and success rates for backing up and recovering the system state of Windows servers using the MARS agent have been enhanced. System state backups are critical for full server recovery scenarios, and improving their success ensures better disaster recovery readiness. The update likely includes fixes for known issues or edge cases that could cause failures during system state operations, making this process more robust.

• Backup and recovery success improvements for the backup of files and folders: Similar to system state, the core functionality of backing up and restoring individual files and folders has seen improvements in reliability. This could involve optimizations for handling large numbers of files, files with specific attributes, or improvements in the transfer mechanism to Azure. Increased success rates mean fewer failed backup jobs and more confidence in the recoverability of individual data points.

• Accessibility and reliability fixes and improvements: This category covers a broader range of fixes addressing general stability, performance, and user interface accessibility aspects of the MARS agent. Reliability improvements reduce the likelihood of agent crashes, hangs, or unexpected errors during operation. Accessibility fixes ensure the agent’s interface and reporting are usable by individuals with disabilities, aligning with Microsoft’s commitment to inclusive design. These general improvements contribute to a smoother and more dependable agent experience overall.

Applying the Update¶

To benefit from the new features, improvements, and critical security fixes provided in this version, you must install the latest release of the Microsoft Azure Recovery Services Agent. The update package is readily available for download directly from the Microsoft Download Center, ensuring you receive the official and verified software.

The download package is typically an executable file designed for straightforward installation. Once downloaded, you can run the installer on each server where the MARS agent is deployed. The version number for this updated release of the Microsoft Azure Recovery Services Agent is specifically identified as 2.0.9118.0. It is crucial to verify the installed version after applying the update to ensure the process was successful and the correct version is now active on your server.

For environments with multiple servers registered to one or more Recovery Services Vaults, Azure portal offers a convenient method to manage and initiate updates across your protected infrastructure. This centralized approach streamlines the update process significantly compared to manually managing each server individually.

To update multiple servers directly from the Azure portal, follow these general steps:

1. Begin by downloading the official installer package, version 2.0.9118.0, from the Microsoft Download Center onto a workstation or a central repository accessible by your servers.
2. Navigate to the specific Recovery Services Vault within the Azure portal that contains the servers you wish to update. Each vault manages a set of protected workloads and servers.
3. Within the vault’s blade in the Azure portal, locate and click on the Settings option. This section contains configuration and management tools for the vault.
4. Under the Manage section of the Settings blade, select Backup Infrastructure. This option provides details and management capabilities for the components that interact with the vault, such as backup agents and servers.
5. Within the Backup Infrastructure section, click on Protected Servers located under Management Servers. This view lists all servers that are registered with this specific Recovery Services Vault. To filter the list specifically for servers using the MARS agent, select Azure Backup Agent from the Backup Management Type filter.
6. On the resulting blade that displays your registered Azure Backup Agent servers, you can review the currently installed Agent Version for each server. Identify the servers for which the Agent version number is earlier than 2.0.9118.0. Select a server requiring the update. On the server’s detail blade that appears, click the Connect option. The portal will generate and download a Remote Desktop Connection (.rdp) file. Use this file to establish a remote session to the selected server.
7. Once connected to the server via RDP, copy the downloaded MARS Agent update installer (MARSAgentInstaller.exe) to this server. Execute the installer package on the server. The installer will guide you through the update process. After the installation is complete, it is recommended to verify the agent version through the agent console or Control Panel’s Programs and Features list to confirm that version 2.0.9118.0 is now installed.
8. Upon successful completion of the update on the first server, you can return to the Azure portal and repeat step 6 and 7 for any other servers that are running an agent version older than 2.0.9118.0. This method allows for a structured approach to updating your entire fleet of MARS agent-protected servers from a central management interface, albeit requiring individual remote connections.

Restart Information¶

The necessity of restarting the server after applying the MARS agent update depends on the version of the Windows operating system installed on the server.

If the MARS agent is installed on Windows Server 2008 (specifically SP2 and R2 SP1, regardless of the specific edition), you are required to restart the computer after applying this update. This restart ensures that all components of the updated agent are correctly initialized and running with the new code base, particularly interacting with system services that might require a reboot on these older OS versions.

For users who have installed the MARS Agent on other Windows Server versions (e.g., Windows Server 2012, 2012 R2, 2016, etc.), a restart of the computer is generally not required after applying this update. The update process is designed to replace or update files and services without necessitating a full system reboot on these more modern operating systems, allowing for minimal disruption.

It is always prudent to plan for a potential maintenance window, especially when applying updates to critical infrastructure components like backup agents, even if a restart is not explicitly listed as mandatory for your specific OS version. This allows for verification steps and provides a fallback window if unexpected issues arise.

Replacement Information¶

This update package, version 2.0.9118.0, serves as a replacement for previously released updates for the Microsoft Azure Recovery Services Agent. Specifically, it supersedes the update detailed in Knowledge Base article KB 4048992. If you have previously installed the update mentioned in KB 4048992, applying version 2.0.9118.0 will replace that older installation. It is always recommended to install the latest available version to ensure you have all cumulative fixes and features.

Installing this update eliminates the need to apply KB 4048992 separately. The new package contains all the fixes, improvements, and features introduced in KB 4048992, along with the critical ACS deprecation fixes and the new features described in this document. By applying 2.0.9118.0, you ensure your MARS agent is brought up to the most current recommended state, incorporating all necessary changes up to this release.

Prerequisites¶

Before installing this update for the MARS agent, particularly if you are using it in conjunction with System Center Data Protection Manager (SC DPM), there are specific prerequisites regarding the DPM installation itself. Ensuring your DPM environment meets these prerequisites is important for compatibility and stable operation between DPM and the updated MARS agent when backing up DPM data to Azure.

If you are utilizing System Center 2016 Data Protection Manager (SC DPM 2016), Microsoft strongly recommends that you apply Update Rollup 1 for System Center 2016 Data Protection Manager or a later Update Rollup version. Update Rollups for DPM provide cumulative fixes and improvements that can affect its interaction with agents and cloud services. Having at least Update Rollup 1 (or a subsequent one) ensures that your DPM 2016 installation is at a level known to work correctly with newer versions of the MARS agent.

Similarly, if your environment is running System Center 2012 R2 Data Protection Manager (SC DPM 2012 R2), you must apply Update Rollup 12 for System Center 2012 R2 Data Protection Manager or a later Update Rollup version. SC DPM 2012 R2 requires a higher minimum Update Rollup level to ensure compatibility with the changes and features introduced in MARS agent version 2.0.9118.0, particularly regarding cloud integration and data transfer mechanisms. Installing the required DPM Update Rollup before updating the MARS agent used by DPM for cloud backups is the recommended order to avoid potential compatibility issues.

These prerequisites are specific to scenarios where the MARS agent is being used by DPM or MABS to send data to Azure. If you are using the MARS agent as a standalone agent (directly on a server to back up its files/folders or system state to Azure without DPM/MABS), these DPM prerequisites do not apply. Always check the documentation specific to your backup architecture.

Verifying the Update¶

Once the MARS agent update process is complete on a server, it is crucial to verify that the new version, 2.0.9118.0, has been successfully installed. This verification step confirms that the critical ACS deprecation fix and other improvements are now active.

The most straightforward way to verify the version is to open the Microsoft Azure Backup agent console on the server. The version number is typically displayed prominently within the console, often in the ‘About’ section or on the main dashboard. Alternatively, you can check the list of installed programs on the server via the Control Panel or the “Apps & features” section in Windows Settings. Look for “Microsoft Azure Recovery Services Agent” and confirm the version number listed is 2.0.9118.0 or higher. Successful verification provides assurance that the server is protected against the ACS deprecation and benefits from the latest enhancements.

Potential Considerations and Best Practices¶

When planning and executing this update, consider scheduling it during a maintenance window, especially for critical servers, even if a reboot is not required for your OS. This minimizes potential impact on running services, although MARS agent updates are generally non-disruptive to server operations outside of backup/restore activities.

Ensure you have a backup strategy in place before applying any update, though this MARS agent update is generally low-risk. Having recent backups stored safely is always a fundamental principle of data protection.

Keep track of which servers have been updated, especially in large environments. Leveraging the Azure portal’s “Protected Servers” view, as described in the update steps, is an excellent way to monitor the agent versions across your infrastructure registered to a specific vault.

The shift to ARM storage accounts and the new Azure Import Service workflow for offline backup aligns with Microsoft’s long-term strategy for Azure. Familiarizing yourself with the Azure portal’s Import/Export Jobs section will be beneficial if you utilize offline seeding.

Summary of Key Benefits in 2.0.9118.0:

Feature/Improvement	Benefit
ACS Deprecation Fix	Ensures continued functionality and prevents backup/recovery failures after ACS is retired.
Offline Backup for CSP & ARM Storage	Enables modern offline seeding, CSP compatibility, ARM integration, and centralized portal management.
Improved Security for Offline Backup	Replaces Classic Publish Settings file with secure Azure logon and Microsoft Entra App for Import Service.
System State Backup/Recovery Enhancements	Increases reliability and success rates for critical system state operations.
File/Folder Backup/Recovery Enhancements	Improves reliability for core file and folder backup/restore tasks.
Accessibility and Reliability Fixes	Enhances overall agent stability, performance, and usability.
Supersedes KB 4048992	Contains all previous fixes and features.

This update is not optional; it is a mandatory step to ensure the continued operation of your Azure Backup and Azure Site Recovery using the MARS agent. Plan your update strategy and execute it promptly to avoid disruption.

We strongly encourage all users of the Microsoft Azure Recovery Services Agent to prioritize this update. If you have any questions or encounter issues during the update process, please consult the official Microsoft documentation and support resources. Sharing your experiences or questions in the comments below can also help the community.