Hyper-V: Auto-Protect Snapshots using Orchestrator

Hyper-V out-of-the-box does not contain a method to take auto-protect snapshots. Auto-protect snapshots are snapshots taken once a day (or several times a day) for recovery purposes. These are snapshots that the administrator can always go back to if something should happen to the VM during the day. These snapshots are possible with System Center Virtual Machine Manager and System Center Data Protection Manager. This article will detail how to do it without those systems.


Before beginning, you must have the Hyper-V PowerShell module installed on your runbook servers. You activate this by selecting “Hyper-V Module for Windows PowerShell” under the “Hyper-V Management Tools” of the RSAT node of Server Manager.


In addition to this, you must have the Windows Management Framework 3.0 Windows update installed if you’re on Windows Server 2008 R2 (KB2506143). This activates PowerShell 3.0. It is available natively if you are running Windows Sever 2012.

For my runbook, I created an Orchestrator variable for the Hyper-V node name. To do this, expand the “Global Settings” node. Right-click on “Variables”, select “New”, then Variable”. Fill in the boxes accordingly, with the “Value” box being the FDQN of your Hyper-V node.

In order for this entire process to work, you must grant the Orchestrator service account the rights to create and delete Hyper-V snapshots. This account is the account that actually executes the runbook.



Here is a general picture of the runbook:


This runbook assumes that you have one Hyper-V node. I know that this is not true in most environments. For your other nodes, simply copy the runbook and change the computer name variable throughout the process. It does not matter if you migrate VM’s to another node, as long as you name the snapshots with the same format.

Monitor Date/Time

This is a very simple activity. To add it, drag the activity into your runbook from the “Scheduling” node. Double-click it to open it. I want my snapshots created every morning at 2AM, so I set the “Interval” at 2AM. You can set it according to your environment’s needs. The machines will NOT all create a snapshot at the exact same time. They will be a few seconds apart, so it will not overload your host.


Get VM Names

This step runs a simple PowerShell script to pull all of the VM names from the host. Drag a “Run .NET Script” activity from the System node. Double-click it and give the activity a name under the “General” node. Go back to the “Details” node and change the language type to PowerShell. Paste this code into the script box:

$a = @()

$vms = PowerShell {
import-module hyper-v
(get-vm –computername Hyper-V Node1 ).Name

ForEach ($vm in $vms) {
$a += $vm

Be sure to replace the blue text with the actual Hyper-V node variable by right-clicking one space to the right of -computername, selecting “Subscribe”, selecting “Variable”, and then choosing your Hyper-V node variable. The first line of this script establishes “$a” as an array. This is very important, because Orchestrator will treat each item in the array as a branch of the runbook.

Next, we must launch another PowerShell session in order to run our Hyper-V module. This is always required on Server 2012, and only required on Server 2008 R2 if you have Windows Management Framework 3.0 installed. This is required as of Orchestrator 2012 SP1 because Orchestrator runs all PowerShell commands in the PowerShell 2.0 environment, and this module is written in PowerShell 3.0. Hopefully this will no longer be the case after Microsoft releases System Center 2012 R2 in October of 2013.

This PowerShell session captures the name of all of the VM’s running on this host and puts it in the variable $vms. Next, the ForEach statement adds each name to our array as a separate item.

Finally, we must publish the array. To do that, go to the “Published Data” node, add a new item, and complete the box like this:


Remove Previous Auto-Protect Snapshot

Now, we will remove the snapshot that was taken yesterday. This step is optional. If you want to keep all of your snapshots or remove them manually, do not do this step. Add another “Run .NET Script” activity to your runbook and give it name. Select PowerShell as language again, and paste this code into the script box:

PowerShell {
import-module hyper-v
$snapname = (get-vmsnapshot -computername Hyper-V Node1 -vmname “a from “Get VM Name”” | Where-Object -FilterScript { $_.Name -like “AP*” }).Name
remove-vmsnapshot -computername Hyper-V Node1 -vmname “a from “Get VM Name”” -name “$snapname”

Again, make sure that you replace the blue “Hyper-V Node1” text with your actual variable. Replace the blue “a from “Get VM Name”” text with the published data from the “Get VM Names” activity. To do this, right-click inside of the quotes and select “Subscribe”, and then “Published Data”. Select the “a” published data to insert it. MAKE SURE THAT YOU KEEP THE OUTSIDE QUOTES (the ones not in blue). This is vital if you have spaces in the VM names.

Similar to the previous activity, this activity must be run in PowerShell 3.0 session. After that, the script stores the full name of the snapshot beginning with “AP”, or auto-protect. If you do not want your snapshot to begin with AP, change that in the next step and here. The snapshots need to all begin with the same characters for the process to function correctly. After it gets the snapshot name, it deletes the snapshot.

Take Auto-Protect Snapshot

Finally, we are going to take today’s snapshot. Add another “Run .NET Script” activity to your runbook. Give it a name, change the language to PowerShell, and paste this code in the script box:

Powershell {
$today = get-date -format s
checkpoint-vm -computername Hyper-V Node1 -vmname “a from “Get VM Name”” -snapshotname “AP_$today”

Remember to change the text in blue to their appropriate variables / published data. Again, we must execute this activity in a PowerShell 3.0 session. First, we get today’s date so that we can use it in the snapshot name. Next, we create the snapshot and give it a name of AP_<today’s date>. This is where you change AP to something else if you do not wish to use AP.


This is a simple and easy way to ensure that you have a nightly snapshot of your Hyper-V VM’s without having to buy and install Virtual Machine Manager or Data Protection Manager. I hope this can help you in your environment.



Contact Us

On Key

More Posts

WME Security Briefing 27 May 2024

Kinsing Hacker Group Exploits Docker Vulnerabilities Overview Recent investigations have shown that the hacker group Kinsing is actively exploiting Docker vulnerabilities to gain unauthorized access to systems. The modified hacker group targets misconfigured Docker API ports deployed with cryptocurrency mining malware.

Read More »
WME Cybersecurity Briefings No. 010
Cyber Security

WME Security Briefing 20 May 2024

Advanced Persistent Threats: North Korean Hackers Launch Golang Malware Overview A new malware strain, called Titan Stealer, is currently actively circulating in the threat landscape, targeting a variety of personal data and linked to North Korean state-sponsored cyber espionage

Read More »
WME Cybersecurity Briefings No. 009
Cyber Security

WME Security Briefing 08 May 2024

Exploitable vulnerability in Microsoft Internet Explorer, used to deploy VBA Malware Overview Cybersecurity researchers discovered a severe exploitation targeting a bug that had already been patched in the Microsoft Internet Explorer browser. Their report added that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.