
Backup & Recovery Guide

This comprehensive guide covers all aspects of backing up and recovering your Microsoft Intune configurations using TenuVault. Learn how to configure automated backups, perform manual operations, and restore configurations when needed.

Table of Contents

  • Understanding TenuVault Backups
  • Automated Backup Configuration
  • Manual Backup Operations
  • Backup Monitoring
  • Recovery Procedures
  • Selective Restoration
  • Backup Management
  • Disaster Recovery Planning

    Understanding TenuVault Backups

    What Gets Backed Up

    TenuVault performs comprehensive backups of your entire Intune configuration:

    Device Management

  • Device Configuration Profiles: All platform-specific settings
  • Compliance Policies: Device compliance rules and actions
  • Device Restrictions: Security and feature restrictions
  • Email Profiles: Exchange and email client configurations
  • VPN Profiles: VPN connection settings
  • Wi-Fi Profiles: Wireless network configurations
  • Certificate Profiles: SCEP, PKCS, and trusted certificates

    Application Management

  • App Protection Policies: MAM policies for all platforms
  • App Configuration Policies: Managed app configurations
  • Mobile Apps: App definitions and deployment settings
  • App Categories: Custom app categorizations
  • iOS App Provisioning: Provisioning profiles
  • Android Enterprise: Work profile configurations

    Windows Management

  • Windows Autopilot Profiles: Deployment profiles
  • Enrollment Status Pages: OOBE configurations
  • Windows Update Rings: Update deployment settings
  • Windows Feature Updates: Feature update policies
  • Windows Quality Updates: Quality update expedite policies
  • Administrative Templates: Group Policy settings

    Security Management

  • Security Baselines: Microsoft security baselines
  • Attack Surface Reduction: ASR rules and policies
  • Endpoint Protection: Antivirus and firewall settings
  • Disk Encryption: BitLocker and FileVault policies
  • Account Protection: Windows Hello and password policies

    Enrollment

  • Enrollment Restrictions: Device type and limit restrictions
  • Terms and Conditions: User acceptance requirements
  • Enrollment Page Configurations: Company Portal branding
  • Device Categories: Custom categorization options

    Scripts and Automation

  • PowerShell Scripts: Windows 10/11 scripts
  • Shell Scripts: macOS and Linux scripts
  • Proactive Remediations: Detection and remediation scripts
  • Custom Attributes: Inventory collection scripts

    What Doesn't Get Backed Up

    Understanding exclusions is important:

    Excluded by Design

  • User and group objects (managed in Azure AD)
  • Device objects and inventory
  • Actual application binaries (only metadata)
  • Conditional Access policies (separate backup recommended)
  • Azure AD configuration (outside Intune scope)

    Temporary/Dynamic Data

  • Report data and analytics
  • Audit logs and events
  • Temporary certificates
  • Device check-in status
  • Real-time compliance state

    Backup Format and Structure

    File Organization

Backups are stored in JSON format with this structure:

/tenant-id/
  /2024/
    /01/
      /15/
        /backup-20240115-020000/
          ├── metadata.json
          ├── device-configurations/
          │   ├── windows-profiles.json
          │   ├── ios-profiles.json
          │   └── android-profiles.json
          ├── compliance-policies/
          ├── app-protection/
          ├── applications/
          ├── autopilot/
          ├── scripts/
          └── security-baselines/

Metadata File

Each backup includes metadata:
```json
{
  "backupId": "guid",
  "timestamp": "2024-01-15T02:00:00Z",
  "tenantId": "tenant-guid",
  "tenantName": "Contoso Corp",
  "version": "1.0",
  "policies": {
    "deviceConfiguration": 45,
    "compliancePolicies": 12,
    "appProtection": 8
  },
  "status": "success",
  "duration": "00:05:23",
  "size": "15.3 MB"
}
```

Automated Backup Configuration

Setting Up Scheduled Backups

Creating a Schedule

  1. Navigate to Schedule Settings
     • Go to Tenants → Select tenant
     • Click "Backup Schedule" tab
     • Click "Create Schedule"

  2. Configure Frequency

     Hourly Backups (High-change environments)
     • Interval: Every 1, 2, 4, 6, or 12 hours
     • Start time: Beginning of chosen hour
     • Best for: Development/testing environments

     Daily Backups (Recommended for most)
     • Time: 2:00 AM local time (default)
     • Days: All days or weekdays only
     • Best for: Production environments

     Weekly Backups (Stable environments)
     • Day: Sunday (recommended)
     • Time: 3:00 AM local time
     • Best for: Rarely changing configs

     Monthly Backups (Archive purposes)
     • Day: First Sunday of month
     • Time: 4:00 AM local time
     • Best for: Long-term compliance

  3. Advanced Schedule Options
     • Backup Window: Maximum duration allowed
     • Retry Policy: Number of retry attempts
     • Retry Delay: Wait time between retries
     • Timeout: Maximum execution time
     • Priority: High/Normal/Low

Schedule Management

Modifying Schedules

  1. Locate existing schedule
  2. Click "Edit" button
  3. Adjust settings as needed
  4. Save changes (takes effect next cycle)

    Pausing Schedules

  • Toggle "Active" switch to pause
  • Useful during maintenance windows
  • Retains configuration for easy resume

    Schedule Conflicts

TenuVault automatically handles conflicts:
  • Queues overlapping backups
  • Prioritizes based on settings
  • Sends alerts for persistent conflicts

    Backup Scope Configuration

    Selecting What to Backup

    Full Backup (Default)

  • Includes all policy types
  • Complete configuration snapshot
  • Largest storage requirement
  • Recommended for disaster recovery

    Selective Backup

Choose specific categories:

  • Device Configurations
  • Compliance Policies
  • Applications
  • Scripts (exclude if sensitive)
  • Autopilot (exclude if unchanged)

Incremental Backup

  • Only changed policies since last backup
  • Reduces storage and time
  • Requires full backup baseline
  • Best for frequent backups

    Exclusion Rules

    Create rules to exclude specific items:

    By Name Pattern

  • Exclude: -test, -dev
  • Include only: PROD-*

    By Policy Type

  • Exclude all iOS if Windows-only

    By Modification Date

  • Exclude unchanged >30 days

    By Assignment

  • Exclude unassigned policies

    Manual Backup Operations

    Triggering On-Demand Backups

    Quick Backup

  1. From Dashboard, locate tenant card
  2. Click "Backup Now" button
  3. Uses default configuration
  4. Starts immediately

    Custom Backup

  1. Navigate to Backups section
  2. Click "New Manual Backup"
  3. Configure options:
     • Select tenant
     • Choose scope
     • Set retention override
     • Add description/tags
  4. Click "Start Backup"

    Backup Options

    Validation Level

  • Quick: Basic syntax checking
  • Standard: Policy relationship validation
  • Comprehensive: Full integrity checking

    Compression

  • None: Fastest, largest files
  • Standard: Balanced (default)
  • Maximum: Slowest, smallest files

    Encryption

  • At-rest: Azure Storage encryption
  • Additional: Customer-managed keys
  • Archive: Additional password protection

    Monitoring Manual Backups

    Real-time Progress

Watch backup execution:
  • Progress percentage
  • Current operation
  • Policies processed counter
  • Estimated time remaining
  • Live log streaming

    Completion Notification

  • Portal notification
  • Email alert (if configured)
  • Teams/Slack webhook
  • API callback

    Backup Monitoring

    Dashboard Monitoring

    Backup Health Widget

Shows at-a-glance status:
  • Last 24h success rate
  • Active backup indicator
  • Next scheduled backup
  • Storage trend graph

    Tenant Status Cards

Per-tenant monitoring:
  • Last backup status
  • Time since backup
  • Configuration drift indicator
  • Quick action buttons

    Backup History

    List View Features

  • Sortable columns
  • Status filtering
  • Date range selection
  • Search by description
  • Bulk operations

    Status Indicators

  • Success: Completed without issues
  • Warning: Completed with non-critical issues
  • Failed: Did not complete
  • Running: Currently executing
  • Cancelled: Manually stopped

    Alerts and Notifications

    Alert Configuration

Set up alerts for:
  • Backup failures
  • Long-running backups (>30 min)
  • Storage quota warnings
  • Schedule misses
  • Validation failures

    Notification Channels

  • Email (individual or distribution list)
  • SMS (critical alerts only)
  • Microsoft Teams
  • Slack
  • Webhook (custom integration)

    Recovery Procedures

    Full Restoration

    When to Use Full Restore

  • Disaster recovery scenario
  • New tenant setup from template
  • Complete rollback requirement
  • Migration to new environment

    Full Restore Process

  1. Select Backup
     • Navigate to Backups
     • Choose source backup
     • Click "Restore"

  2. Choose Target
     • Same tenant (overwrite)
     • Different tenant (migration)
     • Test tenant (validation)

  3. Configure Options
     • Mode:
       - Overwrite: Replace existing
       - Merge: Add missing only
       - Create New: Suffix with timestamp
     • Assignments:
       - Preserve existing
       - Restore original
       - Remove all

  4. Pre-Restore Validation
     • Compatibility check
     • Conflict detection
     • Impact analysis
     • Required permissions verification

  5. Execute Restore
     • Review summary
     • Acknowledge warnings
     • Start restoration
     • Monitor progress

  6. Post-Restore Verification
     • Policy count validation
     • Assignment verification
     • Functionality testing
     • User acceptance

Point-in-Time Recovery

Selecting Recovery Point

  1. Use timeline view
  2. Select specific date/time
  3. Preview configuration state
  4. Compare with current

    Recovery Strategies

    Last Known Good

  • Automatically identifies last successful state
  • Skips failed or partial backups
  • Recommended for quick recovery

    Specific Date

  • Choose exact backup point
  • Useful for compliance requirements
  • Allows pre-incident recovery

    Before Change

  • Identify when change occurred
  • Select backup immediately before
  • Perfect for rollback scenarios
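
The "Last Known Good" and "Before Change" strategies above can be reproduced offline against exported backups. The following Python example is added here and is not TenuVault's own code; it assumes the folder layout and metadata.json fields shown earlier in this guide, that a failed run records a status of "failed", and that only "success" counts as known good. All function names and sample backupId values are constructed for illustration.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: only "success" (the value shown in the sample metadata) is known good.
GOOD_STATUSES = {"success"}

def parse_ts(value):
    """Parse the metadata 'timestamp' field (e.g. 2024-01-15T02:00:00Z) as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_backups(tenant_root):
    """Yield (timestamp, metadata, folder) for each backup with usable metadata."""
    for meta_path in Path(tenant_root).glob("*/*/*/backup-*/metadata.json"):
        try:
            meta = json.loads(meta_path.read_text(encoding="utf-8"))
            ts = parse_ts(meta["timestamp"])
        except (ValueError, KeyError, TypeError, OSError):
            continue  # truncated or malformed metadata: treat as a partial backup
        # The folder name backup-YYYYMMDD-HHMMSS must agree with the metadata.
        if meta_path.parent.name != ts.strftime("backup-%Y%m%d-%H%M%S"):
            continue
        yield ts, meta, meta_path.parent

def last_known_good(tenant_root, before=None):
    """Newest good backup strictly older than `before` (any time if None), or None."""
    good = [b for b in load_backups(tenant_root)
            if b[1].get("status") in GOOD_STATUSES and (before is None or b[0] < before)]
    if not good:
        return None
    _, meta, folder = max(good, key=lambda b: b[0])
    return meta, folder

def build_sample_tree(root):
    """Constructed sample data: two good backups, one failed, one truncated."""
    samples = [("20240113-020000", "success"), ("20240114-020000", "success"),
               ("20240115-020000", "failed"), ("20240116-020000", None)]
    for stamp, status in samples:
        folder = Path(root, "tenant-guid", stamp[:4], stamp[4:6], stamp[6:8], f"backup-{stamp}")
        folder.mkdir(parents=True)
        ts = datetime.strptime(stamp, "%Y%m%d-%H%M%S").strftime("%Y-%m-%dT%H:%M:%SZ")
        body = json.dumps({"backupId": f"sample-{stamp}", "timestamp": ts, "status": status})
        # status None simulates a metadata.json cut off mid-write
        (folder / "metadata.json").write_text(body if status else body[:20], encoding="utf-8")
    return Path(root, "tenant-guid")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        tenant = build_sample_tree(tmp)
        incident = datetime(2024, 1, 14, 1, 0, tzinfo=timezone.utc)  # constructed change time
        print("last known good:", last_known_good(tenant)[0]["backupId"])
        print("before change:  ", last_known_good(tenant, incident)[0]["backupId"])
```

Passing the time of a suspected compromise as `before` selects the newest successful backup that predates it, which is the selection the ransomware and rollback scenarios in this guide depend on.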

    Selective Restoration

    Policy-Level Restoration

    Selecting Policies

  1. Open backup details
  2. Navigate to policy category
  3. Select individual policies:
     • Use checkboxes for multiple
     • Search/filter for specific
     • Preview before selection

Restoration Options

Replace Existing

  • Overwrites current policy
  • Maintains policy ID
  • Preserves assignments
  • Updates modification timestamp

    Create as New

  • Creates duplicate with suffix
  • New policy ID generated
  • No assignments initially
  • Allows side-by-side comparison

    Skip if Exists

  • Only creates missing policies
  • No modifications to existing
  • Safe for partial recovery
  • Useful for template application

    Granular Recovery

    Configuration-Level Restore

Restore specific settings within policies:

  1. Select policy for partial restore

  2. Choose configuration sections:
     • Settings only
     • Assignments only
     • Scope tags only
     • Filters only

  3. Preview changes:
     • Current vs. restore comparison
     • Highlighted differences
     • Impact assessment

  4. Apply selectively:
     • Confirm each change
     • Skip unwanted modifications
     • Maintain audit trail

Bulk Restoration

Batch Processing

Restore multiple items efficiently:

  1. Create Restoration Set
     • Add policies to basket
     • From multiple backups if needed
     • Save as template

  2. Configure Batch Options
     • Naming convention
     • Assignment handling
     • Conflict resolution
     • Order of operations

  3. Execute Batch
     • Parallel processing
     • Progress per item
     • Automatic retry on failure
     • Detailed log generation

Backup Management

Storage Management

Retention Policies

Automatic Retention

Configure lifecycle rules:

  • Hot tier: 0-30 days (immediate access)
  • Cool tier: 31-90 days (occasional access)
  • Archive tier: 91+ days (rare access)
  • Delete after: 365 days (configurable)

    Manual Retention Override

Mark specific backups for:
  • Permanent retention
  • Extended retention
  • Early deletion
  • Legal hold

    Storage Optimization

    Deduplication

  • Identifies duplicate policies
  • Stores single copy with references
  • Reduces storage by 40-60%
  • Transparent to restore process

    Compression Settings

  • Policy-level compression
  • Batch compression for archives
  • Selective compression by type
  • Real-time vs. post-process

    Cleanup Operations

  • Remove orphaned files
  • Purge failed backup attempts
  • Archive old validations
  • Compress log files

    Backup Verification

    Automated Verification

    Scheduled Validation

  • Daily integrity checks
  • Weekly restoration tests
  • Monthly full validation
  • Annual disaster recovery drill

    Validation Types

  • Checksum verification
  • Format validation
  • Relationship integrity
  • Restore simulation

    Manual Verification

    On-Demand Testing

  1. Select backup for verification
  2. Choose validation depth:
     • Quick check (1 min)
     • Standard validation (5 min)
     • Deep validation (15 min)
     • Restore test (30 min)
  3. Review results:
     • Pass/fail status
     • Issue details
     • Remediation suggestions
     • Certification report

Export and Archive

Exporting Backups

Export Formats

  • Native JSON (full fidelity)
  • CSV (tabular data)
  • XML (integration-friendly)
  • PDF (documentation)

    Export Destinations

  • Local download
  • Azure Blob Storage
  • OneDrive/SharePoint
  • Network share
  • SFTP server

    Long-term Archival

    Archive Strategy

  • Monthly snapshots to archive tier
  • Yearly backups to immutable storage
  • Compliance copies to separate region
  • Encrypted archives to cold storage

    Archive Access

  • Request restoration (4-12 hours)
  • Temporary rehydration
  • Bulk retrieval options
  • Priority retrieval (additional cost)

    Disaster Recovery Planning

    Creating a DR Plan

    Documentation Requirements

    Recovery Objectives

  • RTO (Recovery Time Objective): Maximum downtime
  • RPO (Recovery Point Objective): Maximum data loss
  • Priority Order: Which policies first
  • Dependencies: External requirements

    Runbook Creation

Document step-by-step:
  1. Incident declaration process
  2. Team notification procedures
  3. Backup validation steps
  4. Restoration sequence
  5. Verification checkpoints
  6. User communication plan

    Testing Disaster Recovery

    DR Drill Planning

    Quarterly Tests

  • Restore to test tenant
  • Validate critical policies
  • Measure recovery time
  • Document issues found

    Annual Full Test

  • Complete environment restore
  • Include all stakeholders
  • Simulate various scenarios
  • Update procedures based on results

    Test Scenarios

    Scenario 1: Accidental Deletion

  • Single policy deleted
  • Restore within 1 hour
  • Minimal impact

    Scenario 2: Mass Corruption

  • Multiple policies affected
  • Identify last good backup
  • Restore within 4 hours

    Scenario 3: Complete Loss

  • Entire tenant compromised
  • Full restoration required
  • 8-hour recovery window

    Scenario 4: Ransomware

  • Policies encrypted/modified
  • Isolate and assess
  • Restore from immutable backup

    Recovery Procedures

    Emergency Recovery Steps

  1. Assessment (0-30 minutes)
     • Identify scope of issue
     • Determine impact
     • Notify stakeholders
     • Activate DR team

  2. Preparation (30-60 minutes)
     • Validate backup availability
     • Prepare restoration environment
     • Communicate timeline
     • Begin documentation

  3. Restoration (1-4 hours)
     • Execute restoration plan
     • Monitor progress
     • Address issues
     • Validate completeness

  4. Verification (4-6 hours)
     • Test restored policies
     • Confirm functionality
     • User acceptance testing
     • Sign-off procedures

  5. Post-Recovery (6-8 hours)
     • Document lessons learned
     • Update procedures
     • Archive incident data
     • Schedule review meeting

Best Practices

Backup Best Practices

  • Test restores monthly
  • Maintain 3-2-1 backup rule
  • Document all procedures
  • Automate where possible
  • Monitor continuously

    Recovery Best Practices

  • Practice makes perfect
  • Keep runbooks updated
  • Maintain contact lists
  • Have rollback plans
  • Learn from incidents

    Troubleshooting

    Common Backup Issues

    Backup Failures

  • Check authentication status
  • Verify permissions
  • Review API throttling
  • Check storage availability
  • Examine error logs

    Slow Backups

  • Assess network connectivity
  • Check API rate limits
  • Review backup scope
  • Optimize scheduling
  • Consider incremental backups

    Common Recovery Issues

    Restoration Failures

  • Verify target permissions
  • Check policy compatibility
  • Review conflict resolution
  • Validate backup integrity
  • Examine detailed logs

    Partial Restorations

  • Identify missing dependencies
  • Check assignment groups
  • Verify feature availability
  • Review regional restrictions
  • Consult compatibility matrix

    Summary

    Effective backup and recovery with TenuVault requires:

  • Regular automated backups
  • Periodic restoration testing
  • Clear disaster recovery plans
  • Proper backup management
  • Continuous monitoring

    With these practices in place, you can confidently protect your Intune environment and quickly recover from any incident.

    ---

    Continue to the Drift Detection Guide to learn about monitoring configuration changes, or review the Best Practices Guide for optimization recommendations.