Hello,
We are using on-prem VBR - Veeam backup for Entra ID.
With v13, the support for Microsoft Intune is added - thanks.
But it is not clear what intune policies are supported.
I have a case # 08103892 which can be checked for additional details.
This link - https://helpcenter.veeam.com/docs/vbr/u ... tml?ver=13
lists the properties that are supported for Intune, listed with character sequence A - B, then C - E, so on.
But these are the properties that are supported, not the policy type.
If I take the first four from that list – I have pasted them below, how do I check if these policy types are supported?
I continue to search with the name but it is not easy.
For example, when I search for BitLocker, I see few properties listed which start with BitLocker – so I assume this is supported.
But I do not find anything for the first three – for properties, that start with this name. Does this mean it is not supported?
-Administrative templates
-Attack Surface Reduction Rules
-BIOS configurations and other settings
-BitLocker
This is not easy to do and not a conclusive way to get a confirmation of what is supported and what is not.
-
sumeet
- Service Provider
- Posts: 277
- Liked: 54 times
- Joined: Apr 23, 2021 6:40 am
- Full Name: Sumeet P
- Contact:
-
BenjaminPetersen
- Veeam Software
- Posts: 6
- Liked: 1 time
- Joined: Nov 14, 2022 5:34 pm
- Full Name: Benjamin Petersen
- Contact:
Re: EntraID backup - what Intune policy types are supported
The way VBR v13 handles Intune backup is property-by-property rather than by policy type — so to check coverage, find the underlying Graph property names for your policy type and look them up in the supported properties list.
For your four examples:
BitLocker — covered (bitLockerEnabled, bitLockerEncryptDevice etc. are all in the A–B section).
Attack Surface Reduction — partial, some Defender properties are there but not all.
Administrative Templates — not supported. These use the groupPolicyConfiguration Graph endpoint rather than deviceConfiguration, so they don't appear in the list at all.
BIOS Configurations — not supported, nothing listed.
Conditional Access policies are a separate object type with their own coverage section in the docs, so check those independently if they're relevant.
If Administrative Templates and BIOS are important to you, worth raising as a feature request.
Hope that helps.
Ben
For your four examples:
BitLocker — covered (bitLockerEnabled, bitLockerEncryptDevice etc. are all in the A–B section).
Attack Surface Reduction — partial, some Defender properties are there but not all.
Administrative Templates — not supported. These use the groupPolicyConfiguration Graph endpoint rather than deviceConfiguration, so they don't appear in the list at all.
BIOS Configurations — not supported, nothing listed.
Conditional Access policies are a separate object type with their own coverage section in the docs, so check those independently if they're relevant.
If Administrative Templates and BIOS are important to you, worth raising as a feature request.
Hope that helps.
Ben
-
sumeet
- Service Provider
- Posts: 277
- Liked: 54 times
- Joined: Apr 23, 2021 6:40 am
- Full Name: Sumeet P
- Contact:
Re: EntraID backup - what Intune policy types are supported
Hi Ben,
I asked my client to provide all the policy types that they have and the list is below.
I'm not sure I understand what you mean by "Intune backup is property-by-proerty" because in restore tab of Microsoft Intune, I see a column for type - https://helpcenter.veeam.com/docs/vbr/u ... tml?ver=13
So I assume the backup has type details.
Because trying to match the property for each of the policy type below - isn't that very lengthy and not easy.
Not sure how will I even do this?
Policy type :::::
SCEP certificate
Microsoft Defender Antivirus exclusions
Settings catalog
Kiosk
Delivery optimization
Custom
Device restrictions
Domain join
BIOS configurations and other settings
Windows health monitoring
Properties catalog
Administrative templates
Edition upgrade and mode switch
Endpoint protection
Trusted certificate
Wi-Fi
Wi-Fi import
Email
Device features
VPN
Shared multi-user device
Security Baseline for Windows 10 and later (Version 23H2)
Windows Firewall Rules
Local admin password solution (Windows LAPS)
Local user group membership
Attack Surface Reduction Rules
Microsoft Defender Antivirus
Endpoint detection and response
BitLocker
Windows Firewall
I asked my client to provide all the policy types that they have and the list is below.
I'm not sure I understand what you mean by "Intune backup is property-by-proerty" because in restore tab of Microsoft Intune, I see a column for type - https://helpcenter.veeam.com/docs/vbr/u ... tml?ver=13
So I assume the backup has type details.
Because trying to match the property for each of the policy type below - isn't that very lengthy and not easy.
Not sure how will I even do this?
Policy type :::::
SCEP certificate
Microsoft Defender Antivirus exclusions
Settings catalog
Kiosk
Delivery optimization
Custom
Device restrictions
Domain join
BIOS configurations and other settings
Windows health monitoring
Properties catalog
Administrative templates
Edition upgrade and mode switch
Endpoint protection
Trusted certificate
Wi-Fi
Wi-Fi import
Device features
VPN
Shared multi-user device
Security Baseline for Windows 10 and later (Version 23H2)
Windows Firewall Rules
Local admin password solution (Windows LAPS)
Local user group membership
Attack Surface Reduction Rules
Microsoft Defender Antivirus
Endpoint detection and response
BitLocker
Windows Firewall
-
BenjaminPetersen
- Veeam Software
- Posts: 6
- Liked: 1 time
- Joined: Nov 14, 2022 5:34 pm
- Full Name: Benjamin Petersen
- Contact:
Re: EntraID backup - what Intune policy types are supported
“Thanks for clarifying your list. The main reason is that Veeam does not back up entire Intune policy types wholesale — instead, coverage is based on the individual Microsoft Graph properties within those policies.
You can verify support by looking up the underlying setting names (as shown in Intune or via Graph) against the Supported Properties list in our docs.
If a property is listed, we back it up and can restore it; if it’s not, it currently isn’t covered. The “Type” column in the UI is just a category label; it doesn’t imply 100% coverage of all policy settings for that type.
The simplest approach is to map each policy type to its settings via Graph schema for Intune and cross-check with our supported property set. AI might be able to line that up for you faster than manually checking at human speed.
You can verify support by looking up the underlying setting names (as shown in Intune or via Graph) against the Supported Properties list in our docs.
If a property is listed, we back it up and can restore it; if it’s not, it currently isn’t covered. The “Type” column in the UI is just a category label; it doesn’t imply 100% coverage of all policy settings for that type.
The simplest approach is to map each policy type to its settings via Graph schema for Intune and cross-check with our supported property set. AI might be able to line that up for you faster than manually checking at human speed.
Who is online
Users browsing this forum: Bing [Bot], Google [Bot] and 199 guests