🛡️ Essential 8 Guide

Backups of data, applications and settings are synchronised to enable restoration to a common point in time.

Summary

Backups of data, applications and settings are synchronized to enable restoration to a common point in time, supporting consistent recovery after data loss or disruption. Implement this requirement using Azure Backup to take application-consistent snapshots for synchronised restore points.¹[^9]

Justification

A synchronised restore point is critical for recovery because:

• Application consistency ensures that database engines (SQL Server, Exchange) are in a clean transaction state at the restore point, preventing data corruption or log replay failures during recovery.
• Cross-resource synchronisation means that if multiple services need to be restored (e.g., a web application + its database), they are brought back to the same moment in time, avoiding referential integrity failures or split-brain states.
• Ransomware recovery requires restoring to a pre-infection point across all affected systems simultaneously; uncoordinated restore points leave infected fragments in the environment.

Recovery Point Objective (RPO) guidance:

Test restore procedures at least quarterly to validate that the backup is restorable and that the synchronised restore point is usable across all dependent services.

Design Decision

[!NOTE] The Azure Backup service will be used to take application-consistent snapshots for synchronised restore points. This approach will be aligned with the control description to enable restoration to a common point in time.

Prerequisites

• Permissions/Roles:
  • An Intune service administrator must sign in to the Microsoft Intune admin center to configure backup policies. ¹
• Dependencies:
  • Target devices must be Windows 10 and later. ¹
  • Devices must be enrolled in Microsoft Intune and managed by Intune (typically Entra ID joined or hybrid Azure AD joined). ¹
  • Access to the Microsoft Intune admin center for configuring backup settings. ¹
  • Create a Settings Catalog policy to enable Windows backup under the Intune configuration workflow. ¹
  • Follow the Enrollment path for Windows Backup and Restore in Intune to enable backup and restoration capabilities. ¹

Implementation Steps

Use Azure Backup for application-consistent snapshots

• Automated backups are disabled by default. ²

1. Enable Azure Backup on all supported resources (VMs, SQL Server, Azure Files, and Azure Disks) to capture application-consistent snapshots for Windows workloads and file-system backups for Linux, aligning with business requirements.[^9]

2. Configure backup frequency and retention to support synchronised restore points; set hourly backups for high-churn data and longer retention per compliance requirements.[^9]

3. Enable instant restore capability for Windows backups to allow rapid recovery from snapshot-based restore points.[^9]

4. Configure backup windows to minimize performance impact and ensure backups complete before the next cycle.[^9]

5. For Azure Arc-enabled SQL Server deployments, configure backups at the instance level to cover all databases; if you also configure database-level backups, note that database-level settings take precedence over instance-level settings.²

6. Validate that backups create a common point in time across resources to enable restoration to a synchronised restore point. Where applicable, test restoration as part of disaster recovery exercises.¹[^9]

[!NOTE] This approach aligns with guideline requirements for synchronised backups and restores across data, applications, and settings. ¹

OneDrive Known Folder Move (KFM) — Workstation Data and Settings Backup

For workstations, the primary mechanism for backing up user data, desktop content, and application settings is OneDrive Known Folder Move (KFM), also called Folder Backup. KFM silently redirects and syncs three Windows known folders — Desktop, Documents, and Pictures (including Screenshots and Camera Roll) — to the user’s OneDrive for Business storage in near real-time.

Why KFM satisfies the synchronised restore point requirement:

Microsoft Purview retention policies on KFM files:

Files stored in OneDrive for Business (including KFM-synced folders) can have Microsoft Purview retention policies and retention labels applied. When a retention policy is active:³

• A copy of each modified or deleted file is preserved in the site’s hidden Preservation Hold library for the configured retention period — independently of whether the user empties the recycle bin.
• Files can be retained for months, years, or indefinitely depending on your regulatory obligations (e.g., PSPF record-keeping, APS archives, AFDA Express class schedules).
• Retained versions are recoverable by a site collection admin even after the 93-day recycle bin period has elapsed.
• This makes KFM + Purview retention a compliant, point-in-time historical archive for all files in backed-up known folders.

Deploying KFM via Intune (Settings Catalog):

1. In the Microsoft Intune admin center, navigate to Devices > Configuration profiles > Create profile.
2. Select Platform: Windows 10 and later, Profile type: Settings catalog.
3. Search for the OneDrive category and add the following settings:⁴
   • Silently move Windows known folders to OneDrive (KFMSilentOptIn) — set to Enabled; enable sub-settings for Desktop, Documents, and Pictures.
   • Prevent users from redirecting their Windows known folders to their PC (KFMBlockOptOut) — set to Enabled (locks KFM on; prevents users from redirecting back to local disk).
4. Provide your Tenant ID in the KFMSilentOptIn setting.
5. Assign the profile to the device group covering all workstations.

[!NOTE] KFM does not backup application install data or application settings stored outside the known folders (e.g., %AppData%, %ProgramData%). For full application settings backup on workstations, supplement with Windows Backup for Organisations (via Intune Settings Catalog) or, for VDI environments, FSLogix Profile Containers (see below).

FSLogix Profile Container Backup — VDI and Azure Virtual Desktop Environments

For Azure Virtual Desktop (AVD) and traditional VDI environments, user profiles (Desktop, AppData, application settings, browser state, Outlook cache) are stored in FSLogix Profile Containers — VHD/VHDX files mounted at login from Azure Files or Azure NetApp Files shares. Backing up these containers provides a synchronised restore point for the full application and settings layer.

Recommended backup architecture:⁵

[!IMPORTANT] If OneDrive KFM is deployed for AVD users, files in the known folders are backed up independently via OneDrive — meaning the FSLogix profile container only needs to protect the application settings and AppData portion (not user documents). This significantly reduces the backup size and can allow use of a separate, less expensive backup frequency for the Office Data Folder Container (ODFC) which holds cached Teams/Outlook data that can be rebuilt from Exchange Online.⁵

Steps to configure Azure Backup for FSLogix profile containers on Azure Files:⁶

1. In the Azure portal, create or open a Recovery Services vault in the same region as your Azure Files storage account.
2. In the vault, select Backup > Azure Files (Azure Storage) as the workload.
3. Select the storage account hosting the FSLogix profile share.
4. Create a backup policy specifying:
   • Backup tier: Snapshot (daily) for rapid recovery; optionally Vault-Standard for long-term / cross-region retention.
   • Schedule: Daily at a time when no active user sessions are open (e.g., 2:00 AM).
   • Retention: Configure daily, weekly, monthly and yearly retention to match organisational requirements.
5. Select the file share(s) containing FSLogix containers and confirm protection.
6. To restore: navigate to Protected items > Azure Storage (Azure Files) > select the share > File Recovery (item-level, for individual VHD/VHDX files) or Restore Share (full share restoration to original or alternate location).

Microsoft 365 Backup for OneDrive for Business

Microsoft 365 Backup is a first-party backup-and-restore service for OneDrive for Business, SharePoint Online, and Exchange Online managed from the Microsoft 365 admin center. It provides fast, admin-managed point-in-time restore with an RPO of 10 minutes for the most recent 14 days, making it the most granular backup available for user data stored in OneDrive.

Recovery Point Objective (RPO) by age:⁷

Key capabilities:

• Full OneDrive account restore — rolls back the entire OneDrive (all files, folders, and OneDrive-scoped metadata) to a selected point in time. Can be restored to the original URL (replaces current content) or a new URL (non-destructive roll-forward restore).
• Granular file/folder restore (preview) — browse a restore point’s folder hierarchy and select specific files and folders to restore — without overwriting the rest of the user’s OneDrive.
• Express restore points — pre-indexed snapshots that restore significantly faster than standard restores for large OneDrive accounts.
• Append-only backup storage — backup blobs cannot be overwritten by a ransomware attack or compromised admin; the backup data is immutable until explicitly offboarded.⁸
• GCC not supported — Microsoft 365 Backup is not currently available for Government Community Cloud (GCC) tenants.

Steps to configure and restore OneDrive accounts with Microsoft 365 Backup:⁸⁷

1. In the Microsoft 365 admin center, navigate to Settings > Microsoft 365 Backup.
2. Enable OneDrive backup and select the accounts to protect (individual accounts or all accounts).
3. Microsoft 365 Backup begins capturing restore points automatically at 10-minute intervals for the first 14 days.
4. To restore a full OneDrive account:
   • On the Microsoft 365 Backup page, in the OneDrive section, select Restore.
   • Select the account(s) to restore and select the date and time to restore from. Choose an express restore point for fastest recovery.
   • Choose the restore destination: Replace accounts with backups (in-place overwrite) or Create new SharePoint sites and restore to them (new URL — recommended for ransomware recovery to avoid overwriting currently healthy data).
   • Review and select Restore OneDrive accounts.
5. To restore specific files or folders (granular restore):
   • Select Restore > Restore specific files or folders.
   • Select the protected account, choose the restore date, then browse the folder hierarchy to select the files/folders to restore.
   • Select Start restoration.

[!NOTE] Microsoft 365 Backup maintains backup data within the Microsoft 365 data trust boundary and honours your tenant’s data residency configuration. The service complements (but does not replace) OneDrive versioning and Files Restore — which are always available for user-initiated recovery without admin involvement.

Additional related information

• Windows Backup for Organizations overview provides restore process details and configuration steps for Windows backup across devices and Entra ID integration Windows Backup for Organizations overview

• Dynamics 365 Database point-in-time restore provides self-service PITR guidance for restoring ERP data to a prior point in time Database point-in-time restore
• OneDrive Known Folder Move (KFM) explains how to silently redirect Desktop, Documents, and Pictures to OneDrive for Business via Intune or Group Policy, providing near-continuous user data backup with 500-version history and 30-day Files Restore Redirect and move Windows known folders to OneDrive ⁴
• Microsoft Purview retention for SharePoint and OneDrive explains how retention policies preserve modified and deleted files in the Preservation Hold library, enabling point-in-time retrieval well beyond the default 93-day recycle bin period Learn about retention for SharePoint and OneDrive ³
• Overview of Microsoft 365 Backup covers the architecture, RPO tables (10-minute for 0–14 days), express restore points, immutable append-only backup storage, and restore fidelity for OneDrive for Business, SharePoint, and Exchange Overview of Microsoft 365 Backup ⁸
• Restore data in Microsoft 365 Backup describes full account restore, granular file/folder restore (preview), destination options (in-place vs. new URL), and the express restore workflow for OneDrive for Business Restore data in Microsoft 365 Backup ⁷
• Business continuity and disaster recovery options for FSLogix covers the range of FSLogix profile container recovery models, including the role of OneDrive KFM in eliminating the need for profile-level data backup in AVD environments Business continuity and disaster recovery options for FSLogix ⁵
• About Azure Files backup describes snapshot and vault-standard backup tiers for Azure Files shares, which is the primary storage backend for FSLogix profile containers, covering ransomware defence, cross-region recovery, and item-level restore About Azure Files backup ⁶