Intune Backups – Part 2: User Data

Following on from the previous post on environment backup, now we’re going to look at the user’s own data.

I’m sure we’re all following the 3-2-1 rule for our infrastructure, but what about user data on the device? We now have wonderfully cloud-managed devices which can be remotely rebuilt for users in the comfort of their own homes with just the click of a button and very little IT input. But what happens when the user calls and asks “where are my Outlook email addresses?”, “what’s happened to that crucial spreadsheet saved on my desktop?” or “where has the smiley face gone from Word?”

Obviously this can be done the old-fashioned way, where a tech connects to the machine, manually grabs everything they find, backs up, rebuilds and then restores. But this kind of defeats the point of cloud management; they might as well be dropping it off for a good old re-image.

Thankfully we have options…

First up, start with the obvious one: deploy OneDrive for Business with Known Folder Move and Silent Enable.

This will capture their Desktop, Documents and Pictures, which is a good start!

You’ll also notice I have an exclusion in there. This is for .lnk files, to stop the situation where you move computers and end up with multiple Teams icons, amongst others.

So, what can we do to catch more data?

Next up, we welcome Enterprise State Roaming.

Navigate to the Entra Portal, expand Devices and click on All Devices.

Click Enterprise State Roaming and turn it on. It’s literally that easy!

This adds the backup of the following:

https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settings-reference

Getting better, but we’re still missing some things, and now we’re out of in-built tools, so we’re going to have to go custom.

For this I’m using an old-school Batch script, as I’ve found they play better with OneDrive Files on Demand.

We have 4 scripts in total: one for backup, one for restore, one to run it silently and the final one to configure the backups on the device.

Backup Script

Update – 13/01/23 – Following on from the ASR fun, it now grabs Start menu entries as well.

Available here

This captures:

  • Desktop
  • Music
  • Documents
  • Email Signatures
  • Outlook Auto Entries
  • Favourites
  • Links
  • Excel and Word Startup Files
  • PST Files (in localappdata)
  • Word Normal.dot
  • Office UI Settings
  • Chrome Bookmarks
  • Sticky Notes
  • Output of mapped drives
  • Start Menu icons (All Users)
  • Start menu icons (current user)

These are all exported into a newly created backup folder in the user’s OneDrive folder.

Invis Script

Available here

No-one wants the users to see our magic, so this runs the batch script silently.

' Launch the backup batch file with a hidden window (0 = hide the window)
Set WshShell = CreateObject("WScript.Shell")
WshShell.RUN "cmd /c c:\backup-restore\backup.bat", 0

Restore Script

Available here

Basically, this does the opposite of the backup.

Deployment Script

Finally, this PowerShell script puts it all together and is the only one you need to deploy to your Intune environment.

This grabs the above scripts and exports them into c:\backup-restore.

##Create the target folder if it does not already exist
New-Item -ItemType Directory -Path "c:\backup-restore" -Force | Out-Null

##Download Backup Script
$backupurl="https://raw.githubusercontent.com/andrew-s-taylor/public/main/Batch%20Scripts/backup.bat"
$backupscript = "c:\backup-restore\backup.bat"
Invoke-WebRequest -Uri $backupurl -OutFile $backupscript -UseBasicParsing

##Download Restore Script
$restoreurl="https://raw.githubusercontent.com/andrew-s-taylor/public/main/Batch%20Scripts/NEWrestore.bat"
$restorescript = "c:\backup-restore\restore.bat"
Invoke-WebRequest -Uri $restoreurl -OutFile $restorescript -UseBasicParsing

##Download Silent Launch Script
$launchurl="https://raw.githubusercontent.com/andrew-s-taylor/public/main/Batch%20Scripts/run-invisible.vbs"
$launchscript = "c:\backup-restore\run-invisible.vbs"
Invoke-WebRequest -Uri $launchurl -OutFile $launchscript -UseBasicParsing

It then creates a scheduled task to run the run-invisible.vbs file on user login.

##Create scheduled task
# Create a new task action
$taskAction = New-ScheduledTaskAction -Execute 'c:\backup-restore\run-invisible.vbs' 

##Create Trigger (login)
$taskTrigger = New-ScheduledTaskTrigger -AtLogOn

# Register the new PowerShell scheduled task

#Name it
$taskName = "UserBackup"

#Describe it
$description = "Backs up User profile to OneDrive"

# Register it
Register-ScheduledTask `
    -TaskName $taskName `
    -Action $taskAction `
    -Trigger $taskTrigger `
    -Description $description
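
The download step above pulls whatever is on the main branch at run time, and the scheduled task then runs those files at every logon. The following is an added example, not part of the original deployment script: it pins the downloads to a reviewed commit and checks each file's SHA-256 before copying it into c:\backup-restore. The <commit-sha> and hash values are placeholders to fill in after reviewing the files, and Get-VerifiedFile is a hypothetical helper name.

```powershell
# Added example: verify each downloaded script before it lands where the task runs it.
# <commit-sha> and the Sha256 values are placeholders, not real values.
$ErrorActionPreference = 'Stop'
$dest = 'c:\backup-restore'
$base = 'https://raw.githubusercontent.com/andrew-s-taylor/public/<commit-sha>/Batch%20Scripts'

# File name on GitHub, local file name, expected SHA-256 of the reviewed copy
$files = @(
    @{ Remote = 'backup.bat';        Local = 'backup.bat';        Sha256 = '<sha256-of-reviewed-backup.bat>' }
    @{ Remote = 'NEWrestore.bat';    Local = 'restore.bat';       Sha256 = '<sha256-of-reviewed-NEWrestore.bat>' }
    @{ Remote = 'run-invisible.vbs'; Local = 'run-invisible.vbs'; Sha256 = '<sha256-of-reviewed-run-invisible.vbs>' }
)

function Get-VerifiedFile {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Download to a temp file first so an unverified file never reaches $OutFile
    $tmp = Join-Path ([System.IO.Path]::GetTempPath()) ([System.IO.Path]::GetRandomFileName())
    try {
        Invoke-WebRequest -Uri $Uri -OutFile $tmp -UseBasicParsing
        $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
        # -ne on strings is case-insensitive, so upper/lower-case hex both match
        if ($actual -ne $ExpectedSha256) {
            throw "Hash mismatch for $Uri (got $actual), file not installed"
        }
        Copy-Item -Path $tmp -Destination $OutFile -Force
    }
    finally {
        # Always clean up the temp copy, whether verification passed or failed
        if (Test-Path $tmp) { Remove-Item $tmp -Force }
    }
}

# Make sure the target folder exists before copying into it
if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }

foreach ($f in $files) {
    Get-VerifiedFile -Uri "$base/$($f.Remote)" `
                     -OutFile (Join-Path $dest $f.Local) `
                     -ExpectedSha256 $f.Sha256
}
```

When you move to a newer commit, review the changed files and update the hashes in the same change. Since the scheduled task runs these files at every logon, it is also worth confirming that standard users cannot write to c:\backup-restore.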

Whilst not perfect, between these three tools, the majority of user data should be safely backed up.

In the next post, we will look at backing up the Intune environment itself…
