/
/

How to Run a Quarterly Backup Audit Using Only Built-In Windows Tools

by Stela Panesa, Technical Writer
How to Run a Quarterly Backup Audit Using Only Built-In Windows Tools blog banner image
How to Run a Quarterly Backup Audit Using Only Built-In Windows Tools blog banner image

Key Points

  • Build an Audit Checklist: Establish a formal quarterly framework that validates backup job success logs, data retention policy alignment, 3-2-1 strategy compliance, and manual recovery success.
  • Streamline Log Extraction: Use optimized native PowerShell cmdlets to query the local Application Event Log for the Microsoft-Windows-Backup provider, exporting results to a centralized CSV file to minimize server resource strain.
  • Validate with Sandbox Restores: Perform at least one manual restore of files or directories into an isolated virtual machine or sandbox environment each quarter to verify data integrity and record recovery speeds.
  • Audit Retention and Off-site Controls: Scan target storage pathways with native file system commands to track data age, ensuring long-term historical compliance while identifying gaps in off-site replication.
  • Isolate the Audit Trail: Secure all exported compliance evidence by immediately transferring CSV logs off the local machine to a secure, write-once directory or a centralized MSP documentation platform to prevent tampering during a network compromise.
  • Drive QBR Remediation: Centralize audit records, trend analysis, and policy exceptions into a master spreadsheet to generate executive summaries for Quarterly Business Reviews (QBRs) and cyber insurance renewals.

Backup management is one of the most important responsibilities of MSPs, but many organizations lack the budget or justification to invest in dedicated third-party backup auditing tools.

The good news is that there are no-cost frameworks you can use each quarter to confirm that backups are working successfully, meeting data retention policy requirements, and can be restored when needed.

In this guide, we’ll show you how to conduct quarterly backup audits using only native utilities and basic scripts. Keep reading to learn more about the importance of conducting backup audits. This approach supports compliance, cyber insurance readiness, and verification of your 3-2-1 backup strategy without additional software.

Reduce time spent on validating backup health and retention.

Explore NinjaOne Backup monitoring

A practical guide to performing quarterly backup audits using native tools and basic scripting

Although third-party auditing tools can be helpful, you don’t necessarily need them to conduct backup audits. You can use built-in Windows tools and basic scripts to validate backup health, retention, and off-site protection.

Step 1: Create a quarterly backup audit checklist

Start by creating a quarterly backup audit checklist that covers each major validation area:

  • Backup Job Success: Review backup logs from the past 90 days and note any failed or missed jobs.
  • Retention Policy Compliance: Check if the backup’s data retention periods match their respective policy (for example, 30, 90, or 365 days).
  • Off-site & Immutable Copies: Make sure the backups adhere to the 3-2-1 rule:
    • 3 copies of data
    • 2 different media types
    • 1 off-site or immutable copy supported by off-site backup solutions
  • Manual Restore Test: Test the usability of the backups by performing at least one manual restore.
  • Exception Logging: Note any anomalies or deviations from your backup policies.

Use tools like Excel and Notion to create a templated checklist you can use every quarter.

Step 2: Use built-in tools to extract backup status

Collecting backup logs can be time-consuming, so to speed up the process, you can use command-line tools or native PowerShell commands to automate the extraction.

Examples

(A) Windows Server Backup

Get-WinEvent -LogName Application |

Where-Object {$_.ProviderName -eq "Microsoft-Windows-Backup"} |

Select TimeCreated, Message |

Export-Csv "C:\BackupAudit\EventLog.csv" -NoTypeInformation

This script collects Windows backup-related events from the local machine and saves them into a CSV file, which you can consolidate for a centralized review or audit.

Automating this step improves audit consistency and frees up time to strengthen backup coverage and off-site backup solutions.

⚠️Important: You must execute this script on all endpoints that use Windows Backup.

📝 Editor’s Note on Performance: When writing or running extraction scripts for the Windows Application Log, ensure the script is optimized to filter events before loading them into the server’s local memory. Standard filtering can heavily tax system resources on older or busy production servers. Remember that native Windows logging only tracks built-in features like Windows Server Backup; if your fleet uses separate platforms, your tracking methods will need to target those specific software log channels instead.

Step 3: Perform a manual restore validation

Aside from ensuring that your backup jobs are running, you must also verify that they’re usable. You can do this by restoring a few files or directories for each quarter:

  1. Restore a file or folder to a sandbox VM or isolated environment.
  2. Measure the restore time and check the file’s integrity.
  3. Document any errors or complications you encounter. Take screenshots and attach them to your quarterly audit summary.

Step 4: Validate retention and off-site compliance

Use scripts or manual inspection to comply with your data retention policy:

Get-ChildItem "\\backupserver\archive" -Recurse |

Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-90)}

This PowerShell command scans the \\backupserver\archive directory and filters out all the files and folders that haven’t been modified in the last 90 days. The result is a list of outdated items you can use to determine which files can be archived or deleted.

To check off-site backup solutions, verify the availability of cloud backups (e.g., Azure and AWS), offsite NAS, or external drives.

🔒 The Immutability Reality Check: While native Windows tools are excellent for verifying file creation dates and matching them against your retention schedules, standard Windows network shares and file systems cannot create true, un-deletable “immutable storage.” To fully satisfy the “1” in your 3-2-1 strategy against modern ransomware, these native Windows checklist audits should eventually point toward hardware-isolated or cloud-object-locked repositories that prevent administrative deletion.

Mark which systems meet the 3-2-1 backup strategy using a dashboard and highlight any gaps you find.

Step 5: Track trends and exceptions in a spreadsheet

Once you’ve gathered all the necessary backup logs and validation results, you can begin creating a centralized audit log to monitor backup health. It should include separate tabs for a system’s:

  • Backup Job Status: Indicate the system’s name, the last completed backup job, and success/failure results.
  • Retention Compliance: Compare target data retention to actual retention to ensure compliance.
  • Restore Test Results: Include the test time, success rate, and any issues encountered during the test.
  • Trend Analysis: Use conditional formatting to highlight trends over time (for example, ✅ = Passed, ⚠️ = Warning, ❌ = Failed) and small line charts to demonstrate backup health per client or site.

Step 5b: Secure your audit evidence

An audit log is only useful if it can be trusted. If a cyberattacker compromises a network, their first move is often to delete backup infrastructure and wipe event logs to hide their tracks.

  • Do not leave your exported audit CSV files sitting on the local drive of the production servers you just scanned.
  • Do automate the transfer of these audit summaries to a secure, write-once directory, an off-site repository, or ingest them directly into your central MSP documentation platform so the evidence is tamper-proof.

Step 6: Deliver client-friendly summary reports

Finally, present your audit findings to your clients in the form of a summary report.

The document should include:

  • A one-page executive summary highlighting key findings, risks, and recommendations
  • A chart showing backup job success rates by system
  • A brief note on the restore test outcome
  • Any remediation or follow-up actions (such as retention updates and schedule adjustments)

These reports can be a valuable addition to your Quarterly Business Reviews (QBRs), allowing you to reinforce the value your MSP delivers.

What are backup audits?

Backup audits objectively examine an organization’s data backup and recovery strategies. They help ensure that the organization’s backup procedures are aligned with its policies and compliant with industry standards and regulations.

More importantly, backup audits assess the effectiveness of your backup strategies against threats such as ransomware and hardware failure.

There are three types of data backup audits:

  • First-party Audit: An internal audit review conducted by the firm’s IT or security team
  • Second-party Audit: An external audit performed by a party connected to the organization, such as a client
  • Third-party Audit: An independent audit done by an external firm with no ties to the organization

Quarterly data backup audits play a crucial role in ensuring the effectiveness of an organization’s backup and recovery systems. It allows you to identify gaps in their backup coverage and ensure compliance with data retention policies.

While conducting regular audits alone cannot fully prevent data loss, they provide reassurance that you have valid, restorable backups that you can use when it matters most.

Quarterly backup audits made easier with NinjaOne

NinjaOne Backup can help streamline the audit process by:

  • Using monitoring alerts to flag backup job failures ahead of audits
  • Exporting activity logs from backup tools integrated with NinjaOne
  • Building snapshot dashboards of backup health over time for QBRs

This enables MSPs to validate retention, restore capability, and off-site backup solutions without investing in separate auditing software.

Gain visibility into backup performance with centralized reporting and dashboards.

See how NinjaOne Backup simplifies operations

Conduct comprehensive backup audits without third-party auditing tools

Just because you don’t have paid auditing tools at hand doesn’t mean you can’t conduct recurring backup audits anymore.

By creating a low-cost auditing framework and leveraging native tools like PowerShell, you can improve your MSP’s data protection strategies and enhance client trust without investing in additional software.

Related topics:

FAQs

Quarterly backup audits demonstrate to insurers and clients that your MSP has a reliable, well-documented data backup and recovery process, which could help you get lower premiums and better terms.

As mentioned earlier, a comprehensive quarterly backup audit checklist verifies backup job success, retention compliance, and restore reliability.

Data backups must be tested through restore validation, which involves restoring files to an isolated environment and checking their integrity. Running regular restore tests ensures that your backups are usable.

The 3-2-1 rule is a data backup strategy that involves keeping three copies of your data, storing them in two different types of storage media, and placing one copy in an off-site location.

Quarterly backup reports do not always require formal third-party audits. However, they should be reviewed internally for accuracy and completeness. In regulated industries or cyber insurance assessments, documented reviews or independent audits may be required to validate compliance with data retention policies and backup standards.

While there’s no universal law that mandates data backup and recovery, most businesses back up their data because it’s essential for preventing potential data loss caused by hardware failure, human error, and cyberattacks.

Additionally, several industry-specific regulations require specific types of data to be backed up and protected from accidental loss. These standards include HIPAA and GDPR.

No. Native Windows file systems and standard network shares do not natively support true data immutability. To achieve genuine immutable storage that protects against ransomware deletion, you must utilize cloud storage with Object Lock capabilities, specialized Linux hardened repositories, or dedicated backup appliances.

You can audit Windows Server Backup by querying the Windows Application Event Log specifically for the “Microsoft-Windows-Backup” provider. To keep server performance high, the query should be designed to filter the log at the provider level before extracting the dates and success messages into your quarterly compliance report.

You might also like

Ready to simplify the hardest parts of IT?

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).