Veeam Agent for Windows -- Managed Deployment, Protection Groups, and Policy-Based Coverage at Scale
Veeam v13 Series | Component: Veeam Agent for Windows, VBR v13 | Audience: Sysadmins, Infrastructure Engineers
Most environments have physical servers: file servers, domain controllers, application servers, or workstations that aren't virtualized and never will be. VBR protects VMs natively, but for physical Windows machines, Veeam Agent for Windows is the mechanism. Standalone works fine when you're touching a handful of machines directly. Once you're past that, managed deployment through VBR's protection groups is the right path: agents deploy automatically, policies apply centrally, and new machines joining the domain get picked up and protected without anyone touching them individually.
This covers the full managed deployment workflow: protection group types and when to use each, the difference between backup jobs and backup policies, agent deployment and the two deployment methods, Active Directory-driven dynamic scoping, and the PowerShell automation for agents at scale.
1. Protection Groups: The Core Concept
A protection group is a container in VBR that defines a scope of computers to protect. Everything related to managed agents in VBR starts with a protection group. The group defines which computers are in scope, how VBR discovers them, and whether VBR deploys the agent automatically or expects it to be pre-installed. Backup jobs and policies then reference protection groups rather than individual machines.
| Protection Group Type | Scope | Dynamic? | Best For |
|---|---|---|---|
| Individual computers | Specific machines you name explicitly | No | Small environments without AD, or specific machines that need different backup settings from everything else |
| Active Directory objects | Domain, OU, group, or specific AD computers | Yes | Domain-joined environments. New machines added to the OU or group are automatically discovered and protected on the next rescan. |
| CSV file | Machines listed in a text or CSV file on the VBR server | Yes (file-driven) | Environments without AD, or machines managed by another tool that can export a machine list. |
| Pre-installed agents | Any machine that connects using a certificate generated for the protection group | Yes (certificate-driven) | Environments where network restrictions prevent VBR from deploying agents, or where agents are deployed via third-party tools like SCCM or Intune. |
| Cloud machines | Amazon EC2 or Azure VM instances | Yes | Cloud VMs where agent-based backup via cloud API is needed instead of host-level backup. |
2. Backup Jobs vs Backup Policies
This distinction matters and it's the thing that trips people up most when first setting up managed agents. There are two job types and they work differently.
- Backup job managed by the backup server: VBR orchestrates the backup centrally, like a VM backup job. The job runs on schedule from the VBR server. The agent on the protected computer participates but VBR drives it. This is the right choice for servers with permanent, reliable connectivity to VBR: physical servers in the same datacenter, always-on infrastructure, failover clusters.
- Backup policy managed by Veeam Agent: VBR pushes the policy configuration to each agent, then the agent runs the backup independently on the local machine. The agent reports results back to VBR. This is the right choice for machines with intermittent connectivity: laptops, workstations, remote machines that aren't always online when VBR would try to run a job.
Machines in pre-installed agent protection groups can only use backup policies, not backup jobs managed by the server. That's by design: if VBR doesn't have direct administrative access to deploy the agent, it also can't orchestrate the backup centrally. The agent has to manage itself.
3. Setting Up an Active Directory Protection Group
- In VBR, go to Inventory, then Physical and Cloud Infrastructure, and click Add Protection Group.
- Name the group and select Microsoft Active Directory objects as the type.
- Provide domain credentials with rights to connect to AD and to install software on the target computers (local administrator on each machine, or a domain admin account).
- Add the AD objects to include in scope: domain, OU, group, or specific computers. For dynamic coverage of all servers in a specific OU, add the OU. New computers added to that OU will appear in VBR on the next rescan cycle.
- On the Options step, configure the rescan schedule (how often VBR checks for new computers in the scope) and whether to automatically deploy the agent on newly discovered computers. If automatic deployment is enabled, VBR pushes the agent installer silently on the next rescan after discovery.
- Optionally exclude specific computers or OUs that shouldn't be in scope. SQL clusters, domain controllers, or machines managed by a different team can be excluded here rather than needing a separate protection group.
4. Pre-Installed Agent Deployment
In environments where VBR can't push the agent directly (network segmentation, security restrictions, machines managed by SCCM or Intune), the pre-installed agent pattern works differently. VBR generates a setup package that includes the agent installer and a configuration file with a certificate. You deploy the package through whatever software distribution tool you already use. The agent installs, reads the configuration file, and connects back to VBR using the certificate. VBR sees it appear in the protection group inventory automatically.
- Create a protection group of type "Computers with pre-installed backup agents."
- After creating the group, VBR generates a setup package. Download it from the protection group properties.
- Deploy the setup package to target computers through SCCM, Intune, Group Policy software installation, or manual installation.
- After the agent installs and the configuration file is applied, each machine connects to VBR and appears in the protection group on the next polling cycle.
5. PowerShell for Agent Management at Scale
```powershell
Connect-VBRServer -Server "vbr-server.domain.local"

# Get all protection groups and their computer counts
Get-VBRProtectionGroup | ForEach-Object {
    $grp = $_
    # @() keeps .Count reliable when zero or one computer is returned
    $computers = @(Get-VBRDiscoveredComputer -ProtectionGroup $grp)
    [PSCustomObject]@{
        GroupName     = $grp.Name
        Type          = $grp.Type
        ComputerCount = $computers.Count
        Unprotected   = @($computers | Where-Object { $_.BackupStatus -eq 'Unprotected' }).Count
        Protected     = @($computers | Where-Object { $_.BackupStatus -eq 'Protected' }).Count
    }
} | Format-Table -AutoSize

# Find unprotected computers across all protection groups
$unprotected = Get-VBRDiscoveredComputer | Where-Object { $_.BackupStatus -eq 'Unprotected' }
if ($unprotected) {
    Write-Host "`nUnprotected computers:"
    $unprotected | Select-Object Name, ProtectionGroupName, LastSeen | Format-Table -AutoSize
}

# Report each agent job's last result and the hours since its last run;
# flag any job that is not a success from within the last 25 hours
Get-VBRJob | Where-Object { $_.TypeToString -like '*Agent*' } | ForEach-Object {
    $job = $_
    $result = $job.GetLastResult()
    # Jobs that have never run get a sentinel lag of 999 hours
    $lag = if ($job.LatestRunLocal) {
        [math]::Round(((Get-Date) - $job.LatestRunLocal).TotalHours, 1)
    } else { 999 }
    [PSCustomObject]@{
        JobName    = $job.Name
        LastResult = $result
        LagHours   = $lag
        Status     = if ($result -eq 'Success' -and $lag -lt 25) { 'OK' } else { 'CHECK' }
    }
} | Format-Table -AutoSize

Disconnect-VBRServer
```
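Dynamic AD scoping only covers a machine once a rescan has discovered it, so it is worth comparing the OU's membership against VBR's inventory. The following is an added example, not part of the original article or of Veeam's tooling: the function name `Compare-AgentCoverage` and its state labels are hypothetical, the `Name` and `BackupStatus` properties are taken from the script above, and the sample data is constructed.

```powershell
# Added example. Assumes computers are identified by host name or FQDN (not IP address)
# and that discovered-computer objects expose Name and BackupStatus as in the script above.
function Compare-AgentCoverage {
    param(
        [string[]] $AdComputerName,      # computer names from the in-scope OU
        [object[]] $DiscoveredComputer   # objects with Name and BackupStatus
    )
    # Index VBR records by short host name so FQDN and NetBIOS forms match
    $byName = @{}
    foreach ($c in $DiscoveredComputer) {
        $byName[($c.Name -split '\.')[0].ToUpperInvariant()] = $c
    }
    $adSeen = @{}
    foreach ($n in $AdComputerName) {
        $key = ($n -split '\.')[0].ToUpperInvariant()
        $adSeen[$key] = $true
        $state = if (-not $byName.ContainsKey($key)) {
            'NotDiscovered'      # in AD scope, but VBR has not picked it up yet
        } elseif ($byName[$key].BackupStatus -eq 'Protected') {
            'Protected'
        } else {
            'Unprotected'        # discovered, but no job or policy covers it
        }
        [PSCustomObject]@{ Computer = $key; State = $state }
    }
    # Records VBR still holds for machines that are no longer in the AD scope
    foreach ($key in $byName.Keys) {
        if (-not $adSeen.ContainsKey($key)) {
            [PSCustomObject]@{ Computer = $key; State = 'NotInAdScope' }
        }
    }
}

# Constructed sample input. Against a live environment the two inputs would come from:
#   (Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase '<OU distinguished name>').Name
#   Get-VBRDiscoveredComputer -ProtectionGroup $grp
$adNames = 'FS01', 'APP01', 'APP02', 'DC01'
$discovered = @(
    [PSCustomObject]@{ Name = 'fs01.corp.example';  BackupStatus = 'Protected' }
    [PSCustomObject]@{ Name = 'app01.corp.example'; BackupStatus = 'Unprotected' }
    [PSCustomObject]@{ Name = 'old01.corp.example'; BackupStatus = 'Protected' }
)
Compare-AgentCoverage -AdComputerName $adNames -DiscoveredComputer $discovered |
    Where-Object State -ne 'Protected' | Sort-Object State, Computer | Format-Table -AutoSize
```

Machines reported as `NotDiscovered` point at a rescan schedule, exclusion, or credential problem on the protection group rather than at a missing job.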
Key Takeaways
- Protection groups are the foundation. Everything related to managed agents starts there. Define the scope in the protection group and let backup jobs or policies reference the group rather than managing individual machines.
- Active Directory protection groups are dynamic. Computers added to an in-scope OU get discovered and protected automatically on the next rescan. No manual job reconfiguration needed when the environment grows.
- Backup jobs managed by the server suit always-on infrastructure. Backup policies managed by the agent suit laptops, workstations, and remote machines with intermittent connectivity. Computers in pre-installed agent protection groups can only use policies, not server-managed jobs.
- In environments where VBR can't push agents (network restrictions, SCCM-managed endpoints), use pre-installed agent protection groups. VBR generates a setup package with a certificate. Deploy it via whatever distribution tool you already have. The agent connects back to VBR automatically.
- The Unprotected computer status in VBR means a computer was discovered in a protection group but has no backup job or policy covering it. Review unprotected computers in your protection groups regularly. Discovery without protection is not coverage.