Platform: Windows
Article ID: m0052Last Modified: 04-Dec-2025

Object Lock (Immutability)

This chapter is intended to describe Object Lock Immutability support for backup plans in new backup format. For information on how Object Lock (Immutability) is supported for Microsoft 365 / Google Workspace backup, refer to the following article.

This chapter covers the following topics:

About Object Lock (Immutability)

Object Lock (Immutability) is a feature that locks backup datasets for a period specified by GFS retention policy. Within this period, backup data is kept unmodified.

Object Lock (Immutability) is supported by the following storage providers:

The Object Lock (Immutability) feature is linked with the GFS retention policy. If the Immutability is applied along with GFS settings, full backups that are subject to the GFS retention policy become immutable for the GFS keeping period.

For example, if in a backup plan you enable weekly and monthly GFS keeping periods, and then enable Immutability, it means that all weekly and monthly backups selected by the GFS keeping period assignment mechanism will be locked on backup storage and cannot be deleted nor modified.

Object Lock (Immutability) is available for plans in the new backup format (NBF) only

| Top |

Retention Modes for Immutable Data

Generally, two object lock retention modes are supported for immutable storage:

  • Governance mode (default). In Governance mode, protected objects in backup storage are locked (users cannot overwrite or delete an object version or alter its lock settings using Management Console or Backup Agent). These objects can only be deleted using cloud storage provider tools. By design, when you create a destination bucket using the Management Console, the Governance mode is used for all destination buckets with Immutability enabled.

  • Compliance mode. In Compliance mode, protected objects in backup storage are locked completely (users cannot overwrite or delete an object version or alter its lock settings using Management Console or Backup Agent). These objects cannot be deleted until their retention period defined in the GFS retention policy settings ends. Management Console or Backup Agent provide no option to switch Object Lock retention mode for existing destination buckets with Object Lock enabled. If you need to use the Compliance mode for the case, you can check this option with MSP360 support.

Use the Object Lock (Immutability) feature with extreme caution. Once a backup data becomes immutable in Compliance mode, there is no way to delete them from the storage until the specified GFS keeping period expires except for the storage account termination. Incorrect settings can cause high storage bills

| Top |

Allow 'Manage Object Lock (Immutability)' Permission for Your Administrators

If you intend to delegate the Immutability management to your administrators, grant the appropriate permission for them. To do this, proceed as follows:

  1. Open the Management Console.
  2. In the Organization menu, select Administrators.
  3. Click Edit or Add Administrator to create a new one.
  4. Switch to the Permissions tab.
  5. Find the Object Lock (Immutability) option, then select the appropriate checkbox.

  1. Click Save.

| Top |

Allow Object Lock (Immutability) for Storage Account

Consider that the Object Lock (Immutability) option currently must be allowed by means of Management Console. Default Object Lock (Object Lock (Immutability) options enabled directly by means of management web consoles belonging to backup storage providers (AWS S3, Wasabi, BackBlaze)) cannot be currently supported.

If you need to comply with the regulations, maintenance or legal requirements, or anything else that requires an immutable backup dataset, enable this feature for an appropriate storage account.

If you do not have any storage destinations with the allowed Object Lock (Immutability), you can create a new destination bucket in Management Console. You can use also an existing bucket with Object lock (Immutability enabled through Management Console).

To use the Object Lock (Immutability) feature, appropriate permission must be granted to the account used for backup storage connection. For example, for S3 destinations, GetBucketObjectLockConfiguration permission must be granted

Disable Object Lock (Immutability) for Storage Account

If you change the GFS policy or disable the Object Lock (Immutability), all backups locked with the Object Lock (Immutability) will be kept for the period specified in the GFS retention policy settings.

If you need to suspend or terminate immutable backup keeping, proceed as follows:

  1. Open the Management Console.
  2. In the Storage > Storage Accounts select the required account.
  3. Click the number of backup destinations in theDestinations column, to view a list of backup destinations.

  1. Click the edit destination icon to edit an existing destination.

  1. In the Edit destination dialog, clear the Enable Object Lock (Immutability) checkbox.

Note that after you disable Object Lock (Immutability), you will not be able to create new backup plans with the selected storage account and enable Object Lock (Immutability). Also, all backup plans that have Object Lock (Immutability) enabled will be terminated with an appropriate error. To avoid these errors, disable the Object Lock (Immutability) feature manually in the plans where you no longer need this feature

  1. Click Save.

| Top |

Enable Object Lock (Immutability) in Backup Plans

For security reasons, the Object Lock (Immutability) option cannot be enabled or edited in Backup Agent

To enable Object Lock (Immutability) in backup plans via Remote Management, proceed as follows:

  1. Open the Management Console.
  2. In the Computers menu, find the required computer, then click on the computer name.
  3. In the side panels navigate to the Backup plans tab.
  4. Edit the required backup plan or create a new one. Remember that the backup plan must be in the new backup format.
  5. On the Where to back up step of the backup wizard, select the storage account with the Object Lock (Immutability) feature supported.
  6. Follow the backup wizard to the Retention Policy step.
  7. Enable the Archive Backups, Grandfather-Father-Son (GFS), then specify the GFS keeping periods according to your requirements. If you already have the GFS policy configured, skip this step.

If the Object Lock (Immutability) is not available (for example, it is not enabled for the selected backup destination bucket), you will see the following warning:

  1. Select the Prevent backups created according to GFS policy from deletion) checkbox.
  2. Confirm the feature enabling.

  1. Follow the backup wizard steps to save the backup plan configuration.

| Top |

https://git.cloudberrylab.com/egor.m/doc-help-mbs.git
Production