This article addresses frequently asked questions about Windows Backup for Organizations.
General questions:
- What's the difference between Enterprise State Roaming and Windows Backup for Organizations?
- Which settings are backed up?
- Why do I receive a UAC dialog after restoring a PC: "Do you want to allow this app to make changes to your device?"
- Why does the Windows Backup app show up on my device?
- Is it supported on Cloud PCs?
- Is this feature supported on non-persistent VDI environments?
- What should be used instead of Windows Backup for Organizations for non‑persistent VDIs?
- Can this feature be enabled on Windows 365 Frontline shared Cloud PCs?
- How can Windows Backup for Organizations be prevented from applying to VDI or shared Cloud PCs?
- Does this feature support cross-tenant migration?
- Can I perform backups on demand?
- Can I perform restores on demand?
- Why isn't my desktop background restored?
Back up and restore options questions
- Can I use this feature to back up and restore user data?
- Can I use this feature to back up and reinstall applications?
- Can I use this feature to back up and restore application settings?
- Can I use this feature to back up and restore Microsoft Edge settings?
Data and storage retention questions
- Is there any personal data being stored?
- Where are desktop background and lockscreen images stored?
- Where's the data stored?
- If the data is stored on the Microsoft cloud, what are the encryption methodologies followed?
- How is backup data secured, and is it accessible only within the tenant or also by Microsoft?
- Which specific GDPR and data security compliance does Microsoft adhere to?
- What is the data retention period?
General questions
What's the difference between Enterprise State Roaming and Windows Backup for Organizations?
| | Enterprise State Roaming | Backup/Restore |
|---|---|---|
| Definition | Roaming settings refers to settings that are designed to be synchronized across devices in real time where the user account is connected. | Device-specific settings aren't designed to be synchronized across devices connected to a user account. These are used to enable backup/restore type scenarios. |
| Use Case | Roaming allows users to have a list of Windows settings that have been configured on a device roam to other devices, so that they have consistent settings without having to configure them multiple times across devices. | Backup/Restore allows users to have a list of Windows settings that have been backed up on their device restored on a new device. This offers a Welcome Back type experience to users, where their new PC looks like their previous PC upon initial setup. |
| Sync Units | Per user | Per device |
| Supported OS | - Windows 10, version 22H2 or later<br>- Windows 11, version 22H2 or later | - Backup supported on Windows 10 and Windows 11<br>- Restore supported on Windows 11 version 22H2 or later Microsoft Entra joined only |
| Sync Type | Opportunistic: The setting change isn't synced immediately but every 5-10 minutes, to prevent quick setting switches from causing a timing issue where the following setting change is dismissed and the wrong setting is synced. | - Backup happens automatically, and it's scheduled weekly.<br>- Windows Backup app is also available to manually take a backup.<br>- User can restore during OOBE only. |
Which settings are backed up?
For a list of settings that are backed up, see Windows Backup for Organizations settings catalog.
Why do I receive a UAC dialog after restoring a PC: "Do you want to allow this app to make changes to your device?"
The UAC dialog might be shown after restoring a PC from backup if the User Account Control (UAC) Prompt for Consent or Prompt for consent on the secure desktop behavior is selected. The default behavior (Prompt for consent for non-Windows binaries) won't trigger this UAC prompt. The UAC prompt is expected when the UAC behavior is modified. The only restored setting that can trigger the UAC prompt is the Set time zone automatically setting. If the setting is off, the UAC prompt can appear.
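The condition described above can be checked on a device before a restore. The PowerShell below is an added example, not part of the original article. It assumes the restore target receives the same UAC policy as the device it runs on, and that the Set time zone automatically toggle is reflected in the start type of the tzautoupdate service (4 = off).

```powershell
# Added example: report whether the post-restore UAC prompt is expected.
# Run on the device being backed up; assumes the restore target gets the same UAC policy.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$tzKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\tzautoupdate'

# ConsentPromptBehaviorAdmin values for the policy "Behavior of the elevation
# prompt for administrators in Admin Approval Mode".
$behaviorNames = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

function Get-RestoreUacPromptRisk {
    $uac = Get-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue
    # A missing value means the operating system default (5) applies.
    $behavior = if ($null -ne $uac) { [int]$uac.ConsentPromptBehaviorAdmin } else { 5 }

    # Assumption: "Set time zone automatically" off corresponds to Start = 4 (disabled).
    $tz = Get-ItemProperty -Path $tzKey -Name Start -ErrorAction SilentlyContinue
    $autoTimeZoneOff = ($null -ne $tz) -and ($tz.Start -eq 4)

    # The article names two behaviors that lead to the prompt: values 4 and 2.
    $promptingBehavior = $behavior -in 2, 4

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        UacBehavior     = $behaviorNames[$behavior]
        AutoTimeZoneOff = $autoTimeZoneOff
        PromptExpected  = $promptingBehavior -and $autoTimeZoneOff
    }
}

Get-RestoreUacPromptRisk | Format-List
```

A result of `PromptExpected : True` means the prompt after restore is the documented behavior for that device's UAC configuration.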
Why does the Windows Backup app show up on my device?
If the backup policy has been configured for your organization by the IT administrator, the Windows Backup app will become available once the EnableWindowsBackup policy is enabled.
Is it supported on Cloud PCs?
Yes, Windows Backup is now supported on Cloud PCs. Restore is available at first sign-in after device enrollment.
Is this feature supported on non-persistent VDI environments?
While the first sign-in restore experience can be enabled on non‑persistent virtual desktop infrastructure (VDI) environments, including pooled or reset‑on‑logoff deployments such as Azure Virtual Desktop (AVD), Citrix Virtual Apps and Desktops, and VMware Horizon non‑persistent pools, it's recommended to disable the feature via both backup and restore policies. In these environments, the operating system and user session are frequently reset on reboot or sign‑out. In scenarios without FSLogix or other profile roaming solutions, this reset behavior causes restored settings and applications to be discarded at the end of each session. It results in an inconsistent and unreliable restore experience. In pooled environments that already use FSLogix or profile roaming, user settings are persistently captured as part of the profile and restored on every sign‑in. In these cases, a first sign‑in restore experience provides little to no additional value, since the relevant user state is already preserved and reapplied by the existing profile solution.
What should be used instead of Windows Backup for Organizations for non‑persistent VDIs?
For non‑persistent VDI scenarios, Microsoft recommends using user state and profile roaming solutions rather than device‑based restore. Solutions such as profile containers (for example, FSLogix), network‑based profile roaming, or other VDI‑optimized personalization technologies are designed to persist user state independently of the device image. These approaches are better suited for environments where the operating system is frequently reset and user settings must be preserved across sessions.
Can this feature be enabled on Windows 365 Frontline shared Cloud PCs?
It's recommended that the first sign‑in restore experience is disabled via both backup and restore policies on Windows 365 Frontline shared Cloud PCs. These Cloud PCs are shared by design and do not maintain a consistent, per‑user Cloud PC identity, with the user experience reset after each sign‑out. Because the first sign‑in restore experience is intended for persistent Cloud PCs, enabling it in shared Frontline scenarios can result in unreliable behavior. Instead, User Experience Sync (UES) should be used to preserve and reapply user settings at sign‑in, independent of the Cloud PC lifecycle.
How can Windows Backup for Organizations be prevented from applying to VDI or shared Cloud PCs?
To prevent the first sign‑in restore experience from applying to VDI or shared Cloud PCs, administrators should explicitly exclude these environments from both backup and restore‑enabled policies. Device filters or dynamic device groups should be used to ensure that pooled, shared, or virtual desktop hosts, including Windows 365 Frontline shared Cloud PCs, do not receive restore‑enabled policies.
Does this feature support cross-tenant migration?
No. Backups are tied to the user's current tenant.
Can I perform backups on demand?
When the backup policy is enabled, backups occur automatically every eight days. You can also initiate an on-demand backup manually using the Windows Backup app.
Can I perform restores on demand?
Restore is currently available during the Windows out-of-box experience (OOBE).
Why isn't my desktop background restored?
If the background image is a system image stored under %windir%\Web\, it's not restored by design. To back up background images that have been set by the user or admin, the images must not be system images and OneDrive Picture folder sync must be enabled.
Backup and restore options
Can I use this feature to back up and restore user data?
Windows Backup for Organizations is designed to back up and restore Windows settings and the Microsoft Store application list. To back up user data, it's recommended to use OneDrive.
Can I use this feature to back up and reinstall applications?
Windows Backup for Organizations is designed to back up and restore Windows settings and the list of installed Microsoft Store apps only.
Can I use this feature to back up and restore app settings?
Windows Backup for Organizations currently supports backup and restore of Windows settings and the list of installed Microsoft Store apps only.
Can I use this feature to back up and restore Microsoft Edge settings?
To synchronize Microsoft Edge favorites and settings, you can configure Microsoft Edge enterprise sync.
Data storage and retention
Is there any personal data being stored?
Yes—user-specific settings are classified as personal data and are included in the backup. This data is stored in the tenant's region and handled in accordance with Microsoft's privacy and compliance standards. That includes the Microsoft Products and Services Data Protection Addendum (DPA), which outlines Microsoft's contractual commitments to data protection, privacy, and regulatory compliance across cloud services.
Where are desktop background and lockscreen images stored?
If your tenant has a OneDrive subscription, then the user's desktop and lockscreen background are stored in OneDrive.
Where's the data stored?
In the public cloud, you're prompted to select a location (shown as "Country/Region" in the admin portal) at the time of tenant creation (for example, signing up for Office 365 or Azure, or creating more Microsoft Entra instances through the Azure portal). Microsoft maps the selection to a geo-location in the Exchange Online cloud. This feature also supports Exchange Online multi-geo capabilities if configured for the tenant. See Data Residency for Exchange Online for more information about managing your M365 Exchange Online data.
If the data is stored on the Microsoft cloud, what are the encryption methodologies followed?
Customer data stored within Microsoft's enterprise cloud services is protected using one or more forms of encryption.
Note: Multiple non-Microsoft auditors independently validate our crypto policy and its enforcement. Reports of those audits are available on the Service Trust Portal.
Microsoft provides service-side technologies that encrypt customer data at rest and in transit. For example, for customer data at rest, Microsoft Azure uses BitLocker and DM-Crypt, and Microsoft 365 uses BitLocker, Azure Storage Service Encryption, Distributed Key Manager (DKM), and Microsoft 365 service encryption. For customer data in transit, Azure, Office 365, Microsoft Commercial Support, Microsoft Dynamics 365, Microsoft Power BI, and Visual Studio Team Services use industry-standard secure transport protocols, such as Internet Protocol Security (IPsec) and Transport Layer Security (TLS), between Microsoft datacenters and between user devices and Microsoft datacenters.
For more information, see Encryption and key management overview.
How is backup data secured, and is it accessible only within the tenant or also by Microsoft?
- Microsoft implements strong measures to help protect a tenant's customer data from inappropriate access or use by unauthorized persons. This includes restricting access by Microsoft personnel and subcontractors and carefully defining requirements for responding to government requests for customer data. More details are available on the Microsoft Trust Center.
- Microsoft access is granted only when necessary, and always under strict management oversight (e.g., for legal compliance).
- Microsoft personnel may use customer data only for purposes compatible with providing you with the contracted services, such as troubleshooting and improving features like protection from malware.
Which specific GDPR and data security compliance does Microsoft adhere to?
All Microsoft 365 apps and services support compliance with EU General Data Protection Regulation (GDPR) requirements. For detailed information, see the GDPR Overview. All data handling aligns with Microsoft's privacy and compliance standards, including the Microsoft Products and Services Data Protection Addendum (DPA), which outlines Microsoft's contractual commitments to data protection, privacy, and regulatory compliance across its cloud services.
What is the data retention period?
By default, data is retained as long as it's associated with an active Microsoft account and device.