Windows Backup for Organizations overview

Windows Backup for Organizations is an enterprise-grade feature designed to streamline device transitions by securely preserving user settings and Microsoft Store app configurations. Whether upgrading from Windows 10 or refreshing PCs, it delivers a consistent user experience and enhances business continuity through robust backup and rapid recovery capabilities.

Objectives of Windows Backup for Organizations:

• Help organizations accelerate PC refresh cycle or the transition to Windows 11 or deploying AI-powered PCs.
• Allow organizations to transition to a cloud-first approach for managing devices and user settings.

System requirements

The following sections list the requirements to use Windows Backup for Organizations.

Backup requirements

The backup feature is available to users signed in with Microsoft Entra ID on devices that meet the following requirements:

• Windows 10, version 22H2 build 19045.6216 or later
• Windows 11, version 22H2 build 22621.5768 or later
• Windows 11, version 23H2 build 22631.5768 or later
• Windows 11, version 24H2 build 26100.4946 or later
• Must be Microsoft Entra joined or Microsoft Entra hybrid joined

Restore requirements during device setup (OOBE)

The restore feature is available during OOBE on devices that meet the following requirements:

• Windows 11, version 22H2 build 22621.3958 or later
• Windows 11, version 23H2 build 22631.3958 or later
• Windows 11, version 24H2 build 26100.4770 or later
• The user has at least one backup profile
• If Autopilot is used, the profile must be configured to use user-driven mode, not self-deploying mode
• Must be Microsoft Entra joined

Tip

If devices are running a build older than July 2025, ensure the Install Windows quality updates policy is enabled. This allows devices to receive the latest quality updates and use the restore feature.

Restore requirements during first sign-in

• Windows 11, version 24H2 build 26100.7922 or later
• Windows 11, version 25H2 build 26200.7922 or later
• The device has already completed enrollment
• The user signs-in for the first time after enrollment
• The user has at least one backup profile
• Must be Microsoft Entra joined or Microsoft Entra Hybrid joined

Tip

If devices are running a build older than March 2026, ensure the Install Windows quality updates policy is enabled. This allows devices to receive the latest quality updates during out-of-box experience and use the restore feature.

Cloud and regional availability

This feature is not currently available for GCCH/Sovereign clouds or China.

How it works

Windows Backup for Organizations is an opt-in feature and is disabled by default. To use this feature, an IT administrator must first configure backup and restore policies.

Backup process

The backup and restore process is designed to be seamless and user-friendly. The following steps outline the backup process:

1. An administrator configures the policy settings for backup.
2. The backup scheduled task runs every eight days automatically, during which the user settings, preferences, and the list of installed Microsoft Store apps are backed up.
3. Alternatively, users can initiate a backup manually by searching for the Windows Backup app in the Windows search box, and selecting Back up.

Restore process

The restore process for a device can be initiated at the time of device enrollment during the out-of-box experience (OOBE) or during first sign-in after the device has completed enrollment when a user signs in with their Microsoft Entra ID account. The following steps outline the restore process:

1. An administrator enables the restore policy setting, which is disabled by default via Group Policy or MDM

2. The user signs in during OOBE or first sign-in with the same work or school account (Entra ID) that was used during the backup flow

3. After the sign in screen, the restore page appears. The user can choose to restore a backup profile from a previous device or to configure the device as new.

4. To restore settings and Microsoft store apps (if any) from a previous device, the user selects the device and then selects Continue.

5. The device completes the setup process and any previously backed-up user settings and Microsoft Store apps are automatically restored.

Configure Windows Backup for Organizations

Windows Backup for Organizations must be configured before it can be used. The configuration process involves setting up backup and restore policies for devices to enable the feature.

Backup configuration

The following instructions provide details about how to configure your devices. Select the option that best suits your needs.

Intune

To configure devices with Microsoft Intune, create a Settings catalog policy and use the following settings:

Category	Setting name	Value
Administrative Templates\Windows Components\Sync your settings	Enable Windows Backup	Enabled

Assign the policy to a group that contains as members the devices or users that you want to configure.

CSP

You can configure devices with the Policy CSP.

Setting
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/SettingsSync/EnableWindowsbackup - Data type: string - Value: <enabled/>

GPO

To configure a device with group policy, use the Local Group Policy Editor. To configure multiple devices joined to Active Directory, create or edit a group policy object (GPO) and use the following settings:

Group policy path	Group policy setting	Value
Computer Configuration\Administrative Templates\Windows Components\Sync your settings	Enable Windows Backup	Enabled

Group policies can be linked to domains or organizational units, filtered using security groups, or filtered using WMI filters.

Once the backup policy is applied to the device, the backup occurs automatically every eight days.

Note

You can control which settings are backed up by configuring the backup policy settings. For more information, see Windows Backup for Organizations policy settings.

Restore configuration

By default, the restore option is disabled. For Microsoft Entra joined devices and Microsoft Entra Hybrid joined devices enrolled in Intune, you can use Intune policies to manage Windows Backup for Organizations:

There are two different ways to enable and configure Restore policy in Intune:

Option 1: Enrollment policy

• Is a tenant-wide policy only applied at device enrollment and ensures the policy is available on the machine in time for the OOBE restore experience. Any changes to the enrollment policy configuration don't apply to devices already enrolled in Intune. This tenant-wide policy is applied before standard MDM policy configurations take effect.
• It applies to all devices getting enrolled in Intune.

The following instructions provide details about how to configure your devices. Select the option that best suits your needs.

Intune

To configure the Intune tenant-level policy:

1. Sign in to the Microsoft Intune admin center.
2. Select Devices > Enrollment > Windows Backup and Restore.
3. Under Show restore page, select On to enable the restore option during OOBE.
4. Select Save to apply the changes.

Note

Restore setting configuration in enrollment requires Intune Service administrator or Global administrator roles.

CSP

You can configure devices with the WindowsBackupAndRestore CSP. To enable the restore option during OOBE device enrollment, you can use the following OMA-URI:

Setting
- OMA-URI: ./Device/Vendor/MSFT/WindowsBackupAndRestore/EnableWindowsRestore - Data type: boolean - Value: True

Note

If your organization uses an MDM provider other than Microsoft Intune, configure this CSP as part of your standard Windows MDM onboarding XML. To learn more, see XML Provisioning Schema.

GPO

This policy isn't available in GPO.

Option 2: Policy applied after device enrollment

• A device configuration policy that is applied after device enrollment. Any changes to the policy are applied to the devices during regular policy refresh intervals.

The following instructions provide details about how to configure your devices. Select the option that best suits your needs.

Intune

To configure devices with Microsoft Intune, create a Settings catalog policy and use the following settings:

Category	Setting name	Value
Administrative Templates\Windows Components\Sync your settings	Enable Windows Restore	Enabled

Assign the policy to a group that contains as members the devices or users that you want to configure.

CSP

You can configure devices with the WindowsBackupAndRestore CSP. To enable the restore option during regular policy refresh intervals, you can use the following OMA-URI:

Setting
- OMA-URI: ./Device/Vendor/MSFT/WindowsBackupAndRestore/EnableWindowsRestore - Data type: boolean - Value: True

GPO

To configure a device with group policy, use the Local Group Policy Editor. To configure multiple devices joined to Active Directory, create or edit a group policy object (GPO) and use the following settings:

Group policy path	Group policy setting	Value
Computer Configuration\Administrative Templates\Windows Components\Sync your settings	Enable Windows Restore	Enabled

Group policies can be linked to domains or organizational units, filtered using security groups, or filtered using WMI filters.

Policy conflicts from multiple policy sources

Windows Backup for Organizations can be configured by GPO or CSP, but not a combination of both. Avoid mixing GPO and CSP policy settings for Windows Backup for Organizations, as it can lead to unexpected results.

Conditional Access policy interference

If conditional access is enabled for cloud applications, it might prevent the Microsoft Entra user from obtaining an access token, resulting in the following error.

Error title	Error description
You don't have access to this	Your sign-in was successful but you don't have the permissions to access this resource.
You can't get there from here	This application contains sensitive information and can only be accessed from: Devices or client applications that meet Contoso engagement compliance policy. If this is a personal device, you can choose to let Contoso manage your device by going to Settings > Accounts > Access work or school and clicking on Connect. When you're done come back and try again.

To fix this error, you'll need to create a custom policy that allows the Microsoft service (app id: d32c68ad-72d2-4acb-a0c7-46bb2cf93873) to enable the restore flow to proceed. Verify that the app id is listed in the custom policy before you proceed further.

PRMFA/Hyper-V virtual machine authentication

A user might encounter a Phishing-Resistant Multifactor Authentication (PRMFA) prompt during OOBE for the restore experience app (74d197dc-b84d-4d43-a1b2-b5bf3bb91c11) under the following circumstances:

• Your organization enforces PRMFA through an Entra ID authentication strength policy.
• You have excluded the Microsoft Intune apps (0000000a-0000-0000-c000-000000000000 and d4ebce55-015a-49b5-a083-c84d1797ae8c) from that policy.
• User enrolls a device during OOBE without using a strong authentication method.

Tip

In VM scenarios (e.g., Hyper‑V), PRMFA is difficult to perform during OOBE, consider Temporary Access Pass (TAP) for authentication.

User experience

Once the feature is enabled, users can manage their backup settings directly through Settings by navigating to Accounts > Windows backup.

• To disable backup of preferences, the user can turn off the Remember my preferences toggle.
• To disable backup of the list of installed Microsoft Store apps, the user can turn off the Remember my apps toggle.

Note

These toggles control both Windows Backup for Organizations and Enterprise State Roaming, and they're only actionable if IT Admins enabled either backup or roaming: if none of these are enabled by IT Admins, the toggles are grayed out and not actionable.

The settings category toggles under Remember my preferences can be used to control which settings are included in backups.

Administrators can prevent users from modifying the Windows backup options using policy settings.

Turn off Windows Backup and delete user data

The following instructions provide details about how to configure your devices. Select the option that best suits your needs.

Intune

To configure devices with Microsoft Intune, create a Settings catalog policy and use the following settings:

Category	Setting name	Value
Administrative Templates\Windows Components\Sync your settings	Enable Windows Backup	Disabled

Assign the policy to a group that contains as members the devices or users that you want to configure.

CSP

You can configure devices with the CSP.

Setting
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/SettingsSync/EnableWindowsbackup - Data type: string - Value: <disabled/>

GPO

To configure a device with group policy, use the Local Group Policy Editor. To configure multiple devices joined to Active Directory, create or edit a group policy object (GPO) and use the following settings:

Group policy path	Group policy setting	Value
Computer Configuration\Administrative Templates\Windows Components\Sync your settings	Enable Windows Backup	Disabled

Group policies can be linked to domains or organizational units, filtered using security groups, or filtered using WMI filters.

Once the backup policy is disabled, the schedule backup doesn't run anymore.

The data that is already backed up can be viewed/deleted from the organization tenant's data store.

To view, export, and delete data:

• Prerequisites: For request authorization, follow Get access on behalf of a user to consent to the relevant permissions and acquire access token for the requests.
• To read and export data, see Get windowsSetting.
  • The permission UserWindowsSettings.Read.All is required.
• To delete backup profiles, see Delete windowsSetting.
  • The permission UserWindowsSettings.ReadWrite.All is required.

Provide feedback

If you encounter any issues or have feedback, whether it's to report a bug or share suggestions, you can submit this form. Our team reviews submissions weekly, and the more details you provide, the faster we can act. If we need more information, we follow up via email.