Windows Backup for Organizations overview

Windows Backup for Organizations is an enterprise-grade feature designed to streamline device transitions by securely preserving user settings and Microsoft Store app configurations. Whether upgrading from Windows 10 or refreshing PCs, it delivers a consistent user experience and enhances business continuity through robust backup and rapid recovery capabilities.

Objectives of Windows Backup for Organizations:

  • Help organizations accelerate PC refresh cycles, the transition to Windows 11, or the deployment of AI-powered PCs.
  • Allow organizations to transition to a cloud-first approach for managing devices and user settings.

System requirements

The following sections list the requirements to use Windows Backup for Organizations.

Backup requirements

The backup feature is available to users signed in with Microsoft Entra ID on devices that meet the following requirements:

Restore requirements

The restore feature is available on devices that meet the following requirements:

Tip

If devices are running a build older than July 2025, ensure the Install Windows quality updates policy is enabled. This allows devices to receive the latest quality updates and use the restore feature.

Cloud and regional availability

This feature is not currently available for GCCH/Sovereign clouds or China/21Vianet.

How it works

Windows Backup for Organizations is an opt-in feature and is disabled by default. To use this feature, an IT administrator must first configure backup and restore policies.

Backup process

The backup and restore process is designed to be seamless and user-friendly. The following steps outline the backup process:

  1. An administrator configures the policy settings for backup.
  2. The backup scheduled task runs every eight days automatically, during which the user settings, preferences, and the list of installed Microsoft Store apps are backed up.
  3. Alternatively, users can initiate a backup manually by searching for the Windows Backup app in the Windows search box, and selecting Back up.

Restore process

The restore process can currently be initiated during the out-of-box experience (OOBE) when a user signs in with their Microsoft Entra ID account. The following steps outline the restore process:

  1. An administrator enables the restore policy setting, which is disabled by default.
  2. The user turns on a new or reimaged device and begins the OOBE process.
  3. During OOBE, the user signs in with the same work or school account (Entra ID) that was used during the backup flow.
  4. After the sign-in screen, the restore page appears. The user can choose to restore a backup profile from a previous device or to configure the device as new.
  5. To restore settings and Microsoft Store apps (if any) from a previous device, the user selects the device and then selects Continue.
  6. The remaining OOBE process is the same as the standard OOBE process.
  7. Once the OOBE is complete and the user reaches the desktop, any previously backed-up user settings and Microsoft Store apps are automatically restored.

Configure Windows Backup for Organizations

Windows Backup for Organizations must be configured before it can be used. The configuration process involves setting up backup and restore policies for devices to enable the feature.

Backup configuration

The following instructions provide details about how to configure your devices. Select the option that best suits your needs.

Important

This feature is currently rolling out and might not yet be visible in all Intune tenants. If the setting isn't showing in your tenant, check back later—it will appear once the rollout reaches your environment. In the meantime, you can configure devices using a custom policy using the settings described in the CSP tab.

To learn more, see Service information for Microsoft Intune release updates.

To configure devices with Microsoft Intune, create a Settings catalog policy and use the following settings:

| Category | Setting name | Value |
|---|---|---|
| Administrative Templates\Windows Components\Sync your settings | Enable Windows Backup | Enabled |

Assign the policy to a group that contains as members the devices or users that you want to configure.

Once the backup policy is applied to the device, the backup occurs automatically every eight days.

Note

You can control which settings are backed up by configuring the backup policy settings. For more information, see Windows Backup for Organizations policy settings.

Restore configuration

By default, the restore option is disabled. To enable the restore option during the out-of-box experience (OOBE), you must configure the restore policy.

The following instructions provide details about how to configure your devices. Select the option that best suits your needs.

Important

This feature is currently rolling out and might not yet be visible in all Intune tenants. If the setting isn't showing in your tenant, check back later—it will appear once the rollout reaches your environment.

To learn more, see Service information for Microsoft Intune release updates.

For devices managed by Intune, you can configure a policy applied at the tenant level. The tenant policy:

  • Is required to enable the restore option during OOBE.
  • Is only applied at enrollment time. Changes to its configuration don't apply to devices already enrolled in Intune.

To configure the Intune tenant-level policy:

  1. Sign in to the Microsoft Intune admin center.
  2. Select Devices > Enrollment > Windows Backup and Restore.
  3. Under Show restore page, select On to enable the restore option during OOBE.
  4. Select Save to apply the changes.

Note

Restore setting configuration in enrollment requires Intune Service administrator or Global administrator roles.

Conditional Access policy interference

If conditional access is enabled for cloud applications, it might prevent the Microsoft Entra user from obtaining an access token, resulting in the following error.

| Error title | Error description |
|---|---|
| You don't have access to this | Your sign-in was successful but you don't have the permissions to access this resource. |
| You can't get there from here | This application contains sensitive information and can only be accessed from: Devices or client applications that meet Contoso engagement compliance policy. If this is a personal device, you can choose to let Contoso manage your device by going to Settings > Accounts > Access work or school and clicking on Connect. When you're done come back and try again. |

To fix this error, you'll need to create a custom policy that allows the Microsoft service (app id: d32c68ad-72d2-4acb-a0c7-46bb2cf93873) to enable the restore flow to proceed. Verify that the app id is listed in the custom policy before you proceed further.

PRMFA/Hyper-V virtual machine authentication

A user might encounter a Phishing-Resistant Multifactor Authentication (PRMFA) prompt during OOBE for the restore experience app (74d197dc-b84d-4d43-a1b2-b5bf3bb91c11) under the following circumstances:

  • Your organization enforces PRMFA through an Entra ID authentication strength policy.
  • You have excluded the Microsoft Intune apps (0000000a-0000-0000-c000-000000000000 and d4ebce55-015a-49b5-a083-c84d1797ae8c) from that policy.
  • The user enrolls a device during OOBE without using a strong authentication method.

Tip

In VM scenarios (for example, Hyper-V), PRMFA is difficult to perform during OOBE. Consider using a Temporary Access Pass (TAP) for authentication.
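
One way to check a tenant for both conditions described above (the Conditional Access error and the PRMFA prompt), as an added example that is not Microsoft's code: the script scans policies exported in the Microsoft Graph conditionalAccessPolicy JSON shape. The sample policies, the finding labels, and the assumption that the error comes from a compliant-device grant control are illustrative; the app IDs are the ones quoted on this page.

```python
# Added example: audit exported Conditional Access policies (constructed data).
RESTORE_SERVICE_APP = "d32c68ad-72d2-4acb-a0c7-46bb2cf93873"     # from the page
RESTORE_EXPERIENCE_APP = "74d197dc-b84d-4d43-a1b2-b5bf3bb91c11"  # from the page
INTUNE_APPS = {"0000000a-0000-0000-c000-000000000000",
               "d4ebce55-015a-49b5-a083-c84d1797ae8c"}

def app_scope(policy):
    """Return (included, excluded) application ID sets of a policy."""
    apps = policy.get("conditions", {}).get("applications", {})
    return (set(apps.get("includeApplications") or []),
            set(apps.get("excludeApplications") or []))

def targets(policy, app_id):
    """True if an enforced (not report-only) policy applies to app_id."""
    included, excluded = app_scope(policy)
    in_scope = "All" in included or app_id in included
    return policy.get("state") == "enabled" and in_scope and app_id not in excluded

def audit(policies):
    """Return (policy name, finding) pairs for policies that can affect restore."""
    findings = []
    for p in policies:
        grant = p.get("grantControls") or {}
        # Assumption: the error shown on the page comes from a compliant-device
        # requirement that reaches the restore service app.
        if ("compliantDevice" in (grant.get("builtInControls") or [])
                and targets(p, RESTORE_SERVICE_APP)):
            findings.append((p["displayName"], "compliance-blocks-restore"))
        # Authentication strength enforced, Intune apps excluded, restore
        # experience app still in scope: expect the PRMFA prompt in OOBE.
        if (grant.get("authenticationStrength")
                and INTUNE_APPS <= app_scope(p)[1]
                and targets(p, RESTORE_EXPERIENCE_APP)):
            findings.append((p["displayName"], "prmfa-prompt-in-oobe"))
    return findings

def policy(name, state, excluded, **grant):
    """Build a constructed sample policy (not real tenant data)."""
    return {"displayName": name, "state": state, "grantControls": grant,
            "conditions": {"applications": {"includeApplications": ["All"],
                                            "excludeApplications": list(excluded)}}}

SAMPLE = [
    policy("Require compliant device", "enabled", [], builtInControls=["compliantDevice"]),
    policy("Phishing-resistant MFA", "enabled", INTUNE_APPS,
           authenticationStrength={"displayName": "Phishing-resistant MFA"}),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Policies in report-only or disabled state are ignored, because only enforced policies can stop the token request during OOBE.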

User experience

Once the feature is enabled, users can manage their backup settings directly through Settings by navigating to Accounts > Windows backup.

  • To disable backup of preferences, the user can turn off the Remember my preferences toggle.
  • To disable backup of the list of installed Microsoft Store apps, the user can turn off the Remember my apps toggle.

Note

These toggles control both Windows Backup for Organizations and Enterprise State Roaming, and they're only actionable if IT admins enabled either backup or roaming. If neither is enabled, the toggles are grayed out and not actionable.

The settings category toggles under Remember my preferences can be used to control which settings are included in backups.

Administrators can prevent users from modifying the Windows backup options using policy settings.

Turn off Windows Backup and delete user data

The following instructions provide details about how to configure your devices. Select the option that best suits your needs.

Important

This feature is currently rolling out and might not yet be visible in all Intune tenants. If the setting isn't showing in your tenant, check back later—it will appear once the rollout reaches your environment. In the meantime, you can configure devices using a custom policy using the settings described in the CSP tab.

To learn more, see Service information for Microsoft Intune release updates.

To configure devices with Microsoft Intune, create a Settings catalog policy and use the following settings:

| Category | Setting name | Value |
|---|---|---|
| Administrative Templates\Windows Components\Sync your settings | Enable Windows Backup | Disabled |

Assign the policy to a group that contains as members the devices or users that you want to configure.

Once the backup policy is disabled, the scheduled backup no longer runs.

Data that is already backed up can be viewed or deleted from the organization tenant's data store.

To view, export, and delete data:

  • Prerequisites: For request authorization, follow Get access on behalf of a user to consent to the relevant permissions and acquire an access token for the requests.
  • To read and export data, see Get windowsSetting.
    • The permission UserWindowsSettings.Read.All is required.
  • To delete backup profiles, see Delete windowsSetting.
    • The permission UserWindowsSettings.ReadWrite.All is required.

Provide feedback

If you encounter any issues or have feedback, whether it's to report a bug or share suggestions, you can submit this form. Our team reviews submissions weekly, and the more details you provide, the faster we can act. If we need more information, we follow up via email.