Hey everyone, welcome back! In this blog, we’re diving into the new-Microsoft feature for enterprise IT: Windows Backup for Organisations.
If you’re managing Windows 10 or 11 devices and planning migrations from Windows 10 to 11, tackling refreshes, or just want a smoother user experience—then this is one you probably want to be aware of and actually use. One of the key benefits here is that it will help your migration be that little bit quicker and easier for end users, which depending on your user environment may be a big help and can be configured and deployed using Microsoft Intune and Windows Group Policy. There is also the added benefit that this can reduce helpdesk tickets for personalisation issues. This is an opt-in option though, so it does need to be configured before users can benefit.
Let’s be clear this is not the traditional Windows Backup feature available on Windows devices and accessed for users on personal Windows devices. There are however a good set of settings available for backup.
Take a look at the official list of settings here Microsoft – Backup for Organisations
Let’s look a bit deeper at what Windows Backup for Organisations is ?
Windows Backup for Organisations is a cloud-first, enterprise grade backup solution built into Windows 11 and supported versions of Windows 10. It will backup:
- User settings
- Microsoft Store app configurations
- Personalisation preferences
Think it’s worth noting also this isn’t about backing up all files or Win32 third-party apps. It’s about streamlining device transitions to Windows 11 right now and reducing downtime during resets, migrations, or upgrades.
The official Microsoft statement is – “It’s especially useful for organizations moving from Windows 10 to Windows 11 or deploying AI-powered PCs. Think of it as a way to give users a familiar experience, even on a brand new device.”
There are Two factors I want to highlight from this:
- Why is it classed as enterprise grade?
When speaking to a customer recently about the functionality I was asked this specific question. These are a few responses you can use:
It has Entra-ID Integration
- Backups are tied to the user’s Entra ID identity.
- This allows seamless restoration across devices during Out-of-Box Experience (OOBE).
- Ensures secure, identity-based access to backup data.
Uses Policy Based Management via Intune
- IT admins can centrally configure backup and restore policies using Microsoft Intune.
- Enables enforcement of backup settings across all managed devices.
- Supports Settings Catalog, CSPs, and Group Policy for hybrid environments.
Backup is Automatic and Scheduled Backups
- Devices automatically back up every 8 days, reducing reliance on manual processes.
- But users can also trigger backups manually via the Windows Backup app.
Can enable Restore During OOBE
- Users signing into a new or reset device can restore settings and apps during setup. This is a great benefit.
- This minimises downtime and improves user experience during device refreshes or migrations.
App and Preference Continuity
- Restores Microsoft Store apps, personalization settings, and system preferences.
- Ensures a consistent experience across devices without needing full image backups.
Scalability and Cloud-Native Design
- Built on Microsoft’s cloud infrastructure, making it scalable for large organizations.
- No need for on-prem backup servers or third-party agents.
Security and Compliance
- Backup data is stored securely in the Microsoft cloud, adhering to enterprise-grade compliance standards.
- Admins retain control over what is backed up and restored.
You might also be thinking, hasn’t this been done already?
It’s absolutely right to ask this question. Many IT pros are saying Windows Backup for Organisations feels like a rebranded Enterprise State Roaming (ESR). BUT While they share similarities, there are also key differences as shown below.
Windows Backup for Organisations vs Enterprise State Roaming
| Feature | Enterprise State Roaming (ESR) | Windows Backup for Organizations |
| Purpose | Sync user settings across devices | Backup and restore user settings during device transitions |
| Scope | Basic personalisation and Windows settings | Broader settings + Microsoft Store app list |
| Trigger | Real-time sync (every 5–10 mins) | Scheduled backup (every 8 days) or manual |
| Restore Experience | No restore UI; sync happens silently | Restore UI during OOBE (Out-of-Box Experience) |
| Admin Control | Azure AD + GPO | Intune, GPO, CSP |
| Supported OS | Windows 10/11 | Backup: Windows 10/11; Restore: Windows 11 only |
| User Experience | Syncs settings across devices | “Welcome back” experience on new device |
| Store App List | Not included | Included and repopulated on Start menu |
| Credential Sync | Limited, policy-dependent | Integrated if allowed by policy |
| Visibility | No user-facing app | Windows Backup app available to users |
So yes there are similarities for sure however you also get – Restore UI during OOBE / Microsoft Store App List Backup / ESR doesn’t back up apps / Scheduled and Manual Backups / Intune Integration / Broader Settings Coverage. In this sense you could think of Windows Backup for Organisations as ESR 2.0 with a UI, app support, and admin control.
Pre-requisites to deploy
It’s definitely taking note of the requirements to deploy to your devices. Essentially you get Backup and Restore with Windows 11 and just backup options with Windows 10. Users must have Entra ID accounts and be signed in as Entra-joined or Entra Hybrid-joined for Backup and it’s only available to Entra-Joined devices for Restoring.
Backup requirements
- Windows 10, version 22H2 build 19045.6216 or later
- Windows 11, version 22H2 build 22621.5768 or later
- Windows 11, version 23H2 build 22631.5768 or later
- Windows 11, version 24H2 build 26100.4946 or later
Restore requirements
- Windows 11, version 22H2 build 22621.3958 or later
- Windows 11, version 23H2 build 22631.3958 or later
- Windows 11, version 24H2 build 26100.1301 or later
- The user has at least one backup profile
- If Autopilot is used, the profile must be configured to use user-driven mode, not self-deploying mode
Setup with Intune – Let’s walk through how to set this up in Intune. There are two main configuration parts:
1. Enable Backup Policy
- Go to Devices > Configuration > Create Policy
- Platform: Windows 10 and later
- Profile type: Settings Catalog
- Search for Sync your settings
- Enable Windows Backup
There are other settings available in your search as you see below but only the one highlighted is necessary. You then need to exit this pane by clicking the Cross (Top right). Personally I think there should be a ‘Close’ button for this UI. You now have the feature added , but not yet enabled so go ahead and switch the setting chosen on, manually.
Click through and select your choices for ‘Scope Tags’ and then ‘Groups’. I’ve selected a User group so users are provided with the policy if they have multipole windows devices. Review and ‘Create’ the policy. You should see the policy you create appear in the configuration list of policies.
2. Enable Restore Policy (Tenant-wide)
The second step here relates to the new restore capability. To enable using Intune:
- Go to Devices > Enrollment > Windows Backup and Restore
- Set Show restore page to On
This ensures users see the restore option during OOBE when signing into a new or reimaged device. You’ll notice it shows “All Users” and this is still in preview at the time of writing so check back in your tenant regularly for updates.
Once configured, a task schedule is setup on the Windows device for backups to run automatically every 8 days, or users have the option to trigger them manually via the Windows Backup app. Within task scheduler find ‘CloudRestore’ for details
In my experience the policies are deployed fairly quickly which for me was around 7 minutes.
An alternative way could be using Configuration service provider (CSP) through another 3rd-party MDM solution. In this situation you can configure using:
For backup:
OMA-URI – ./Device/Vendor/MSFT/Policy/Config/SettingsSync/EnableWindowsBackup
Data Type: String Value: <enabled>
For restoration:
OMA-URI – ./Device/Vendor/MSFT/WindowsBackupAndRestore/EnableWindowsRestore
Data Type: Boolean Value: True
–
What does this look like in Intune Admin and on a device ?
Good question: When logged on to your Windows PC which is Entra-joined or Hybrid-joined this is the experience you should see. Here’s the Windows settings pane below.
The backup controls can be access through Settings > Accounts > Windows Backup when enabled You’ll also see toggles for:
- Remember my preferences
- Remember my apps
These control what gets backed up. And yes, admins can lock these down via policy. Subcategory toggles allow granular control over specific setting types.
In this blog I did also want to cover the user experience with an OOBE restore. Please check back for the additional info which I will add in once completed. During OOBE, users signing in with their Entra ID will see a restore page. They can pick a previous device and restore settings and apps seamlessly
So if you’re looking for user experience continuity, Windows Backup for organisations is your best option here. But if you need file-level recovery, stick with OneDrive or Endpoint Backup.
Some other considerations being experienced
The Backup data created will exist in the organisation’s tenant – And will remain until explicitly deleted. As an IT Pro / Admin user you can manage this data through Microsoft Graph API endpoints.
(CA) Conditional access integration
Some organisations using Conditional Access policies have experienced authentication failures during restore operations.
Virtual machine testing / deployments
Its possible Phishing-resistant Multifactor Authentication (PRMFA) policies could interfere with the restore process on Hyper-V and similar virtualised scenarios.
Thanks
Thanks for reading through. If you found this helpful please drop me a comment, and if you’re rolling this out in your org, let me know how it’s going—I’d love to hear your experience.