If your organization is planning a massive PC hardware refresh or migrating users to newer builds of Windows 11, you know that preserving user settings and app configurations can be a significant headache.
Microsoft recently introduced Windows Backup for Organizations, an enterprise-grade feature designed to streamline device transitions. By preserving user settings, preferences, and Microsoft Store app configurations directly to the cloud, it helps IT admins transition toward a fully cloud-first approach to managing devices.
In this technical guide, we’ll walk through the system requirements, explain how the backup and restore processes work, and provide a step-by-step guide to configuring this feature using Microsoft Intune.
What is Windows Backup for Organizations?
Windows Backup for Organizations is an opt-in, cloud-based feature disabled by default. When enabled by an IT administrator, the feature routinely (every eight days) backs up user preferences, system settings, and the list of installed Microsoft Store apps.
When a user signs into a new or wiped PC during the Out-Of-Box Experience (OOBE) or upon their first sign-in post-enrollment, they are prompted with a seamless restore experience. Within minutes, their new workstation feels just like their old one.
System Requirements
Before diving into Intune, ensure your devices meet the following prerequisites. Keep in mind that this feature is not currently available for GCCH/Sovereign clouds or in China.
Backup Requirements
To successfully back up user settings, devices must be Microsoft Entra Joined or Microsoft Entra Hybrid Joined, and users must sign in with their Entra ID.
Supported Windows versions include:
- Windows 10, version 22H2 (build 19045.6216 or later)
- Windows 11, version 22H2 (build 22621.5768 or later)
- Windows 11, version 23H2 (build 22631.5768 or later)
- Windows 11, version 24H2 (build 26100.4946 or later)
Restore Requirements
To restore settings during device setup (OOBE) or first sign-in:
- Windows 11, version 24H2 build 26100.7922 or later
- Windows 11, version 25H2 build 26200.7922 or later
- The device has already completed enrollment
- The user signs in for the first time after enrollment
- The user has at least one backup profile
- Must be Microsoft Entra joined or Microsoft Entra Hybrid joined
- Devices generally need to be running up-to-date builds of Windows 11 22H2/23H2/24H2 (ensure the “Install Windows quality updates” policy is enabled so OOBE can grab the latest patches!).
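To check a device against the build and join requirements listed above before assigning policy, the following PowerShell sketch can be run locally or pushed as a script. It is an added example, not Microsoft's tooling: the function names are hypothetical, the restore table contains only the two builds the list states explicitly, and it does not check whether the user has a backup profile.

```powershell
# Added example: minimum builds copied from the requirement lists above.
# Key = OS build number, value = minimum revision (UBR) for that build.
$BackupMinimum  = @{ 19045 = 6216; 22621 = 5768; 22631 = 5768; 26100 = 4946 }
$RestoreMinimum = @{ 26100 = 7922; 26200 = 7922 }

function Test-MinimumBuild {
    param([int]$Build, [int]$Revision, [hashtable]$Minimum)
    # Builds that are not in the table are treated as unsupported.
    return $Minimum.ContainsKey($Build) -and ($Revision -ge $Minimum[$Build])
}

function Get-WindowsBackupReadiness {
    param([int]$Build, [int]$Revision, [bool]$EntraJoined)
    [pscustomobject]@{
        Build        = "$Build.$Revision"
        EntraJoined  = $EntraJoined
        BackupReady  = $EntraJoined -and (Test-MinimumBuild $Build $Revision $BackupMinimum)
        RestoreReady = $EntraJoined -and (Test-MinimumBuild $Build $Revision $RestoreMinimum)
    }
}

# Constructed sample: a 24H2 revision new enough for backup but too old for restore.
Get-WindowsBackupReadiness -Build 26100 -Revision 6584 -EntraJoined $true

# Live values from the local device (build and revision come from the registry).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
# dsregcmd reports "AzureAdJoined : YES" for both Entra joined and hybrid joined devices.
$joined = [bool]((dsregcmd.exe /status) -match 'AzureAdJoined\s*:\s*YES')
Get-WindowsBackupReadiness -Build ([int]$cv.CurrentBuildNumber) -Revision ([int]$cv.UBR) -EntraJoined $joined
```

A device that reports BackupReady as True but RestoreReady as False can still produce backups; it only needs quality updates before it can serve as a restore target.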
Configuring Windows Backup via Intune
Because Windows Backup for Organizations is disabled by default, we need to explicitly enable both the Backup and Restore policies. Note: Never mix GPO and CSP (Intune) policies for this feature, as it can lead to unexpected conflicts.
Step 1: Enable the Backup Policy
We will use the Settings Catalog in Intune to enable the backup process.
- Navigate to the Microsoft Intune admin center.
- Go to Devices > Configuration profiles > Create profile.
- Select Windows 10 and later for the platform, and Settings catalog for the profile type.
- Name your profile (e.g., Config - Windows Backup Enablement).
- In the Settings picker, search for Sync your settings.
- Navigate to the category: Administrative Templates\Windows Components\Sync your settings.
- Select Enable Windows Backup and set the toggle to Enabled.
- Assign the policy to your targeted user or device groups.
Note: Once this policy applies, backups will automatically occur every 8 days. Users can also manually force a backup by searching for “Windows Backup” in the Start Menu.
Step 2: Enable the Restore Policy
To allow users to retrieve their data, you must enable the Restore policy. Intune offers two ways to do this, depending on whether you want to target the tenant broadly during OOBE, or target specific groups post-enrollment.
Option A: Tenant-Wide Enrollment Policy (Recommended for OOBE)
This policy ensures the restore capability is available on the machine immediately during the Out-Of-Box Experience. It applies to all devices enrolling in your tenant. (Requires Intune Service Administrator or Global Administrator roles)
- In the Intune admin center, go to Devices > Enrollment > Windows Backup and Restore.
- Under Show restore page, toggle the setting to On.
- Click Save.
Option B: Targeted Device Configuration Policy (Post-Enrollment)
If you prefer standard assignment targeting, you can push a device configuration policy. It will apply during regular policy refresh intervals.
- Go to Devices > Configuration profiles > Create profile (Platform: Windows 10 and later, Profile Type: Settings catalog).
- Search for Windows Backup And Restore.
- Select the setting Enable Windows Restore and set it to Enabled.
- Assign this to your target groups.
Known Gotchas and Considerations
When implementing this in a production environment, keep an eye out for these potential roadblocks:
- Conditional Access Interference: If you have strict Conditional Access policies restricting cloud apps, users might get a “You can’t get there from here” error during restore. To fix this, create a custom CA policy that explicitly allows the Microsoft service App ID (d32c68ad-72d2-4acb-a0c7-46bb2cf93873) so the restore flow can proceed.
- Hyper-V / Virtual Machine MFA Issues: If your organization enforces Phishing-Resistant MFA (PRMFA) via Entra ID authentication strengths, users might struggle to authenticate during OOBE in a VM environment. Microsoft recommends using a Temporary Access Pass (TAP) for authentication in these edge cases.
Wrapping Up
By configuring Windows Backup for Organizations, IT admins can significantly reduce the friction of hardware refresh cycles. Users can securely back up their settings and seamlessly transition to a new device without placing a single IT helpdesk ticket for missing preferences or apps.