Enable Windows Backup and Restore using Intune

Photo of author
Jatin Makhija
0

In this blog post, I’ll show you how to enable Windows Backup and Restore using Intune. Windows Backup for Organizations is a new feature announced in public preview with the Intune 2508 service release. It lets you centrally enable cloud backup of Windows settings and gives users the option to restore those settings during the out-of-box experience (OOBE).

About Windows Backup and Restore Feature

  • Backup Windows settings: Windows Backup saves Windows settings, including Personalization, System, list of Installed Microsoft store apps, Bluetooth & devices, Network & Internet, Accounts, Time & language, Gaming, Accessibility (vision, hearing, interaction), Privacy & security, and File Explorer preferences. It doesn’t backup your files, apps or any data saved in your hard drives. It will only backup settings to your tenant data store.

Backups auto-run every 8 days; user can also trigger one in the Windows Backup app. It saves the user settings, preferences data to the organization’s tenant data store. If you do not want certain settings to be included in the backup, you can configure it via Intune.

Below is a quick overview of the Settings Catalog policy for Windows Backup. Continue reading for more details.

Profile typeCategorySettingStatus
Settings Catalog

(SettingsSync Policy CSP | Microsoft Learn)		Administrative Templates\Windows Components\Sync your settings categoryEnable Windows BackupDisabled (default)

Enabled (To enable Windows backup)
  • Restore is a tenant-wide setting in Intune. When you turn it on (Intune admin center > Devices > Enrollment > Windows > Enrollment options > Windows Backup and Restore > Show restore page = On), it applies to all users. This setting is disabled by default. After it’s enabled, users who sign in during OOBE with the same Entra ID that already has a backup will see the Restore page and can restore those settings.

Because Restore requires an existing backup, configuring Windows Backup policy in the Settings catalog is a prerequisite. Restore operation happens only during OOBE/device enrollment, therefore if a device is already enrolled, it won’t be impacted by the changes in the restore policy.

Use Cases for Windows Backup and Restore

  • Windows migration projects (Windows 10 to Windows 11): When you are migrating all users from Windows 10 to Windows 11, Windows back up and restore could be useful as it could speed up the transition by moving all Windows settings seamlessly.
  • When resetting a device: When you perform a reset and user sign-in during the OOBE using the same Entra ID which was used for backup. Users will see a restore page to restore their windows settings.

Prerequisites

There are different prerequisites for enabling backup and using restore functionality. Ensure that you go through both sections to understand the requirements before setting up these options on Intune admin center.

To Backup Windows Settings

  • Microsoft Entra joined or Microsoft Entra hybrid joined devices.
  • Running a supported Windows 10 version 22H2 or Windows 11 version 22H2 or later.
  • August 2025 Windows security update or newer. This update includes Windows Backup app for backing up Windows settings and list of Microsoft Store apps.
  • Backup policy created and assigned via Intune or GPO.

To Restore Windows Settings

  • Device must be Microsoft Entra joined (restore isn’t available on hybrid join).
  • Intune service administrator or Global administrator rights. (to set Show restore page to On).
  • Devices are running Windows 11, version 22H2 or later.
  • August 2025 Windows security update or newer applied before OOBE.
  • Same Entra ID account is required for restoration which was used for backup.
  • Restore is shown during OOBE only. Autopilot must be user-driven (not self-deploying / pre-provisioned/white-glove). Autopilot Reset, manual enrollment, Group Policy enrollment, and co-management enrollments aren’t supported.
  • User must have at least one prior backup (policy-enabled) tied to the same Entra ID.

Step 1: Enable Windows Backup

Create an Intune device configuration settings catalog policy to enable Windows backup. Let’s take a look at the steps:

  • Sign in to Intune admin center > Devices > Windows > Configuration > Create > New Policy.
  • Platform: Windows 10 and later
  • Profile type: Settings catalog
  • Click Create.
  • On the Basics tab, provide a Name and Description of the policy and click Next. For example: Enabling Windows Backup.
  • On Configuration settings tab, click on + Add settings and use the Settings picker to search using Sync your settings keyword and select Administrative Templates\Windows Components\Sync your settings category. Then select Enable Windows Backup and use the toggle switch to enable this setting.
Enable Windows Backup Intune policy
  • Scope tags (optional): A scope tag in Intune is an RBAC label you add to resources (policies, apps, devices) to limit which admins can see and manage them. For more Information, read: How to use Scope tags in Intune.
  • Assignments: Assign the policy to Entra security groups that contain the target users or devices. As a best practice, pilot with a small set first; once validated, roll it out more broadly. For guidance on assignment strategy, see Intune assignments: User groups vs. Device groups.
  • Review + create: Review the deployment summary and click Create.

For Entra hybrid joined devices, you can also use a GPO setting to enable Windows backup. Create a new GPO and navigate to Computer Configuration\Administrative Templates\Windows Components\Sync your settings. Double-click on Enable Windows Backup and set its status to Enabled to enable Windows backup. Link it to Workstations OU. Please note, if a user wants to restore the backed up Windows settings, it will require an Entra joined device.

Enable Windows Backup GPO setting

Step 2: Enable Restore Setting (Tenant-Wide)

The next step is to enable the restore page, so users can restore settings during enrollment. Follow the steps below to turn on the restore option. Please note, this is a tenant-wide setting and applies to all users by default. You cannot scope it to a specific group, user, or device. However, you can turn it off anytime.

  • Sign in to the Intune admin center > Devices > Enrollment > Windows > Enrollment options > Windows Backup and Restore. You will get three options in the drop-down, Not configured, On and Off. Default state is Not configured.
Windows Backup and Restore settings under Enrollment options
  • Use the drop-down next to Show restore page and set it to On.
Set Show restore page to On
  • After you click Save, Last modified date is displayed, and Assigned to is set to All users. Assigned to value can’t be changed because it’s a tenant-wide setting. You can turn it off for all users by setting Show restore page to Off. This change won’t affect existing users or devices; for future device enrollments, users won’t see the restore page for restoring Windows settings.
Last modified date and Assigned to option

End User Experience (Backup)

Let’s look at what happens on the device once a Settings Catalog policy is applied to enable Windows Backup.

  • Sign in to one of the target Windows device.
  • Open the Settings app > Accounts > Windows backup.
  • On the top right hand corner, you can verify that the App list and user Preferences are backed up.
End User Experience Windows Backup

Windows Backup app, which enables backup and restore for organizations, is installed on Windows 11 devices with the August 2025 Windows security update. It’s a Microsoft Store app and can be found at C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy location.

Once you enable backup, a scheduled task is created to back up settings automatically, so there’s no need to open the app and run manual backups. You can search for the app in Start menu, If you do not find the app, then open a PowerShell console and run the following command, it will open Windows backup app.

explorer.exe shell:appsFolder\MicrosoftWindows.Client.CBS_cw5n1h2txyewy!WindowsBackup

Below is a screenshot of the Windows Backup app. It shows that all Windows and user settings are backed up. Click Don’t back up to close without running a backup; if you select Continue, another backup will start.

Clicking Don’t back up does not change the Intune policy or the scheduled task that runs every eight days. If you take another backup using Continue, it will run a backup but will not change the Intune policy or the scheduled task, which will still run at its next scheduled time and back up Windows settings as configured.

Windows Backup App

End User Experience (Restoration)

Restore process works during OOBE when a user signs in using their Entra ID credentials. Below are the high level steps for the restoration process.

  1. Enable Windows Backup Policy is applied, and a backup is completed at least once.
  2. Restore page is enabled (tenant-wide): Step 2 in this blog post.
  3. User Powers On the new device and goes through the OOBE process.
  4. User will sign in to the device using the same Entra ID credentials which were used for backup.
  5. User will get a restore page similar to below to select from the backup’s for restoration.
End User Experience Windows Backup Restoration
  1. A user can click on More options to show any additional backups. If a user has multiple devices and backup is running on all of their devices, they may get those devices in the list. User can select the device and click on Continue to proceed with the restoration.

Windows Backup for Organizations Limitations

Below are the list of items which are not backed up by Windows backup for Organizations. For complete list of settings, refer to the link: Windows Backup for Organizations settings catalog.

  • User files such as Documents, Desktop, Pictures, Downloads.
  • Installed applications and their state. Only an optional list of Microsoft Store apps can be captured for restore to the Start menu, not the apps or their data.
  • Wi-Fi networks and passwords, and language preferences/dictionary.
  • Windows update settings.
Windows Backup for Organizations Limitations

Troubleshooting

  • Open Event viewer on the target device and navigate to Application and Services logs > Microsoft > Windows > Devicemanagement-Enterprise-Diagnostics-Provider > Admin.
  • You will find that the settings catalog policy to enable Windows backup has been applied. This is the Event ID 814. If you are unable to find it, filter the logs using event ID 814.

MDM PolicyManager: Set policy string, Policy: (EnableWindowsBackup), Area: (SettingsSync), EnrollmentID requesting merge: (41897FF5-0189-445C-9EA8-F85F109C908C), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0).

EnableWindowsBackup Event log

EnableWindowsBackup Intune Policy Event Viewer
  • Enabling Windows backup creates a Scheduled task on the target device under Task scheduler > Microsoft > Windows > CloudRestore > Backup. Double-click to open the Backup task and click go to the Trigger tab where you will find that the backup job runs every 8 days.
Windows backup task scheduler task

Get_Win_Backup_Scheduled_Task.ps1

You can also get the scheduled task details using a PowerShell script: Get_Win_Backup_Scheduled_Task.ps1.

Windows Backup Scheduled task Powershell script

Turning Off Windows Backup

If you want to turn off Windows Backup for the same users or devices where it’s already enabled, edit the existing Intune policy and set Enable Windows backup to Off. Alternatively, create a new Settings Catalog policy that disables Windows Backup and assign it to the target group to turn it off on selected devices. Ensure that a device is not a part of both the Enable Windows backup and Disable Windows backup policies.

Once you disable Windows Backup, the scheduled backup task in Task Scheduler will no longer run, and data that has already been backed up will remain available to view/delete from your organisation’s tenant store.

Turning Off Windows Backup Intune

Same goes for GPO as well, If you have used GPO to enable Windows backup. Edit the GPO, Set Enable Windows backup policy setting to Disabled.

PathGPO settingValue
Computer Configuration\Administrative Templates\Windows Components\Sync your settingsEnable Windows BackupDisabled

Final Notes

Windows Backup for organisations backs up Windows settings only; it doesn’t back up files, apps, or user data. Think of it as a fast-track to restore the device experience, not the content, during migrations, resets, or break/fix scenarios.

For a complete recovery strategy, pair it with OneDrive Known Folder Move (for Documents, Desktop, Pictures), app redeployment via Intune/WinGet, and your existing data-protection solutions (e.g., M365/SharePoint backups). Roll it out in a pilot, communicate clearly to users what is and isn’t included, and monitor results to validate the restore experience during OOBE. Used this way, Windows Backup reduces setup time and user friction while your enterprise backup and app-management tools handle the rest.

Leave a Comment

Step-by-Step guides for Setup/Troubleshooting/Configuration solutions on Intune, Microsoft 365, Powershell, Windows, Azure, and other Cloud technologies.

About the author
Contact Us
Privacy Policies
Comment Policies
Cookie Policies

Let's Connect!