Microsoft is altering how Windows Backup behaves on organization-managed PCs across most of the world. In a policy shift that took effect recently, the feature that automatically saves Windows settings and Microsoft Store app lists to the cloud will now be disabled by default when IT administrators leave the corresponding policy setting at "Not Configured." For devices managed via Group Policy, Intune, or other MDM platforms, this means a more conservative baseline for data saved outside the EU.
The change flips a longstanding behavior where leaving the policy unconfigured effectively enabled backup, allowing Windows to silently sync a user's pinned taskbar items, known Wi‑Fi networks, and other personalizations to their Microsoft account. Now, admins who haven't explicitly turned the feature on or off will find it off by default—unless their devices fall under the European Union's regulatory umbrella, where the default remains unchanged due to GDPR considerations.
What Actually Changed
Under the hood, the policy in question controls the modern Windows Backup experience that arrived with Windows 11 and has since been backported to Windows 10 (version 22H2 and later). The specific Group Policy or MDM setting is named "Turn off Windows Backup" and can be found under Computer Configuration\Administrative Templates\Windows Components\Windows Backup or via the Intune settings catalog.
Historically, the three possible states for this policy were:
- Enabled: Windows Backup is turned off entirely. Users cannot back up settings or apps.
- Disabled: Windows Backup is allowed for the device.
- Not Configured: The device defaulted to allowing Windows Backup—i.e., it behaved the same as Disabled.
Now, for organization-managed devices outside the EU, Not Configured will be treated the same as Enabled. That is, when no explicit choice is made, Windows Backup is silently blocked. The change does not affect:
- Personal, non-managed devices.
- Devices in the EU, where regulatory requirements keep the legacy default.
- The "Windows Backup" consumer app or its ability to back up files, folders, and system images to OneDrive.
Microsoft has not issued a formal blog post or public advisory about the change. Instead, documentation for MDM policy CSPs and Group Policy administrative templates has been updated to reflect the new behavior. The reversal first became visible in the 23H2 policy definitions, though it is unclear exactly when it rolled out to managed endpoints.
What It Means for You
For IT Administrators
The biggest impact is on organizations that relied on the old "Not Configured" default to let users benefit from settings and app backup. If you haven't explicitly set the "Turn off Windows Backup" policy to Disabled, Windows will now prevent any backup of those items. This might frustrate employees who move to a new PC and expect their taskbar layout, accessibility settings, or Microsoft Store app list to roam automatically.
Concretely, if your organization uses Windows Hello for Business, allows personal Microsoft account sign-in on work devices, or plans to roll out Windows 11 24H2 with the new Outlook and AutoPilot provisioning, you should review your current policy configuration immediately. The change affects both cloud-only and hybrid-joined devices.
For End Users on Managed PCs
If you sign into a work or school PC and notice that your previously synced settings aren't appearing—or that the "Windows Backup" option in the Settings app is grayed out—your organization may have left the policy unconfigured after this change. You can still manually back up some items via the OneDrive sync client, but app lists and certain Windows settings will no longer follow you across devices unless your admin flips the switch.
For Home and Unmanaged PC Users
Nothing changes. Personal devices that aren't enrolled in MDM or joined to a domain remain unaffected by the policy. Windows Backup on consumer PCs continues to back up settings, credentials, and Store apps when you sign in with a Microsoft account, unless you explicitly turn it off.
How We Got Here
Microsoft first introduced the modern Windows Backup framework in Windows 11, expanding it to Windows 10 in early 2023. The goal was to simplify PC migration and make the move from an old device to a new one as seamless as possible. Users could restore their entire digital environment—apps, settings, even pinned taskbar buttons—just by signing in.
But enterprises raised concerns. By default, organization-managed PCs were "phone home" for backup purposes even when admins hadn't decided if they wanted that data flowing to Microsoft's cloud. With heightened focus on data residency, GDPR, and the EU's Schrems II ruling, leaving a broad data-sharing feature on by default became a liability for Microsoft's corporate customers.
The EU's more stringent privacy framework likely explains why the default remains unchanged there. For the rest of the world, Microsoft appears to have decided that a privacy-first stance—off by default—aligns better with enterprise expectations. This mirrors similar shifts in Windows 11, like the gradual removal of the public-facing "timeline" feature and stricter default settings for diagnostic data collection.
It's also worth noting that Microsoft has been iterating on Windows Backup policies for months. In late 2023, a separate policy was added to control whether users could see the Windows Backup app at all. The current change seems to be the next logical step: if an admin hasn't decided, the safest answer is to not back up anything.
What to Do Now
If you manage Windows devices in an organization outside the EU, take these steps today:
- Audit your current policy posture. Check Group Policy Objects, Intune settings catalogs, or ConfigMgr baselines for the "Turn off Windows Backup" setting. Identify any scope where the policy is set to "Not Configured."
- Decide on your backup strategy. Do you want users to be able to back up their Windows settings and Store app lists? If yes, you must now explicitly set the policy to Disabled. If you prefer to keep backup off, you can leave it at Not Configured (which now means off) or explicitly set it to Enabled for clarity.
- Update your GPOs and Intune profiles. For Intune, create a Settings Catalog profile, add "Turn off Windows Backup" from the
WindowsBackupcategory, and set it to Block (which corresponds to Enabled) or Not configured (off by default now). For on-premises GPOs, download the latest administrative templates (.admx) for Windows 11 23H2 or later, and update your policies accordingly. - Communicate with users. If you're disabling backup, let employees know that settings won't roam. If you're enabling it, remind them that data is stored in their Microsoft account and may be subject to your organization's data governance policies.
- Test on a pilot group before broad deployment. Validate that the new behavior matches your intent on Windows 10 22H2, Windows 11 21H2, and later builds.
For devices in the EU, the legacy default applies, meaning "Not Configured" still enables backup. If that doesn't align with your compliance requirements, you should set the policy to Enabled explicitly to block backup across your fleet.
Outlook
This is unlikely to be the last privacy-focused adjustment Microsoft makes to Windows Backup. With the Copilot+ PC wave and an increasing number of AI-powered personalization features, the line between user convenience and corporate data control will keep blurring. Expect more granular policies that let you choose exactly which components roam—and possibly a wider distinction between work and personal accounts on managed devices. For now, the message is clear: when it comes to enterprise backup, silence is no longer consent. Set your policies explicitly or accept the new, more guarded default.