August 2025 security updates unlock a long-awaited enterprise capability: Windows Backup for Organizations is moving to broad availability, giving IT administrators direct Intune controls to restore user settings and Microsoft Store app layouts during Out‑Of‑Box Experience (OOBE). The feature, tenant-scoped and tightly integrated with Microsoft Entra identity, is designed to slash post‑reimage configuration time — and it arrives just as enterprises face the Windows 10 end‑of‑support deadline.

For more than a year, large organizations have been testing the backup and restore workflow in private preview. Now, with documentation published and the toggle appearing in Intune, Microsoft is signaling that the service is ready for production adoption, albeit with critical prerequisites and tenant‑gated rollout patterns that demand careful validation.

What the feature actually backs up (and what it ignores)

Windows Backup for Organizations is not a traditional backup tool. It captures a curated set of device settings and a manifest of Microsoft Store apps — nothing more. The goal is to accelerate the “make‑it‑mine” moment for employees unboxing a new or freshly imaged laptop.

Specifically, the backup manifest includes:

  • System and personalization settings: desktop background, color themes, taskbar configuration, and lock screen preferences.
  • Network settings: known Wi‑Fi networks (where supported by hardware), VPN profiles, and proxy configurations.
  • Accessibility options: magnification, narrator, high‑contrast themes, and closed captioning preferences.
  • File Explorer preferences: folder view options, Quick Access pins, and search settings.
  • Bluetooth pairings: a list of previously connected devices is preserved so re‑pairing is not needed during setup.
  • Microsoft Store app list: the backup records which Store apps were installed and their Start menu positions, allowing a similar layout to be restored.

The service explicitly excludes user documents, media files, and any Win32 desktop applications (MSI/EXE). It does not create a system image, back up drivers, or enable bare‑metal recovery. These omissions are by design — Microsoft wants organizations to treat this as a “settings accelerator,” not a replacement for OneDrive, endpoint backup solutions, or existing software deployment pipelines.

Why it matters now: the Windows 10 migration crunch

The timing is no coincidence. Windows 10 version 22H2 reaches end of support in October 2025. Millions of corporate devices must transition to Windows 11 in the coming months, and helpdesk tickets spike after every refresh cycle when employees discover their familiar environment is gone. By injecting a restore option directly into the OOBE enrolment flow, Microsoft aims to compress the time between “new device” and “fully productive user.”

IT leaders facing tight migration windows can use Windows Backup alongside Autopilot to decouple personalization from the base image. A user who receives a replacement laptop on Monday morning could be back to their customized layout by Monday afternoon, even if the Win32 app delivery takes another hour via Intune.

Inside the Intune controls: a step‑by‑step guide

Enabling the feature is a two‑step process, both completed inside the Microsoft Intune admin center:

  1. Create a Settings Catalog policy
    - Navigate to Devices > Configuration profiles > Create profile.
    - Platform: Windows 10 and later.
    - Profile type: Settings Catalog.
    - Search for “Sync your settings” and enable the setting Enable Windows backup.
    - Assign the policy to the target user or device group.
    - This policy activates the client‑side backup agent.

  2. Turn on the tenant‑wide restore toggle
    - Go to Devices > Enrollment > Windows > Enrollment options.
    - Locate Windows Backup and Restore (labelled as “preview” or “GA” depending on tenant rollout stage).
    - Set Show restore page to On.
    - This toggle surfaces the restore option during OOBE for any eligible Entra‑joined device.

Only after both steps are complete will users see the “Restore from backup” screen during initial setup. The restore page appears after the user authenticates with their Microsoft Entra credentials, pulling the backup manifest stored in the organization’s tenant.

Prerequisites and the inevitable “gotchas”

Microsoft’s documentation lists six non‑negotiable requirements. Overlooking any one of them will silently break the restore flow:

  • Entra join type: Backup works on both Entra‑joined and Entra hybrid‑joined devices, but restore during OOBE is only supported on Entra‑joined devices. Hybrid‑joined devices can still back up settings but won’t see the restore option.
  • OS baseline: Windows 10 22H2 (with a minimum build specified in Microsoft’s release notes) and Windows 11 22H2 or later. Organisations still running Windows 10 21H2 or earlier builds are out of luck.
  • August 2025 security update: The Windows Backup app is bundled with this update. Without it, the restore page won’t render during OOBE. Administrators can enforce compliance by using the Intune Enrollment Status Page to block user access until the update is applied.
  • MDM policy: The Settings Catalog profile must be deployed and applied before the backup agent will run. Group Policy can also be used for domain‑joined machines, but Intune is the recommended path for cloud‑native estates.
  • Microsoft Activity Feed Service: The restore flow depends on this service to retrieve the backup manifest. If Conditional Access policies block the Activity Feed Service or the user’s Entra token is denied, the restore option will fail. IT must add the service to allow lists and test thoroughly.
  • Sovereign cloud availability: At launch, the feature is not available in GCC‑High, other sovereign clouds, or China (21Vianet). Regulated organisations must verify data residency and compliance before enabling the tenant‑wide toggle.

A pervasive challenge is tenant‑gated rollouts. Even though Microsoft labels the feature as GA in its August service notes, the “Show restore page” toggle may not appear in every Intune tenant on day one. Administrators should check their portal immediately and build contingency plans if the toggle is missing.

Operational realities: piloting and avoiding common traps

Early adopters report two recurring issues. First, Conditional Access misconfigurations are the top cause of restore failures. If the Activity Feed Service is not excluded from policies that require device compliance or Intune enrollment before authentication, OOBE can’t fetch the backup manifest. The fix is simple — create an exclusion — but the symptom (a missing restore page) is opaque.

Second, many IT teams assume the feature will handle application state. Restores will re‑pin Store apps to the taskbar and Start menu, but they will not reinstall any Win32 or custom LOB applications. Organisations must maintain their existing Intune app deployment profiles, ConfigMgr task sequences, or third‑party packaging tools alongside the backup service.

A realistic pilot design looks like this:

  1. Select a cohort of 20–30 users with varied app portfolios and heavy personalisation.
  2. Confirm their current devices meet the OS and Entra join requirements.
  3. Deploy the Settings Catalog backup policy to the pilot group only.
  4. Verify that backup artifacts are created (no admin‑visible indicator exists yet; check during restore).
  5. Reimage or reset a device, enrol via Autopilot, and document the restore experience.
  6. Validate that Conditional Access rules don’t interfere under real‑world network conditions.

Security and compliance design

Because backup data is stored within the organisation’s Entra tenant and tied to the user’s identity, the security model is inherently stronger than consumer‑grade sync. Cross‑tenant leakage is impossible: a user signing into a different Entra tenant during OOBE won’t see any restore prompt. Data is encrypted at rest and in transit using standard Azure storage encryption.

However, compliance teams must still weigh risks. The backup manifest contains information about installed apps and Wi‑Fi network names, which in some regulated industries could be considered sensitive. Sovereign cloud exclusions are a blunt instrument — organisations in GCC‑High can’t use the feature at all right now, while commercial cloud tenants in Europe or Asia‑Pacific can enable it but may need to run a DPIA if they haven’t assessed the Activity Feed Service already.

Strengths and limitations: a balanced scorecard

What Windows Backup for Organizations gets right
- Cuts helpdesk calls for “How do I get my desktop back?” after refreshes.
- Seamless integration with Intune and Autopilot — no extra agents or servers.
- Predictable, narrow scope prevents it from becoming an unmanageable migration monster.

Where it falls short
- Does nothing for user data; OneDrive Known Folder Move is still mandatory.
- Win32 apps remain a gap; reliance on other deployment tooling is unchanged.
- Tenant‑gated availability introduces uncertainty in migration planning.
- Conditional Access dependencies add a testing burden that many IT shops underestimate.

What IT leaders should do next

This feature won’t replace your existing backup strategy, but it can significantly reduce the “personalisation penalty” during a mass migration. Three actions for this week:

  • Check the tenant toggle. Log into Intune, navigate to Enrollment options, and see if the toggle exists. If not, open a support case or monitor the Message Center for staged rollout notifications.
  • Inventory your OS builds. Run a report across your estate to determine how many devices are already on the minimum required build. Plan a quality update push if coverage is below target.
  • Test Conditional Access. Create a test user with a typical set of policies and simulate an OOBE restore. If the restore page doesn’t appear, inspect the sign‑in logs for Activity Feed Service blocks.
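
The sign-in log check from the last bullet (and the Activity Feed Service prerequisite earlier) can be scripted against an export from the Entra sign-in logs. The following is an added example, not code from Microsoft or from the original article: it assumes the export is JSON using Microsoft Graph signIn property names, the function name Get-ActivityFeedCaBlock is hypothetical, and the sample records, users and policy names are constructed.

```powershell
# Constructed sample data: four sign-in records, Microsoft Graph signIn property names.
$sampleJson = @'
[
 {"createdDateTime":"2025-08-20T08:01:12Z","userPrincipalName":"pilot1@contoso.example",
  "resourceDisplayName":"Microsoft Activity Feed Service","conditionalAccessStatus":"failure",
  "status":{"errorCode":53003},
  "appliedConditionalAccessPolicies":[{"displayName":"Require compliant device","result":"failure"},
                                      {"displayName":"Require MFA","result":"success"}]},
 {"createdDateTime":"2025-08-20T08:07:40Z","userPrincipalName":"pilot2@contoso.example",
  "resourceDisplayName":"Microsoft Activity Feed Service","conditionalAccessStatus":"failure",
  "status":{"errorCode":53000},
  "appliedConditionalAccessPolicies":[{"displayName":"Require compliant device","result":"failure"}]},
 {"createdDateTime":"2025-08-20T08:09:03Z","userPrincipalName":"pilot3@contoso.example",
  "resourceDisplayName":"Microsoft Activity Feed Service","conditionalAccessStatus":"success",
  "status":{"errorCode":0},
  "appliedConditionalAccessPolicies":[{"displayName":"Block legacy clients","result":"reportOnlyFailure"}]},
 {"createdDateTime":"2025-08-20T08:11:55Z","userPrincipalName":"pilot1@contoso.example",
  "resourceDisplayName":"Microsoft Intune Enrollment","conditionalAccessStatus":"failure",
  "status":{"errorCode":53003},
  "appliedConditionalAccessPolicies":[{"displayName":"Require MFA","result":"failure"}]}
]
'@

function Get-ActivityFeedCaBlock {
    param(
        [Parameter(Mandatory)] [object[]] $SignIn,
        # Resource name as the article gives it; adjust if your logs label it differently.
        [string] $ResourceName = 'Microsoft Activity Feed Service'
    )
    foreach ($s in $SignIn) {
        # Keep only sign-ins to the service that Conditional Access actually denied.
        if ($s.resourceDisplayName -ne $ResourceName) { continue }
        if ($s.conditionalAccessStatus -ne 'failure') { continue }
        # Report-only results (reportOnlyFailure) do not block, so only 'failure' counts.
        $blocking = @($s.appliedConditionalAccessPolicies |
            Where-Object { $_.result -eq 'failure' } |
            ForEach-Object { $_.displayName })
        [pscustomobject]@{
            Time      = $s.createdDateTime
            User      = $s.userPrincipalName
            ErrorCode = $s.status.errorCode
            Policies  = $blocking -join '; '
        }
    }
}

# Group the blocks by policy so the exclusion candidates are obvious.
Get-ActivityFeedCaBlock -SignIn ($sampleJson | ConvertFrom-Json) |
    Group-Object Policies | Sort-Object Count -Descending |
    Select-Object Count, Name, @{n='Users'; e={ ($_.Group.User | Sort-Object -Unique) -join ', ' }}
```

To run it against real data, replace `$sampleJson` with the contents of the exported file read via `Get-Content -Raw`. Scope the export to the pilot users and the time window of the OOBE attempt so the grouping reflects restore failures only.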

Windows Backup for Organizations is a disciplined, enterprise‑ready answer to a very specific problem. It won’t rescue you from neglected patch management or poor app deployment practices, but it will make Windows 11 migrations feel less like a disruption and more like a routine upgrade. For organisations staring down a fleet refresh, that alone is worth the price of admission.