Microsoft has moved its enterprise-focused Windows backup into production: Windows Backup for Organizations is now generally available and included in the August/September 2025 servicing wave, giving IT teams a built-in, Intune-manageable path to capture user settings, preferences and Microsoft Store app manifests and restore them during device enrollment (OOBE) on Microsoft Entra–joined devices.
Background / Overview
Windows Backup for Organizations started as an evolution of the consumer settings-sync experience and was announced for enterprise testing during Microsoft’s preview cycles in 2024–2025. The GA declaration appears in Microsoft’s August 26, 2025 product notes and accompanying KB rollout messaging, where the feature is described as an enterprise-grade backup and restore capability intended to reduce downtime during device refreshes and Windows 11 migrations. The feature is surfaced to administrators through Microsoft Intune as a tenant-level setting. Administrators must enable backup policies and, separately, the tenant-wide restore option to expose a restore page during Out‑Of‑Box Experience (OOBE) enrollment. By design the capability is opt-in for organizations and disabled by default until an admin turns on the relevant Intune settings.
What Windows Backup for Organizations actually does
At a high level, the product focuses on restoring the experience of a user on a new or reimaged device rather than providing full file system disaster recovery. Its core responsibilities are:
- Preserve and restore system and personalization settings (File Explorer preferences, desktop options, accessibility settings, known Wi‑Fi networks where supported, and similar configuration state).
- Capture a manifest of Microsoft Store apps and the intent for Start-menu placement so that the restored device mirrors the prior Start layout (this does not reinstall Win32/MSI/EXE applications).
- Schedule automatic backups and allow manual backups from the device UI. Backups run on a recurring schedule (documentation specifies an automatic run approximately every eight days) and users can also initiate a backup via the Windows Backup app.
- It is not a full disk image or file-level backup — documents, user file stores and non-Store Win32 apps are outside the scope. Organizations still need OneDrive, file-server backup, or third-party endpoint backup solutions for complete data protection.
- Restores are executed during the OOBE flow and require the user to sign in with the same Entra ID account used for the backup. The restore option is shown only during enrollment on qualifying Windows 11 devices.
System requirements and availability
Microsoft’s documentation sets specific prerequisites for backup and restore:
- Devices must be Microsoft Entra joined or hybrid-joined. The restore experience requires a device to be Entra‑joined at the time of OOBE.
- Supported OS baselines (examples from Microsoft Learn): Windows 10 version 22H2 (with a minimum build), and Windows 11 versions 22H2, 23H2, and 24H2 — with particular build thresholds for restore capabilities listed in the Intune guidance. Administrators must verify that devices meet the documented minimum builds before relying on OOBE restore.
- The August 2025 optional/preview update (packaged as KB5064080 in Microsoft’s rollout) includes the organizational backup binaries; the feature is also exposed through later cumulative updates. In short, the restore path depends on having appropriate servicing updates applied before OOBE.
- The capability is rolling out and gated by tenant/region in some cases; not every tenant will see the restore toggle simultaneously. Administrators should verify visibility in their Intune tenant.
- Microsoft has stated the feature is not supported in some sovereign/isolated clouds or scenarios (for example, certain government clouds and 21Vianet environments have specific exclusions in early rollouts).
Where backups are stored — data residency and encryption
Microsoft’s documentation and public messaging specify that the backup artifacts for enterprise tenants are stored in Microsoft’s cloud and mapped to the tenant’s data geography. Specifically:
- Backups for Windows Backup for Organizations are stored in the Exchange Online cloud mapped to the tenant’s chosen Country/Region at tenant creation (this mapping follows the same tenant affinity model used across Microsoft 365 services). Administrators can view their tenant data location in the Tenant Admin Center.
- Microsoft says customer content is protected with one or more forms of encryption and that enterprise cloud services apply encryption at rest (platform-level and application-level encryption) and TLS-based encryption in transit. Microsoft’s broader cloud encryption guidance describes BitLocker for volume encryption, service-level encryption, Azure/Office 365 service encryption options and customer-managed key capabilities.
- Microsoft also emphasizes limited, auditable access by Microsoft personnel — engineers are granted access only when necessary (for troubleshooting or legally compelled disclosure), and access is governed and logged. That control model is standard across Microsoft business cloud services.
How to enable and manage (Intune + Entra controls)
The management model is deliberately tenant-scoped and Intune-centric:
- Administrators enable backup by creating or editing a Settings Catalog device configuration in Microsoft Intune and toggling the Windows backup setting. The restore UX is a separate, tenant-wide setting in the Enrollment options that must be turned on to surface the restore page during OOBE. Only Intune Service Administrators or Global Administrators can enable the tenant-wide restore toggle.
- Validate that target devices meet Microsoft’s minimum OS build and servicing requirements.
- Confirm devices are Microsoft Entra joined or hybrid-joined as appropriate.
- Pilot the restore flow with representative users (Autopilot user‑driven OOBE) — note that some Autopilot modes (self-deploying, pre-provisioned) and certain enrollment methods are not supported for restore.
- Review Conditional Access and network allowances for Microsoft Activity Feed and Intune endpoints to avoid enrollment-time failures.
Operational benefits for migrations and device refresh
For enterprises planning large-scale Windows 11 upgrades or device refreshes ahead of Windows 10 end-of-support, this capability promises clear operational advantages:
- Reduced help-desk churn: restoring personalization and app manifests during OOBE cuts the manual reconfiguration time users otherwise need after a reimage.
- Faster user productivity: users hit the desktop with familiar settings and Start layout, which reduces training and onboarding friction on replacement hardware.
- Simplified lifecycle orchestration: Intune-managed, tenant-level controls let administrators gate the restore experience centrally rather than relying on device-level user effort.
Critical limitations and risks — what IT must plan for
While the feature fills a clear gap for settings continuity, it is important to be explicit about what Windows Backup for Organizations does not cover and the operational risks it introduces:
- Not a substitute for full backup and disaster recovery: it does not capture user documents, enterprise file shares, or non‑Store apps — you’ll still need a full endpoint backup or server backup strategy for compliance and DR.
- Restore is OOBE‑only and tied to Entra identity: organizations with non-standard enrollment flows, shared devices, or non‑Entra identities cannot use the restore page. This makes it ill-suited as a universal recovery tool in heterogeneous environments.
- Bandwidth and OOBE time: performing restores (and Microsoft’s new option to install quality updates during OOBE) can lengthen provisioning time and create bandwidth spikes during mass enrollments. Plan Delivery Optimization, pre-caching, or image staging for large fleets.
- Sovereign cloud and regional availability: some government and sovereign clouds may not initially support the feature; confirm availability for tenants in restricted geographies before committing to a migration plan.
- Microsoft access and compliance: while Microsoft documents strict access controls, organizations with highly prescriptive regulatory needs (for example, explicit key custody requirements or immutability) should confirm whether the service meets those requirements or whether a third-party backup solution with customer-managed keys and air‑gap retention is required. The general “multiple layers of encryption” statement is credible but not a replacement for contractual and operational verification.
Deployment blueprint — a practical step-by-step plan
- Inventory: map devices by OS version/build, enrollment state (Entra joined vs hybrid), and Autopilot configuration. Record which devices will be eligible for OOBE restore.
- Pilot ring: enable backup for a small set of pilot users and enable the tenant-level restore only in a dedicated pilot tenant or pilot group. Validate successful backups, restore fidelity (settings and Store app manifest), and end-to-end OOBE behavior.
- Network simulation: model OOBE bandwidth and Delivery Optimization/WSUS pre-caching needs for the anticipated rollout window. Include ESP timeouts and conditional access rules in the simulation.
- Compliance and security review: confirm data residency mapping in tenant admin center, review DPA terms, and evaluate whether Customer Key or other Purview controls are required for your compliance posture. If necessary, contact Microsoft for contract-level clarifications.
- Staged rollout: expand pilot rings progressively. Keep rollback images and recovery playbooks current; combined SSU+LCU packages can complicate rollback, so maintain tested offline images.
- Operationalize support: update helpdesk scripts to explain what is restored, what isn’t, and the expected user actions during OOBE. Provide fallback paths for users with complex Win32 app requirements.
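The inventory step above, and the build/join-state checks in the enable-and-manage section, reduce to a per-device eligibility test. The script below is an added example, not Microsoft's or the article's code: it reads the OS build from the registry, parses `dsregcmd /status` for the join state, and reports whether the device meets the backup (Entra or hybrid joined) and restore (Entra joined at OOBE) prerequisites. The build table holds the base build of each supported version with a UBR of 0 as a placeholder; the documented thresholds must be filled in from the Intune guidance, which this page does not reproduce. The Autopilot registry key is an assumption based on the Autopilot diagnostics tooling.

```powershell
# Added example: per-device eligibility inventory for Windows Backup for Organizations.
# Run elevated on the device, or deploy as an Intune script and collect the JSON output.
param(
    # OS family + DisplayVersion -> @(CurrentBuild, UBR). Base builds only; UBR 0 is a
    # PLACEHOLDER to be replaced with the documented minimum from Microsoft Learn.
    [hashtable]$MinimumBuild = @{
        'Win10-22H2' = @(19045, 0)
        'Win11-22H2' = @(22621, 0)
        'Win11-23H2' = @(22631, 0)
        'Win11-24H2' = @(26100, 0)
    }
)

function Get-JoinState {
    # dsregcmd prints lines such as "AzureAdJoined : YES" and "DomainJoined : NO".
    $out = (dsregcmd /status | Out-String)
    $entra  = $out -match 'AzureAdJoined\s*:\s*YES'
    $domain = $out -match 'DomainJoined\s*:\s*YES'
    if ($entra -and $domain) { return 'Hybrid' }
    if ($entra)              { return 'EntraJoined' }
    if ($domain)             { return 'DomainOnly' }
    return 'NotJoined'
}

function Test-WbfoEligibility {
    $cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build  = [int]$cv.CurrentBuild
    $ubr    = [int]$cv.UBR
    $family = if ($build -ge 22000) { 'Win11' } else { 'Win10' }   # 22000+ is Windows 11
    $key    = "$family-$($cv.DisplayVersion)"
    $join   = Get-JoinState
    # Assumption: this key is populated on Autopilot-provisioned devices (diagnostics data).
    $autopilot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'

    $buildOk = $false
    if ($MinimumBuild.ContainsKey($key)) {
        $min = $MinimumBuild[$key]
        $buildOk = ($build -gt $min[0]) -or ($build -eq $min[0] -and $ubr -ge $min[1])
    }
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        OSVersion           = $key
        Build               = "$build.$ubr"
        JoinState           = $join
        AutopilotRegistered = $autopilot
        BuildMeetsMinimum   = $buildOk
        BackupEligible      = $buildOk -and ($join -in 'EntraJoined', 'Hybrid')
        RestoreEligible     = $buildOk -and ($join -eq 'EntraJoined')
    }
}

Test-WbfoEligibility | ConvertTo-Json
```

Aggregating the JSON from each pilot device gives the OS/build, join-state and Autopilot map the inventory step calls for, with restore-ineligible devices flagged before they reach OOBE.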
Security and privacy analysis
Strengths:
- Having backups tied to the Entra identity reduces the risk of mis-restores across tenants and simplifies the permission model. Intune tenant-level controls centralize governance.
- Microsoft’s cloud encryption posture (platform and service-side encryption, and options supporting customer-managed keys for broader Microsoft 365 workloads) provides a strong baseline for many enterprises.
Risks and caveats:
- The product stores backup artifacts within the tenant’s Exchange Online mapping. Organizations with strict data‑sovereignty or key-custody requirements should validate whether the default storage model and key management options satisfy those requirements; if not, consider third-party backup solutions that offer immutability, air‑gapped storage or customer-held keys.
- Access by Microsoft personnel is limited and audited, but any cloud service where engineers can escalate access introduces a surface that must be considered in high-assurance environments. Mitigation: contractual controls, audit logs, and data residency controls, plus using customer-managed keys where supported.
- Restore during OOBE implies the identity and enrollment flow are critical recovery controls; an attacker who controls or compromises identity paths could affect restore outcomes. Ensure strong identity protections (MFA, Conditional Access, Privileged Identity Management) are in place.
Marketplace context — where this fits vs third‑party options
Windows Backup for Organizations is complementary to existing endpoint and M365 backup solutions rather than a replacement for them. It’s optimized for reducing user friction during provisioning and reimaging, not for long‑retention, point‑in‑time recovery of mailboxes, SharePoint/OneDrive content, or tenant-level identity object preservation. Organizations that require:
- Point-in-time mailbox restores, long retention or immutable backups for compliance; or
- Tenant-level capture of identity objects, role assignments and fine-grained Office 365 artifact retention
Verdict: who should adopt and when
Windows Backup for Organizations is a practical, low-friction tool for enterprises that need fast, repeatable restore of user personalization and Microsoft Store app layouts during large-scale Windows 11 deployments or device refresh cycles. It is particularly attractive for organizations using Intune, Microsoft Autopilot (user-driven mode), and Entra identity as the enrollment control plane.
Adopt early if:
- You manage large fleets with consistent Intune/Entra practices and need to reduce helpdesk time for provisioning.
- You rely primarily on Microsoft Store apps and value restoring Start layout and personalization over full app reinstalls.
Be cautious if:
- Your compliance profile demands customer‑held keys, long-term immutability, or offline/air-gapped retention.
- Your environment relies heavily on Win32 applications, server images or file-level disaster recovery; Windows Backup for Organizations is not a complete DR replacement.
Closing summary
Microsoft’s general availability of Windows Backup for Organizations is a meaningful operational tool for enterprises migrating users to Windows 11 or refreshing fleets: it reduces reconfiguration time, restores familiar user experiences during OOBE, and centralizes control through Intune and Entra. The feature is tied to Intune-managed, Entra-joined devices and stores backup artifacts in Exchange Online in the tenant’s mapped region, protected by Microsoft’s multi-layer encryption practices and governed by Microsoft’s access controls. Administrators should pilot carefully, verify build and enrollment prerequisites, plan for network/load impacts during OOBE, and complement this capability with comprehensive file- and tenant-level backup strategies where regulatory, retention or immutability requirements exist.
For organizations choosing to adopt, the immediate priorities are: validate device build baselines, run pilots with Intune tenant toggles, confirm data residency and compliance posture, and ensure identity/security hygiene to protect the restore path. These steps will let IT teams get the productivity upside without exposing the organization to unanticipated operational or compliance risks.
Source: Windows Report Microsoft Announces General Availability of 'Enterprise-grade' Windows Backup