In-Depth Guide: Configuring Windows Backup and Restore with Microsoft Intune
Ensuring seamless protection and recovery of user data is a top priority for IT teams. Microsoft Intune’s Windows Backup and Restore feature (currently in preview) for Windows 11 offers a unified, cloud-based solution that automatically captures files, app data, Wi-Fi profiles, and personalization settings—and then restores them during device setup. This in-depth guide covers architecture, configuration, monitoring, and best practices to help you deploy a robust backup strategy across your organization.
1. Architecture and Key Components
Windows Backup and Restore in Intune leverages several Microsoft services:
- Intune Configuration Profiles host backup/restore policies and target devices.
- Azure AD/Microsoft Account ties backups securely to the user’s identity.
- Cloud Files Service stores encrypted snapshots of user data and settings.
- Device Scheduled Tasks on Windows 11 handle backup execution and restoration.
The feature works end-to-end:
- Intune pushes a policy enabling backup and restore.
- A CloudRestore scheduled task on each device runs backups every eight days.
- During Out-of-Box Experience (OOBE) after reset or on new hardware, the device checks for existing backups linked to the signing-in user.
- Users choose to restore apps, settings, and files seamlessly from the cloud snapshot.
2. Preparing Your Environment
Before enabling the feature:
- Confirm all Windows 11 devices are enrolled in Intune and hybrid Azure AD–joined or Azure AD–joined.
- Verify Azure AD users have the necessary Microsoft or work account licenses to access cloud storage.
- Ensure adequate cloud storage allocation under your tenant’s licensing and storage plans.
- Communicate with stakeholders; inform pilot users about the upcoming backup and restore workflow.
3. Enabling Backup and Restore in Intune
- Sign in to the Microsoft Intune admin center.
- Navigate: Devices → Device onboarding → Enrollment → Windows.
- Select Windows Backup and Restore (preview).
- Under Scope tags, choose appropriate tags for delegated management.
- Set Show restore page to On—this displays the restore option during OOBE.
- Assign the profile to All users or a pilot security group.
- Click Save.
This policy deploys within minutes. Devices check in, download the configuration, and create the local scheduled tasks.
4. Understanding Device-Side Components
On each Windows 11 PC, two scheduled tasks appear under Task Scheduler Library → Microsoft → Windows → CloudRestore:
- CloudRestoreBackup
  - Triggers every eight days.
  - Invokes the BackupEngine service to collect files from known user folders, Wi-Fi profiles, registry settings for personalization, and app data defined by Microsoft.
  - Encrypts data locally using TPM-protected keys, then uploads to the cloud.
- CloudRestoreRestore
  - Idle until OOBE.
  - Listens for device-setup events.
  - When a user signs in with a backed-up account, it presents the restore UI and invokes the RestoreEngine to pull data from the cloud snapshot.
Reviewing these tasks and their last run times helps troubleshoot issues or confirm backups are working.
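One way to script that review on a device, as an added example that is not part of the original guide or Microsoft's tooling. The task path and task names are the ones this guide gives, the eight-day threshold mirrors its backup interval, and the function name `Get-CloudRestoreTaskHealth` is hypothetical:

```powershell
# Added example: audit the two CloudRestore scheduled tasks this guide names.
# Task path and names come from the guide; adjust them if your build differs.
$TaskPath       = '\Microsoft\Windows\CloudRestore\'
$BackupTask     = 'CloudRestoreBackup'
$RestoreTask    = 'CloudRestoreRestore'
$StaleAfterDays = 8        # the guide's backup interval
$NeverRun       = 267011   # 0x41303, SCHED_S_TASK_HAS_NOT_RUN

function Get-CloudRestoreTaskHealth {
    foreach ($name in $BackupTask, $RestoreTask) {
        $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $name -ErrorAction SilentlyContinue
        if (-not $task) {
            [pscustomobject]@{ Task = $name; State = 'Missing'; LastRun = $null
                               Finding = 'Task not found: policy may not have applied yet' }
            continue
        }
        $info     = $task | Get-ScheduledTaskInfo
        $neverRan = $info.LastTaskResult -eq $NeverRun
        $finding  = 'OK'
        if ($task.State -eq 'Disabled') {
            $finding = 'Task is disabled'
        }
        elseif ($name -eq $BackupTask) {
            # Only the backup task is expected to run on a schedule;
            # the restore task stays idle until OOBE.
            if ($neverRan) {
                $finding = 'Backup has never run'
            }
            elseif ($info.LastRunTime -lt (Get-Date).AddDays(-$StaleAfterDays)) {
                $finding = "Last backup older than $StaleAfterDays days"
            }
            elseif ($info.LastTaskResult -ne 0) {
                $finding = 'Non-zero last result: 0x{0:X}' -f $info.LastTaskResult
            }
        }
        [pscustomobject]@{
            Task    = $name
            State   = $task.State
            LastRun = if ($neverRan) { $null } else { $info.LastRunTime }
            Finding = $finding
        }
    }
}

Get-CloudRestoreTaskHealth | Format-Table -AutoSize
```

Any row whose Finding is not `OK` is a device to follow up on before relying on its backup for recovery.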
5. Testing the End-User Experience
Run through this workflow on a test device:
- Allow the backup task to complete (or trigger manually via Task Scheduler).
- Open Settings → Accounts → Windows backup to verify backup status and last run time.
- Reset the device or start a new Windows 11 setup.
- Sign in with the same Azure AD or Microsoft account.
- When prompted, select Restore from backup.
- Observe files, apps, Wi-Fi networks, and personalization restored automatically.
The process takes minutes and significantly cuts deployment time compared to manual migrations.
6. Monitoring and Compliance Reporting
Intune provides built-in monitoring:
- Go to Devices → Monitor → Backup and Restore.
- View the device list, which shows backup status (Enabled/Disabled), last backup time, and any errors.
For deeper analytics:
- Enable the Intune Data Warehouse.
- Export the CloudRestoreBackupDeviceStatus table into Azure Log Analytics.
- Build a Workbook dashboard showing compliance trends, failures by device model, and backup size metrics.
- Configure alerts for failed backups older than eight days, triggering email or Teams notifications for remediation.
7. Advanced Configuration and Best Practices
- Selective Restore: Customize which folders or app data categories to include by editing CSP settings in the Settings Catalog.
- Security: Require TPM 2.0 and BitLocker encryption to ensure local snapshots and restore operations are protected.
- Scope Tags and RBAC: Use Intune scope tags to delegate policy management to regional or departmental admins.
- Pilot and Rollout Strategy: Start with a small user group. Validate performance impacts, storage usage, and user feedback before broad deployment.
- Storage Planning: Monitor cloud storage consumption; implement retention policies to clean up older snapshots.
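The Security item above can be verified per device before it joins the pilot. This is an added example, not from the original guide; it uses the built-in Win32_Tpm CIM class and the BitLocker module's `Get-BitLockerVolume`, must run elevated, and the function name `Test-BackupSecurityBaseline` is hypothetical:

```powershell
# Added example: check the TPM 2.0 and BitLocker requirements on the local device.
# Run from an elevated PowerShell session.
function Test-BackupSecurityBaseline {
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec version.
    $specVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }
    $tpmReady    = [bool]($tpm -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue)

    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $encrypted    = [bool]($vol -and $vol.VolumeStatus -eq 'FullyEncrypted')
    $protectionOn = [bool]($vol -and $vol.ProtectionStatus -eq 'On')
    # A TPM-based protector (Tpm, TpmPin, ...) binds the volume key to the chip.
    $tpmProtector = @($vol.KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -like 'Tpm*' }).Count -gt 0

    $result = [ordered]@{
        Computer       = $env:COMPUTERNAME
        TpmSpecVersion = $specVersion
        Tpm20Ready     = ($specVersion -eq '2.0') -and $tpmReady
        OsDriveEncrypted = $encrypted
        ProtectionOn   = $protectionOn
        TpmKeyProtector = $tpmProtector
    }
    # Compliant only if every boolean check above passed.
    $result.Compliant = $result.Tpm20Ready -and $encrypted -and $protectionOn -and $tpmProtector
    [pscustomobject]$result
}

Test-BackupSecurityBaseline | Format-List
```

A drive that reports `FullyEncrypted` with protection off (for example, suspended for servicing) fails the check, which is the case a status-only review tends to miss.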
8. Limitations and Considerations
- Not supported in Government Community Cloud (GCC) or DoD tenants.
- Preview features may change—review Microsoft’s Intune roadmap regularly.
- Network bandwidth can affect backup duration; consider off-peak backup windows via custom schedules.
9. Conclusion
Microsoft Intune’s Windows Backup and Restore preview provides a powerful, automated way to safeguard user environments and accelerate device setups. By understanding its architecture, enabling policies correctly, and implementing thorough monitoring, IT teams can deliver a reliable, self-service recovery experience for Windows 11 users, cutting downtime and support overhead.

