Microsoft Just Flipped the Switch: Windows 11 26H2 Backup Is ON by Default – Here’s What Security Teams Must Do Now + Video

Listen to this Post

Featured Image

Introduction:

Microsoft has confirmed a seismic shift in Windows endpoint resilience with the upcoming release of Windows 11 version 26H2: the Windows settings backup policy will be enabled by default on eligible Microsoft Entra joined or hybrid-joined devices. Previously an opt‑in feature requiring explicit administrative configuration, this change transforms backup from a discretionary tool into a standard operating system baseline. While the move aims to simplify recovery after system resets, device replacements, or upgrades, it introduces fresh considerations for security and compliance teams who must now actively manage what settings are synchronized, where they are stored, and how access is protected.

Learning Objectives:

  • Understand the scope, eligibility criteria, and exceptions of the new default‑on backup policy in Windows 11 26H2.
  • Learn how to audit, explicitly disable, or granularly control backup settings using Group Policy, Microsoft Intune, and registry configurations.
  • Master the security and compliance implications of automatic settings synchronization, including data sovereignty and restoration governance.

You Should Know:

  1. Decoding the Default‑On Backup Policy: What Actually Changes

Starting with Windows 11 version 26H2, the Windows Settings Backup and Restore feature (formerly known as Windows Backup for Organizations) will automatically activate on eligible devices where the backup policy is in a Not Configured state. This default‑on behavior applies only to systems that meet three conditions: they run Windows 11 26H2, are located in countries or regions not regulated by the EU Digital Markets Act (DMA), and do not reside in sovereign or restricted cloud environments. Devices in EU markets, by contrast, are exempt from this automatic enablement due to DMA compliance requirements.

Crucially, Microsoft has preserved administrative sovereignty: any explicit configuration—whether enabling or disabling the policy—takes precedence over the default. Restore functionality remains entirely opt‑in and admin‑managed, meaning that while backups happen automatically, restoration still requires deliberate administrative action. The feature captures essential system elements including application settings, user preferences, and the list of installed Microsoft Store applications, enabling smoother device transitions and faster recovery from failures.

Step‑by‑Step: Auditing Your Current Backup Policy Status

Before 26H2 deployment reaches your environment, audit which devices already have the policy configured:

1. Via Group Policy Management Console (GPMC):

  • Open `gpmc.msc` and navigate to your domain’s Group Policy Objects.
  • Locate policies that configure Computer Configuration > Administrative Templates > Windows Components > Sync your settings.
  • Check the Do not sync setting—if Enabled, backup is explicitly disabled; if Disabled or Not Configured, the default‑on behavior will apply in 26H2.

2. Via Registry (Local Machine):

  • Open Registry Editor (regedit.exe) and navigate to:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client
    
  • Look for values that control synchronization behavior. The absence of explicit policy keys indicates a Not Configured state.

3. Via Microsoft Intune (Endpoint Manager):

  • Navigate to Devices > Configuration profiles and review policies targeting the Settings Catalog or Administrative Templates.
  • Search for “Sync your settings” to identify any explicit enable/disable assignments.

4. Via PowerShell (Query Current State):

Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\Backup\Client" -ErrorAction SilentlyContinue

An empty result suggests the policy is not explicitly set, meaning the default‑on behavior will engage post‑26H2 upgrade.

  1. Taking Control: Explicitly Disabling or Restricting Backup via Group Policy and Intune

For organizations that must opt out of automatic backup—whether due to data sovereignty, privacy policies, or compliance frameworks—Microsoft provides clear mechanisms to override the default.

Step‑by‑Step: Disable Backup Entirely via Group Policy

1. Open the Group Policy Management Console (`gpmc.msc`).

  1. Create a new GPO or edit an existing one targeting Windows 11 26H2 devices.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Sync your settings.

4. Locate the policy Do not sync.

  1. Set it to Enabled. This turns off and disables the Remember my preferences switch on the Accounts > Windows backup page in Settings.
  2. Link the GPO to the appropriate Organizational Unit (OU) and enforce as needed.
  3. Run `gpupdate /force` on target machines to apply the setting immediately.

Step‑by‑Step: Disable via Microsoft Intune (MDM)

  1. In the Microsoft Intune admin center, go to Devices > Configuration profiles > Create profile.
  2. Select Windows 10 and later as the platform and Settings catalog as the profile type.
  3. Click Add settings and search for “Sync your settings”.
  4. Locate Do not sync and toggle it to Enabled.
  5. Assign the profile to the desired device groups and deploy.

Step‑by‑Step: Granular Control – Disable Specific Sync Categories

If you wish to allow backup but restrict sensitive categories, configure individual policies:

| Setting | GPO Path | CSP OMA‑URI |

||-|-|

| Disable Accessibility sync | Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync accessibility settings | `./Device/Vendor/MSFT/Policy/Config/SettingsSync/DisableAccessibilitySettingSync` |
| Disable App sync | Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync Apps | `./Device/Vendor/MSFT/Policy/Config/ADMX_SettingSync/DisableApplicationSettingSync` |
| Disable Password sync | Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Don’t sync passwords | (Configure similarly via policy) |

Registry‑Based Override (for standalone or unmanaged devices):

To disable backup via registry:

Key: HKLM\Software\Policies\Microsoft\Windows\SettingSync
Value: DisableSettingSync (REG_DWORD)
Data: 1 (disable) or 0 (enable)

Alternatively, to suppress backup monitoring notifications:

Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup
Value: DisableMonitoring (REG_DWORD)
Data: 1
  1. Security and Compliance Implications: What Gets Synced and Where It Goes

The default‑on backup policy automatically synchronizes user settings and Microsoft Store app lists to the cloud—specifically, to the user’s Microsoft Entra (formerly Azure AD) account storage. This raises several critical security considerations:

  • Data Residency and Sovereignty: Organizations in non‑EU regions must verify that their cloud storage complies with local data protection regulations. The policy exempts sovereign and restricted cloud environments, but standard commercial clouds may store data across regional data centers.

  • Synchronized Settings Inventory: The backup captures: application settings (including those from Win32 and UWP apps), user preferences (desktop themes, language settings, browser favorites if using Microsoft Edge), and the list of installed Microsoft Store applications. Passwords and Wi-Fi credentials are not automatically synced unless explicitly allowed via separate policy configurations.

  • Restore Governance: While backup is automatic, restore remains admin‑controlled. This is a deliberate security boundary: restoration of settings to a new or reset device requires explicit administrative action, preventing unauthorized recovery of sensitive configurations.

  • Attack Surface Considerations: Automatic backup increases the volume of data transmitted and stored in the cloud. Security teams should review:

  • Whether backup data is encrypted at rest and in transit (Microsoft uses standard encryption protocols).
  • Whether the backup storage account is subject to the same conditional access policies as other corporate data.
  • Whether backup data could inadvertently expose internal application paths or naming conventions.

Step‑by‑Step: Audit What Is Currently Being Synced

  1. On a Windows 11 26H2 device, open Settings > Accounts > Windows backup.
  2. Review which toggle switches are active: Remember my preferences, Remember my apps, and Accessibility.
  3. Click Manage backup to see detailed categories and storage usage.
  4. For enterprise visibility, use Microsoft Entra audit logs to track backup‑related activities:

– Navigate to Microsoft Entra admin center > Identity > Monitoring & health > Audit logs.
– Filter by activity: “Windows settings backup” or “Backup configuration change”.

4. Validating the Default‑On Experience Before Wide Deployment

Microsoft has made the default‑on behavior available in the Windows Insider Program Experimental channel starting July 2026, with broad effect expected at general availability later in the year. Security teams should leverage this preview window to test the feature in a controlled environment.

Step‑by‑Step: Test the Default‑On Backup in a Sandbox

  1. Enroll a test device in the Windows Insider Program Experimental channel (Build 26300.8772 or later).
  2. Ensure the device is Microsoft Entra joined or hybrid joined.
  3. Confirm the backup policy is in a Not Configured state (no explicit GPO or Intune assignment).

4. Upgrade to Windows 11 26H2 and observe:

  • The backup toggle in Settings > Accounts > Windows backup should be ON by default.
  • The Remember my preferences switch should be enabled.
  1. Trigger a backup by signing out and back in, or by manually clicking Back up now.
  2. Verify that settings are successfully synchronized to the user’s Entra account.
  3. Perform a test reset or reimage of the device and confirm that settings restore automatically upon user sign‑in (restore remains opt‑in, so ensure restore policies are also configured if testing full recovery).

Cloud Rebuild: A Companion Recovery Innovation

Alongside the backup policy change, Microsoft is introducing Cloud rebuild in the Windows Recovery Environment (WinRE). This new recovery option restores a Windows 11 PC to a clean, known‑good state by downloading the target Windows image and device drivers directly from Windows Update—even when the OS won’t boot. To access it:
– Boot into WinRE (e.g., by interrupting startup three times).
– Select Troubleshoot > Recovery and uninstall > Cloud rebuild.
– Connect to a network (wired Ethernet or Wi‑Fi) and confirm the target build.

This capability complements the backup policy by providing a complete recovery workflow: backup protects settings, Cloud rebuild restores the OS image.

5. Linux and Cross‑Platform Considerations for Hybrid Environments

While the backup policy is Windows‑specific, organizations operating hybrid Linux‑Windows environments should consider how settings synchronization interacts with cross‑platform identity management.

Step‑by‑Step: Monitor Windows Backup Activity from a Linux SIEM

If your security operations center (SOC) uses a Linux‑based SIEM (e.g., Elastic Stack, Splunk on Linux), you can ingest Windows event logs related to backup activities:

  1. On Windows endpoints, enable Audit Policy for Detailed Tracking > Audit Process Creation and Object Access.
  2. Forward Windows Event Logs (specifically Microsoft‑Windows‑SettingSync/Operational and Microsoft‑Windows‑Backup/Operational) to your Linux SIEM using WinRM or Sysmon.
  3. Use `powershell` remoting from Linux to query backup status across Windows hosts:
    pwsh -Command "Invoke-Command -ComputerName <target> -ScriptBlock { Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\Backup\Client' }"
    
  4. Alternatively, use Azure CLI from Linux to query Intune policy assignments:
    az rest --method GET --uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations" --query "value[?contains(displayName, 'Backup')]"
    

Linux Commands for Backup Monitoring (Cross‑Platform)

  • Check backup policy via registry from Linux (using reglookup or chntpw):
    reglookup -H /mnt/windows/Windows/System32/config/SOFTWARE "Microsoft\Windows\CurrentVersion\WindowsBackup"
    
  • Monitor network traffic for backup uploads (identify backup endpoints):
    sudo tcpdump -i any -1 'host .backup.windows.com'
    

6. Mitigating Risks: Best Practices for Security Teams

Given the default‑on nature of the policy, security teams should adopt a proactive governance framework:

  1. Inventory and Classify: Identify all Entra‑joined devices that will receive 26H2. Classify them by data sensitivity and regulatory requirements.
  2. Define Explicit Policy: For high‑security or regulated environments, explicitly disable backup via GPO/Intune before 26H2 deployment. For lower‑risk environments, explicitly enable with granular controls.
  3. Review Conditional Access: Ensure that backup data storage (Microsoft Entra account storage) is covered by Conditional Access policies, including MFA and location‑based restrictions.

4. Monitor and Alert: Set up alerts for:

  • Backup policy changes (Event ID 4701 – Policy change).
  • Large‑scale backup activity spikes (potential data exfiltration).
  • Failed backup attempts (indicating possible connectivity or permission issues).
  1. User Training: Educate users on what settings are backed up and how restoration works. Emphasize that restore operations require IT assistance to prevent unauthorized recovery attempts.

Step‑by‑Step: Deploy a Backup Policy Monitoring Dashboard

  1. Use Microsoft Sentinel or Azure Monitor to ingest Windows backup logs.
  2. Create a KQL (Kusto Query Language) query to visualize backup status across devices:
    Event
    | where Source == "Microsoft-Windows-SettingSync"
    | where EventID == 701 (backup started) or EventID == 702 (backup completed)
    | summarize count() by Computer, bin(TimeGenerated, 1h)
    | render timechart
    
  3. Set up automated responses: if a device shows backup disabled without an approved exemption, trigger a remediation playbook to re‑enable or investigate.

7. The Restoration Conundrum: Why Restore Remains Admin‑Only

A critical nuance often overlooked is that while backup is default‑on, restore is not. This design choice reflects a sound security principle: preventing unauthorized or accidental restoration of settings that could reintroduce misconfigurations, malware‑persistence mechanisms, or insecure preferences. Restoration requires explicit administrative action, typically through the Settings app or via MDM‑initiated restore policies.

Step‑by‑Step: Enable Restore for Authorized Scenarios

If your organization wants to allow self‑service restore for users:

  1. Via Intune: Create a configuration profile that enables the restore policy.

– Navigate to Devices > Configuration profiles > Create profile.
– Select Settings catalog and search for “Restore”.
– Enable Allow restore of Windows settings and assign to targeted user groups.
2. Via Group Policy: Navigate to Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Allow restore of Windows settings and set to Enabled.

3. Via Registry:

Key: HKLM\Software\Policies\Microsoft\Windows\SettingSync
Value: EnableRestore (REG_DWORD)
Data: 1 (enable) or 0 (disable)

Remember: enabling restore does not automatically enable backup—but with backup now default‑on, enabling restore completes the full recovery workflow.

What Undercode Say:

  • Default does not mean ungovernable. The shift to default‑on backup is a resilience improvement, but security teams must treat it as a new baseline to actively manage, not a set‑and‑forget feature.
  • Visibility is the new control. Understanding what settings are synchronized, where they are stored, and who can restore them is paramount. Organizations that fail to audit their backup policy status may inadvertently expose sensitive configuration data to cloud storage without proper oversight.
  • Restore governance is the true security boundary. Keeping restore admin‑only while making backup automatic is a thoughtful compromise—it reduces user friction for backups while maintaining strict control over recovery actions.
  • The EU exemption highlights regulatory influence. The DMA carve‑out demonstrates how regional regulations are shaping even core Windows features. Multinational organizations must account for these regional differences in their deployment strategies.
  • Test before you trust. The Experimental channel preview offers a critical window to validate behavior, test integrations, and refine policies before 26H2 reaches general availability. Waiting until deployment risks unexpected disruptions.

Prediction:

  • +1 The default‑on backup policy will significantly reduce helpdesk tickets related to lost settings and user preferences after device resets, improving overall end‑user productivity and satisfaction.
  • +1 Over the next 12–18 months, Microsoft will likely expand the scope of automatically backed‑up settings to include more application‑specific configurations, further streamlining device transitions.
  • -1 Organizations that fail to audit and explicitly configure backup policies may face unintended data sovereignty violations, particularly if backup data crosses regional boundaries without proper legal basis.
  • -1 The default‑on behavior could create a false sense of security—IT teams might assume full system state is backed up, when in reality only user settings and Store app lists are captured, not user data files or system state.
  • +1 The introduction of Cloud rebuild alongside default backup positions Windows 11 26H2 as the most recoverable Windows version to date, potentially reducing average recovery times from hours to minutes.

▶️ Related Video (66% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Cybersecuritynews Share – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky