Windows settings backup policy is becoming a new default

🚨 The Signal: Windows 11, version 26H2 will default to enabling settings backup for unmanaged devices. This enhances resilience but requires security teams to verify data handling and compliance for sensitive information stored in backups.

The Impact

Unmanaged Windows 11 devices will automatically back up settings, creating a data exposure risk if not properly governed by security teams.

  • Security Teams: Risk of unapproved data storage in cloud backups.
  • Compliance Officers: Need to verify backup data location and retention policies.
  • IT Admins: Must ensure existing Intune/GPO policies override new defaults.
  • End Users: Personal settings backed up, potentially including sensitive configurations.

The Action

  1. Review existing Intune/Group Policy Objects for Windows settings backup policies.
  2. Explicitly configure backup policies (enabled or disabled) via Intune/GPO to override the default.
  3. Assess data classification and sensitivity of settings included in Windows backups.
  4. Update data retention and disposal policies to include Windows settings backups.
  5. Communicate backup policy changes to users and IT support staff.

Domain: Intune · Impact: medium · Workload: Intune · Essential Eight: Regular Backups · ISM: ISM-1511, ISM-1515, ISM-1705, ISM-1706, ISM-1707, ISM-1708, ISM-1810, ISM-1811, ISM-1812, ISM-1813, ISM-1814