Microsoft quietly shipped one of the most practical quality-of-life improvements for Cloud PC deployments in February 2026: the Windows first sign-in restore experience. It extends Windows Backup for Organizations to Windows 365 Cloud PCs, hybrid-joined devices, and multi-user machines — and if you manage endpoint fleets, this changes how you think about device provisioning and business continuity.

Here’s everything you need to know to evaluate, enable, and operationalize it.

At a Glance

What: Users can restore their Windows settings, Start menu layout, and Microsoft Store apps at first sign-in — not just during OOBE.

Why it matters: Users who skip or miss the OOBE restore prompt get a second chance. Cloud PC users get restore capability for the first time.

Key integration: Pairs with Windows 365 Reserve for rapid business continuity — users get a familiar environment on a temporary Cloud PC within minutes.

Biggest limitation: Tenant-wide toggle only. No per-group scoping. Autopilot user-driven mode required.

What Is the Windows First Sign-In Restore Experience?

Before this update, Windows Backup for Organizations only offered a restore prompt during OOBE — the out-of-box experience. If a user clicked past it or hit a network hiccup, they were out of luck. No restore, no recourse, and an IT ticket asking why their new device “doesn’t have any of my stuff.”

The first sign-in restore experience fixes this by adding a second restore opportunity at the user’s first interactive desktop sign-in. It also expands device support beyond Entra-joined physical machines to include:

  • Microsoft Entra hybrid-joined devices
  • Multi-user Windows devices
  • Windows 365 Cloud PCs (this is the big one)

One important design detail: if a user explicitly declines restore during OOBE, the system respects that choice and won’t prompt again at first sign-in. This only fires for users who missed or were unable to complete the OOBE restore.

What Gets Restored (and What Doesn’t)

This is where expectations management becomes critical. The feature restores personalization and configuration — not data.

Restored

  • Windows settings: Theme, accent colors, display scaling, accessibility options, language/input preferences, notification settings, taskbar configuration
  • Microsoft Store apps: App list and pinned positions (Store apps auto-reinstall if still available)
  • Start menu layout: Pinned apps and organization

NOT Restored

  • User files and documents — Use OneDrive Known Folder Redirection for this
  • Win32 and line-of-business apps — Deploy these through Intune app management
  • Credentials, saved passwords, MFA registrations — Users must re-authenticate and re-register authenticator apps
  • Wi-Fi passwords — Must be re-entered or pushed via Intune Wi-Fi profiles

Bottom line: This is a settings restore, not a full backup. Pair it with OneDrive KFM and Intune app deployment for a complete device transition story.

How to Enable First Sign-In Restore in Intune

Configuration requires two steps:

Step 1: Enable Windows Backup Policy

  1. In the Intune admin center, create a Settings Catalog policy (Windows 10 and later)
  2. Search for and enable the EnableWindowsBackup setting
  3. Assign the policy to your target device groups

This activates the automatic backup schedule — settings are captured approximately every 7–8 days via a CloudRestore scheduled task.

Step 2: Enable the Restore Page (Tenant-Wide)

  1. Navigate to Devices → Enrollment → Windows Backup and Restore (preview)
  2. Toggle Show restore page to On

That’s it. All eligible devices enrolled after this point will present the restore experience. You’ll need Intune Service Administrator or Global Administrator permissions to flip this toggle.

What “Eligible” Means: System Requirements

For backup:

  • Windows 10 22H2 build 19045.6216+ or Windows 11 22H2+
  • Microsoft Entra joined or Entra hybrid-joined

For restore:

  • Windows 11 only (Windows 10 does not support restore)
  • Version 22H2 build 22621.3958+, 23H2 build 22631.3958+, or 24H2 build 26100.1301+
  • Microsoft Entra joined
  • At least one successful backup profile must exist

Supported provisioning: Windows Autopilot user-driven mode only. Self-deploying mode, Device Preparation, Group Policy enrollment, co-management, and manual enrollment are all unsupported.

The Windows 365 Reserve Angle

This is where first sign-in restore gets genuinely exciting for business continuity planning.

Windows 365 Reserve (GA since November 2025) gives users up to 10 days of Cloud PC access per calendar year for scenarios where their primary device is unavailable — hardware failure, theft, shipping delays, or security incidents. It’s designed to replace expensive physical loaner pools.

Now combine that with first sign-in restore: a user’s laptop dies on Monday morning. IT provisions a Reserve Cloud PC. The user signs in, their familiar settings and apps restore automatically, and they’re productive within minutes. No manual configuration. No hours of IT setup time on a loaner laptop.

Practical tips for Reserve + Restore:

  • Pre-assign Reserve licenses to at-risk users (remote workers, executives, field staff) — Cloud PCs become eligible 7 days after license assignment
  • Reserve uses gallery images only — no custom image complexity to manage
  • Plan for MFA re-registration — users will need to re-enroll authenticator apps on the temporary Cloud PC
  • Document the workflow in your helpdesk runbook so technicians can provision Reserve Cloud PCs consistently

What IT Admins Should Know Before Deploying

The Tenant-Wide Toggle Problem

The restore experience is all-or-nothing at the tenant level. You can’t enable it for corporate devices but disable it for BYOD. You can’t scope it to specific departments. If you need differentiation, you’ll have to work around it with separate Autopilot enrollment profiles or tenant-level separation.

Sovereign Cloud Exclusion

First sign-in restore is not available in GCCH, DoD, or sovereign cloud environments (including China/21Vianet). If you’re in a regulated government environment, this feature isn’t an option yet.

Backup Data Residency

Backup data is stored in Microsoft’s cloud infrastructure based on your tenant’s geographic region. Data is encrypted in transit and at rest. If you have specific data residency requirements, verify your tenant’s region aligns with compliance obligations.

User Communication Is Non-Negotiable

The biggest risk with this feature isn’t technical — it’s expectation mismatch. Users will assume “restore” means “everything.” Communicate clearly:

  • What comes back: Settings, Store apps, Start menu
  • What doesn’t: Files, Win32 apps, passwords
  • What they need to do: Re-register MFA, re-enter Wi-Fi passwords, verify OneDrive sync is running

Practical Deployment Checklist

Here’s what I’d recommend for any organization rolling this out:

  1. Audit your fleet — Identify Windows 11 vs. 10 populations and Entra join status
  2. Enable backup policies first — Give devices at least one backup cycle (7–8 days) before enabling restore
  3. Pilot with a small group — Validate the experience with IT staff or a friendly department before tenant-wide enablement
  4. Pair with OneDrive KFM — Settings restore without file restore is incomplete
  5. Pair with Intune app deployment — Win32 apps won’t restore; they need to be pushed separately
  6. Update helpdesk documentation — Include MFA re-registration steps and “what’s not restored” FAQ
  7. Consider Reserve licensing — If you’re maintaining a loaner pool, run the cost comparison

Next Steps

The Windows first sign-in restore experience isn’t flashy, but it’s the kind of operational improvement that reduces IT tickets, accelerates device transitions, and makes Windows 365 Reserve a genuinely viable business continuity play. If you’re already managing Cloud PCs through Intune, enabling this should be near the top of your backlog.

If your organization is evaluating Windows 365, planning a Cloud PC deployment, or looking to operationalize features like Reserve and first sign-in restore, Big Hat Group can help. We offer Windows 365 training that covers these scenarios hands-on, and our consulting services can help you design and implement a Cloud PC strategy that actually works in production.

Frequently Asked Questions

What does the Windows 365 first sign-in restore experience actually restore?

It restores Windows settings and preferences (theme, accent color, accessibility, language, taskbar layout), Microsoft Store app lists with pinned positions, and Start menu configuration. It does not restore user files, Win32 applications, or saved credentials.

Does first sign-in restore work with Windows 365 Reserve?

Yes. When a user’s primary device fails and IT provisions a Windows 365 Reserve Cloud PC, the user can restore their familiar settings at first sign-in — making temporary Cloud PCs productive within minutes instead of hours.

What provisioning methods support first sign-in restore?

Only Windows Autopilot user-driven mode is fully supported. Self-deploying mode, Device Preparation, Group Policy enrollment, Configuration Manager co-management, and manual enrollment are not supported.

Can I enable first sign-in restore for specific groups instead of the whole tenant?

No. The restore toggle in Intune is tenant-wide. To differentiate, you need to use separate Autopilot enrollment profiles or tenant-level separation. There are no per-group restore controls currently.

What Windows versions are required for backup and restore?

Backup works on Windows 10 22H2 (build 19045.6216+) and Windows 11 22H2+. Restore requires Windows 11 only — version 22H2 build 22621.3958 or later, 23H2 build 22631.3958+, or 24H2 build 26100.1301+. Devices must be Microsoft Entra joined.