KB5064080 August 2025 Preview: Windows 11 23H2 Enterprise Backup & Management

Microsoft has published a non‑security preview update for Windows 11, version 23H2 — KB5064080 — delivered as an optional Release Preview package that bundles a set of targeted reliability fixes, a servicing‑stack refresh, and an enterprise‑facing capability that Microsoft calls Windows Backup for Organizations. ethe Release Preview Channel to stage near‑final cumulative updates before they go broadly to production. These preview releases are intended to surface last‑mile regressions and give IT administrators a controlled environment to validate fixes and new management capabilities. The August preview identified by KB5064080 focuses primarily on quality improvements and device‑management scenarios rather than on consumer feature additions.
Two servicing realities frame this updateLCU packaging** — Microsoft bundles the latest Servicing Stack Update (SSU) with the Latest Cumulative Update (LCU) to improve installation reliability. That approach reduces installation failures but complicates rollback because SSUs are effectively non‑removable once applied.

• Security timing and lifecycle — Microsoft reiterated thates are moving through servicing milestones (for example, some 22H2 SKUs are nearing end‑of‑servicing windows), and there is a broader operational program to update Secure Boot trust anchors because several Microsoft CA certificates from 2011 begin expiring in mid‑2026. Administrators must factor those timelines into their update and firmware coordination plans.

---

What KB5064080 (August 2025 Preview) Delivers​

The August preview (KB506408dnd includes a mixture of bug fixes, management improvements, and a prominent enterprise capability. The Release Preview notes summarize the changes; the most relevant items for end users and IT pros are listed below.

Key fixes and reliability improvements​

• Copilot: Improved reliability of the Copilot hardware key and resolved an issue that prevented users from restarting Copilot after using the key.
• Country and Operator Settings Asset (COSA): Operator profiles for cellular connectivity were refreshed to keep mobile ont.
• Device management: A fix ensures the removable storage policy (USB flash drives and the like) blocks external devices correctly in managed enlevant to organizations enforcing data‑exfiltration controls.
• Family Safety: Restores the “Ask to Use” parental approval prompt for blocked apps so the expected approval workflow appears again.
• File Explorer: Correcte Explorer could unexpectedly show only a single folder (for example, Desktop) and addresses performance degradation when syncing many SharePe sharing / SMB over QUIC**: Mitigates unexpected delays when accessing SMB shares over QUIC, improving file‑share responsiveness in QUIC‑enabled environments.
• File system (ReFS): Fixes a race/hangication and compression at the same time on ReFS could occasionally cause the system to become unresponsive.
• Input / IME: Resolves rendering errors where certainacters (including rare Chinese symbols) appeared as blanks or incorrect glyphs, and corrects problems in the Chinese (Simplified) IME. This brings the OS into alignment with GB1.
• Narrator: Fixes incorrect Narrator announcements for the “Enhance Facial Recognition Protection” control under Windows Hello.
• Network connectivity: Addresses an issue where Wi‑Fi might not reconnect automatically after a Group Policy update.
• *Remote Desktopmeration problems in RDS/Remote Desktop sessions where newly attached cameras were not recognized mid‑session.

Servicing Stack Upeview includes a servicing stack update (SSU) that Microsoft lists as KB5064743 (an SSU raising servicing build to a higher mnhances update reliability and is bundled with the LCU in the combined package. If you deploy the combined package, be aware that the SSU portion will remat be removed independently.​

Windows Backup for Organizations — GA note​

Microsoft’s Release Preview notes call out Windows Backup for Organizations as newly available. The feature is pitched as an enterprise‑grade backup and restore flow to smooth device transitions, upgrades to Windows 11, and refresh scenarios while preserving productivity. However, the Release Preview announcement i of visibility for GA messaging; independent confirmation of availability and full production documentation should be checked in admin portals and official product pages before assuming complete GA availability across tenants. Treat the Release Preview announcement as an early GA signal that needs verification in your tenant and management plane.

---

Why this matters (enterprise and end‑user impact)​

This preview is not a blockbuster feature release, but it is consequential for several reasons:

• Operational resilience — Fixes to removal device policing, ReFS stability, and remote‑session camera detection reduce real‑world helpdesk and compliance incidents that surface in managed fleets.
• **Migration and device refrWnizations capability, if available in your tenant, can materially shorten reprovisioning windows for IT and improve mean‑time‑to‑productivity after hardware refresh or OS migration. Validate prerequisites such as Intune enrollment and tenant licensing prior to adoption.
• Language and accessibility compliance — The input/IME and Narrator fixes addressulatory compliance needs for CJK locales, which matters for international deployments and accessibility programs.

• Servicing complexity — The combined SSU + LCU approach improves installation success but constrains rollbacks. Organizations that rely on rapid rollback as a mitigation should plan for the fact that the SSU is effectively per​

The Secure Boot certificate expiration — the looming operational risk​

One of the most important non‑functional items Microsoft continues to call out is the Windows Secure Boot certificate expiration program. SeEK CA certificates issued in 2011 are scheduled to begin expiring in June 2026, with follow‑on expirations later in 2026. If devices do not acquire the replacement 2023 CA chain (or otherwise receive the replacement trust anchors) before expiration, some experience Secure Boot trust failures or lose the ability to receive pre‑boot security updates.
Why this is operationally tricky:

• Secure Boot trust anchors are a hybrid of firmware (OEM UEFI variables) and OS‑level updates. Many devices require a coordinated firmware update (OEM/BIOS) that will persist the new KEK/DB entries in NVRAM; other devices can accept variable updates written by the OS at runtime. This creates a dependency chain across OEMs, firmware vendors, IT tooling, and Windows Update telemetry.
• Devices that are highly restricted (air‑gapped) or that block telemetry and automatic servicineficate updates and therefore must be prepared with a manual, documented offline workflow. Microsoft’s published guidance emphasizes inventory, OEM coordination, and early testing.

Action‑oriented summary (Secure Boot):

• Inventory devices by OEM/model/firmware and record Secure Boot variable state.
• Coordinate with OEMs to confirm which devices will receive firmware updates to accept the new CA family.
• Validatpathway for CA updates on a small pilot before broad rollout.
• For air‑gapped fleets, prepare the documented manual provisioning workflow and test it on representative hardware.

---

Deployment guidance and recommended checklist​

Preview updates are optional by design; they’re intended for validation prior to mais a practical, prioritized playbook to deploy KB5064080 in production environments.

• Inventory and classification
• Identify Windows 11 23H2 systems, their OS build (22621 vs 22631), and whether they are “feature‑on” or “feature‑off” configurations. Map ReFS usage, SharePoint sync heavy users, and Remote Desktop Service hosts.
• Pilot ring
• Create a pilot cohort that includes:
• Devices with ReFS + dedupe/compression usageavily sync SharePoint libraries in File Explorer.
• RDS / VDI hosts that stream camera devices.
• Family Safety–managed devices if you use parental controls at scale.
• Devices subjected to removable storage policies.
• Test scenarios (what to validate)
• File Explorer navigation and context‑menu performance when many SharePoint sites are connected.
• ReFS operations with deduplication + compression enabled under realistic workloads.
• Removable Storage policy eck/unblock cycles.
• Remote Desktop camera plug/unplug recognition mid‑session.
• SMB access over QUIC latency and reliability.
• Input/IME rendering of extended Unicode glyphs (GB18030‑2022 test cases).
• Narrative/Accessibility flows (Narrator speaking the intended labels).
• Backup and rollback plan
• Take full system backups (or snages) before broad deployment.
• If you need to remove the LCU after installing the combined SSU+LCU package, use DISM /Remove‑Package with the LCU package name. Do not rely on wusa.exe /uninstall for combined packages because SSUs embedded in combined packages are not removable via wusa.
• Staged rollout
• Move from pilot → broader internal validation → production in measured waves. Monitor telemetry and helpdesk tickets closely during each wave.
• Communication
• Notify helpdesk teams about the specific fixes included (ReFS, File Explorer, Removable Storage eety prompts) so they can triage user reports quickly.

---

Special notes for administrators​

• Windows Backup for Organizations: If you plan to adopt this feature to simplify refresh and migration flows, verify prerequisites (Intune, Entra/tenant licensing) and run end‑to‑end backup/restore tests on representative devices. The Release Preview note signals availability, buity and admin documentation must be confirmed before production adoption.
• Servicing stack permanence: The SSU component included with the LCU will remain installed and affects rollback strategies. If your environment relies on frequent rollbacks to pre‑update states, ensure your rollback plan accounts for the non‑removable SSU portion.
• **Recovery regis August cycle follows a separate August out‑of‑band incident earlier in the month where Microsoft issued emergency OOB cumulative updates to fix a regression that broke Reset/Recovery flows and RemoteWipe in managed fleets. That incident is a reminder to validate recovery workflows after any cumulative update. If your environment relies heavily on Reset/Recovery or MDM RemoteWipe, explicitly test these flows after appling change.

---

Risks and limitations — what to watch for​

• Unverified GA claim: The statement that Windows Backup for Organizations is “generally available” appeared in Release Preview release notes; independent production‑grade documentation and tenant availafied before assuming full GA. Until that confirmation arrives, treat the capability as conditionally available and test carefully.
• Firmware / OEM coordination for Secure Boot: The Secure Boot CA replacement effort requires OEM firmware cooperation for many devices. Organizations that delay planning risk last‑minute complications in mid‑2026 when the first certificates enter expiry. Put Secure Boot remediation on your calendar now.
• Rollback complexity: Combined SSU+LCU packaging simplifies successful installs but increases rollback complexity; don’t assume you can easily uninstall updates with standard wusa tools. Use DISM /get‑packages and /remove‑package where required and test the removal path in non‑production first.
• Preview nature: As an optional preview, KB5064080 is not mandatory. Install it in test rings first; do not skip backups. The preview channel is where Microsoft expects to catch any last‑minute regressions before broad release.

---

Quick reference — how to get KB5064080​

• Via Settings → Windows Update: Check for updates and look in “Optional updates available” for the Release Preview package.
• Windows Update for Business: The next security update for Windows Update for Business will include these changes as part of the Microsoft Update Catalog: Standalone packages are available for manual download and offline deployment.
• WSUS: Import manually from the Update Catalog if you manage updates via WSUS.

If you must remove only the LCU portion after installing the combined SSU+LCU package, use DISM /online /get‑packaCU package name, then run DISM /online /remove‑package /PackageName:<LCU‑PackageName>. Do not rely on wusa.exe /uninstall on the combined package because it will not remove the embedded SSU.

---

Bottom line — recommended next steonment today for impacted vectors: ReFS with dedupe/compression, heavy SharePoint‑in‑File‑Explorer usage, RDS camera users, devices using removable storage policies, and fleetfety flows.​

• Add Secure Boot CA remediation to your 2025/2026 firmware update calendar. Inventory OEM firmware readiness now and engage vendors fomelines.
• Run KB5064080 in a pilot ring, validate the scenarios listed above, and escalate issues to Microry or reset flows behave unexpectedly — particularly because this month’s cycle hasd OOB fixes earlier in August.
• If you plan to adopt Windows Backup for Organizations, test full backup and restore workflows end‑to‑end on representative hardware and ensure tenant and Intune prerequisites are met before relying on it for mass reprovisioning.

---

Conclusion​

KB5064080 is a focused Release Preview updte reliability problems across device management, file systems, networking, input/IME, and accessibility — and it surfaces a potentially important enterprise capability in Windows Backup for Organizations. For most IT organizations the prudent path is clear: inventory, py flows, and coordinate firmware/OEM work for the Secure Boot certificate program well ahead of the June 2026 expirations. The combined SSU+LCU packaging reduces instalut increases the need for careful pre‑deployment testing because rollback options are more constrained. Applied thoughtfully, this preview will reduce day‑to‑day incidents and smooth management workflows; applied without testing, it risks the very operational disruption that cautious administrators work to avoid.

---

Source: Microsoft - Message Center August 26, 2025—KB5064080 (OS Build 22621.5840) Preview - Microsoft Support