Microsoft has published its August 2025 non-security preview update for Windows 11 version 23H2 — KB5064080 (OS Build 22621.5840) — and it brings the long-awaited general availability of Windows Backup for Organizations along with a collection of quality fixes spanning Copilot reliability, device management, Family Safety behavior, File Explorer, ReFS, input/IME behavior, network reconnection, and Remote Desktop camera handling. The release is an optional C (preview) update aimed at bringing improvements and new features to early adopters and enterprise testers; administrators should treat it as a staging candidate rather than a mandatory security rollout.

Background / Overview

Microsoft’s August 26, 2025 preview release (KB5064080) is a non-security update packaged as the monthly “C” release. These preview updates are distributed as optional quality improvements and new features for testing before they are included in the monthly security rollups. The package for Windows 11, version 23H2, is listed with OS build 22621.5840 (with parallel build variants appearing for certain channel and SKU combinations), and the update bundle also includes a servicing stack update to ensure reliable installation.
This release is notable primarily because it promotes Windows Backup for Organizations from preview to general availability for enterprise environments. The feature is intended to streamline device transitions, reduce end-user downtime after refresh or reimage, and provide an enterprise-managed restore path for user settings and Microsoft Store apps under Microsoft Entra and Intune management.
At the same time, the broader August 2025 update window has been active: Microsoft also shipped security updates earlier in August with their own fixes (and reported issues in some environments), so organizations should coordinate testing of preview and security releases to avoid unexpected interactions.

What’s in KB5064080 (Quick summary)

  • Windows Backup for Organizations: Now generally available; enables enterprise-grade backup and restore of user settings and Microsoft Store app lists for Microsoft Entra joined/hybrid devices when enabled via Microsoft Intune.
  • Copilot key: Reliability improvements and a fix for scenarios that prevented restarting Copilot after using the Copilot hardware key.
  • Device management: Fix to the removable storage policy that previously failed to block external devices such as USB flash drives and memory sticks.
  • Family Safety: Restores the expected “Ask to Use” approval prompt when blocked apps are opened under Family Safety policies.
  • File Explorer: Fixes for unexpected single-folder views and performance regressions when syncing many SharePoint sites to File Explorer.
  • File sharing (SMB over QUIC): Reduced unexpected delays when accessing files on an SMB share delivered over QUIC.
  • File system (ReFS): Fix addressing system hangs when enabling deduplication and compression simultaneously on ReFS volumes.
  • Input and IME: Fixes for extended Unicode characters (important for GB18030-2022 compliance) and Chinese (Simplified) IME issues where some characters appeared as empty boxes.
  • Narrator: Corrected a spoken label issue for facial recognition protection settings.
  • Networking: Fix for Wi-Fi not reconnecting automatically after a Group Policy update.
  • Remote Desktop: Cameras added or removed during a session now appear correctly in RDS environments.
  • Servicing stack update: Included SSU to improve update reliability (packaged as KB5064743 in the combined release).

Windows Backup for Organizations — Deep dive

What it does and what’s new

Windows Backup for Organizations is a native backup and restore capability designed for enterprise device lifecycle scenarios: device refresh, reimage, and migration to modern Windows builds. It captures user-specific settings and the list of Microsoft Store apps so that, during device enrollment, IT can restore a familiar user environment to a Microsoft Entra-joined device.
Microsoft positions the feature as a way to reduce remediation time after resets, accelerate mass migrations to Windows 11, and minimize time lost to manual configuration. Those are meaningful outcomes for large-scale deployments, but they reflect vendor guidance and should be validated in real-world pilot projects.

Requirements and limitations

  • Devices must be Microsoft Entra joined or hybrid joined.
  • Supported OS versions include Windows 10 (22H2) and Windows 11 (22H2 and later); specific minimum build requirements apply for reliable restore during OOBE.
  • Windows Backup for Organizations requires configuration and enablement through Microsoft Intune (the restore setting is tenant-wide).
  • Backups leverage the user’s Microsoft Entra account for authentication, so Conditional Access and Intune-related policies can impact restore behavior.
  • Win32 desktop apps (traditional MSI/EXE apps) are not backed up by this service; the feature primarily handles settings and Microsoft Store app lists.
  • Because restore flows require the same Entra account used for backup, cross-account restores are not supported.
These nuances make the feature most valuable to organizations already invested in Entra/Intune management models. Organizations using AD-joined, unmanaged, or local-account devices will not be able to benefit immediately from the tenant-wide restore option.

Administrative controls and deployment

  • Enablement is performed from the Intune admin center under Devices > Enrollment > Windows > Enrollment options; the restore toggle is tenant-wide.
  • Administrators must ensure Conditional Access policies and token acquisition flows do not block Intune from obtaining tokens necessary for restore operations.
  • For seamless OOBE restores, devices should be preprovisioned with the appropriate base OS build or the Intune Enrollment Status Page must be configured to install quality updates during enrollment.
  • The feature includes auditing and telemetry hooks that can be used to log backup and restore events — useful for compliance and incident timelines.

Risks, trade-offs and caveats

  • The restore functionality depends on cloud identity and Intune; outages or misconfigured Conditional Access rules can block restores.
  • The native backup does not replace full image-level or third-party backup strategies when system-level data, local Win32 applications, or specialty drivers must be preserved.
  • The tenant-wide restore toggle can be blunt if you need targeted rollout; plan pilot groups and use device configuration and enrollment timing to control exposure.

Notable fixes and why they matter

Copilot key reliability

The update improves the reliability of the Copilot hardware key and fixes an issue where Copilot could not be restarted immediately after use. For devices with a Copilot-dedicated key (hardware OEM-provided), this reduces friction for workflows that expect instant re-invocation of the assistant.
Practical impact: fewer user support tickets for stuck Copilot states and smoother keyboard-driven AI interactions.

Removable storage policy enforcement

Earlier behavior where the removable storage policy could fail to block USB flash drives and other external devices has been corrected. This fix is important for organizations enforcing data loss prevention (DLP) and removable-media policies.
Practical impact: better alignment between policy intent and device behavior — but policy testing is still required for mixed-vendor endpoints and third-party USB drivers.

Family Safety “Ask to Use” prompt

Family Safety’s approval prompt now appears as expected when a blocked app is launched, restoring the intended parent/guardian control flow. This is significant for managed family devices and organizational devices configured with family or kiosk-like restrictions.

File Explorer behavior and SharePoint sync

Two quality fixes reduce confusing single-folder views in File Explorer and improve performance when a large number of SharePoint sites are synced. Users who rely on SharePoint integration will likely see smoother navigation and faster context menu responses.

ReFS deduplication + compression hang fix

ReFS environments that combine deduplication and compression could occasionally cause the system to stop responding. The patch addresses that scenario, which is particularly relevant to server workloads and specialized storage hosts using Resilient File System.

SMB over QUIC file access latencies

Fixes target unexpected delays accessing SMB shares over QUIC; organizations adopting SMB over QUIC for secure file access across WAN connections should test performance improvements and examine interplay with network appliances.

Input, IME, and GB18030-2022 compliance

Addressing extended Unicode display issues and IME behavior helps organizations with multilingual or regulatory compliance needs, especially those operating in regions requiring GB18030-2022 character support.

Remote Desktop camera enumeration

Cameras added or removed during a remote session now appear correctly. That fix benefits RDS and virtual desktop infrastructures where peripheral hot-plugging is common.

Servicing stack and installation notes

KB5064080 bundles a servicing stack update (SSU) to improve update reliability. Because the SSU and LCU ship as one combined package, the standard WUSA uninstall switch cannot remove the servicing stack once it is applied; the LCU can be removed only via DISM, using its package name. Administrators should:
  • Review SSU and LCU behavior in lab environments before broad deployment.
  • Catalog the package name with DISM /online /get-packages if you may need to remove the LCU component.
  • Use controlled pilot rings and monitoring in enterprise update channels (Windows Update for Business, WSUS, or Microsoft Endpoint Configuration Manager) rather than immediate broad deployment.
Also note the Microsoft guidance that some organizational updates require use of EKB/known KBs to move devices to Windows 11, version 23H2 — follow the documented prerequisites before mass upgrades.

How to get KB5064080 (practical steps)

  • For consumer and small business devices: Open Settings > Windows Update > Check for updates. Look for the Optional updates available area or the preview update listing; the preview update will appear as an optional (C) release.
  • To receive the update faster: Settings > Windows Update > Turn on Get the latest updates as soon as they’re available (useful for users enrolled in Release Preview channel behavior).
  • For enterprise deployment:
    • Use Windows Update for Business policies to stage optional updates to pilot groups.
    • Use WSUS or Microsoft Endpoint Configuration Manager to test and approve the update before broader rollout.
    • If you use Intune, control pilot ring assignments and Enrollment Status Page settings for OOBE restore scenarios.
If you need to remove the newly installed LCU after installing a combined SSU+LCU package, use DISM's Remove-Package option with the LCU package name (listed by DISM /online /get-packages). Running wusa.exe with /uninstall on the combined package will not remove the SSU.
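As an added example (not code from Microsoft or from the original post), the PowerShell below picks the LCU package identity out of DISM /online /get-packages output and prints the matching removal command for a rollback runbook. The sample listing is constructed, and the Package_for_RollupFix identity prefix, the version-suffix match and the function name Get-LcuPackage are assumptions of this example.

```powershell
# Added example. $sample is CONSTRUCTED text laid out like the output of
# `DISM /online /get-packages`; its package versions are illustrative only.
$sample = @'
Package Identity : Package_for_RollupFix~31bf3856ad364e35~amd64~~22621.5000.1.1
State : Superseded
Release Type : Update
Install Time : 8/13/2025 9:41 AM

Package Identity : Package_for_RollupFix~31bf3856ad364e35~amd64~~22621.5840.1.10
State : Installed
Release Type : Update
Install Time : 8/27/2025 3:12 PM

Package Identity : Package_for_ServicingStack_5840~31bf3856ad364e35~amd64~~22621.5840.1.1
State : Installed
Release Type : Update
Install Time : 8/27/2025 3:10 PM
'@

function Get-LcuPackage {
    param(
        [Parameter(Mandatory)][string]$DismText,
        [Parameter(Mandatory)][string]$Build   # OS build, e.g. '22621.5840'
    )
    $packages = [System.Collections.Generic.List[object]]::new()
    $last = $null
    foreach ($line in ($DismText -split '\r?\n')) {
        if ($line -match '^\s*Package Identity\s*:\s*(\S+)') {
            # A new record starts at each "Package Identity" line.
            $last = [pscustomobject]@{ Identity = $Matches[1]; State = '' }
            $packages.Add($last)
        } elseif ($last -and $line -match '^\s*State\s*:\s*(\S.*?)\s*$') {
            $last.State = $Matches[1]
        }
    }
    # Assumption: the LCU is listed as Package_for_RollupFix. The prefix test
    # matters because the SSU entry can carry the same build number.
    $packages | Where-Object {
        $_.Identity -like 'Package_for_RollupFix~*' -and
        $_.Identity -like "*~~$Build.*" -and
        $_.State -eq 'Installed'
    }
}

# On a device, replace $sample with: (DISM /online /get-packages | Out-String)
$lcu = @(Get-LcuPackage -DismText $sample -Build '22621.5840')
if ($lcu.Count -ne 1) {
    throw "Expected exactly one installed LCU for this build, found $($lcu.Count)."
}
# Print the command for review and for the runbook; it is not executed here.
"DISM /online /Remove-Package /PackageName:$($lcu[0].Identity)"
```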

Risks and compatibility considerations — read before you deploy

  • Preview updates are optional: As this is a non-security preview (C release), treat it as an early access/test candidate. It is not required for security; do not auto-deploy to production without validation.
  • Interplay with August security patches: The broader August 2025 update window included security releases and reported issues in some environments that affected recovery tools and storage under heavy load. Because of those separate security update problems, take extra caution — test recovery and reset flows after you apply both preview and security rollups.
  • Back up your backups: Although this update makes Windows Backup for Organizations generally available, do not rely on it as the sole protection during pilot testing. Keep image-level backups and verify restore procedures before decommissioning other protections.
  • Conditional Access and Intune dependencies: Restore flows hinge on cloud identity tokens. Any Conditional Access policy that interferes with Intune’s token acquisition can break restore. Review Conditional Access exclusions and token issuance carefully before enabling tenant-wide restores.
  • Peripheral and third-party driver interactions: Device policy and removable-media enforcement fixes presume consistent driver behavior. Legacy or third-party security tooling can interfere; validate policies on representative hardware.
  • ReFS server workloads: The ReFS deduplication/compression fix is important, but large storage deployments should validate dedupe/compression combinations in staging to avoid surprises.

Recommended rollout plan for enterprise IT

  • Inventory & prerequisites
    • Identify Entra-joined and Intune-managed devices that will use Windows Backup for Organizations.
    • Confirm baseline builds (per restore OOBE requirements) and ensure Windows updates necessary for restore flows are in place.
  • Lab validation
    • Install the KB in a lab that matches enterprise configurations: Hybrid join, Conditional Access policies, and Intune enrollment flows.
    • Validate backup/restore end-to-end, OOBE flows, and token acquisition under your Conditional Access rules.
  • Pilot ring
    • Release to a small pilot group (e.g., 5–10% of devices) that represents typical hardware and use cases.
    • Monitor telemetry, user feedback, and any deployment blocks for at least one or two business cycles.
  • Scale with staged approvals
    • Incrementally increase exposure using Windows Update for Business deferral policies or WSUS approvals.
    • Maintain rollback plans and ensure DISM package names are documented in case an LCU removal is required.
  • Communicate
    • Notify helpdesk and end users about the availability and behavior changes (e.g., Copilot key behavior, Family Safety changes).
    • Provide a small runbook for restoring backups and verifying success.
  • Post-deployment verification
    • Confirm critical recovery scenarios (Reset this PC, recovery media, offline images) still operate as expected given the wider August patch set.
    • Validate backups are auditable and restore operations are logged for compliance.

Strengths and potential pitfalls — critical analysis

Strengths

  • Tight Intune/Entra integration: Native restore flows that respect tenant controls and Conditional Access are valuable for modern managed fleets.
  • Focus on user-state recovery: Restoring settings and Microsoft Store app lists accelerates user productivity after device refreshes.
  • Broad quality fixes: The update addresses a range of small but meaningful issues (Copilot, File Explorer, ReFS, IME) that improve day-to-day UX and enterprise manageability.
  • Servicing stack improvements: Bundled SSU helps ensure subsequent updates install reliably.

Potential pitfalls and caveats

  • Not a full system backup replacement: Windows Backup for Organizations is not a drop-in substitute for full image-based backup, third-party backup solutions, or enterprise backup appliances that handle system images, device drivers, or Win32 applications.
  • Restore dependency on cloud identity: Organizations with strict Conditional Access may inadvertently prevent restores unless policies are tuned for restore scenarios.
  • Preview vs security updates: Because KB5064080 is an optional preview, mixing it with security-only production updates requires careful testing. The presence of reported issues with some August security patches escalates that need.
  • Device and policy diversity: Heterogeneous fleets (OEM-specific Copilot keys, legacy USB controllers, custom IME solutions) may show variance; significant pilot testing is required.
Flag: Marketing phrases such as “sustain productivity with minimal disruption” derive from vendor messaging. They describe intended outcomes but are not independent measurements of real-world improvement. Evaluate them empirically within your environment before accepting them as true.

Quick checklist before you press “Install”

  • Verify device is Entra joined / hybrid and managed by Intune if you want to use backup & restore.
  • Confirm prerequisites for OOBE restore (base OS build thresholds or ensure Enrollment Status Page installs the latest quality updates).
  • Archive a full system image for critical endpoints before applying preview updates.
  • Validate Conditional Access policies allow Intune to acquire tokens necessary for restore operations.
  • Run a pilot on representative hardware and test:
    • Backup creation
    • Restore during OOBE
    • Recovery/Reset flows (Reset this PC)
    • Removable storage policy enforcement
    • File Explorer/SharePoint sync performance
    • SMB over QUIC latency profile
  • Document DISM package names and rollback commands ahead of time.

Conclusion

KB5064080 (OS Build 22621.5840) represents a significant step for managed Windows deployments — chiefly because Windows Backup for Organizations moves into general availability and provides a native, Intune-driven path to preserve user settings and Store app lists during device refreshes or OS migrations. The additional quality fixes improve everyday behavior for Copilot, removable storage policy enforcement, Family Safety, File Explorer, ReFS, IME support, networking, and Remote Desktop.
However, this is a non-security preview release: treat it as a staged candidate. Validate the feature in a controlled pilot, confirm interplay with existing security updates and recovery procedures, and don’t consider this a replacement for full-image backup strategies. For organizations, the right approach is cautious adoption: validate, test, and scale. For individuals and small businesses, the update is safe to try but keep local backups and know how to roll back LCU packages if necessary.
For administrators preparing for large-scale migrations and modern management, Windows Backup for Organizations is worth adding to your toolkit — after you’ve validated that it fits your identity, compliance, and restore expectations.

Source: The Tech Outlook, “Microsoft Releases its August 2025 Non-Security Preview Update for Windows 11 Version 23H2: Now Available to Users”