Microsoft’s August preview updates quietly deliver a major new enterprise capability: Windows Backup for Organizations has been promoted into Release Preview and is being positioned as the supported, tenant‑gated path for backing up and restoring user settings and Microsoft Store app lists in managed environments — while Microsoft also ships targeted reliability fixes for File Explorer, SMB over QUIC, ReFS, Family Safety, and device management policies in KB5064080 (Windows 11) and KB5063842 (Windows 10). (support.microsoft.com) (blogs.windows.com)

Background / Overview

Microsoft released non‑security preview updates in late August 2025 that blend traditional quality fixes with a strategically important enterprise feature set. The Windows 11 preview carries the KB number KB5064080 and raises the OS build to 22621.5840; the Windows 10 update, released to the Release Preview Channel, is published as KB5063842 (Build 19045.6276). These are Release Preview / optional (C‑channel) updates intended for testing and validation prior to inclusion in a cumulative security rollup. (support.microsoft.com, blogs.windows.com)
The standout for IT is the formal listing of Windows Backup for Organizations as available in the Release Preview notes and associated Intune guidance — a first‑party restore flow aimed specifically at device reprovisioning, refreshes, and migrations from Windows 10 to Windows 11. Microsoft’s messaging describes it as a way to reduce troubleshooting and speed time‑to‑productivity by restoring settings and selected Microsoft Store app lists during enrollment. At the same time, administrators should treat these preview updates as test candidates, not immediate production drops; pilot validation remains essential. (techcommunity.microsoft.com, support.microsoft.com)

What Microsoft shipped in these previews

KB5064080 (Windows 11, Release Preview)

  • Identified as August 26, 2025 — KB5064080, raising builds to OS Build 22621.5840. The package includes a bundled servicing stack update (SSU) to improve install reliability. (support.microsoft.com)
  • Major changelog highlights:
    • Windows Backup for Organizations noted as "New! Generally available" in the release notes (tenant opt‑in required).
    • Reliability fixes: Copilot key behavior, Family Safety prompt, removable storage policy enforcement, File Explorer single‑folder view and performance when many SharePoint sites are mounted.
    • Networking and storage fixes: Reduced SMB over QUIC delays; ReFS hang mitigation when deduplication + compression are both enabled.
    • Input and accessibility fixes: Extended Unicode/IME issues and Narrator corrections.
  • Packaging notes: Combined SSU + LCU means SSU is persistent once installed; removing the LCU requires DISM removal with the package name. (support.microsoft.com)

KB5063842 (Windows 10 22H2, Release Preview)

  • Released to the Release Preview Channel (Build 19045.6276). Microsoft describes this as the final preview release pathway for Windows 10 22H2, with security servicing continuing under scheduled channels until formal end‑of‑service milestones. The update contains similar targeted fixes (IME, Narrator, RDS camera enumeration, mobile operator profile updates, removable storage policy), and it introduces a licensing control for certain keyless Commercial ESU scenarios. (blogs.windows.com, support.microsoft.com)

Deep dive: Windows Backup for Organizations — scope, prerequisites, limits

What it does (and what it doesn’t)

  • Windows Backup for Organizations backs up a curated set of Windows settings and the list of Microsoft Store apps tied to a Microsoft Entra identity. It’s designed to:
    • Restore personalization and device settings during Autopilot/OOBE or enrollment flows.
    • Speed up mass device refresh and migrations by reapplying environment state rather than rebuilding devices manually. (techcommunity.microsoft.com, learn.microsoft.com)
  • Important boundary conditions:
    • The service does not back up installed Win32 apps, user file data, or serve as a replacement for full‑image or data backup solutions. Treat it as configuration and environment state restore, not as a substitute for enterprise backup products. (learn.microsoft.com)

Supported platforms and minimum build numbers

Microsoft’s Intune documentation and TechCommunity guidance define specific minimum builds for reliable operation:
  • Supported for Windows 10 and Windows 11, with minimum builds for backup and restore operations spelled out in Intune documentation. The documented minimums include:
    • Windows 10, version 22H2: build 19045.5917 or later for backup functionality.
    • Windows 11, version 22H2: build 22621.5413 or later (with restore requiring Windows 11 22H2 or newer during OOBE).
    • Windows 11 23H2 and 24H2 minimum builds are also specified for restore during OOBE. (learn.microsoft.com, techcommunity.microsoft.com)

Enrollment, tenant enablement and admin roles

  • The restore flow is tenant‑wide and opt‑in: an Intune service administrator or Global Administrator must enable the restore page for the tenant via the Intune admin center (Devices → Enrollment → Windows → Enrollment options → Windows Backup and Restore). Users can only restore if their device is Microsoft Entra joined and they sign in with the same Entra account that created the backup. (learn.microsoft.com, techcommunity.microsoft.com)
  • Autopilot note: For OOBE restores, Autopilot profiles must be user‑driven (not self‑deploying) to present the restore page correctly. If enrolled devices are older than required baseline builds, Intune’s Enrollment Status Page can be configured to install quality updates during OOBE to meet prerequisites. (techcommunity.microsoft.com)
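
The build and Entra‑join prerequisites above can be checked locally on a pilot device. The following PowerShell is an added example, not Microsoft tooling or code from the cited documentation; the function names are hypothetical, and only the two minimum builds stated in this article are encoded, so other Windows versions are reported as not listed rather than guessed.

```powershell
# Added example: local prerequisite check for Windows Backup for Organizations.
# Minimum revisions are the two quoted in this article; nothing else is assumed.
$MinimumRevision = @{
    19045 = 5917   # Windows 10 22H2 (backup)
    22621 = 5413   # Windows 11 22H2
}

function Test-BackupBuild {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Revision
    )
    if (-not $MinimumRevision.ContainsKey($Build)) {
        return 'NotListed'   # e.g. 23H2/24H2: take the minimum from the Intune docs
    }
    if ($Revision -ge $MinimumRevision[$Build]) { 'Meets' } else { 'Below' }
}

function Test-EntraJoined {
    # dsregcmd /status prints "AzureAdJoined : YES" on Entra-joined devices.
    param([string[]]$StatusText = (dsregcmd.exe /status))
    [bool]($StatusText -match '^\s*AzureAdJoined\s*:\s*YES\s*$')
}

# CurrentBuild and UBR together form the build string shown by winver (e.g. 22621.5840).
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    OSBuild     = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
    BuildStatus = Test-BackupBuild -Build ([int]$cv.CurrentBuild) -Revision ([int]$cv.UBR)
    EntraJoined = Test-EntraJoined
}
```

A device is a restore candidate only when `BuildStatus` is `Meets` and `EntraJoined` is `True`; the tenant‑side restore toggle still has to be confirmed in the Intune admin center.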

Data residency, governance and compliance considerations

  • Backups are stored in Microsoft cloud services tied to the organizational tenant and Entra identity. Organizations must verify whether the service meets their data residency, retention, encryption, and compliance requirements before adopting it at scale.
  • Conditional Access and MFA policies that govern sign‑in and device compliance can affect backup/restore flows. Add the Microsoft Activity Feed Service and other necessary endpoints to Conditional Access allowlists as recommended. (learn.microsoft.com, techcommunity.microsoft.com)

Verification and caution

  • Microsoft’s Release Preview notes label Windows Backup for Organizations as “generally available” in the preview build, but practical availability is tenant‑gated and requires Intune configuration and Entra join compliance. Administrators must verify that the setting appears in their tenant and perform test backup → restore cycles in a lab tenant before trusting the service for production device refreshes. This phrasing and rollout model are echoed in Microsoft’s TechCommunity guidance and the Intune docs; treat the Release Preview blog note as an official signal rather than a guarantee that every tenant will see immediate GA behavior. (techcommunity.microsoft.com, learn.microsoft.com)

Why this matters to IT teams — benefits and operational impact

  • Reduced mean time to productivity (MTTP): Restoring settings and the Start menu Microsoft Store app list during enrollment reduces the manual configuration burden on help desks and reduces end‑user downtime after reprovisioning.
  • Consistent reprovisioning at scale: For large fleets undergoing Windows 10 → Windows 11 migrations, a cloud‑managed settings restore is an operational time‑saver that complements Autopilot and image management strategies.
  • Better control over policy and compliance: The restore flow is controlled by Intune and tied to Entra identity, which keeps the workflow within the enterprise management plane rather than external consumer services.
  • Complementary, not replacement: Because Win32 applications and user file data are not backed up, this capability is complementary to existing application deployment and data backup tooling. Relying solely on it for full device restoration would be a strategic mistake. (learn.microsoft.com, techcommunity.microsoft.com)

Critical analysis: strengths, risks and unknowns

Strengths

  • Strategic alignment: Microsoft is extending first‑party lifecycle tooling into core provisioning scenarios — an area long dominated by third‑party configuration management and imaging tools. The Intune integration is a clear strength for organizations that have standardized on Microsoft management. (techcommunity.microsoft.com)
  • Targeted reliability fixes: KB5064080 and KB5063842 address several high‑impact operational problems (ReFS hangs under dedupe+compression, removable storage policy enforcement, File Explorer sync performance and single‑folder views) — fixes that reduce common helpdesk tickets. (support.microsoft.com, blogs.windows.com)
  • Servicing stability: Bundling an SSU with the cumulative update improves install success rates and may reduce failed updates in complex environments (at the cost of rollback complexity). (support.microsoft.com)

Risks and caveats

  • Preview volatility: These are Release Preview updates — historically, preview packages can interact unpredictably with third‑party drivers, kernel filters, EDR/AV, and vendor firmware. Err on the side of staged rollouts and pilot rings.
  • Rollback complexity: The combined SSU + LCU package is harder to remove. SSUs are persistent; removing the LCU requires DISM with the correct package name. Maintain golden images and tested rollback playbooks before broad deployment. (support.microsoft.com)
  • Scope and expectations: Windows Backup for Organizations is not a full backup solution. Organizations that misunderstand its scope risk data loss or failed recovery expectations if it’s treated as a file‑level or application backup. (learn.microsoft.com)
  • Tenant gating and gradual rollouts: The “GA” designation in the Release Preview notes does not necessarily mean every tenant will have immediate production access. Verify in the Intune admin center and perform lab validation. (techcommunity.microsoft.com)

Unverifiable or conditional claims (flagged)

  • Some industry coverage and early Release Preview posts called this Windows Backup “GA” in the build notes. That claim is an official Microsoft communication, but the exact tenant‑by‑tenant rollout status (who sees it today in their tenant without configuration) is conditional and must be verified in your tenant. Until you confirm the restore toggle in Intune and successfully complete a backup/restore test, treat the GA claim as operationally conditional.

Recommended rollout and testing checklist for IT teams

  • Pilot selection
    • Choose 1–5% of your fleet that covers:
      • Laptops/desktops with common OEM drivers
      • Devices that mount many SharePoint sites (File Explorer sync tests)
      • Endpoints that use SMB over QUIC
      • Storage hosts running ReFS with dedupe/compression
      • Devices managed by your EDR/AV vendors and other kernel‑mode drivers
  • Prepare the lab tenant
    • Enable the Intune restore toggle in a sandbox tenant.
    • Verify Entra join/hybrid join workflows and Autopilot user‑driven OOBE behavior.
    • Confirm Conditional Access allowlists for required service endpoints (Activity Feed Service etc.). (learn.microsoft.com, techcommunity.microsoft.com)
  • Execute backup → restore cycles
    • Create a backup on representative devices.
    • Reimage or perform an Autopilot OOBE on a test device and perform a restore.
    • Record exactly which settings are restored and which are not; test the Start menu and Store app list restore behavior. (learn.microsoft.com)
  • Test scenario matrix
    • File Explorer: reproduce single‑folder view and SharePoint sync loads.
    • SMB over QUIC: measure access latency and directory listing performance.
    • ReFS: stress dedupe + compression in a controlled cluster to confirm the hang mitigation.
    • Removable storage policy: test enforcement and logging for blocked USB devices.
    • Accessibility and IME: validate Unicode rendering and Narrator changes in localized builds. (support.microsoft.com)
  • Plan rollback and image recovery
    • Keep golden images and confirm DISM uninstall steps for LCUs if necessary (remember SSUs cannot be removed post‑install via wusa.exe). Document exact package names with DISM /online /get-packages. (support.microsoft.com)
  • Monitor and expand
    • Expand rings if telemetry shows no regression for 1–3 weeks.
    • Monitor Windows Update for Business, WSUS, and Microsoft Update Catalog distribution. Track community channels for edge regressions.
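
For the rollback step in the checklist and the combined SSU + LCU caveat under "Risks and caveats", the package name has to be recorded before it is needed. The following PowerShell is an added example, not Microsoft's procedure or code from the KB article; the function names are hypothetical, the sample DISM output is constructed, and it relies on the `Package_for_RollupFix` naming that cumulative updates use in DISM listings.

```powershell
# Added example: parse `DISM /online /get-packages` text and build the LCU removal command.
function ConvertFrom-DismPackageList {
    param([Parameter(Mandatory)][string[]]$Text)
    $current = $null
    foreach ($line in $Text) {
        if ($line -match '^\s*Package Identity\s*:\s*(.+?)\s*$') {
            if ($null -ne $current) { [pscustomobject]$current }   # emit previous record
            $current = [ordered]@{ PackageName = $Matches[1]; State = $null; ReleaseType = $null }
        } elseif ($null -ne $current -and $line -match '^\s*State\s*:\s*(.+?)\s*$') {
            $current.State = $Matches[1]
        } elseif ($null -ne $current -and $line -match '^\s*Release Type\s*:\s*(.+?)\s*$') {
            $current.ReleaseType = $Matches[1]
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

function Get-LcuRemovalCommand {
    param(
        [Parameter(Mandatory)][string[]]$Text,
        [Parameter(Mandatory)][string]$OsBuild    # e.g. '22621.5840'
    )
    # Only the installed LCU for this build is selected; the SSU entry is never matched.
    $lcu = ConvertFrom-DismPackageList -Text $Text |
        Where-Object { $_.State -eq 'Installed' -and
                       $_.PackageName -like "Package_for_RollupFix*~${OsBuild}.*" }
    foreach ($p in $lcu) { "DISM /online /remove-package /packagename:$($p.PackageName)" }
}

# Constructed sample output; the package versions are illustrative, not real identities.
$sample = @'
Package Identity : Package_for_ServicingStack_5839~31bf3856ad364e35~amd64~~22621.5839.1.1
State : Installed
Release Type : Update
Install Time : 8/27/2025 9:14 AM

Package Identity : Package_for_RollupFix~31bf3856ad364e35~amd64~~22621.5840.1.9
State : Installed
Release Type : Security Update
Install Time : 8/27/2025 9:20 AM
'@ -split "`r?`n"

# Prints the command for the runbook; it does not execute the removal.
Get-LcuRemovalCommand -Text $sample -OsBuild '22621.5840'
```

On a pilot device, pass the live listing instead of the sample: `Get-LcuRemovalCommand -Text (DISM /online /get-packages) -OsBuild '22621.5840'`, run from an elevated prompt.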

The Secure Boot certificate timeline and what it means for organizations

Microsoft also cautioned that many Windows devices include Secure Boot certificates that start expiring in June 2026 and that organizations should plan certificate updates now to avoid boot‑time disruptions. The Secure Boot certificate rollout is separate from the preview updates but is an immediate operational planning item — OEM firmware updates and Microsoft’s certificate distribution via Windows Update will be required for a smooth transition. Microsoft recommends letting Microsoft manage certificate updates via Windows Update where possible and coordinating with OEM firmware updates for devices that require vendor action. (techcommunity.microsoft.com, support.microsoft.com)
Action items for Secure Boot:
  • Inventory devices for Secure Boot state and UEFI firmware capability.
  • Coordinate with OEMs to confirm firmware updates are available for your models.
  • Enable Microsoft‑managed Secure Boot updates for managed devices where acceptable, or prepare a validated plan for offline / air‑gapped environments.
  • Test boot policies and certificate updates on a controlled set of machines before scaling. (techcommunity.microsoft.com)
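
The inventory item above can be collected per device with built‑in cmdlets. The following PowerShell is an added example, not part of Microsoft's guidance as quoted here; the function name is hypothetical, and the default certificate name searched for in the Secure Boot `db` variable is an assumption that does not come from this article, so confirm it against Microsoft's Secure Boot certificate documentation before relying on it.

```powershell
# Added example: one inventory record per device for Secure Boot planning.
function Get-SecureBootInventory {
    # Assumption: name of the replacement CA to look for; not stated in this article.
    param([string]$CertificateName = 'Windows UEFI CA 2023')

    $state = 'Unknown'; $hasCert = $null
    try {
        # Returns $true/$false on UEFI systems; throws on legacy BIOS or without elevation.
        $state = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
        # db is the allowed-signature database; search its raw bytes for the CA name.
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $hasCert = [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match
                   [regex]::Escape($CertificateName)
    } catch [System.PlatformNotSupportedException] {
        $state = 'NotUEFI'
    } catch [System.UnauthorizedAccessException] {
        $state = 'NeedsElevation'
    } catch {
        $state = "Error: $($_.Exception.Message)"
    }

    # Firmware details are what the OEM needs to confirm update availability.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Manufacturer    = $cs.Manufacturer
        Model           = $cs.Model
        FirmwareVersion = $bios.SMBIOSBIOSVersion
        FirmwareDate    = $bios.ReleaseDate
        SecureBoot      = $state
        DbHasCert       = $hasCert
    }
}

Get-SecureBootInventory
```

Run it elevated and export the records (for example with `Export-Csv`) so that models reporting `NotUEFI`, `Disabled`, or a missing certificate can be grouped for OEM follow‑up.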

Practical takeaways and final assessment

  • The August 2025 Release Preview updates (KB5064080 for Windows 11 and KB5063842 for Windows 10) are notable for delivering Windows Backup for Organizations into the Release Preview pipeline and for addressing several practical reliability issues that matter to admins and users alike. Administrators should welcome the focused fixes while approaching the preview releases with defined testing discipline. (support.microsoft.com, blogs.windows.com)
  • Windows Backup for Organizations is a meaningful addition to enterprise lifecycle tooling: it reduces reprovisioning overhead and integrates with Intune and Microsoft Entra, but it is deliberately scoped to settings and Store app lists — not a replacement for application and data backup systems. Confirm tenant enablement and run test backup/restore cycles in a lab tenant before trusting the service for production device refreshes. (learn.microsoft.com, techcommunity.microsoft.com)
  • Operationally, plan for:
    • Careful pilot rollouts and monitoring for driver/EDR interactions;
    • Documented rollback procedures for combined SSU+LCU packages;
    • Compliance checks around backup data residency and Conditional Access impacts;
    • A proactive approach to the Secure Boot certificate update cycle to avoid boot disruptions in mid‑2026. (support.microsoft.com, techcommunity.microsoft.com)

Quick reference — essential links and checks for deployment (admin checklist)

  • Confirm KB availability in your update catalog and identify the combined SSU package name for rollback planning. (support.microsoft.com)
  • Validate Intune settings: Devices → Enrollment → Windows → Enrollment options → Windows Backup and Restore (turn this On for tenant restore). (learn.microsoft.com)
  • Verify device prerequisites (Entra join, minimum builds listed in Intune docs) and configure Enrollment Status Page to deliver required quality updates during OOBE if needed. (techcommunity.microsoft.com, learn.microsoft.com)
  • Inventory firmware status for Secure Boot and coordinate OEM firmware updates ahead of June 2026 certificate expirations. (techcommunity.microsoft.com)

Microsoft’s Release Preview notes and Intune documentation together outline a pragmatic path forward: a first‑party, tenant‑managed settings restore flow that fits into existing Autopilot and Intune provisioning patterns, plus a pragmatic set of non‑security fixes that address real operational pain points. The net result is progress toward simpler device refreshes — provided organizations validate prerequisites, test workflows, and maintain existing backup and application deployment controls rather than relying on the new service alone. (techcommunity.microsoft.com, support.microsoft.com)

Source: heise online Windows Update Preview brings Windows backup for organizations