Microsoft released an optional non-security preview update for Windows 11 version 23H2 on August 26, 2025, packing a new enterprise backup capability and a stark reminder about expiring Secure Boot certificates. KB5064080, distributed through the Release Preview channel, targets IT administrators with a mix of reliability fixes and a service-driven backup tool while signaling that time is running out to address Secure Boot trust anchors set to expire in mid-2026.

This update arrives as a combined package—a Latest Cumulative Update (LCU) bundled with a Servicing Stack Update (SSU) under KB5064743. That bundling improves installation reliability but complicates rollback because the SSU cannot be removed independently. For IT teams, the message is twofold: validate these fixes in controlled rings now, and start inventorying firmware for the inevitable Secure Boot refresh.

What KB5064080 fixes

The preview tackles a range of pain points across the OS, many of which directly affect managed fleets:

  • Hardware and accessibility: The Copilot hardware key reliability is improved; a bug preventing Copilot restart after key use is squashed. Narrator now correctly announces the “Enhance Facial Recognition Protection” control in Windows Hello. Input and IME issues—including incorrect rendering of rare Chinese characters and problems in the Simplified Chinese IME—are resolved, aligning with GB18030-2022 requirements.
  • File system and networking: A race condition when using deduplication and compression simultaneously on ReFS volumes could hang the system; that is patched. File Explorer no longer shows only a single folder (like Desktop) unexpectedly, and performance degradation when syncing many SharePoint libraries is addressed. SMB over QUIC latency is reduced, and Wi‑Fi reconnection after Group Policy updates now works reliably.
  • Management and policy: The removable storage policy correctly blocks USB flash drives and other external devices in managed environments, closing a data exfiltration gap. Remote Desktop sessions now detect newly attached cameras without requiring a reconnect. Family Safety’s “Ask to Use” approval prompt is restored for blocked apps. Cellular connectivity profiles (COSA) are refreshed for mobile operators.

These changes are not flashy, but they reduce helpdesk tickets and compliance risks in day-to-day operations.

Windows Backup for Organizations: A new enterprise lifeline

The most prominent new capability in this release is Windows Backup for Organizations. Pitched as an enterprise-grade backup and restore flow, it aims to smooth device transitions, upgrades to Windows 11, and hardware refresh scenarios while preserving user productivity. Microsoft’s Release Preview notes describe it as generally available, but admins should independently verify tenant availability and check admin portals for full documentation. Prerequisites likely include Intune enrollment and appropriate Azure AD (Entra ID) licensing.

If the feature works as advertised, it could dramatically shorten reprovisioning times after hardware refresh or OS migration. IT teams should run end-to-end backup and restore tests on representative hardware before betting on it for mass deployment.

The ticking clock: Secure Boot certificate expiration

The update also reiterates an urgent operational concern: Microsoft’s 2011 CA certificates that underpin Secure Boot on most Windows devices will begin expiring in June 2026, with more expirations later that year. Devices that don’t receive the newer 2023 CA chain risk Secure Boot trust failures or loss of pre-boot security updates.

This is not a simple Windows Update problem. Secure Boot trust anchors live in firmware (UEFI NVRAM) and require cooperation from OEMs to persist the new KEK/DB entries. Many devices will need a coordinated firmware update; others can accept OS‑level variable updates. Air‑gapped or telemetry‑blocked systems are especially vulnerable because they may miss automatic certificate updates.

Microsoft urges administrators to:
  • Inventory devices by OEM, model, and firmware version, recording Secure Boot variable state.
  • Engage OEMs now to confirm which devices will receive firmware updates.
  • Validate the certificate update pathway on a small pilot before broad rollout.
  • For air‑gapped fleets, prepare a documented manual provisioning workflow and test it on representative hardware.
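
One way to capture the inventory record described in the first item, as an added example that is not from Microsoft's notes or the original article. The certificate names are Microsoft's published names for the 2011 and 2023 Secure Boot certificates rather than values from this page, and the text match against the variable contents is a presence heuristic, not a full parse of the signature list.

```powershell
# Added example: one Secure Boot inventory record per device.
# Run elevated; Get-SecureBootUEFI and Confirm-SecureBootUEFI need UEFI firmware.

function Test-SecureBootCert {
    param([string]$Variable, [string]$CertName)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
        # Heuristic: the certificate subject appears as ASCII text inside the
        # variable's signature list. Presence check only, not a full parse.
        [Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($CertName)
    } catch {
        $null   # variable unreadable: legacy BIOS, not elevated, or unset
    }
}

# $null here means "could not determine" (for example, a non-UEFI system).
$secureBootOn = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS

$record = [pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    Manufacturer    = $cs.Manufacturer
    Model           = $cs.Model
    FirmwareVersion = $bios.SMBIOSBIOSVersion
    FirmwareDate    = $bios.ReleaseDate
    SecureBootOn    = $secureBootOn
    KEK_2011        = Test-SecureBootCert KEK 'Microsoft Corporation KEK CA 2011'
    KEK_2023        = Test-SecureBootCert KEK 'Microsoft Corporation KEK 2K CA 2023'
    DB_PCA_2011     = Test-SecureBootCert db  'Microsoft Windows Production PCA 2011'
    DB_UEFI_2023    = Test-SecureBootCert db  'Windows UEFI CA 2023'
}

# Unknown ($null) counts as needing follow-up, so unreadable devices are not
# silently treated as compliant.
$needsUpdate = -not ($record.KEK_2023 -and $record.DB_UEFI_2023)
$record | Add-Member -NotePropertyName NeedsUpdate -NotePropertyValue $needsUpdate -PassThru
```

Piping the output to Export-Csv on each device and merging the files gives the OEM/model/firmware view needed for the vendor conversations; on air‑gapped systems the same script can be run from removable media.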

The clock is loud: mid‑2026 is less than two years away, and OEM firmware timelines are notoriously slow.

How to deploy KB5064080 safely

Because KB5064080 is a preview, installation is optional. Microsoft intends it for validation before next month’s mandatory security update. A phased approach is prudent:

  1. Inventory: Identify Windows 11 23H2 systems, their build numbers (22621 vs 22631), and whether they use ReFS, heavy SharePoint sync, Remote Desktop Services, or removable storage policies.
  2. Pilot ring: Create a cohort that includes devices with ReFS+dedupe/compression, heavy SharePoint sync users, RDS/VDI hosts, Family Safety‑managed devices, and systems subject to removable storage policies.
  3. Test scenarios: Validate File Explorer performance, ReFS stability under realistic workloads, removable storage policy enforcement, remote camera detection mid‑session, SMB over QUIC latency, extended Unicode glyph rendering, and Narrator announcements.
  4. Backup plan: Take full system backups or snapshots before deploying. If you need to remove the LCU after installing the combined SSU+LCU package, use DISM /online /get-packages to find the LCU package name, then DISM /online /remove-package /PackageName:<LCU-PackageName>. Do not rely on wusa.exe /uninstall—it cannot remove the embedded SSU.
  5. Staged rollout: Expand from pilot to broader internal validation, then to production in waves, monitoring helpdesk tickets closely.
  6. Communicate: Notify helpdesk teams about the specific fixes so they can triage reports of previously known issues.
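
Steps 1 and 4 can be prepared in one pass per pilot device, shown here as an added example that is not part of the original article. It assumes an elevated session and relies on the fact that cumulative updates are listed in the component store as Package_for_RollupFix packages; the removal command it builds is the DISM form quoted in step 4.

```powershell
# Added example: pilot-ring inventory plus LCU lookup. Run elevated.

$cv   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$refs = @(Get-Volume | Where-Object FileSystemType -eq 'ReFS')

# The LCU is the newest installed Package_for_RollupFix entry. The SSU from the
# combined package is a separate entry and stays installed after LCU removal.
$lcu = Get-WindowsPackage -Online |
    Where-Object { $_.PackageName -like 'Package_for_RollupFix*' -and
                   $_.PackageState -eq 'Installed' } |
    Sort-Object InstallTime -Descending |
    Select-Object -First 1

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    DisplayVersion  = $cv.DisplayVersion
    # 22621.x or 22631.x, matching the two build families named in step 1
    Build           = "$($cv.CurrentBuildNumber).$($cv.UBR)"
    ReFSVolumes     = ($refs.DriveLetter -join ',')
    LatestLCU       = $lcu.PackageName
    LcuInstallTime  = $lcu.InstallTime
    # Recorded now so the rollback command is on file before it is needed.
    RollbackCommand = if ($lcu) {
        "DISM /online /remove-package /PackageName:$($lcu.PackageName)"
    }
}
```

Run it once before installing the preview and once after: the second run's RollbackCommand is the one that removes the KB5064080 LCU.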

Special risks and caveats

Several factors make this update trickier than a typical preview:

  • Unverified GA for Windows Backup: The Release Preview note touts general availability, but independent confirmation is lacking. Treat the backup feature as conditionally available until you see it in your tenant.
  • Firmware coordination for Secure Boot: The looming certificate expiration is not solved by this update alone. It requires OEM engagement, and planning should start now—not in 2026.
  • Combined SSU+LCU rollback complexity: The non‑removable SSU means a full uninstall isn’t possible. If your environment depends on rapid rollback as a safety net, you must adjust your disaster recovery procedures.
  • Preview nature: This is not a security update; regressions can still appear. Install it in test rings first, and never skip backups.
  • Earlier August OOB incident: Earlier in August, Microsoft issued emergency out‑of‑band updates to fix reset/recovery and RemoteWipe failures. That incident underscores the need to explicitly test recovery flows after applying any cumulative update.

The bottom line

KB5064080 is a focused, IT‑centric update that mends several nagging reliability gaps and introduces a potentially transformative backup tool. For most organizations, the roadmap is clear: inventory affected workloads, pilot the update thoroughly, and start the Secure Boot certificate remediation conversation with OEMs today. The combined SSU+LCU packaging makes installation smoother but demands careful pre‑deployment testing and a solid rollback plan. Applied thoughtfully, this preview will reduce incidents and smooth management workflows; applied hastily, it risks the very disruption IT pros work to avoid.