Microsoft’s Release Preview channel just received a pair of updates that blend long-awaited enterprise features with essential reliability fixes. The Windows 11 preview, tracked as KB5064080, bumps the OS to build 22621.5840, while the Windows 10 counterpart, KB5063842, lands at build 19045.6276. Both are optional, non-security “C-channel” updates intended for testing before broader deployment, but the headliner is unmistakable: Windows Backup for Organizations has officially arrived, bringing tenant-gated settings and Store app restoration to the managed device lifecycle.

This marks a significant step for IT teams that have long relied on third-party tools or manual configuration to reapply user environments during migration or device refresh. The feature is now listed as generally available in the Release Preview notes, though its full functionality remains contingent on Intune configuration and Microsoft Entra join. Alongside the backup capability, the updates address nagging issues in File Explorer, SMB over QUIC, ReFS deduplication and compression, and more — all while Microsoft sends a separate urgent call to update Secure Boot certificates.

What’s in the updates

KB5064080 for Windows 11 22H2 (the supported enterprise version) and KB5063842 for Windows 10 22H2 share a common theme: they fix operational pain points that generate helpdesk tickets and slow down users. The Windows 11 package incorporates a combined servicing stack update (SSU) and cumulative update (LCU), which improves install reliability but complicates rollbacks. The Windows 10 update, delivered only to the Release Preview Channel, is described by Microsoft as the final preview pathway for that OS, with security servicing continuing separately until the formal end-of-service milestones.

Key fixes and improvements include:

  • File Explorer: The update corrects a single-folder view glitch and improves performance when many SharePoint sites are synced, addressing a common source of support calls in organizations that rely on SharePoint libraries.
  • SMB over QUIC: Reduced delays in directory listing and file access, making network shares over QUIC more responsive for remote and hybrid workers.
  • ReFS: Mitigated a hang that could occur when both deduplication and compression are enabled, a critical stabilization for Windows Server environments and hyper-converged setups.
  • Removable storage policy: Enforcement was tightened, ensuring that policies blocking USB drives work as expected — a win for security-conscious shops.
  • Input and accessibility: Extended Unicode and IME fixes plus Narrator corrections improve usability for global and accessibility-focused users.
  • Copilot key behavior and Family Safety prompt reliability were also polished.

Windows Backup for Organizations: a tenant-gated restore

The star of these previews is Windows Backup for Organizations, a first-party restore flow designed to reduce the friction of reprovisioning devices. During Autopilot enrollment or the Out-Of-Box Experience (OOBE), the feature can reapply a user’s settings and a list of Microsoft Store apps that were backed up to Microsoft’s cloud — all tied to the user’s Entra identity.

Microsoft’s messaging is clear: this is not a full-system backup. It does not capture installed Win32 applications, user file data, or serve as a replacement for enterprise backup solutions. Instead, it addresses the configuration layer, restoring personalization preferences, Start menu layout, and Store app inventory to slash the time it takes for employees to get productive on a new or refreshed device.

Prerequisites and scope

Administrators must activate the restore capability tenant-wide through the Intune admin center (Devices > Enrollment > Windows > Enrollment options > Windows Backup and Restore). Once enabled, the restore page appears during OOBE only for devices that are Microsoft Entra joined and signed in with the same Entra account that created the backup. Autopilot profiles must be user-driven; self-deploying and pre-provisioned modes won’t show the restore page.

The feature requires specific minimum OS builds, which Microsoft documents explicitly:

  • Windows 10, version 22H2: build 19045.5917 or later for backup functionality.
  • Windows 11, version 22H2: build 22621.5413 or later; restore during OOBE requires Windows 11 22H2 or newer.
  • Later versions (23H2, 24H2) have their own documented minimums.

If devices fall below these baselines, Intune’s Enrollment Status Page can be configured to install quality updates during OOBE to bring them up to spec.

Data residency and compliance

Backups are stored in Microsoft cloud services under the organizational tenant. Before rolling out at scale, IT must verify whether the service meets internal data residency, retention, and encryption requirements. Conditional Access policies that govern sign-in and device compliance can impact backup and restore flows; admins should add the necessary service endpoints (e.g., Activity Feed Service) to Conditional Access allowlists as recommended by Microsoft.

Operational impact and caution

Despite the “generally available” label in the Release Preview notes, the feature’s real-world availability is gated by both tenant configuration and Entra join compliance. Microsoft’s TechCommunity blog and Intune documentation emphasize that admins should test backup and restore cycles in a lab tenant before trusting the service for production device refreshes. The service complements existing imaging and deployment tools; it cannot replace application packaging or data backup workflows.

Beyond backup: reliability fixes that matter

While the backup capability grabs headlines, the cumulative updates deliver fixes that will immediately benefit day-to-day operations:

  • File Explorer: The single-folder view bug was a persistent irritation for users who rely on folder-based navigation, and the SharePoint sync performance fix improves open and save times for files in large document libraries.
  • SMB over QUIC: By reducing latency during directory enumeration, the patch makes remote file access over QUIC feel snappier — especially important for VPN-less deployments.
  • ReFS: The hang mitigation for deduplication plus compression scenarios eliminates a silent productivity killer in backup and archival workloads.
  • Removable storage policy: Inconsistent enforcement left security gaps; this fix ensures that if a policy says “block USB,” the device obeys.

Each of these addresses a pain point that often triggers helpdesk tickets or escalations, giving IT teams a reason to move these previews into pilot rings sooner rather than later.

Secure Boot certificates: don’t wait until 2026

Embedded in the KB5064080 support article is a stark reminder: Secure Boot certificates used by most Windows devices will begin expiring in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices for months, but organizations must act now. If a device lacks the updated certificates, it will still boot normally, but standard Windows updates will continue to install the newer certificates over time. The risk is that a laggard device might encounter boot disruptions if the old certificates are finally revoked.

Microsoft’s guidance for IT admins:

  • Inventory devices to confirm Secure Boot state and UEFI firmware capability.
  • Coordinate with OEMs to ensure firmware updates that include the new certificates are available for your models.
  • Enable Microsoft-managed Secure Boot updates for managed devices where acceptable, or prepare a validated offline process for air-gapped systems.
  • Test boot policies and certificate updates on a controlled set of machines before scaling.

This is a separate thread from the preview updates but is woven into the communication because it affects the same audience. Ignoring it could lead to a wave of support calls in mid-2026.

How IT should approach these previews

Given that these are Release Preview updates, discipline is essential. The combined SSU+LCU package in KB5064080 makes rollback more involved: the SSU is persistent, so removing the LCU requires DISM with the exact package name. Pilot testing should include:

  1. Pilot selection: Cover laptops and desktops with common OEM drivers, devices that mount many SharePoint sites, endpoints using SMB over QUIC, any storage hosts running ReFS with dedupe/compression, and representative EDR/AV configurations.
  2. Lab tenant validation: Enable the Intune restore toggle in a non-production tenant, verify Entra join workflows, and confirm Conditional Access allowlists for required endpoints.
  3. Backup/restore cycles: Create a backup on a representative device, reimage or Autopilot-reset it, and restore. Document exactly which settings transfer and which don’t.
  4. Scenario testing: Reproduce the File Explorer single-folder view bug, stress SMB over QUIC latency, validate ReFS dedupe+compression under load, and test removable storage policy enforcement.
  5. Rollback planning: Keep golden images and document DISM uninstall commands for the LCU using the package name from DISM /online /get-packages.
  6. Monitor and expand: After 1–3 weeks of telemetry with no regressions, expand the pilot ring and watch community channels for edge-case issues.

For Windows Backup for Organizations specifically, success hinges on a thorough understanding of its scope. Treat it as a configuration accelerator, not a backup replacement, and maintain existing application deployment (SCCM, Intune Win32 apps) and data protection solutions.

Conclusion

The August 2025 Release Preview updates are more than just a routine quality drop. They mark the official entry of Windows Backup for Organizations into the enterprise toolkit, giving IT administrators a tenant-gated, cloud-mediated way to restore user settings and Store app lists during device enrollment. The bundled fixes for File Explorer, SMB over QUIC, and ReFS further increase the appeal for early adopters willing to pilot these builds.

Yet the real story is one of thoughtful preparation. Administrators who treat these previews as an opportunity to validate workflows, test rollbacks, and get ahead of the Secure Boot deadline will turn a set of optional patches into a strategic advantage. Those who skip the testing or misunderstand the backup service’s limits risk disruption. In a world where device refresh cycles and migrations never really end, that’s a trade-off worth getting right.