This past week, we saw a new version of Windows 11 (highly anticipated as well) with 24H2. It’s a very exciting update, which also ushered in the era of the Copilot+ PC. Today, we will cover a few things:
- New Features in Windows 11 24H2
- New Features for Copilot+ PCs in 24H2
- Policy Changes in Windows 11 24H2
- New Windows 11 24H2 Policy Best Practices
- Final Thoughts
Let’s get started as there’s a bunch of stuff to be excited about!
New Features in Windows 11 24H2
We saw some interesting changes in 24H2, and we can organize them into a few categories:
We will look at these items in a bit more detail because they will impact most of you. Let’s start with SMB changes.
SMB Changes in Windows 11 24H2
Who doesn’t LOVE SMB? Well, me. I definitely do NOT love SMB. All things considered, they did make some changes you should be aware of.
Firstly, with signing and encryption:
- SMB signing is now required by default. Each message is signed with a signature derived from the session key and the negotiated cipher, and you will now see it in the SMB header; this is a form of tamper protection and helps against certain relay attacks. If a message isn’t signed, you will see an error like this:

```text
0xc000a000
-1073700864
STATUS_INVALID_SIGNATURE
The cryptographic signature is invalid.
```
You might also run into one of these errors if you’re using guest access to a third-party SMB server:

```text
You can't access this shared folder because your organization's security policies block
unauthenticated guest access. These policies help protect your PC from unsafe or malicious
devices on the network.
Error code: 0x80070035
The network path was not found.
System error 3227320323 has occurred.
```
If you want to make sure your SMB environment is ready, run these commands (server side and client side respectively):

```powershell
Get-SmbServerConfiguration | FL RequireSecuritySignature
Get-SmbClientConfiguration | FL RequireSecuritySignature
```
I won’t cover how to disable it, because that’s bad. So, don’t be bad.
- SMB encryption is now supported for outbound SMB client connections. This extends the previous server-side capability, letting the client require SMB 3 and encryption for the connections it makes.
You can check the current client setting and even set it manually if you want:

```powershell
Set-SmbClientConfiguration -RequireEncryption $true
Get-SmbClientConfiguration | FL RequireEncryption
```
- Admins can also enable auditing of SMB client and server support for these features. The audit events will even show when a third-party client or server doesn’t support signing or encryption.
- The SMB client can now connect over TCP, QUIC, or RDMA using alternate network ports (which requires the SMB server to be configured to listen on them). You can’t change the listening port on Windows Server, but you might be able to on a third-party server.
- SMB can now block NTLM for remote outbound connections.
- SMB can control which SMB 2 and 3 dialects it negotiates aka only use SMB 3.1.1.
- SMB over QUIC is now available. It has been growing increasingly popular because of security improvements like mandatory cert-based encryption.
- Windows Firewall now uses the new “File and Printer Sharing (Restrictive)” group when creating SMB shares (which no longer contains the NetBIOS ports 137-139).
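To see where a machine stands against all of the above in one pass, here is an added PowerShell audit (my own example, not from the original post). It uses the built-in SmbShare cmdlets; the expected values are the 24H2 posture described above, so adjust them to your own baseline.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the Windows 11 24H2 SMB hardening settings on the local machine.
# Get-SmbServerConfiguration needs elevation; the property names are those exposed by the
# SmbShare module on 24H2. A property that does not exist on an older build is reported as
# NOT AVAILABLE rather than as a misconfiguration.

function Test-SmbHardening {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration

    # Side, property, expected value, and why the setting matters.
    $checks = @(
        @{ Side = 'Client'; Name = 'RequireSecuritySignature';            Expect = $true;    Why = 'Signing required (relay protection)' }
        @{ Side = 'Server'; Name = 'RequireSecuritySignature';            Expect = $true;    Why = 'Signing required (relay protection)' }
        @{ Side = 'Client'; Name = 'RequireEncryption';                   Expect = $true;    Why = 'Outbound connections must use SMB 3 encryption' }
        @{ Side = 'Client'; Name = 'EnableInsecureGuestLogons';           Expect = $false;   Why = 'No unauthenticated guest access' }
        @{ Side = 'Client'; Name = 'BlockNTLM';                           Expect = $true;    Why = 'No NTLM on remote outbound SMB' }
        @{ Side = 'Client'; Name = 'AuditServerDoesNotSupportSigning';    Expect = $true;    Why = 'Log third-party servers without signing' }
        @{ Side = 'Client'; Name = 'AuditServerDoesNotSupportEncryption'; Expect = $true;    Why = 'Log third-party servers without encryption' }
        @{ Side = 'Server'; Name = 'AuditClientDoesNotSupportSigning';    Expect = $true;    Why = 'Log clients without signing' }
        @{ Side = 'Server'; Name = 'AuditClientDoesNotSupportEncryption'; Expect = $true;    Why = 'Log clients without encryption' }
        @{ Side = 'Client'; Name = 'Smb2DialectMin';                      Expect = 'SMB311'; Why = 'Negotiate only SMB 3.1.1' }
        @{ Side = 'Server'; Name = 'Smb2DialectMin';                      Expect = 'SMB311'; Why = 'Negotiate only SMB 3.1.1' }
        @{ Side = 'Server'; Name = 'EnableAuthRateLimiter';               Expect = $true;    Why = 'Throttle failed authentication attempts' }
    )

    foreach ($c in $checks) {
        $cfg    = if ($c.Side -eq 'Client') { $client } else { $server }
        $prop   = $cfg.PSObject.Properties[$c.Name]       # $null when the build lacks the setting
        $actual = if ($prop) { $prop.Value } else { $null }
        # Compare as strings so booleans and dialect enums are handled the same way.
        $status = if (-not $prop) { 'NOT AVAILABLE' } elseif ("$actual" -eq "$($c.Expect)") { 'OK' } else { 'REVIEW' }
        [pscustomobject]@{
            Side     = $c.Side
            Setting  = $c.Name
            Expected = $c.Expect
            Actual   = $actual
            Status   = $status
            Why      = $c.Why
        }
    }
}

Test-SmbHardening | Format-Table -AutoSize
```

Rows marked REVIEW are candidates for the Set-SmbClientConfiguration / Set-SmbServerConfiguration cmdlets shown earlier; test against your third-party file servers first, since the audit events are there precisely to find the ones that cannot keep up.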
LAPS Enhancements in Windows 11 24H2
The new LAPS features that we have been seeing in public preview for quite a while are finally here. That means this evil beast can finally be vanquished in Intune (oh, how we love the errors it creates):

So, the things they have introduced are:
- Automatically create the admin account
- Configure the name of the admin account
- Enable/disable the account
- Randomize the account name
The bad news is these features are not yet available in the GUI:

We can set the proper settings with a Custom Profile in Intune:

Below is what they should look like:
| Title | Description | OMA-URI Path | Type | Value |
|---|---|---|---|---|
| Automatic Account Management Enabled | Use this setting to specify whether automatic account management is enabled. | ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnabled | Boolean | TRUE |
| Automatic Account Management Enable Account | Use this setting to configure whether the automatically managed account is enabled or disabled. | ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementEnableAccount | Boolean | TRUE |
| Automatic Account Management Name Prefix | Use this setting to configure the name or prefix of the managed local administrator account. | ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementNameOrPrefix | String | Admin |
| Automatic Account Management Randomize Name | Use this setting to configure whether the name of the automatically managed account uses a random numeric suffix each time the password is rotated. | ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementRandomizeName | Boolean | TRUE |
| Automatic Account Management Target | Use this setting to configure which account is automatically managed. | ./Device/Vendor/MSFT/LAPS/Policies/AutomaticAccountManagementTarget | Integer | 1 |
| Password Complexity | Set this to ensure the password you use has enhanced readability. You’ll thank me later. | ./Device/Vendor/MSFT/LAPS/Policies/PasswordComplexity | Integer | 5 |
| LAPS Backup Directory | Use this setting to tell it to back up the password to Entra ID. | ./Device/Vendor/MSFT/LAPS/Policies/BackupDirectory | Integer | 1 |
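Clicking those seven OMA-URIs into a Custom Profile by hand is error-prone, so here is an added PowerShell script (my own example, not part of the original post) that builds the same profile as a Graph request body. It assumes the Microsoft.Graph PowerShell SDK is installed and that your account can create device configurations (DeviceManagementConfiguration.ReadWrite.All); the profile name and descriptions are my own.

```powershell
# Added example: build (and optionally create) the Intune custom OMA-URI profile from the table above.
# Without -Deploy the script only prints the JSON it would send, so you can review it first.
param(
    [string] $ProfileName   = 'Windows LAPS - Automatic Account Management (24H2)',
    [string] $AccountPrefix = 'Admin',   # the managed local admin name or prefix from the table
    [switch] $Deploy
)

$lapsBase = './Device/Vendor/MSFT/LAPS/Policies/'

# One entry per table row: CSP leaf name, Graph OMA setting type, value.
$rows = @(
    @{ Leaf = 'AutomaticAccountManagementEnabled';       Type = 'Boolean'; Value = $true }
    @{ Leaf = 'AutomaticAccountManagementEnableAccount'; Type = 'Boolean'; Value = $true }
    @{ Leaf = 'AutomaticAccountManagementNameOrPrefix';  Type = 'String';  Value = $AccountPrefix }
    @{ Leaf = 'AutomaticAccountManagementRandomizeName'; Type = 'Boolean'; Value = $true }
    @{ Leaf = 'AutomaticAccountManagementTarget';        Type = 'Integer'; Value = 1 }   # value from the table
    @{ Leaf = 'PasswordComplexity';                      Type = 'Integer'; Value = 5 }   # improved-readability passwords
    @{ Leaf = 'BackupDirectory';                         Type = 'Integer'; Value = 1 }   # back up to Entra ID
)

# Graph models each row as omaSettingBoolean / omaSettingString / omaSettingInteger.
$omaSettings = foreach ($r in $rows) {
    [ordered]@{
        '@odata.type' = "#microsoft.graph.omaSetting$($r.Type)"
        displayName   = $r.Leaf
        description   = "Windows LAPS $($r.Leaf)"
        omaUri        = $lapsBase + $r.Leaf
        value         = $r.Value
    }
}

$body = [ordered]@{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = $ProfileName
    description   = 'Windows LAPS automatic account management via custom OMA-URI (24H2)'
    omaSettings   = @($omaSettings)
}

$json = $body | ConvertTo-Json -Depth 5
$json

if ($Deploy) {
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome
    $result = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body $json -ContentType 'application/json'
    "Created profile $($result.id). Assign it to a device group; it does nothing until assigned."
}
```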
In addition, they also made a few improvements:
- PassphraseLength lets you specify how many words are in the passphrase.
- Updated PasswordComplexity with improved-readability settings, which generate passwords without easily confused characters (e.g. 0 and O).
- Added a new Post Authentication Action that resets the password, logs off the managed account, and terminates any remaining processes.
- Improved event logging for post auth actions.
One last thing they added was image rollback detection. When a device is rolled back to a previous image (which could cause a password mismatch), it will write a random GUID to a new attribute called msLAPS-CurrentPasswordVersion. On a processing cycle, if it doesn’t match, the password will be immediately rotated.
Using that feature requires extending the AD schema by running Update-LapsADSchema via PowerShell.
Sudo for Windows
One of the things I’m the most excited about is Sudo for Windows. This is just the first stage in a number of local admin enhancements coming. More are being announced next month at Ignite!
Sudo lets you elevate from within a regular PowerShell or CMD window, which makes things easier and more secure. You simply run:

```powershell
sudo netstat -abn
```
I will do a deep dive into it in an article next week, but for now this about covers it. One other thing to mention is you can run sudo in 3 modes:
- New Window
- Input Disabled (BAD BAD BAD)
- Inline aka the same window you’re already in
We’ll discuss this more next week, but certain modes have security concerns. When sudo runs with input disabled or inline, a malicious process could try to drive the elevated process.
Input-disabled mode does somewhat mitigate the risk by closing the input handle. New-window mode stops unelevated processes from sending input to the elevated process altogether.
With inline, the process receives input from the current console session. An unelevated process can send input to the elevated one, which can be an issue.
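To see which of those three modes a machine allows before the deep dive, here is an added PowerShell check (my own example, not from the original post). It reads the sudo policy and local settings from the registry; the two key paths and the 0-3 mode mapping are assumptions from my reading of the “Configure the behavior of the sudo command” policy, so verify them against your build.

```powershell
# Added example: report the configured Sudo for Windows mode and the exposure each mode carries.
# Assumed locations (verify on your build):
#   policy value  HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Sudo  (Enabled, DWORD)
#   local setting HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Sudo           (Enabled, DWORD)
# Assumed mapping: 0 = disabled, 1 = new window, 2 = input disabled, 3 = inline.
$sudoModes = @{
    0 = @{ Name = 'Disabled';       Risk = 'None: sudo cannot be used' }
    1 = @{ Name = 'New window';     Risk = 'Low: unelevated processes cannot send input to the elevated console' }
    2 = @{ Name = 'Input disabled'; Risk = 'Medium: input handle closed, but the elevated process still shares the console' }
    3 = @{ Name = 'Inline';         Risk = 'High: an unelevated process on the same console can drive the elevated one' }
}

function Get-SudoConfiguration {
    $sources = [ordered]@{
        Policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Sudo'
        Local  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Sudo'
    }
    foreach ($src in $sources.Keys) {
        # Missing key or value is normal (policy not applied, sudo never turned on): report it as not set.
        $value = (Get-ItemProperty -Path $sources[$src] -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $mode  = if ($null -ne $value) { $sudoModes[[int]$value] } else { $null }
        $name  = if ($mode) { $mode.Name } elseif ($null -ne $value) { "Unknown ($value)" } else { 'Not set' }
        $risk  = if ($mode) { $mode.Risk } else { '' }
        [pscustomobject]@{ Source = $src; Value = $value; Mode = $name; Risk = $risk }
    }
}

Get-SudoConfiguration | Format-Table -AutoSize
```

If the Policy row is not set, users can pick any mode themselves in Settings, which is exactly why the new Sudo.admx policy in the table later in this article is worth setting.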
Other Windows 11 24H2 Security and Usability Changes
A few other changes that I wanted to mention in 24H2 are:
- LSA protection ensures LSASS runs as a protected process, and the setting is stored in a UEFI variable in the firmware, which stops it from being deleted or changed. It is now enabled automatically.
- The Remote Mailslot protocol is now disabled by default
- Rust is starting to appear in the Windows kernel, specifically in win32kbase_rs.sys. Microsoft states we’re going to start seeing Rust more prevalently used in Windows.
- Personal Data encryption for folders is now available. Read more about PDE here in my security best practices article.
- Windows Protected Print mode (WPP) is being introduced, which only lets devices print using the Windows modern print stack. (One note: using this mode will actually remove Adobe PDF as a print option.) I will be writing a blog article on WPP soon, but basically it leverages the IPP print stack, which requires fewer permissions and uses a new, less invasive version of the Print Spooler. Research has shown that it eliminates over half of the attack vectors used in attacks like Stuxnet.

- SHA-3 support
- App Control for Business is now widely available, which I cover here.
- Wi-Fi 7 support.
- Bluetooth LE audio support for assistive devices.
- Windows location improvements where you can view/modify what apps can see your network list.
- Enabling optional updates via policy.
- Remote Desktop received a few improvements with text size scaling via the accessibility menu and new zoom options up to 500% along with some connection bar design changes
- File Explorer can now create 7-zip and TAR archives along with compressing with gzip, BZip2, xz, or Zstandard. Labels were also added to the context menu icons for copy, paste, delete, and rename.

- You can now install drivers via OOBE when they’re missing.

- Updates to RegEdit to limit searches to the currently selected key and its descendants.

- Task Manager has Mica material and a redesigned icon.

- They removed WordPad and AllJoyn from 24H2
New Features for Copilot+ PCs in 24H2
One of the things that has evolved is the set of exclusive features for the new fancy Copilot+ PCs (which shipped with 24H2 to begin with). Among the many things that make them special are their NPUs (neural processing units), which are like GPUs for AI and can achieve in excess of 40 trillion operations per second (TOPS). Here are some of the features we can now use with Copilot+ PCs:
- Live Captions translating audio and video content into English subtitles from 44 languages
- Windows Studio Effects to automatically improve lighting and noise cancellation during video calls.
- Cocreator in MS Paint that leverages AI to help you create artwork.
- Auto Super Resolution aka Auto SR which is AI-powered gaming resolution enhancements technology.
- Image Creator and Restyle Image in the Microsoft Photos app that helps you modify your existing photos or create new ones powered by AI.
Policy Changes in Windows 11 24H2
After reviewing the policy delta changes, a few things stood out to me:
- Let’s start with MDM supportability:
- Computer Policy: 146 of 205 settings (71%) are MDM supported; some deprecated Defender Firewall settings, plus LSA, SMB, and other settings, are not supported.
- IE settings for computer and user, along with User policy, are all fully supported
- Most of BitLocker is supported except disabling new DMA devices when the PC is locked
- Credential Guard fully deprecated
- A few settings for Defender are not supported:

When we look at the deltas, they’re somewhat interesting; a few to note:
- Lots of new policies for Defender remediation.
- Controls on package manager (you can block WinGet command line installs or configs).
- All of the SMB stuff I mentioned earlier is in there.
- Ability to block WH4B caching.
- Ability to block screen recording for the Snipping Tool.
Below you can see the full list of policy changes in 24H2. I recommend looking at these settings and seeing whether any of them actually matter to you. If so, update your 23H2 policy accordingly. Do NOT deploy a brand-new 24H2 policy set outright, because you will get less than ideal results:
| Filename | Instance | Policy Path | Policy Setting |
|---|---|---|---|
| Security Settings | | Security Options | Domain controller: LDAP server signing requirements Enforcement |
| Security Settings | | Security Options | Domain controller: Refuse setting default machine account password |
| Security Settings | | Security Options | Network security: LDAP client encryption requirements |
| Security Settings | | Security Options | User Account Control: Behavior of the elevation prompt for administrators running with enhanced privilege protection |
| Security Settings | | Security Options | User Account Control: Configure type of Admin Approval Mode |
| ControlPanelDisplay.admx | Machine | Control Panel\Personalization | Load a specific theme |
| DnsClient.admx | Machine | Network\DNS Client | Configure multicast DNS (mDNS) protocol |
| DnsClient.admx | Machine | Network\DNS Client | Turn off default IPv6 DNS Servers |
| LanmanServer.admx | Machine | Network\Lanman Server | Audit client does not support encryption |
| LanmanServer.admx | Machine | Network\Lanman Server | Audit client does not support signing |
| LanmanServer.admx | Machine | Network\Lanman Server | Audit insecure guest logon |
| LanmanServer.admx | Machine | Network\Lanman Server | Enable authentication rate limiter |
| LanmanServer.admx | Machine | Network\Lanman Server | Enable remote mailslots |
| LanmanServer.admx | Machine | Network\Lanman Server | Enable SMB over QUIC |
| LanmanServer.admx | Machine | Network\Lanman Server | Mandate the maximum version of SMB |
| LanmanServer.admx | Machine | Network\Lanman Server | Mandate the minimum version of SMB |
| LanmanServer.admx | Machine | Network\Lanman Server | Set authentication rate limiter delay (milliseconds) |
| LanmanWorkstation.admx | Machine | Network\Lanman Workstation | Alternative Port Mappings |
| LanmanWorkstation.admx | Machine | Network\Lanman Workstation | Audit insecure guest logon |
| LanmanWorkstation.admx | Machine | Network\Lanman Workstation | Audit server does not support encryption |
| LanmanWorkstation.admx | Machine | Network\Lanman Workstation | Audit server does not support signing |
| LanmanWorkstation.admx | Machine | Network\Lanman Workstation | Block NTLM (LM NTLM NTLMv2) |
| LanmanWorkstation.admx | Machine | Network\Lanman Workstation | Block NTLM Server Exception List |
| LanmanWorkstation.admx | Machine | Network\Lanman Workstation | Enable Alternative Ports |
| LanmanWorkstation.admx | Machine | Network\Lanman Workstation | Enable remote mailslots |
| LanmanWorkstation.admx | Machine | Network\Lanman Workstation | Enable SMB over QUIC |
| LanmanWorkstation.admx | Machine | Network\Lanman Workstation | Mandate the maximum version of SMB |
| LanmanWorkstation.admx | Machine | Network\Lanman Workstation | Mandate the minimum version of SMB |
| LanmanWorkstation.admx | Machine | Network\Lanman Workstation | Require Encryption |
| Printing.admx | Machine | Printers | Configure RPC packet level privacy setting for incoming connections |
| Printing.admx | Machine | Printers | Configure Windows protected print |
| StartMenu.admx | Machine | Start Menu and Taskbar | Prevent users from customizing their Start Screen |
| Taskbar.admx | Machine | Start Menu and Taskbar | Remove Notifications and Action Center |
| WPN.admx | Machine | Start Menu and Taskbar\Notifications | Turn off toast notifications |
| Sudo.admx | Machine | System | Configure the behavior of the sudo command |
| kdc.admx | Machine | System\KDC | Allow name-based strong mappings for certificates |
| Kerberos.admx | Machine | System\Kerberos | Enable Delegated Managed Service Account logons |
| LAPS.admx | Machine | System\LAPS | Configure automatic account management |
| Netlogon.admx | Machine | System\Net Logon\DC Locator DNS Records | Block NetBIOS-based discovery for domain controller location |
| sam.admx | Machine | System\Security Account Manager | Configure SAM change password RPC methods policy |
| AppDeviceInventory.admx | Machine | Windows Components\App and Device Inventory | Turn off API Sampling |
| AppDeviceInventory.admx | Machine | Windows Components\App and Device Inventory | Turn off Application Footprint |
| AppDeviceInventory.admx | Machine | Windows Components\App and Device Inventory | Turn off compatibility scan for backed up applications |
| AppDeviceInventory.admx | Machine | Windows Components\App and Device Inventory | Turn off Install Tracing |
| AppxPackageManager.admx | Machine | Windows Components\App Package Deployment | Not allow per-user unsigned packages to install by default (requires explicitly allow per install) |
| DesktopAppInstaller.admx | Machine | Windows Components\Desktop App Installer | Enable App Installer Local Archive Malware Scan Override |
| DesktopAppInstaller.admx | Machine | Windows Components\Desktop App Installer | Enable App Installer Microsoft Store Source Certificate Validation Bypass |
| DesktopAppInstaller.admx | Machine | Windows Components\Desktop App Installer | Enable Windows Package Manager command line interfaces |
| DesktopAppInstaller.admx | Machine | Windows Components\Desktop App Installer | Enable Windows Package Manager Configuration |
| EventLog.admx | Machine | Windows Components\Event Log Service | Limit remote access to the Event Log Service |
| WindowsExplorer.admx | Machine | Windows Components\File Explorer | Do not apply the Mark of the Web tag to files copied from insecure sources |
| inetres.admx | Machine | Windows Components\Internet Explorer | Allow legacy functionality for Internet Shortcut files |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus | Control whether exclusions are visible to local users |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Device Control | Set the Azure AD refresh rate |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Device Control | Set the data duplication limit (MB) |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Device Control | Set the policy refresh rate |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Device Control | Set the retention period for files in the local device control cache |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Device Control | Set up a support link for device control notifications |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Device Control | Turn on device control for specific device types |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Features | Enable EDR in block mode |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Features | Intel TDT Integration Level |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction | Apply a list of exclusions to specific attack surface reduction (ASR) rules |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Network Inspection System | Convert warn verdict to block |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Network Inspection System | Turn on asynchronous inspection |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Real-time Protection | Configure performance mode status |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Real-time Protection | Configure real-time protection and Security Intelligence Updates during OOBE |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Remediation\Behavioral Network Blocks\Brute-Force Protection | Configure Brute-Force Protection aggressiveness |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Remediation\Behavioral Network Blocks\Brute-Force Protection | Configure Brute-Force Protection blocking time |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Remediation\Behavioral Network Blocks\Brute-Force Protection | Configure Remote Encryption Protection Mode |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Remediation\Behavioral Network Blocks\Brute-Force Protection | Set exclusions from Brute-Force Protection |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Remediation\Behavioral Network Blocks\Remote Encryption Protection | Configure how aggressively Remote Encryption Protection blocks threats |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Remediation\Behavioral Network Blocks\Remote Encryption Protection | Configure Remote Encryption Protection blocking time |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Remediation\Behavioral Network Blocks\Remote Encryption Protection | Configure Remote Encryption Protection Mode |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Remediation\Behavioral Network Blocks\Remote Encryption Protection | Set exclusions from Remote Encryption Protection |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Reporting | Configure whether to report Dynamic Signature dropped events |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Scan | Scan excluded files and directories during quick scans |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Scan | Trigger a quick scan after X days without any scans |
| WindowsDefender.admx | Machine | Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates | Configure security intelligence updates according to the scheduler for VDI clients. |
| TerminalServer.admx | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection | Restrict clipboard transfer from client to server |
| TerminalServer.admx | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security | Disconnect remote session on lock for legacy authentication |
| TerminalServer.admx | Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security | Disconnect remote session on lock for Microsoft identity platform authentication |
| Passport.admx | Machine | Windows Components\Windows Hello for Business | Disable caching of the Windows Hello for Business credential after sign-in |
| WindowsSandbox.admx | Machine | Windows Components\Windows Sandbox | Allow mapping folders into Windows Sandbox |
| WindowsUpdate.admx | Machine | Windows Components\Windows Update\Manage end user experience | Enable Hotpatching for Servers |
| WindowsUpdate.admx | Machine | Windows Components\Windows Update\Manage end user experience | Specify deadline for automatic updates and restarts for feature update |
| WindowsUpdate.admx | Machine | Windows Components\Windows Update\Manage end user experience | Specify deadline for automatic updates and restarts for quality update |
| WindowsUpdate.admx | Machine | Windows Components\Windows Update\Manage updates offered from Windows Update | Enable optional updates |
| inetres.admx | User | Windows Components\Internet Explorer | Allow legacy functionality for Internet Shortcut files |
| TerminalServer.admx | User | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection | Restrict clipboard transfer from client to server |
| Programs.admx | User | Windows Components\Snipping Tool | Allow Screen Recorder |
| WindowsCopilot.admx | User | Windows Components\Windows AI | Turn off Windows AI User Data Analysis |
New Windows 11 24H2 Policy Best Practices
Below are my new Windows 11 24H2 policies for Intune:
- New Defender Baseline
- MSFT Internet Explorer 11 24H2 – Computer Policy
- MSFT Windows 11 24H2 – User and User IE Policy
- MSFT Windows 11 24H2 – Computer Policy
- MSFT Windows 11 24H2 – BitLocker Policy
These policies are importable JSON for Intune, and they are what I currently think is solid for most environments. I also recommend checking out James Robinson and his amazing OpenIntuneBaseline, because he’s incredible at baselines. As I always call him, the GOAT of Baselines.
Overall, I think my policies should be very helpful and I always advocate for deploying them like this instead of the baselines built into Intune because those aren’t as good as we would like them to be.
Final Thoughts
Simply put, Windows 11 24H2 is a foundational release for Microsoft. It’s the starting point for Copilot+ PCs, the truly complete release of LAPS (now that it can create your accounts for you), and the start of a major philosophical shift in security, with things like Sudo and other upcoming changes that rethink Windows security. So, leverage Autopatch and get your PCs updated. It’s an exciting time and I can’t wait to see what else they build on top of this at Microsoft Ignite.
One final note: if you enjoy this article and my content, don’t miss my webinar on the Future of EUC Unfiltered on October 23, 2024 at 10 AM EDT. Sign up here!
