The 24H2 update for Windows 11 introduces several new features, including enhanced security measures, support for Wi-Fi 7, and improvements such as power saving mode and updated quick settings. It also marks the beginning of 36 months of support for the Enterprise and Education editions and offers a number of deployment tools and updates, including new controls for Copilot+ PCs. The update is available now and can be obtained via the integrated update channels. Further information can be found in this blog post.
New features in this update
Windows 11 version 24H2 includes all the features and capabilities that have been delivered as part of the ongoing innovation of Windows 11 and are now enabled by default. These include:
- Policy improvements to Windows Local Administrator Password Solution (LAPS) and new automatic account management feature
- Personal Data Encryption (PDE) for folders, so that the known Windows folders (Documents, Desktop and Pictures) are protected by user-authenticated encryption
- App Control for Business (formerly Windows Defender Application Control) to better protect your digital property from malware
- Windows protected print mode, so you no longer need to rely on third-party software installers for Mopria-certified printers
- Local Security Authority (LSA) protection, which guards the secrets and credentials used for logon against theft
- Support for Wi-Fi 7
- Bluetooth® LE audio support for hearing aids
- New controls for managing the apps that have access to the list of Wi-Fi networks in your environment
- Rust in the Windows kernel
- SHA-3 support
With Windows 11 version 24H2, Microsoft has also introduced numerous changes to the Server Message Block (SMB) protocol. These include changes to firewall rules, support for blocking NTLM, dialect management, alternative network port connections, SMB over QUIC (an alternative to TCP and RDMA) and changes to SMB signing and encryption.
This release also includes improvements to the overall Windows 11 experience, such as:
- A scrollable list (as opposed to a single window) of quick settings in the taskbar that can be arranged in the way that makes the most sense for the way you work
- Text labels for the “Cut”, “Copy”, “Rename”, “Share” and “Delete” actions available at the top of the File Explorer context menu
- Support for the creation of 7-Zip and TAR archives
- Energy saver: An easy way to extend battery life and reduce energy consumption. You can configure it to turn on automatically, or switch it on and off manually from quick settings.
- Extended adaptive brightness control for laptops and 2-in-1 devices, even if they are connected to the mains and support Content Adaptive Brightness Control (CABC)
- Extended availability of Voice Clarity, which eliminates echoes, suppresses background noise and reduces reverberation in real time
Microsoft has added new features to Bluetooth® LE Audio to control audio presets, ambient sound and more. Microsoft has created the ability to customize audio presets for hearing aids via Settings or Quick Settings.
The changes in detail:
Changes to the SMB protocol (Server Message Block)
SMB signing and encryption
The following changes have been made to SMB signing and encryption:
- SMB signing requirement changes: Beginning with Windows 11 version 24H2 for the Home, Pro, Education and Enterprise editions, SMB signing is required by default for all connections. SMB signing ensures that every message carries a signature generated with the session key and the negotiated cipher suite: the sender places a keyed hash of the entire message in the signature field of the SMB header, so if anyone alters the message in transit the hash no longer matches and SMB detects the tampering. Signing also binds the traffic to the authenticated session, giving both sides assurance that the peer is who it claims to be. The practical consequence is that third-party servers and clients that cannot sign will fail to connect until they are updated or the requirement is relaxed for them.
- SMB client encryption: SMB now supports requiring encryption for all outbound SMB client connections. Enforcing encryption on every outbound connection gives the highest level of network security and brings administrative parity with SMB signing, so both client and server requirements can be set. With this option an administrator mandates that every target server support SMB 3.x and encryption; if either is missing, the client refuses to connect.
- SMB signing and encryption auditing: Administrators can now enable auditing of SMB clients and servers for signing and encryption support. The audit records when a third-party client or server does not support SMB encryption or signing, which lets you find incompatible peers before turning on the requirements. The auditing settings are available in Group Policy and via PowerShell.
SMB client and server alternative ports
The SMB client can now connect to an SMB server over TCP, QUIC or RDMA using network ports other than the hard-coded defaults. The connection only succeeds if the SMB server is configured to listen on that port. Starting with Windows Server Insider build 26040, the SMB server supports listening on an alternative port for SMB over QUIC. Windows Server does not support configuring alternative TCP ports for its SMB server, but some third-party servers do.
SMB NTLM blocking exception list
The SMB client now supports blocking NTLM for outbound remote connections. With this option an administrator can stop Windows from offering NTLM over SMB while keeping an exception list of servers that still need it. An attacker who tricks a user or application into connecting to a malicious server no longer receives an NTLM challenge response and so cannot run brute-force, cracking or pass-the-hash attacks against it. This adds a layer of protection without having to disable NTLM across the whole operating system.
SMB dialect management
The SMB server can now control which SMB 2 and SMB 3 dialects it negotiates. With this option an administrator can remove specific dialects from use in the organization and refuse connections from older, less secure and less capable Windows and third-party devices. For example, an administrator can require SMB 3.1.1, the dialect with pre-authentication integrity and the strongest encryption options, for all connections.
SMB over QUIC
SMB over QUIC is an alternative to TCP and RDMA that provides secure connectivity to edge file servers over untrusted networks such as the Internet. QUIC's biggest advantage here is mandatory certificate-based TLS 1.3 encryption of the transport, rather than relying on passwords alone. SMB over QUIC client access control extends the existing SMB over QUIC feature.
Administrators now have more options for SMB over QUIC, for example:
- Specify which clients may connect to SMB over QUIC servers. This gives organizations extra protection but does not change the Windows authentication used for the SMB connection or the end-user experience.
- Disable SMB over QUIC on the client through Group Policy or PowerShell
- Audit client connection events for SMB over QUIC
Further information on these changes can be found at https://aka.ms/SmbOverQUICCAC.
Changes to the SMB firewall rule
The default behavior of the Windows firewall has changed. Previously, when an SMB share was created, the firewall was automatically configured to enable the rules in the File and Printer Sharing group for the specified firewall profiles. Now Windows automatically configures the new File and Printer Sharing (Restrictive) group, which no longer contains the incoming NetBIOS ports 137-139.
This change enforces a higher level of network security and brings the SMB firewall rules closer to the behavior of the Windows Server File Server role, opening only the minimum ports needed to connect to and manage shares. Administrators can still enable the File and Printer Sharing group or edit the new restrictive group if required; only the default behavior has changed.
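The following script is an added example, not part of the Microsoft release notes, that applies and verifies the SMB client and server changes described above (signing, client encryption, auditing, NTLM blocking with an exception list, dialect pinning, disabling the QUIC client and inspecting the restrictive firewall group) on a single Windows 11 24H2 host. The server name in the exception list is a placeholder. The cmdlet parameters are the ones Microsoft documents for the SmbShare module in 24H2; the `-TcpPort` parameter of `New-SmbMapping` for alternative ports is included as an assumption to confirm with `Get-Help New-SmbMapping` on your build.

```powershell
# Added example (not Microsoft's code): harden SMB on one Windows 11 24H2 host.
# Run from an elevated PowerShell session. 'legacy-nas.corp.example' is a placeholder.
#Requires -RunAsAdministrator

# 1. Signing. Required on the client by default in 24H2; make it explicit on both sides
#    so a later policy change cannot silently relax it.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 2. Client encryption. Stricter than signing: any server that cannot do SMB 3.x
#    encryption is refused, so audit (step 3) first in a mixed estate.
Set-SmbClientConfiguration -RequireEncryption $true -Force

# 3. Auditing. Logs peers that lack signing or encryption support so you can find
#    them before (or after) enforcing the requirements above.
Set-SmbClientConfiguration -AuditServerDoesNotSupportSigning $true `
                           -AuditServerDoesNotSupportEncryption $true -Force
Set-SmbServerConfiguration -AuditClientDoesNotSupportSigning $true `
                           -AuditClientDoesNotSupportEncryption $true -Force

# 4. NTLM blocking for outbound SMB, with one server that still needs NTLM exempted.
Set-SmbClientConfiguration -BlockNTLM $true -Force
Set-SmbClientConfiguration -BlockNTLMServerExceptionList 'legacy-nas.corp.example' -Force

# 5. Dialect management. Only SMB 3.1.1 (pre-auth integrity, AES-GCM) on this server.
Set-SmbServerConfiguration -Smb2DialectMin SMB311 -Smb2DialectMax SMB311 -Force

# 6. SMB over QUIC client. Turn it off if this device never needs it.
Set-SmbClientConfiguration -EnableSMBQUIC $false -Force

# 7. Alternative port (assumption: -TcpPort as documented for alternative SMB ports).
#    Only works if that server actually listens on the port.
# New-SmbMapping -RemotePath '\\legacy-nas.corp.example\share' -TcpPort 31000

# 8. Verify the effective configuration.
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, RequireEncryption,
    BlockNTLM, BlockNTLMServerExceptionList, EnableSMBQUIC,
    AuditServerDoesNotSupportSigning, AuditServerDoesNotSupportEncryption
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, Smb2DialectMin,
    Smb2DialectMax, AuditClientDoesNotSupportSigning, AuditClientDoesNotSupportEncryption

# 9. Firewall: the restrictive group that 24H2 enables when a share is created.
#    The inbound port list should contain TCP 445 and no NetBIOS 137-139.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing (Restrictive)' -Direction Inbound |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort |
    Sort-Object -Property Protocol, LocalPort -Unique

# 10. Audit results. Signing/encryption and NTLM-block events are written to the
#     SMB client and server audit channels.
foreach ($log in 'Microsoft-Windows-SMBClient/Audit', 'Microsoft-Windows-SMBServer/Audit') {
    Get-WinEvent -LogName $log -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Log'; e = { $log } }, Message
}
```

Apply steps 3 and 9 first on a pilot group and read the audit channels for a week; the peers that show up there are the ones that will break when steps 1, 2 and 4 are enforced, and they are exactly the ones that belong on the NTLM exception list or in a firewall exception rather than in a relaxed global policy.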
Activation of Local Security Authority (LSA) protection during the upgrade
LSA protection helps protect against theft of the secrets and credentials used for logon by preventing unauthorized code from running in the LSA process and by preventing its process memory from being dumped. Beginning with this upgrade, the system watches for incompatibilities with LSA protection for a period of time after the upgrade; if none are detected, LSA protection is enabled automatically. You can check and change the state of LSA protection in the Windows Security app on the Device security > Core isolation page. LSA protection writes an event log entry whenever it blocks a program from loading into LSA, so check that log if you suspect something was blocked.
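The following is an added example, not from the Microsoft release notes, that reads the LSA protection state from the registry and pulls the Code Integrity events that record a blocked (or, in audit mode, would-be blocked) load into lsass.exe. The `RunAsPPL` values and the event IDs 3033, 3063 (enforced) and 3065, 3066 (audit) are the ones Microsoft documents for LSA protection in the `Microsoft-Windows-CodeIntegrity/Operational` channel; the function names are this example's own.

```powershell
# Added example (not Microsoft's code): check LSA protection and list what it blocked.

function Get-LsaProtectionState {
    # RunAsPPL: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock (22H2+),
    # missing or 0 = not enabled by policy/registry. 24H2 may set it automatically
    # after its post-upgrade compatibility monitoring, so read the live value.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = [int]($lsa.RunAsPPL | ForEach-Object { $_ })   # $null -> 0
    [pscustomobject]@{
        RunAsPPL = $runAsPpl
        State    = switch ($runAsPpl) {
            1       { 'enabled (UEFI locked)' }
            2       { 'enabled' }
            default { 'not enabled' }
        }
    }
}

function Get-LsaBlockedLoads {
    param([int]$MaxEvents = 50)
    # 3033/3063: load refused under enforcement (Microsoft / Windows signing level).
    # 3065/3066: the same conditions reported while in audit mode.
    $filter = @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3033, 3063, 3065, 3066
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'lsass\.exe' } |
        Select-Object TimeCreated, Id,
            @{ n = 'Mode'; e = { if ($_.Id -in 3033, 3063) { 'blocked' } else { 'audit' } } },
            Message
}

Get-LsaProtectionState
Get-LsaBlockedLoads | Format-List
```

A non-empty list with Mode `audit` on a machine whose state still reads `not enabled` is the signal that 24H2's automatic enablement will not happen: some driver or authentication package (typically a third-party credential provider or smart-card middleware) is loading into LSA without the required signing level, and it has to be fixed or removed before protection is turned on.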
Remote Mailslot protocol disabled by default
The remote mailslot protocol was deprecated in November 2023 and is now disabled by default as of Windows 11 version 24H2. For more information on remote mailslots, see Information on mailslots.
Windows Local Administrator Password Solution (LAPS) improvements
LAPS has a new automatic account management feature. IT administrators can configure Windows LAPS to:
- Automatically create the managed local account
- Configure the account name
- Enable or disable the account
- Randomize the account name
LAPS has the following policy enhancements:
- Passphrase settings for the PasswordComplexity policy added
- Use PassphraseLength to control the number of words in a new passphrase
- An improved readability setting has been added for the PasswordComplexity policy, which generates passwords without using characters that can easily be confused with another character. For example, the zero and the letter O are not used in the password as the characters can be confused.
- The Reset the password, logoff the managed account, and terminate any remaining processes setting has been added to the PostAuthenticationActions policy. The event log messages emitted during post-authentication actions have also been expanded to show exactly what happened during the process.
Image rollback detection has been introduced for LAPS. LAPS can now detect when a device has been rolled back to a previous image. After a rollback, the password stored in Active Directory may no longer match the password on the device. To detect this, a new Active Directory attribute, msLAPS-CurrentPasswordVersion, is added to the Windows LAPS schema. Windows LAPS writes a random GUID to this attribute each time it stores a new password in Active Directory and keeps a local copy of that GUID. During every processing cycle the GUID in msLAPS-CurrentPasswordVersion is read and compared with the locally persisted copy; if they differ, the password is rotated immediately. To enable this feature you must run the latest version of the Update-LapsADSchema PowerShell cmdlet.
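The following is an added example, not from the Microsoft release notes, that sets the new LAPS policy values described above (automatic account management, passphrase complexity, the new post-authentication action) on an Active Directory-joined Windows 11 24H2 client, then runs the schema update and confirms the msLAPS-CurrentPasswordVersion attribute exists. Registry value names and numeric encodings follow Microsoft's documented Windows LAPS policy settings; confirm them against the LAPS documentation for your build. The account prefix is a placeholder, the schema update needs Schema Admins rights, and the AD queries need the RSAT ActiveDirectory module.

```powershell
# Added example (not Microsoft's code): configure 24H2 LAPS features via the policy
# registry path, extend the AD schema for rollback detection, and verify.
#Requires -RunAsAdministrator

$lapsPolicy = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
New-Item -Path $lapsPolicy -Force | Out-Null

# Values per the documented Windows LAPS policy settings (assumption: verify on your build).
$settings = [ordered]@{
    BackupDirectory                         = 2          # 2 = Active Directory (1 = Entra ID)
    AutomaticAccountManagementEnabled       = 1
    AutomaticAccountManagementTarget        = 1          # 1 = new custom managed account, 0 = built-in Administrator
    AutomaticAccountManagementNameOrPrefix  = 'lapsadm'  # placeholder prefix
    AutomaticAccountManagementRandomizeName = 1          # random suffix: the name differs per device
    AutomaticAccountManagementEnableAccount = 1
    PasswordComplexity                      = 6          # 6 = passphrase (long words); 5 = chars with improved readability
    PassphraseLength                        = 6          # words per passphrase
    PostAuthenticationResetDelay            = 24         # hours after the managed account authenticates
    PostAuthenticationActions               = 11         # reset password + log off + terminate remaining processes
}
foreach ($kv in $settings.GetEnumerator()) {
    $type = if ($kv.Value -is [string]) { 'String' } else { 'DWord' }
    New-ItemProperty -Path $lapsPolicy -Name $kv.Key -Value $kv.Value -PropertyType $type -Force | Out-Null
}

# Image rollback detection needs msLAPS-CurrentPasswordVersion in the schema. The current
# Update-LapsADSchema adds it; run once per forest as a Schema Admin.
Update-LapsADSchema -Verbose

# Confirm the attribute is now present in the schema partition.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=msLAPS-CurrentPasswordVersion)' -Properties lDAPDisplayName
if (-not $attr) { throw 'msLAPS-CurrentPasswordVersion missing: schema update did not apply' }

# Force a processing cycle on this client and read back the version marker AD holds
# for it; after a rollback, the next cycle sees a mismatch and rotates immediately.
Invoke-LapsPolicyProcessing
Get-ADComputer -Identity $env:COMPUTERNAME `
    -Properties 'msLAPS-CurrentPasswordVersion', 'msLAPS-PasswordExpirationTime' |
    Select-Object Name, 'msLAPS-CurrentPasswordVersion', 'msLAPS-PasswordExpirationTime'
```

`Get-LapsDiagnostics` on the client collects the event log entries produced by a processing cycle, including the expanded post-authentication action messages, which is the quickest way to confirm that value 11 actually logged off the account and killed its remaining processes rather than only resetting the password.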
Rust in the Windows kernel
There is a new implementation of the GDI region in win32kbase_rs.sys. Since Rust offers advantages over traditional programs written in C/C++ in terms of reliability and security, you will continue to see more usage in the kernel.
Personal Data Encryption (PDE) for folders
PDE for folders is a security feature that protects the contents of the known Windows folders (Documents, Desktop and Pictures) with a user-authenticated encryption mechanism. Windows Hello is the user authentication that releases the keys used to encrypt the data in these folders. PDE for folders can be enabled through an Intune policy: IT administrators select all of the folders or a subset and apply the policy to a group of users in the organization. The PDE for folders settings are in Intune under Endpoint security > Disk encryption.
Further information on PDE can be found under Overview of PDE.
Windows-protected print mode
In Windows protected print mode, a device can print only through the modern Windows print stack built for Mopria-certified printers, so third-party printer software installers are no longer needed. To enable Windows protected print mode:
- Go to Settings > Bluetooth & devices > Printers & scanners and select Set up under Windows protected print mode.
- Or enable the Configure Windows protected print policy in Group Policy under Computer Configuration > Administrative Templates > Printers
SHA-3 support
Support has been added for the SHA-3 family of hash functions and the functions derived from SHA-3 (SHAKE, cSHAKE, KMAC). SHA-3 is the latest hash function family standardized by the National Institute of Standards and Technology (NIST), in FIPS 202, with the derived functions in SP 800-185. The functions are exposed through the Windows CNG library (BCrypt).
- Supported SHA-3 hash functions: SHA3-256, SHA3-384, SHA3-512 (SHA3-224 is not supported)
- Supported SHA-3 HMAC algorithms: HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512
- Supported SHA-3 derived algorithms: extendable-output functions (XOFs) SHAKE128 and SHAKE256, customizable XOFs cSHAKE128 and cSHAKE256, and KMAC (KMAC128, KMAC256, KMACXOF128, KMACXOF256)
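The following is an added example, not from the Microsoft release notes, that exercises the new SHA-3 support from PowerShell 7.4 or later (.NET 8). On Windows, the .NET `SHA3_256`, `HMACSHA3_256` and `Shake128` types are wrappers over the CNG provider, so their `IsSupported` property is false on builds before 24H2 and true afterwards. The input `abc` and its SHA3-256 known-answer value come from the FIPS 202 test vectors; the key bytes are constructed for the example and the function names are its own.

```powershell
# Added example (not Microsoft's code): SHA-3, HMAC-SHA3 and SHAKE128 via .NET 8 over CNG.
# Requires PowerShell 7.4+; Windows PowerShell 5.1 (.NET Framework) has no SHA-3 types.
using namespace System.Security.Cryptography

function Test-Sha3Support {
    # Each IsSupported reflects whether the OS CNG provider offers the algorithm.
    [pscustomobject]@{
        'SHA3-256' = [SHA3_256]::IsSupported
        'SHA3-384' = [SHA3_384]::IsSupported
        'SHA3-512' = [SHA3_512]::IsSupported
        'SHAKE128' = [Shake128]::IsSupported
        'SHAKE256' = [Shake256]::IsSupported
    }
}

function ConvertTo-Hex([byte[]] $Bytes) {
    [System.Convert]::ToHexString($Bytes).ToLowerInvariant()
}

if (-not [SHA3_256]::IsSupported) {
    throw 'SHA-3 is not available from CNG on this build (needs Windows 11 24H2 or later)'
}

$msg = [System.Text.Encoding]::ASCII.GetBytes('abc')

# 1. Plain hash, checked against the FIPS 202 known-answer value for SHA3-256("abc").
$digest = ConvertTo-Hex ([SHA3_256]::HashData($msg))
$kat    = '3a985da74fe225b2045c172d6bd390bd855f086e3e9d525b46bfe24511431532'
if ($digest -ne $kat) { throw "SHA3-256 known-answer mismatch: $digest" }

# 2. HMAC-SHA3-256 with a constructed 32-byte key.
$key = [byte[]](1..32)
$mac = ConvertTo-Hex ([HMACSHA3_256]::HashData($key, $msg))

# 3. SHAKE128 as an XOF: same input, caller-chosen output length. A shorter output is a
#    prefix of a longer one, which is what makes an XOF usable as a KDF-style primitive.
$x16 = ConvertTo-Hex ([Shake128]::HashData($msg, 16))
$x64 = ConvertTo-Hex ([Shake128]::HashData($msg, 64))
if (-not $x64.StartsWith($x16)) { throw 'SHAKE128 prefix property violated' }

Test-Sha3Support
[pscustomobject]@{ 'SHA3-256' = $digest; 'HMAC-SHA3-256' = $mac; 'SHAKE128/16' = $x16; 'SHAKE128/64' = $x64 }
```

.NET 8 exposes SHA-3, HMAC-SHA3 and SHAKE but not cSHAKE; the KMAC types arrived with .NET 9 (PowerShell 7.5). For cSHAKE, or from native code, call the BCrypt API directly with the new algorithm identifiers.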
App Control for Business
Customers can now leverage App Control for Business (formerly Windows Defender Application Control) and next-generation capabilities to protect their digital assets from malware. With App Control for Business, IT teams can configure what runs in a business environment through Microsoft Intune or other MDMs in the management console, including setting up Intune as a managed installer. For more information, see App Control for Windows.
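The following is an added example, not from the Microsoft release notes or Intune's own tooling, that builds an App Control for Business policy locally from Microsoft's DefaultWindows template, deploys it in audit mode with the managed installer option switched on, and reads the resulting audit events. This is the pilot step before handing the same XML to Intune. The template path, rule option numbers, `CiTool` usage and event ID 3076 are the documented ones; the policy name and working directory are this example's own.

```powershell
# Added example (not Microsoft's code): pilot an App Control for Business policy in audit mode.
#Requires -RunAsAdministrator

$template = 'C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml'
$work     = Join-Path $env:TEMP 'appcontrol-pilot'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$xml = Join-Path $work 'CorpBaseAudit.xml'
Copy-Item -Path $template -Destination $xml -Force

# Give the copy its own PolicyID so it deploys in multiple-policy format and does not
# collide with another base policy later delivered by Intune.
Set-CIPolicyIdInfo -FilePath $xml -ResetPolicyID -PolicyName 'Corp-Base-Audit' | Out-Null

# Rule options:
#   3  Enabled:Audit Mode                      log what would be blocked, block nothing
#   6  Enabled:Unsigned System Integrity Policy acceptable while piloting; sign before enforcing
#   13 Enabled:Managed Installer               trust binaries installed by the managed installer
#                                             (Intune Management Extension, once its AppLocker rule is in place)
#   16 Enabled:Update Policy No Reboot
foreach ($opt in 3, 6, 13, 16) { Set-RuleOption -FilePath $xml -Option $opt }

# Compile to binary, named after the PolicyID (already brace-wrapped in the XML), and activate.
$policyId = ([xml](Get-Content -Path $xml -Raw)).SiPolicy.PolicyID
$cip      = Join-Path $work "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $cip | Out-Null
citool.exe --update-policy $cip --json

# What would have been blocked: event 3076 in the Code Integrity operational channel.
# 3077 is the enforced-block counterpart you expect to see after option 3 is removed.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Let the 3076 events accumulate across the pilot group, fold the legitimate binaries they name into supplemental rules, and only then remove option 3 (and option 6, after signing the policy) for enforcement. Option 13 does nothing on its own: the managed installer is only trusted once the matching AppLocker managed-installer rule for the Intune Management Extension is also deployed.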
Support for Wi-Fi 7
Support for Wi-Fi 7 has been added for consumer access points. Wi-Fi 7, also known as IEEE 802.11be Extreme Throughput (EHT), is the latest Wi-Fi technology that provides unprecedented speed, reliability and efficiency for wireless devices. For more information on Wi-Fi 7, see the Wi-Fi Alliance announcement.
Bluetooth® LE Audio support for hearing aids
Users with LE Audio-capable hearing aids can now pair them directly with an LE Audio-enabled PC, stream audio, take calls and control audio presets. Go to Settings > Accessibility > Hearing aids to check whether the PC supports LE Audio and to configure and manage the hearing aids. For more information, see Using hearing aids with your Windows 11 PC.
Windows location improvements
New controls have been added to manage which apps can access the list of nearby Wi-Fi networks, which can be used to determine your location.
- Under Settings > Privacy & security > Location you can view and change which apps can access the list of Wi-Fi networks.
- A new prompt will appear the first time an app tries to access your location or Wi-Fi information.
- The prompt also notifies you if an app unexpectedly requests access to location services so that you can deny it.
- If you grant permission, apps that use location or Wi-Fi information will now appear on the Location settings page under Recent activity, and the location icon will appear on the taskbar while the app is in use.
- To hide these prompts while location is turned off, turn off Notify me when apps request location on the Location settings page.
- Developers can use the article Changes to API behavior for Wi-Fi access and location to learn more about API interfaces affected by this change.
Sudo for Windows
Sudo for Windows is a new way to run commands with elevated privileges (as administrator) directly from an unelevated console session. The sudo command can be configured to run in one of three modes:
- In a new window: The command with elevated rights is executed in a new window. This mode is similar to the behavior of the runas /user:admin command.
- With input disabled: Executes the process with elevated rights in the current window, but the input handle is closed. This means that the process with elevated rights cannot receive any input from the current console window.
- Inline: Runs the process with elevated privileges in the current window, and the process can receive input from the current console session. This mode is most similar to the sudo experience on other platforms.
It is recommended that you review the security considerations for each mode here before enabling the sudo command on your computer. For more information, see Sudo for Windows.
Activate optional updates
In addition to the monthly cumulative updates, optional updates are available to provide new features and non-security related changes. Most optional updates are released on the fourth Tuesday of the month and are referred to as optional, non-security preview releases. Optional updates may also contain features that are introduced in stages, known as Controlled Feature Rollouts (CFRs). The installation of optional updates is not enabled by default for devices that receive updates via Windows Update for Business. However, you can enable optional updates for devices using the Enable optional updates policy.
Improvements to the remote desktop connection
The Remote Desktop Connection has the following improvements:
- The Remote Desktop Connection window (mstsc.exe) honors the text scaling setting under Settings > Accessibility > Text size.
- Remote Desktop Connection supports zoom levels of 350, 400, 450 and 500%
- The design of the connection bar has been improved
Further functions
- File Explorer: The following changes have been made to the File Explorer context menu:
- Support for creating 7-Zip and TAR archives
- Compress to > Additional options lets you compress individual files with gzip, bzip2, xz or Zstandard
- Labels have been added to the context menu icons for actions such as copy, paste, delete and rename
- OOBE enhancement: If you need to connect to a network and there are no Wi-Fi drivers available, you will be given the option Install drivers to install drivers that have already been downloaded.
- Registry Editor: Registry Editor can restrict a search to the currently selected key and its subkeys.
- Task Manager: The Task Manager settings page uses Mica material and has a redesigned icon
Developer APIs
The following developer APIs have been added or updated:
- Introduction of the Power Grid Prediction API. App developers can minimize the impact on the environment by shifting background workloads to times when renewable energy is available for the local grid. Forecast data is not available globally and the quality of data can vary by region.
- Added a GUID for the power saving notification callback setting to represent the new power saving experience. Apps can subscribe to power saving statuses by passing the corresponding GUID to the PowerSettingRegisterNotification API and implement different behaviors to optimize power or performance depending on the current power saving status. For more information, see Power Setting GUIDs
- The effective power mode API has been extended to interpret the new power saving levels when determining the returned effective power mode.
Features removed in Windows 11 version 24H2
The following deprecated features will be removed in Windows 11 version 24H2:
- WordPad: WordPad will be removed from all editions of Windows from Windows 11, version 24H2 and Windows Server 2025.
- AllJoyn: Microsoft’s implementation of AllJoyn, which included the Windows.Devices.AllJoyn API namespace, a Win32 API, a Management Configuration Service Provider (CSP), and an AllJoyn Router Service, is being discontinued.
Conclusion
Windows 11 version 24H2 delivers improvements in security, connectivity and user convenience. With support for Wi-Fi 7, new data-protection features and practical additions such as energy saver, the update aims to raise productivity and simplify system management. Overall, this version gives organizations a stable foundation that meets modern requirements for flexibility and security.