On 1 October 2024 Microsoft released the latest Windows 11 feature update. The focus of Windows 11 24H2 is on stability and reliability. This update comes with 36 months of support for Enterprise and Education editions. As with every feature update, Microsoft also shipped new features and capabilities:
Windows LAPS Improvements
With Windows 11 24H2, Windows LAPS gets an automatic account management feature. It is now possible to let LAPS create the managed local administrator account itself, define its name (or a name prefix that is randomised), and enable or disable the account. Compared to previous versions of Windows 11 this is a big step forward: it removes the need for a custom script or Intune proactive remediation just to create the local admin user that LAPS then manages. On top of that there are new settings for the password complexity: passphrases (with a configurable PassphraseLength in words) and an improved-readability option that avoids easily confused characters.
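The following PowerShell is an added example, not code from the original post or from Microsoft: it shows the whole set of Windows LAPS automatic account management and passphrase settings applied to a lab device and then verified. It assumes the registry value names under HKLM\SOFTWARE\Microsoft\Policies\LAPS match the Windows LAPS policy CSP/ADMX names (verify against your ADMX before relying on them); the account prefix `lapsadm` and the rotation values are arbitrary choices for the example. In production, deploy the same settings through the Intune LAPS settings catalog or GPO instead of writing the policy key by hand.

```powershell
# Added example (not from the original post): configure Windows LAPS automatic
# account management and passphrase complexity on a 24H2 lab device, then verify.
# ASSUMPTION: registry value names follow the Windows LAPS policy CSP/ADMX under
# HKLM\SOFTWARE\Microsoft\Policies\LAPS. Writing this key directly is for a lab
# test only; in production deploy via Intune settings catalog or GPO.
#Requires -RunAsAdministrator

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }

$settings = @{
    BackupDirectory                         = 1          # 1 = Microsoft Entra ID, 2 = Active Directory
    AutomaticAccountManagementEnabled       = 1          # let LAPS create and manage the local admin
    AutomaticAccountManagementTarget        = 1          # 1 = new custom managed account, 0 = built-in Administrator
    AutomaticAccountManagementNameOrPrefix  = 'lapsadm'  # example prefix; LAPS appends a random suffix when RandomizeName = 1
    AutomaticAccountManagementRandomizeName = 1
    AutomaticAccountManagementEnableAccount = 1          # 1 = account enabled, 0 = created but left disabled
    PasswordComplexity                      = 6          # 6 = passphrase (long words); 5 = characters, improved readability
    PassphraseLength                        = 6          # number of words in the passphrase (3-10)
    PasswordAgeDays                         = 30
    PostAuthenticationResetDelay            = 4          # hours after the password was used before it is rotated
    PostAuthenticationActions               = 3          # 3 = reset password and log off the managed account
}

foreach ($name in $settings.Keys) {
    $value = $settings[$name]
    $type  = if ($value -is [string]) { 'String' } else { 'DWord' }
    New-ItemProperty -Path $policyKey -Name $name -Value $value -PropertyType $type -Force | Out-Null
}

# Apply immediately instead of waiting for the next LAPS policy processing cycle
Invoke-LapsPolicyProcessing

# Verify: the managed account exists with the expected prefix, and the LAPS
# operational log records the account creation and the password backup.
Get-LocalUser |
    Where-Object { $_.Name -like "$($settings.AutomaticAccountManagementNameOrPrefix)*" } |
    Select-Object Name, Enabled, LastLogon

Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents 15 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

The device must be Microsoft Entra joined (BackupDirectory 1) or domain joined (BackupDirectory 2) for the backup to succeed; on a workgroup machine the operational log will show the creation but a backup error. Passphrase mode is the setting to prefer over long random strings when the password is meant to be read from the portal and typed at a console.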
New Update Process
In the latest version of Windows 11, Microsoft introduced "checkpoint cumulative updates". Previously, every cumulative update contained all changes since the Release to Manufacturing (RTM) build, which served as the baseline for each update; packages therefore grew steadily over the lifetime of a release. With checkpoint cumulative updates Microsoft periodically sets a new baseline: a checkpoint carries the full set of changes up to that point, and each subsequent cumulative update contains only the differences since the last checkpoint. Update packages become smaller and faster to download and install, which improves the overall user experience. A device that is several checkpoints behind receives the missing checkpoint(s) together with the latest update; when servicing offline images with DISM, the checkpoint package(s) and the latest cumulative update therefore need to be available together.
Personal Data Encryption for Folders
Personal Data Encryption (PDE) is a security mechanism that protects the known folders. With this feature the contents of a user's Desktop, Documents and Pictures folders are encrypted with a key that is bound to the user's Windows Hello for Business (WHfB) sign-in, so the user has to authenticate with WHfB to get access to them. Unlike BitLocker, which encrypts entire volumes and releases the encryption key at system boot, PDE encrypts individual files and releases the key only when the user signs in with Windows Hello for Business. This file-level protection adds a second layer on top of BitLocker: a local administrator on the device cannot read another user's PDE-protected files, because the key is never released without that user's WHfB authentication. The prerequisite is that Windows Hello for Business is actually deployed and used by the user; without it, PDE cannot protect the folders.
Local Security Authority (LSA) protection enablement on upgrade
LSA protection helps protect against theft of secrets and credentials used for logon by preventing unauthorised code from being loaded into the LSA process and by preventing its process memory from being dumped. Starting with this upgrade, Windows audits for incompatibilities with LSA protection (for example unsigned authentication packages or plug-ins that would be loaded into LSASS) for a period of time. If no incompatibilities are detected, LSA protection is enabled automatically. The enablement state can be checked and changed in the Windows Security app under Device security > Core isolation > Local Security Authority protection.
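To see where a device stands in that audit-then-enable process, here is an added PowerShell check (not code from the original post): it reads the RunAsPPL state, pulls the audit events that the LSA compatibility audit writes to the CodeIntegrity operational log (event IDs 3065 and 3066, which Microsoft documents for LSA protection audit mode), and opts in explicitly when the audit is clean but protection is still off. The 14-day window and the choice of RunAsPPL value 2 (protected, not UEFI-locked) are the example's own decisions.

```powershell
# Added example (not from the original post): report LSA protection (RunAsPPL)
# state, surface the audit findings that would block automatic enablement on
# 24H2, and enable protection explicitly if the audit is clean.
# Event IDs 3065/3066 in Microsoft-Windows-CodeIntegrity/Operational are the
# documented audit-mode events for code that does not meet LSA's requirements.
#Requires -RunAsAdministrator

function Get-LsaProtectionState {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    $runAsPpl = $lsa.RunAsPPL
    $state = switch ($runAsPpl) {
        1       { 'Enabled (UEFI-locked)' }      # cannot be turned off by a registry change alone
        2       { 'Enabled (not UEFI-locked)' }  # 22H2+: removable via registry or Windows Security
        default { 'Disabled' }
    }
    [pscustomobject]@{
        RunAsPPL     = $runAsPpl
        RunAsPPLBoot = $lsa.RunAsPPLBoot         # pending value that applies at next boot, if present
        State        = $state
    }
}

function Get-LsaAuditFindings {
    param([int]$Days = 14)
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3065, 3066
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Each event names the image that LSASS was allowed to load only because audit mode is on
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$state = Get-LsaProtectionState
$state | Format-List

$findings = @(Get-LsaAuditFindings)
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) LSA audit event(s) in the last 14 days; fix or remove these components before enabling protection:"
    $findings | Format-Table -Wrap
}
elseif ($state.RunAsPPL -notin 1, 2) {
    # Audit is clean but protection is still off: opt in now rather than waiting.
    # Use value 1 (UEFI lock) only once every authentication package and driver
    # that touches LSASS is known to be signed for it, because 1 cannot be undone remotely.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -Value 2 -Type DWord
    Write-Host 'RunAsPPL set to 2; a reboot is required for LSA protection to take effect.'
}
else {
    Write-Host "LSA protection already active: $($state.State)"
}
```

Typical findings are third-party credential providers, smart-card middleware and older security agents; those are exactly the components that would otherwise stop the automatic enablement, so the event list is the remediation backlog.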
For more information about the Update check out: https://learn.microsoft.com/en-us/windows/whats-new/whats-new-windows-11-version-24h2
New Security Baselines
Microsoft Security Baselines are predefined sets of security configurations and settings developed by Microsoft to help organizations secure their Windows environments and other Microsoft products such as Microsoft Office and Microsoft Edge. These baselines are designed to simplify the process of securing systems by providing a standardized, best-practice configuration that can be easily applied and managed.
A new Windows version provides an excellent opportunity to review and update your current security and configuration policies, adjust settings for new features, and remove any deprecated configurations. Additionally, it’s essential to establish a well-planned, efficient, and reliable update strategy, leveraging all the capabilities Microsoft Intune offers to support this process.
Alongside Windows 11 24H2, Microsoft released new Security Baselines. Compared to the Windows 11 23H2 Security Baseline, numerous new settings have been added for the following features.
Sudo Command
The newly introduced sudo command can now be configured through policy, including how it operates (disabled, force new window, input disabled, or inline). As in Linux environments, sudo can become a privilege-escalation vector if it is misconfigured; Microsoft's own documentation flags the inline mode, in which the elevated process shares the console of the unelevated caller, as the mode that weakens the boundary between the two. Microsoft disables sudo in its Windows 11 24H2 baseline.
If your users don't need the sudo command, we recommend leaving it disabled.
Mark of the Web
After some discussion about the Mark of the Web (MotW), a new setting was added to the security baseline: "Do not preserve zone information in file attachments" is enforced as Disabled, which means that zone information (the MotW) is kept on files that are copied from a network share or downloaded to the local file system. File shares that are trusted can of course still be mapped into the Local Intranet or Trusted Sites zones via site-to-zone assignment, so their files are not treated as untrusted.
Microsoft Defender Antivirus
Multiple Microsoft Defender Antivirus features are now enabled by default in the baseline: Endpoint Detection and Response (EDR) in block mode, real-time protection and security intelligence updates during OOBE (so Defender is already up to date while the device is being set up), and scanning of excluded files and directories during quick scans. The baseline now also explicitly configures the visibility of AV exclusions to local users, which the original setting left to the default (visible).
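Rather than three separate snippets, the following added PowerShell (not code from the original post or from Microsoft) verifies all three baseline changes discussed above (sudo, Mark of the Web, Defender) on a 24H2 device, and then shows what the MotW actually is at the file-system level. It assumes the sudo policy lives at HKLM\SOFTWARE\Policies\Microsoft\Windows\Sudo in a value named Enabled (0 = disabled, 3 = inline), following the "Configure the behavior of the sudo command" ADMX, and that QuickScanIncludeExclusions and HideExclusionsFromLocalUsers are Get-MpPreference properties on current Defender builds; the SaveZoneInformation value under the Attachments policy key (1 = do not preserve, 2 = preserve) is the documented registry backing of the MotW policy.

```powershell
# Added example (not from the original post): check that the 24H2 baseline
# settings for sudo, Mark of the Web and Defender are in effect on this device,
# then demonstrate the Zone.Identifier stream that "Mark of the Web" refers to.
# ASSUMPTIONS: sudo policy key/value name; QuickScanIncludeExclusions and
# HideExclusionsFromLocalUsers as Get-MpPreference properties.
#Requires -RunAsAdministrator

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $item.$Name
}

# Each row: what the baseline expects vs. what the device reports
$checks = @(
    [pscustomobject]@{
        Setting  = 'Sudo: "Configure the behavior of the sudo command"'
        Expected = 0     # 0 = Disabled (baseline); 3 = inline, the mode to avoid
        Actual   = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sudo' 'Enabled'
    }
    [pscustomobject]@{
        Setting  = 'MotW: "Do not preserve zone information in file attachments"'
        Expected = 2     # 2 = policy Disabled, i.e. zone information IS preserved
        Actual   = Get-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments' 'SaveZoneInformation'
    }
)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$checks += [pscustomobject]@{ Setting = 'Defender: running mode';                   Expected = 'Normal or EDR Block Mode'; Actual = $status.AMRunningMode }
$checks += [pscustomobject]@{ Setting = 'Defender: real-time protection';           Expected = $true;   Actual = $status.RealTimeProtectionEnabled }
$checks += [pscustomobject]@{ Setting = 'Defender: signature age (days)';           Expected = '<= 1';  Actual = $status.AntivirusSignatureAge }
$checks += [pscustomobject]@{ Setting = 'Defender: scan exclusions in quick scan';  Expected = 1;       Actual = $pref.QuickScanIncludeExclusions }
$checks += [pscustomobject]@{ Setting = 'Defender: hide exclusions from local users'; Expected = 'per baseline'; Actual = $pref.HideExclusionsFromLocalUsers }

$checks | Format-Table -AutoSize -Wrap

# sudo reports its effective mode itself; only present on 24H2
if (Get-Command sudo.exe -ErrorAction SilentlyContinue) { & sudo.exe config }

# What MotW actually is: an NTFS alternate data stream named Zone.Identifier.
# Constructed sample: create a file the way a download from the Internet zone leaves it.
$sample = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -Path $sample -Value 'constructed sample file'
Set-Content -Path $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"   # 3 = Internet zone

Get-Content -Path $sample -Stream Zone.Identifier      # the mark SmartScreen, Office and PowerShell act on
Get-Item -Path $sample -Stream * | Select-Object Stream, Length

Unblock-File -Path $sample                            # deletes the stream, same as "Unblock" in Explorer
(Get-Item -Path $sample -Stream *).Stream             # only ':$DATA' remains
Remove-Item -Path $sample
```

Run the check on a pilot device after the baseline profile has applied; a blank Actual column means the policy is not present at all, which is different from it being set to the wrong value. The Zone.Identifier part is worth keeping in a test plan, because "preserve zone information" is only meaningful on NTFS volumes, and files copied to FAT/exFAT media lose the mark silently.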
An overview of all security baseline settings can be found in the Microsoft Security Compliance Toolkit.
Managing security baselines is a never-ending topic, since they receive updates with every new release of Windows 10/11, Microsoft Edge, Windows Server or the Microsoft 365 Apps.
Release cadence of the Microsoft Baselines
- Microsoft Windows: once per year
- Microsoft Office: twice per year (although no new baseline has been released since v2306)
- Microsoft Edge Stable: every major release, usually every month
- Microsoft Edge Extended Stable: every major release, usually every second month
Continuous Evaluation of Policies
The key to keeping your policies up to date is to regularly review and evaluate them. Every cycle starts with defining settings and exclusions and updating the documentation accordingly; this phase is crucial, as it forms the foundation for an effective policy update process.
- Review Microsoft Security Baseline updates
  - Read the Microsoft Security Baselines blog post for the release
  - Review the release notes shipped with the Security Compliance Toolkit
- Refine settings and exclusions, update documentation
  - Define the settings and exclusions for this cycle and document them before anything is built
- Prepare pilot targeting for GPO or Intune via OU or security group
  - After defining settings and exclusions, prepare pilot targeting and deployment
- Create policies and profiles
  - Set up the required policies and exclusions based on the documentation
- Identify and adjust potentially problematic settings
  - Challenge as many settings as possible so that you end up with as few exclusions or deviations as possible
  - Configure exclusions only where explicitly required due to potential business impact
- Deploy profiles to test endpoints and users
  - Identify test users and groups (these should include business users, not only IT)
  - Deploy the policies to the test endpoints and users
- Testing
  - With the right feedback process you will get a lot of valuable feedback from your users, which you can use to improve and refine your policies again
Once Microsoft releases new Security Baselines, the whole cycle starts over again. That is the whole process from a high-level perspective.
How to Update to Windows 11 24H2
As mentioned in the intro, a well-developed, efficient and reliable update strategy is key to a seamless upgrade to Windows 11 24H2 within your organisation. Adjust the deployment times (*) shown in the picture above to your individual business needs.
Microsoft Intune provides several settings to configure the behavior and end user experience for installing updates.
Windows Update for Business (WUfB) plays an important role in keeping Windows devices up to date.
With the feature update deployment policy, it is possible to configure a granular rollout of the newest Windows 11 release. In addition, many organisations already fulfil the licence requirements for Windows Autopatch (Windows 10/11 Enterprise E3+ or F3), which takes the upgrade process to the next level: the complete rollout can be planned using deployment waves.
Useful Features within Windows Update for Business
With the Intune service release 2405, Microsoft introduced a useful addition to feature update policies: admins can now offer a feature update as an optional update, so users decide themselves when they are ready to install it.
Intune Admin Portal
End-user experience
With the above configuration in place, the user receives a toast notification when the update is available.
How baseVISION can support you on your Windows Upgrade Journey
Upgrading Windows and updating security policies, like Microsoft Security Baselines or CIS Baselines, can feel like a hassle, but don't worry, we've got you covered.
Our Client Update Management Concept is reliable, efficient, and easy to customize, making updates a breeze. Whether you need help deploying Windows updates, refreshing your security baselines, rolling out new policies, or transitioning from Microsoft Security Baselines to CIS, our experts are here to support you.
Let us take the stress out of updates so you can focus on what matters most.