Microsoft has released the next version of Windows 11 client operating system. It has some really good features built into the OS that will not only help end users, but will also help admins to more effectively manage and deploy client operating systems for end users. The enhancements include new features for security and manageability. Let’s look at the top features that admins will be excited about.
Available now
This update is now available through the normal distribution channels, including WSUS, Windows Update for Business, and the Microsoft 365 admin center.
Windows Hello works with passkeys
Passkeys are a more secure and phish resistant multi-factor authentication. When you register with an online service or setup your device with a Microsoft Entra account using a passkey, a new cryptographic keypair is generated. The private key is securely stored on your Windows 11 24H2 device and the public key is stored with the online service.
The Windows device first proves it possesses the private key only after using Windows Hello and unlocking using your face, fingerprint or PIN.
With PCs that already come with 24H2 installed, virtualization-based security is on by default that isolates credentials outside the operating system in a secured container.
Windows Local Administrator Password Solution (LAPS) Enhancements
One of the standout security enhancements in Windows 11 24H2 is the improvement of the Local Administrator Password Solution (LAPS). This solution now includes automatic account management and other features that include the ability to:
- Automatically create the account to be managed locally
- Name the managed account
- Disable or Enable the account
- Create a random name for the account
- Use passphrases for LAPS passwords using better passphrases
- Implement improvements to the post-authentication actions for LAPS
Key takeaways on LAPs improvements
LAPS has long been a tool that admins have used for easier management and more secure local account passwords. However, it has had its share of challenges with historical implementations of LAPS. The new features simplify the management of local admin credentials by automating the creation, rotation, and management of these accounts.
With the new features, IT admins will no longer have to rely on manual processes to make sure their local admin passwords are unique and regularly rotated. The automatic account features also make auditing easier and make it easier to track changes and access to local admin accounts.
Personal Data Encryption (PDE)
Personal Data Encryption is a new feature that is included in Windows 11 Enterprise and EDU editions of 24H2 that uses Windows Hello for Business authentication and creates a personal encryption key for that specific user to encrypt their Documents, Desktop, and Pictures folders.
As a side note about PDE as well, this is a layer of encryption on top of BitLocker Encryption or any other type of volume-level encryption.
Also, if a workstation is shared between users, even when another user, who is an administrator, browses to the folders of the other user with PDE enabled, they will be able to see the files, but if they attempt to access the files, they will not be able to.
These settings can be enabled using Microsoft Intune managed devices using policy.
Key takeaways for admins
The extra layer of security that is enabled with PDE will help organizations and admins protect sensitive data and make sure it remains encrypted even if a device is compromised by an attacker, or malicious user. Since admins can easily control turning on PDE with Microsoft Intune, they can easily reduce the risk of compromise and also make sure of compliance with data protection regulations and governance requirements.
This feature will be especially helpful in highly sensitive business sectors like finance, healthcare, and government, where the protection of sensitive information is extremely important.
App Control for Business
App Control for Business is a technology that is previously known as Windows Defender Application Control. It has been enhanced in the 24H2 update to provide IT pros with better protection against malicious code. It can restrict the types of apps that users can run and the code that runs in the system kernel. App control can also block unsigned scripts and MSI files. You can also use it to run Windows PowerShell in Constrained Language Mode which enables additional restrictions.
Key takeaways for admins
Microsoft continues to improve App Control for Business and allowing admins to have better tools to manage allow lists and block lists with applications so that only trusted apps can run. Attackers are continually trying to use malicious apps and code to compromise end-user systems. The new controls in App Control for Business give IT admins stricter policies to work with, and help to improve security across the organization.
SMB Protocol changes and enhancements
The Server Message Block (SMB) protocol has been around for decades and is heavily used in Windows environments. It is also a protocol that in early versions was very insecure and had many vulnerabilities. Microsoft has been working to improve the security stance of SMB in the enterprise with newer implementations of the protocol.
Windows 11 24H2 introduces many updates to the Server Message Block (SMB) protocol. These improvements include changes in firewall rules, support for NTLM blocking, and there are also new features like SMB over QUIC, which is an alternative to TCP.
Key takeaways for admins
The new protocol changes with SMB will provide admins with new tools to secure file-sharing systems and also improve network performance for file shares. SMB over QUIC also allows secure file sharing over the Internet without having to use something like a VPN. This will be especially beneficial in today’s very hybrid work environments.
NTLM blocking will also help to improve security by mitigating risks of legacy authentication protocols. However, admins will need to implement these changes after carefully auditing existing applications and protocols to make sure legacy authentication mechanisms and file protocols are no longer needed or required.
Rust in the Windows Kernel
Microsoft has integrated Rust programming language into the Windows kernel in this update. Rust is a programming language that is known for its memory safe features. These features help eliminate certain types of vulnerabilities that attackers might try to take advantage of, such as buffer overflows and null pointer dereferences.
Key takeaways for admins
Microsoft incorporating Rust in the Windows kernel is definitely a step in the right direction to help make the Windows kernel more secure and stable. With Rust implemented, admins can expect fewer problems and have a more stable operating system environment. This will help to manage large scale device deployments where if you have a kernel vulnerability, it may have a widespread security impact for an organization.
Rust will probably undoubtedly allow for many more improvements to come in stability, performance, and security in the Windows operating system.
Support for Wi-Fi 7 and Bluetooth LE audio
Windows 11 24H2 brings with it support for Wi-Fi 7 and also enhancements with Bluetooth LE audio. This will help to bring compatibility with the latest Wi-Fi standards and Bluetooth device connectivity.
Key takeaways for admins
For admins servicing enterprise clients, the added support for Wi-Fi 7 will mean faster network speeds for clients and more reliable networks. With more employees working from hybrid locations it will mean users will have access to the latest connectivity standards. The Bluetooth enhancements offer more control over audio settings, and easier management for audio peripherals for users needing accessibility with Bluetooth devices.
Windows Protected Print Mode
The new Windows Protected Print Mode is a new mode that allows devices to print using the Windows modern print stack. It uses the Morpia certified printers that means you no longer need third-party software installers and can print securely to Morpia-certified printers. When you enable the Protected Print mode, the OS deletes all the traditional printer drivers and will no longer be used or useable.
Attackers commonly abuse printer ports and DLLs associated with printing to load malicious code. They have in the past been able to trick the Spooler service into loading malicious code. With Protected Print Mode this is no longer possible.
Key takeaways for admins
Printing has always been a challenge for admins, in terms of drivers and security. Now with Protected Print mode, organizations will have additional tools to help manage printers and eliminate many of the security vulnerabilities associated with drivers and other printer applications.
It means IT admins can now secure print settings without any third-party solutions involved. This will simplify and streamline the overall print management process. It will also help with securing printing for highly regulated industries like legal, healthcare, and finance.
Administrative Tools and Deployment Updates
Windows 11 24H2 includes updates to many of the deployment and management tools that admins have used. The new list of updated tools includes the following:
- Windows 11 version 24H2 security baseline
- Administrative templates for Windows 11 version 24H2
- Group Policy settings reference spreadsheet for Windows 11 24H2
- Remote Server Administration Tools (RSAT)
- Windows 11 Enterprise Evaluation
- Windows 11 version 24H2 update history
- Windows release health
Key takeaways
The updated security baseline and Group Policy templates will help to simplify the management of security policies across the organization. It will help admins with compliance with best practices objectives. The enhancements to RSAT tools will help manage Windows Server roles and features directly from Windows 11 devices.
Wrapping up
There are many great new features in Windows 11 24H2 that will help to improve the overall experience with Windows 11. However, a large number of improvements have been made that will help assist admins with the challenges of managing hybrid environments. Windows 11 24H2 includes many great security and management improvements.
The LAPS improvements, SMB protocol updates, app control features, Protected Print Mode, and other administrative features in Windows 11 24H2 are great advancements that provide good reasons for admins to look at upgrades for their Windows clients. It will provide new ways to protect corporate data and devices and streamline administrative tasks that come with managing a large-scale Windows environment.
