On October 1, 2024, Microsoft began the gradual rollout of the Windows 11 2024 Update (version 24H2) for consumers as well as for organizations, and while new releases of the operating system usually focus on new features and improvements for consumers, the company is also pushing various changes to improve the operating system for businesses and large organizations.
As part of the initial rollout, the feature update is available for consumers with eligible devices running Windows 11 Home and Pro. Also, the company is making the new version available through Windows Server Update Services, Configuration Manager, Windows Update for Business, and the Microsoft 365 admin center.
In addition, for organizations, the new version for Windows 11 Enterprise and Education editions will receive support for 36 months. On the other hand, the Pro and Home editions receive 24 months of support.
Furthermore, on October 1, 2024, Microsoft also made available the Windows 11 Enterprise LTSC 2024 (or Long-Term Servicing Channel) with support for five years, while the Windows 11 IoT Enterprise LTSC 2024 will be supported for ten years.
In this guide, I will outline the most interesting changes that Microsoft is promoting for the Windows 11 2024 Update for organizations.
Windows 11 version 24H2 changes for admins
In addition to the new changes aimed at consumers, Microsoft is adding some improvements specifically for network administrators.
File Explorer
As part of the changes for File Explorer, starting with this new version, Microsoft is touting the ability to create archival formats.
The wizard includes support for creating 7zip, Tar, and Zip files. However, there's no option to create ".rar" archives, nor is there an option to work with encryption.
You can access the "Create Archive" wizard by right-clicking the file, selecting items, and then clicking "Additional options."
This will allow you to create a Zip, 7z, or TAR file. If you choose the 7zip option, the compression methods include:
- LZMA2.
- Store.
- Deflate.
- BZip2.
- LZMA1.
- PPMd.
For Tar (GNU, POSIX pax interchange, Restricted POSIX interchange, and POSIX ustar), the compression methods include:
- BZip2.
- Gzip.
- xz.
- Zstandard.
Finally, for Zip, the compression methods include:
- Store.
- Deflate.
Also, as part of the extraction process, when a file conflicts with a file using the same name, File Explorer automatically outputs a dialog box to skip or replace the conflicts for all the files.
It's important to note that support for archival formats was originally available on version 23H2, which could extract but not create. However, recent updates also brought the ability to create archival formats to version 23H2.
Context menu labels
Another minor but important improvement is the addition of labels for "Cut," "Copy," "Rename," "Share," and "Delete."
These are the changes that the company is touting, but the File Explorer includes several other improvements.
Networking
The Windows 11 2024 Update also brings various welcome improvements regarding networking, which include changes to the Local Administrator Password Solution (LAPS) and Server Message Block (SMB). In addition, this version of the operating system supports Wi-Fi 7.
Local Administrator Password Solution
LAPS is a feature designed to manage the local account passwords of domain-joined computers. On this new version of the operating system, administrators can create the managed local account automatically, configure the account name, deactivate or activate accounts, and randomize the account name.
The "PasswordComplexity" policy can now generate passwords that are easier to understand. The new change will ignore certain characters to make the password more readable. In addition, the LAPS tab in the "Users and Computers" snap-in now uses a different font to simplify passwords.
In addition, the Local Administrator Password Solution supports generating more readable and easier-to-type passphrases. Also, administrators can choose from three word lists and control the passphrase length.
Furthermore, the Local Administrator Password Solution (LAPS) can now detect when the device rolls back to a previous image, ensuring that passwords are the same between the computer and server running Active Directory. However, network administrators must use the "Update-LapsADSchema" PowerShell cmdlet to work with this feature.
Server Message Block (SMB)
SMB is a communication protocol that simplifies sharing files, printers, and serial ports among devices on a network.
On the Windows 11 2024 Update, Microsoft is introducing changes for SMB signing and encryption, alternative client and server ports, NTLM blocking exception list, dialect management, SMB over QUIC, and firewall rule changes.
SMB signing and encryption
By default, SMB signing is mandatory for all connections on Windows 11 Home, Pro, Education, and Enterprise editions, as it helps prevent attackers from altering data or impersonating other devices.
Also, administrators can now require encryption on all outgoing connections to ensure the highest level of security for transferred data.
Finally, network admins can now easily enable auditing through Group Policy or PowerShell to monitor SMB security compliance.
SMB client and server new ports
It's now possible to connect to an SMB server over TCP, QUIC, or RDMA using alternative network ports other than the default ones. In the server version of the operating system, SMB over QUIC supports endpoints with other port numbers instead of 443.
SMB NTLM blocking
Microsoft is also adding the ability to block NTLM (an older, less secure authentication method) for remote outbound connections without entirely disabling NTLM.
SMB dialect management
You can control which SMB versions (dialects) are allowed to connect, potentially blocking older and less secure devices.
SMB over QUIC
The development team is also adding more control over client access, disabling options, and auditing for SMB connections using the QUIC protocol (an alternative to traditional TCP).
SMB firewall rule
The default firewall behavior for SMB shares has changed. Now, it uses a more restrictive rule set, closing unnecessary ports by default and enhancing security. However, Microsoft isn't removing the ability to customize these rules if needed.
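A read-only check of the SMB settings described in this section, as an added example that is not from the original article or from Microsoft. The baseline values are assumptions chosen for illustration, `Test-SmbSetting` is a hypothetical helper name, and the script expects an elevated PowerShell session:

```powershell
# Added example: compare the local SMB client/server configuration with a
# hardening baseline. Read-only: nothing is changed on the system.
# Baseline values are illustrative assumptions, not official guidance.

function Test-SmbSetting {
    param(
        [Parameter(Mandatory)] $Config,                                  # output of Get-Smb*Configuration
        [Parameter(Mandatory)] [string] $Scope,                          # 'Client' or 'Server'
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    foreach ($name in $Baseline.Keys) {
        $expected = $Baseline[$name]
        $prop = $Config.PSObject.Properties[$name]
        if ($null -eq $prop) {
            # Builds older than 24H2 do not expose some of these properties.
            $actual = $null
            $status = 'NotAvailable'
        } else {
            $actual = $prop.Value
            # Compare as strings so booleans and dialect enums are handled alike.
            $status = if ("$actual" -eq "$expected") { 'OK' } else { 'Drift' }
        }
        [pscustomobject]@{
            Scope    = $Scope
            Setting  = $name
            Expected = $expected
            Actual   = $actual
            Status   = $status
        }
    }
}

# Outbound (client) side: signing, encryption, NTLM blocking, dialect floor, auditing.
$clientBaseline = [ordered]@{
    RequireSecuritySignature            = $true
    RequireEncryption                   = $true      # assumption: every server you use supports SMB 3 encryption
    BlockNTLM                           = $true      # assumption: Kerberos is available for all remote shares
    Smb2DialectMin                      = 'SMB300'   # exact match; a stricter floor is reported as Drift
    AuditServerDoesNotSupportSigning    = $true
    AuditServerDoesNotSupportEncryption = $true
}

# Inbound (server) side: signing, dialect floor, auditing of weak clients.
$serverBaseline = [ordered]@{
    RequireSecuritySignature            = $true
    Smb2DialectMin                      = 'SMB300'
    AuditClientDoesNotSupportSigning    = $true
    AuditClientDoesNotSupportEncryption = $true
}

$results = @()
try {
    $results += Test-SmbSetting -Config (Get-SmbClientConfiguration -ErrorAction Stop) -Scope 'Client' -Baseline $clientBaseline
    $results += Test-SmbSetting -Config (Get-SmbServerConfiguration -ErrorAction Stop) -Scope 'Server' -Baseline $serverBaseline
} catch {
    Write-Warning "Could not read the SMB configuration (is the session elevated?): $_"
}

$results | Format-Table -AutoSize
```

Rows marked `Drift` differ from the assumed baseline, and rows marked `NotAvailable` indicate a build that does not expose that setting.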
Wi-Fi 7 support
The operating system now supports Wi-Fi 7 (IEEE 802.11be Extremely High Throughput (EHT)), which is based on the Wi-Fi 6 and 6E standards. It delivers speeds over 40Gbps, more than four times the speed offered by the previous versions of the technology, and it provides lower latency, improved efficiency, reliability, and power management.
Of course, your device will still require a Wi-Fi 7 adapter and supported hardware (such as a compatible access point) in the network to use this technology.
You can learn more about additional networking changes rolling out with this feature update.
Taskbar
Windows 11 version 24H2 also includes various improvements specific to the Taskbar. In this release, you will find visual changes for the Quick Settings interface that distance itself from the editable design in favor of a scrollable page that shows all the available options.
In the interface, you can now turn Live Captions on or off, and on the wireless page, there's a new refresh button to rescan the available networks manually. Previously, you had to wait for the system to refresh the network automatically, which could take a long time.
Printer
This release includes changes to printing functionality, the most noticeable of which is the "Windows Protected Print" (WPP) mode. This is a new universal print stack that allows you to set up a printer without installing third-party drivers and software.
Since malicious individuals have been increasingly attacking the Windows printing system (for example, Stuxnet and PrintNightmare), the new feature also focuses on improving security by implementing the Internet Printing Protocol (IPP) for printing. This eliminates the need for third-party drivers, which can be vulnerable to exploits (especially old drivers).
The Windows Protected Print mode also restricts the functionalities accessible to the print spooler, enforces stricter controls on what code can be loaded during the printing process, and allows the XPS rendering to happen under the user instead of the system account.
It's important to note that this feature is only available for Mopria printers, and when configuring it, the system will remove any other printer driver previously installed.
Energy Saver
On Windows 11, the software giant is replacing the Battery Saver mode with the Energy Saver mode.
The new energy-saving feature is based on the existing Battery Saver and Power mode features to extend battery life and reduce power usage at the cost of performance.
The feature is available through the "Power & battery" (or Power) settings page, and it can be used on laptops and desktop computers without batteries to help conserve energy.
The Quick Settings flyout also includes an option to toggle the feature on or off quickly from the Taskbar.
The operating system also includes the Content Adaptive Brightness Control (CABC) feature, which manages the contrast and brightness of the display based on the screen content. On version 24H2, Microsoft is expanding the feature to laptops and 2-in-1 devices (when they're plugged into a power source), but it's up to the manufacturer to enable this feature.
System
The operating system now uses Rust for different components in the Windows Kernel to make it more secure.
Rust is a programming language that has been proven to be more secure than C and C++ because it helps prevent issues like buffer overflows, null pointer dereferences, and dangling pointers.
In addition, this new version also comes with support for SHA-3, which includes derived functions like SHAKE, cSHAKE, and KMAC.
SHA-3 (Secure Hash Algorithm 3) is a cryptographic hash function designed to replace SHA-2, and it's the latest member of the Secure Hash Algorithm family of standards released by the National Institute of Standards and Technology (NIST).
These functions are now turned on through the Windows CNG library:
- Supported SHA-3 hash functions: SHA3-256, SHA3-384, SHA3-512 (SHA3-224 is not supported)
- Supported SHA-3 HMAC algorithms: HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512
- Supported SHA-3 derived algorithms: extendable-output functions (XOF) (SHAKE128, SHAKE256), customizable XOFs (cSHAKE128, cSHAKE256), and KMAC (KMAC128, KMAC256, KMACXOF128, KMACXOF256).
Sudo command
Microsoft is introducing a Linux-like version of the Sudo (superuser do) command that works in any Windows Terminal consoles, including Command Prompt, PowerShell, and WSL.
Up until now, you had to run the Windows Terminal as an administrator to run elevated commands and prevent the "Access is denied" message. The Sudo command makes it easy to run any command with administrator privileges within a session running as a standard user.
It's important to note that this is similar to, but not the same as, the Sudo command you get on UNIX-based operating systems, meaning that the version for Windows 11 is more limited. Microsoft could have used another name, but it wanted to minimize the learning curve for users.
The feature has to be enabled manually through the "For developers" settings page.
Location improvements
Microsoft has introduced new privacy controls to limit which apps can access the list of nearby Wi-Fi networks, to improve your location privacy.
This is significant because apps can use Wi-Fi networks to approximate a device's location, which, in turn, can also mean that apps can deduce your location without your permission.
You can manage the apps that have access to the list of wireless networks from the "Location" settings page. Also, the system will now proactively be able to alert you when an unexpected request for access to location services occurs, and you can also deny it.
If you grant access to this information, the app will be logged in the "Recent activity" section. You can also turn off the "Notify when apps request location" option to hide the prompts when the location has been disabled.
Accessibility
In this version of the operating system, Microsoft is also introducing support for hearing aid devices with Bluetooth Low Energy Audio (LE Audio) technology.
After pairing the devices from the "Hearing aids" settings page, you can stream audio and take calls. Also, it's possible to control presets, ambient sounds, and enhancements.
Furthermore, from the settings page, you can monitor the battery life and connection status of your hearing aids.
Windows Update
The Windows 11 2024 Update also ships with "Checkpoint Cumulative Updates," a new type of update mechanism designed to streamline the process by making updates easier and faster to download and install.
The new process creates an incremental checkpoint, and then, instead of downloading the entire update containing patches since the original release, devices receive only the changes made since the last "checkpoint" update, significantly reducing download size, bandwidth, and installation time.
For this process to work as intended, Microsoft will deploy some updates as "checkpoints" several times a year, and the subsequent updates will only include the new changes since the last checkpoint.
Checkpoint Cumulative Updates works automatically on version 24H2 and higher releases. Older versions of the operating system will continue to be updated using the traditional method.
Administrative templates
Microsoft is now offering administrators the ability to download the Administrative Templates (.admx) for this version of Windows 11 separately from the templates already available inside the "PolicyDefinitions" folder.
Remote Desktop Connection
The legacy version of the Remote Desktop Connection app (mstsc.exe) has a few minor improvements. For example, the app will now follow the scaling configuration from the Settings app, and you can choose from different zoom options (350, 400, 450, and 500 percent).
Registry
The Registry isn't getting a lot of improvements, but the Registry Editor now includes support for limiting a query search to the currently selected key and its descendants.
Out-of-box Experience (OOBE)
In addition to redesigning the Windows Setup experience, after the installation, during the Out-of-box Experience, more specifically on the networking page, you will have new "Install drivers" options to supply the network drivers when needed.
Security
As part of the security improvements for version 24H2, the company is touting Personal Data Encryption, Windows Hello with passkeys integration, Default Proactive Protection, and Local Security Authority protection.
Personal Data Encryption
Personal Data Encryption (PDE) is a new feature that relies on Windows Hello authentication, and it creates a unique key for the profile's Desktop, Documents, and Pictures folders to protect their contents. When using this feature, you will notice a new lock icon on each file, and the files are only readable during an active session.
This means that if another user logs in as an administrator with a different profile, they may be able to browse the files, but they won't be able to open them.
This feature is available for Enterprise and Education through Windows Hello for Business Authentication, and it works independently of BitLocker or any other type of encryption. This feature is meant to add an extra layer of security and peace of mind.
You can enable this feature from the Microsoft Intune admin center through a policy, and it can take up to a week to finalize the encryption.
Windows Hello with passkeys
Starting with this version of the operating system, Microsoft is expanding the Windows Hello capabilities to work with passkeys for more secure, phish-resistant, and multi-factor authentication when signing in to apps or websites.
In other words, when you sign up with an online service or configure a computer with the Microsoft Entra ID with a passkey, Windows 11 will create a key pair. One is stored on your device, and the other one is stored in the online service.
In addition, as part of the version 24H2 security improvements, your Windows Hello authentication credentials have more robust protection using Virtualization Based Security that isolates the credentials outside the running operating system. This feature works with computers with or without biometric components.
Default Proactive Protection
On this release, Windows 11 also added Default Proactive Protection to add another layer of security against malware-based credential theft.
Local Security Authority protection
The Local Security Authority protection is now a feature that Microsoft is enabling by default through the Windows Security app to prevent untrusted code (unsigned drivers and plugins) from accessing Local Security Authority (LSA) memory that is usually used to store credentials.
This layer of security prevents malicious individuals from grabbing a sign-in app token and using it on another device to gain access to your account. This is known as a token replay attack.
AI features
Although the new features powered by AI will become available at some point for supported Copilot+ PCs, Microsoft is also touting them as features for network administrators. Some of them include Live Captions, Windows Studio Effects, Cocreator on Paint, Auto Super Resolution for ARM-based devices, Restyle Image and Image Creator for Photos, and more.
Live Captions with AI
Although Windows 11 already has Live Captions, the feature can now use AI on Copilot+ PCs to translate audio and video content into English subtitles from 44 languages, not just in text but also in audio.
According to the company, the scanning and generating of the translation happens on-device, and data is shared with Microsoft.
Windows Studio Effects
Windows Studio Effects have been part of the operating system for some time, but on Windows 11 version 24H2, the company is improving these features with AI and expanding them to Copilot+ PCs.
As part of the effects, you can access Automatic Framing, Background Blur, Portrait Light, Voice Focus, Creative Filters, and Eye Contact (standard and teleprompter) for video and audio calls.
- Automatic framing: Keeps you centered in the frame.
- Portrait light: Brightens your face during video calls.
- Eye contact: Adjust your gaze to simulate eye contact. For example, the Standard option offers subtle correction, while the "Teleprompter" option offers advanced AI for more natural eye contact.
- Background blur: the "Standard Blur" blurs the background, while the "Portrait Blur" offers a more pronounced blur.
- Creative Filters: The "Illustrated" option transforms your video into an illustration, while the "Animated" option gives your video a lively, animated effect. You also have the "Watercolor" option to apply a watercolor effect.
Voice Clarity
You will also find that Microsoft is expanding Voice Clarity to more users. This feature is designed specifically to cancel echoes, minimize reverberation in real time, and suppress background noises.
Auto Super Resolution
Auto Super Resolution (Auto SR) is a feature that uses AI hardware to upscale games to improve frame rates and image quality.
The feature works similarly to NVIDIA DLSS Super Resolution, AMD FidelityFX Super Resolution, and Intel XeSS, but Auto SR upscales games automatically without developers updating their code.
The feature works by using the NPU (Neural Processing Unit) rather than the GPU (Graphics Processing Unit) to perform the upscaling.
This feature is exclusive for Copilot+ PCs, and once enabled through the "Graphics" settings page, when a compatible game is detected, the system will show you a notification letting you know that Auto SR is available.
Restyle Image and Image Creator for Photos
Microsoft is also building a new "Restyle Image" feature that uses the AI hardware on your computer to let you change the style of any picture using different photographic techniques, similar to the filters you are used to using on phones.
Also, you can use a text prompt to change the background and other parts of the image.
The company is also bringing the "Image Creator" feature from the Paint app to Photos to convert a text prompt into an image with AI.
Cocreator for Paint
On Paint, "Cocreator" is a new feature that scans your drawing and helps you create your artwork.
This feature allows you to use a text prompt and the slider option to adjust the creativity intensity. In this case, the feature uses a diffusion-based algorithm to draw a high-quality image with minimum effort.
Other details
The Windows 11 2024 Update doesn't increase the hardware requirements for existing devices compatible with the operating system. Furthermore, Microsoft notes that administrators can upgrade compatible systems running Windows 10 directly to Windows 11 version 24H2 using the target version capability available from Windows Update for Business, the business deployment service, and feature update deployments in Windows Autopatch.
According to the company, most applications are compatible with the new version of the operating system, but if organizations find compatibility problems, they can use the App Assure service for help.
According to the company, 99.7% of apps will just work on Windows 11, and existing hardware and peripherals should also work without issues as long as those devices include an 8th-generation processor from Intel or equivalent.
This guide only includes the changes that Microsoft is promoting for network administrators. However, the new feature update includes many other new features and improvements.