Windows 11 Version 24H2: A Deep-Dive Technical Overview for IT Professionals
Audience: IT administrators
Assumed knowledge: Windows fundamentals, network basics (SMB, Kerberos), PowerShell, Group Policy, Intune
Scope / Out of scope: This guide covers the key technical changes, new features, security updates, and known issues in Windows 11 Version 24H2 relevant to enterprise management and deployment. It does not cover basic end-user functionality in detail.
- Critical Security Changes: Introduces Personal Data Encryption (PDE), stricter SMB signing, and Kerberos enhancements that require immediate review before deployment.
- AI & Copilot+ PC Features: Rolls out new AI-powered tools like Windows Recall, Live Captions, and Co-Creator in Paint, some of which have significant security implications (e.g., Recall).
- Modernized Management: Features significant updates to Windows Update with Checkpoint Cumulative Updates for faster, more reliable patching and enhanced LAPS with Azure AD integration.
Background & context
Windows 11 Version 24H2 is a significant annual update that brings a host of new features, substantial security enhancements, and performance improvements. This release resets the support lifecycle for all editions and introduces critical changes to core protocols like SMB and Kerberos, AI-driven features for new Copilot+ PCs, and more robust data protection with Personal Data Encryption (PDE). For IT professionals, understanding these changes is crucial for planning a smooth and secure deployment.
- Initial Release Date: Windows 11 Version 24H2 was first released to the Windows Insider Program (Beta and Release Preview Channels) on October 1, 2024.
- General Availability Date: The general availability (GA) began in October 2024, with a phased rollout to eligible devices.
- Deployment Channels: The update is available via Windows Update, the Volume Licensing Service Center (VLSC), and can be managed using WSUS, Microsoft Endpoint Configuration Manager (MECM), or Intune.
Prerequisites
| Requirement | Minimum / version | Notes |
|---|---|---|
| Eligible Devices | Devices running Windows 11, version 22H2 or 23H2. | Check hardware requirements, especially for Copilot+ PC features which require specific NPUs. |
| Management Tools | WSUS, MECM, Intune | Required for controlled enterprise deployment and policy management. |
| Permissions | Local Administrator / Intune Administrator / Group Policy Administrator | Needed to configure new security policies and deployment settings. |
| Network / Firewall | - | Review firewall rules for SMB Alternative Ports if used. Ensure endpoints for WSUS/Intune are accessible. |
What’s new / Key changes
AI & Copilot+ PC Enhancements
| Area | Prior behavior | New / changed behavior |
|---|---|---|
| Windows Recall | Not available. | Captures system snapshots to create a browsable visual timeline. Secured via Windows Hello. |
| Live Captions | Basic functionality. | Provides real-time captions for any audio content on the device, enhancing accessibility. |
| Windows Studio Effects | Basic camera effects. | AI-enhanced video and audio effects like background blur, voice clarity, and automatic framing. |
| Co-Creator in Paint | Standard Paint tools. | Integrates AI to generate or modify images based on user descriptions. |
Security Enhancements
| Area | Prior behavior | New / changed behavior |
|---|---|---|
| Personal Data Encryption (PDE) | Not available. | File-level encryption tied to Windows Hello credentials, protecting user data even if the device is compromised. |
| SMB Protocol | SMB signing was optional. NTLM was a common fallback. | SMB signing is now mandatory by default. SMB NTLM blocking is introduced to push for Kerberos adoption. |
| Kerberos | Less strict authentication policies. | Stricter Kerberos policies are enforced, which may impact cross-domain authentication in one-way trust environments. |
| LAPS | Primarily managed via on-premises Active Directory. | Deeply integrated into the OS with native support for storing passwords in Azure AD. |
| Windows Protected Print Mode | Standard print protocols. | Introduces end-to-end encryption for print jobs sent to Mopria-certified printers. |
OS & Update Management
| Area | Prior behavior | New / changed behavior |
|---|---|---|
| Windows Update | Traditional, monolithic cumulative updates. | Introduces Checkpoint Cumulative Updates—smaller, modular updates for faster installation and component-level rollback. |
Procedure / Implementation
Use these procedures to manage the new features in your environment.
Step 1 – Block 24H2 Deployment Until Validation is Complete
It is highly recommended to block the Windows 11 24H2 update in your environment until you have validated that the changes outlined in this guide do not negatively impact your users or infrastructure.
- Open the Group Policy Management Console.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business.
- Find the setting Select the target Feature Update version.
- Set the policy to Enabled.
- Enter Windows 11 for the target version product.
- Enter 23H2 for the target version. This will prevent devices from updating to a newer version like 24H2.
Step 2 – Manage and Disable Microsoft Recall
Disable Windows Recall immediately due to potential exposure of sensitive data until the feature can be thoroughly reviewed by your security teams.
Method 1: Group Policy
- Open the Group Policy Management Console.
- Navigate to User Configuration > Administrative Templates > Windows Components > Windows AI.
- Set the policy Turn off Saving Snapshots for Windows to Enabled.
- Apply the policy.
Method 2: Intune Configuration Profile
- In the Intune admin center, navigate to Devices > Configuration Profiles.
- Create a new profile for Windows 10 and later with a type of Settings catalog.
- Search for and add the setting Turn off Saving Snapshots for Windows.
- Set it to Enabled and assign the profile to your target device groups.
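Added example (not part of the original guide) covering Steps 1 and 2 together: an audit function that reads the registry values the two policies above write and, with -Apply, sets them directly on a machine that is not receiving Group Policy or Intune. Assumptions: the ADMX-backed locations are `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate` (ProductVersion, TargetReleaseVersion, TargetReleaseVersionInfo) and, for the Computer Configuration equivalent of the Recall policy, `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis`; verify these against your ADMX templates before relying on them.

```powershell
# Added example, not from the original guide. Audits (and optionally applies) the
# registry values behind "Select the target Feature Update version" (Step 1) and
# "Turn off Saving Snapshots for Windows" (Step 2). Registry locations are assumptions
# taken from the ADMX/Policy CSP mappings; confirm them in your environment.
$Checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'ProductVersion';           Expected = 'Windows 11'; Type = 'String' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'TargetReleaseVersion';     Expected = 1;            Type = 'DWord'  }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'TargetReleaseVersionInfo'; Expected = '23H2';       Type = 'String' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI';     Name = 'DisableAIDataAnalysis';    Expected = 1;            Type = 'DWord'  }
)

function Test-Win11GuardrailPolicy {
    [CmdletBinding()]
    param([switch]$Apply)   # without -Apply the function only reports, it changes nothing

    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        # Compare as strings so DWord 1 and String '1' from different sources match
        $compliant = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")

        if (-not $compliant -and $Apply) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type $c.Type
            $actual = $c.Expected
            $compliant = $true
        }

        [pscustomobject]@{
            Setting   = $c.Name
            Expected  = $c.Expected
            Actual    = $actual
            Compliant = $compliant
        }
    }
}

# Report only; run with -Apply (elevated) to enforce on a machine outside policy management
Test-Win11GuardrailPolicy | Format-Table -AutoSize
```

Values pushed by Group Policy or Intune will be overwritten at the next policy refresh, so use -Apply only where those channels do not reach.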
Step 3 – Mitigate Kerberos Authentication Issues
If you encounter cross-domain authentication failures or privilege elevation issues, you may need to temporarily adjust Kerberos policies.
- Enable Enhanced Logging:
  - In Group Policy, go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff.
  - Enable auditing for Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations. This will help diagnose failures.
- Temporarily Disable Stricter Checks (PowerShell):

  ```powershell
  # DisableCloudKerberosTicketRetrieval.ps1
  # This disables some of the stricter validation checks until underlying issues are resolved.
  $path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos"
  if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }   # key may not exist yet
  Set-ItemProperty -Path $path -Name "CloudKerberosTicketRetrievalEnabled" -Value 0 -Type DWord
  ```

- Allow Fallback to NTLM for Legacy Systems:
  - In Group Policy, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  - Set Network security: Restrict NTLM to Disable for affected systems.
Verification: After applying changes, test cross-domain resource access and administrative privilege elevation. Check the Security event log on domain controllers for Kerberos-related error codes.
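For the verification step, an added example (not from the original guide) that summarises Kerberos failures recorded in a domain controller's Security log once the two audit subcategories above are enabled. It groups events 4768, 4769 and 4771 by failure status and service so cross-domain or SPN problems stand out; the status-to-name table is the standard Kerberos error code list, and the script assumes it is run on a DC with rights to read the Security log.

```powershell
# Added example, not from the original guide. Summarises Kerberos failures from the
# Security log of a domain controller (run locally on the DC, elevated).
$KerbStatusName = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (account does not exist)'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN (service / SPN not found)'
    '0xd'  = 'KDC_ERR_BADOPTION (delegation or ticket option refused)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled, locked out or outside logon hours)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password)'
    '0x20' = 'KRB_AP_ERR_TKT_EXPIRED (ticket expired)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew too great)'
}

function ConvertFrom-KerberosEvent {
    # Flattens one 4768 / 4769 / 4771 event; returns nothing for successful requests
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['Status'] -eq '0x0') { return }     # 4768/4769 log successes with Status 0x0
    [pscustomobject]@{
        Time    = $Event.TimeCreated
        EventId = $Event.Id
        Status  = $d['Status']
        Meaning = if ($KerbStatusName.ContainsKey($d['Status'])) { $KerbStatusName[$d['Status']] } else { 'see RFC 4120 error codes' }
        Account = $d['TargetUserName']
        Service = $d['ServiceName']
        Client  = $d['IpAddress']
    }
}

function Get-KerberosFailureSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4768, 4769, 4771; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-KerberosEvent $_ } |
        Group-Object Status, Service |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Count    = $_.Count
                Status   = $first.Status
                Meaning  = $first.Meaning
                Service  = $first.Service
                Accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Count -Descending
}

Get-KerberosFailureSummary -Hours 24 | Format-Table -AutoSize -Wrap
```

A cluster of 0x7 or 0xd failures against one service after the upgrade points at the stricter checks described above rather than at user error; 0x18 and 0x12 are ordinary credential problems and can be ignored for this purpose.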
Step 4 – Optionally Disable New SMB Hardening Features
While recommended for security, you may need to temporarily disable new SMB features for compatibility with legacy systems. Perform these actions only on a temporary basis.
Disable SMB Signing
```powershell
# On client: stop the SMB client from requiring signed sessions
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "EnableSecuritySignature" -Value 0 -Type DWord
# On server: stop the SMB server from requiring signed sessions
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "RequireSecuritySignature" -Value 0 -Type DWord
```
Disable SMB Encryption
```powershell
# On server: stop encrypting share data for all shares
Set-SmbServerConfiguration -EncryptData $false
# On client: this switch relaxes client-side signing, not encryption
Set-SmbClientConfiguration -EnableSecuritySignature $false
```
Disabling SMB signing or encryption significantly reduces the security of your file-sharing infrastructure and exposes it to man-in-the-middle attacks. This should only be a temporary measure while legacy devices are remediated.
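Because these relaxations are meant to be temporary, the following added example (not from the original guide) reports the host's SMB signing and encryption posture and lists current outbound SMB connections that are neither signed nor encrypted, so the exceptions can be tracked and reverted. It assumes the built-in SmbShare module and its Get-SmbServerConfiguration, Get-SmbClientConfiguration and Get-SmbConnection cmdlets, including the Signed and Encrypted properties on connections.

```powershell
# Added example, not from the original guide. Reports SMB hardening state and unprotected
# connections on this host; run elevated. Cmdlets are from the built-in SmbShare module.
function Get-SmbHardeningPosture {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    @(
        [pscustomobject]@{ Side = 'Server'; Setting = 'RequireSecuritySignature';  Value = $srv.RequireSecuritySignature;  Hardened = [bool]$srv.RequireSecuritySignature }
        [pscustomobject]@{ Side = 'Server'; Setting = 'EncryptData';               Value = $srv.EncryptData;               Hardened = [bool]$srv.EncryptData }
        [pscustomobject]@{ Side = 'Server'; Setting = 'EnableSMB1Protocol';        Value = $srv.EnableSMB1Protocol;        Hardened = (-not $srv.EnableSMB1Protocol) }
        [pscustomobject]@{ Side = 'Client'; Setting = 'RequireSecuritySignature';  Value = $cli.RequireSecuritySignature;  Hardened = [bool]$cli.RequireSecuritySignature }
        [pscustomobject]@{ Side = 'Client'; Setting = 'EnableInsecureGuestLogons'; Value = $cli.EnableInsecureGuestLogons; Hardened = (-not $cli.EnableInsecureGuestLogons) }
    )
}

function Get-UnprotectedSmbConnection {
    # Outbound SMB sessions from this client that are neither signed nor encrypted
    Get-SmbConnection -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Signed -and -not $_.Encrypted } |
        Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted
}

$posture = Get-SmbHardeningPosture
$posture | Format-Table -AutoSize

# Anything not hardened is a Step 4 exception that should have an owner and an expiry date
$weak = @($posture | Where-Object { -not $_.Hardened })
if ($weak.Count -gt 0) {
    $names = ($weak | ForEach-Object { "$($_.Side)/$($_.Setting)" }) -join ', '
    Write-Warning ("{0} SMB setting(s) are in a relaxed state: {1}" -f $weak.Count, $names)
}

Get-UnprotectedSmbConnection | Format-Table -AutoSize
```

Scheduling this against the hosts where Step 4 was applied gives a running inventory of what still needs to be re-hardened once the legacy devices are remediated.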
Rollback / Fallback Plan
- Windows Update: The new Checkpoint Cumulative Updates allow for component-level rollback. If a monthly update causes issues, it can be uninstalled via Settings > Windows Update > Update history > Uninstall updates without removing the entire cumulative update.
- Feature Update: To roll back from version 24H2 to your previous version, you can use the recovery option in Settings > System > Recovery > Go back. This option is available for 10 days after the upgrade.
Troubleshooting & Known Issues
Below is a summary of known issues affecting Windows 11 24H2 as of October 2025.
| Issue | Description | Status | Last Updated |
|---|---|---|---|
| DirectAccess connection issues | After upgrading to 24H2, devices may fail to connect via DirectAccess, remaining in a "connecting" state. | Resolved | Resolved in KB5044384. |
| OOBE Language Translation | In the Out-of-Box-Experience, the language selection button may incorrectly display "Continue in English" regardless of the chosen language. This is a cosmetic issue. | Resolved | Resolved in the September 30, 2024 update (KB5043178). |
| sprotect.sys driver incompatibility | Devices with apps using the sprotect.sys driver (from SenseShield Technology) may become unresponsive or show a blue screen. | Confirmed | A safeguard hold is in place. Microsoft is working with the vendor. |
| WUSA Update Failures | Installing updates from a shared network folder using WUSA might fail if the folder contains multiple .msu files. | Mitigated | A Known Issue Rollback (KIR) has been issued. Workaround is to copy the .msu file locally before installing. |
| Protected Content Playback | Some Blu-Ray, DVD, or Digital TV apps may fail to play DRM-protected content, causing freezing or black screens. | Mitigated | Partially resolved in the September 2025 preview update. A full fix is still in development. |
| Intel SST Driver Incompatibility | Devices with 11th Gen Intel Core processors and specific Intel Smart Sound Technology driver versions may experience a blue screen. | Resolved (External) | Resolved by updating Intel SST drivers to version 10.30.00.5714 / 10.29.00.5714 or later. |
| Wallpaper Apps | Some wallpaper customization applications may not function correctly after the update. | Mitigated | Safeguard hold is being gradually removed as app developers release updates. |
For a complete and live list of issues, refer to the official Microsoft release health resources.
Security & Compliance Considerations
- Personal Data Encryption (PDE): PDE is a powerful tool for protecting user data on shared or remote devices. However, it is tied to Windows Hello credentials. Organizations must have a robust process for credential recovery. Recommendation: Disable by default until policies for deployment and recovery are established.
- Windows Recall: This feature creates a detailed history of user activity, which could be a target for attackers if a device is compromised. Recommendation: Disable via Group Policy or Intune across the enterprise until a thorough security review is completed.
- SMB Hardening: The mandatory signing and NTLM blocking significantly improve security against common attacks. However, they can break connectivity for legacy devices and applications. Recommendation: Conduct a thorough audit of your SMB infrastructure and test the new settings in a non-production environment before broad deployment.
- Kerberos Enhancements: Stricter policies improve security but can disrupt authentication in complex, multi-domain environments. Recommendation: Audit all domain trust relationships, especially one-way trusts, and validate cross-domain service access.
Best Practices & Recommendations
- Phased Rollout: Use deployment rings in Windows Update for Business, WSUS, or Intune to roll out 24H2 gradually. Start with a small group of IT professionals and pilot users before expanding.
- Validate Line-of-Business (LOB) Apps: Thoroughly test all critical LOB applications, especially those that rely on network shares (SMB) or cross-domain authentication (Kerberos).
- Update Drivers and Firmware: Before deploying the update, ensure that all device drivers, especially for network, storage, and audio (e.g., Intel SST), are updated to the latest versions to avoid known compatibility issues.
- Educate Users: Inform users about new features like the enhanced security prompts and changes to the UI to reduce helpdesk calls.
This article was collaboratively developed by a human subject matter expert and an AI assistant to ensure it is both comprehensive and easy to understand.