Windows 11 24H2 GPO Security Changes Explained
Microsoft just dropped the new Windows 11, version 24H2 Security Baseline, and it’s more than just a patch-up job. It’s a full-on security flex designed to reinforce enterprise networks from the ground up. If you’re managing fleets of Windows devices, this one’s worth your attention.
Let’s break it down—with equal love for both policy nerds and bullet-point junkies.
What’s New in This Baseline?
Microsoft sharpened its focus on default protections and has dialed in multiple components. It’s not just about more rules—it’s about smarter, future-ready ones.
Mark of the Web (MotW)
- New policy enforces MotW tagging on files copied from untrusted network shares.
- Setting: Do not apply the Mark of the Web tag to files copied from insecure sources = Disabled.
- Keeps files tracked when they originate from Internet Zone shares.
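The tag the policy preserves is the Zone.Identifier alternate data stream on the file. The following script is an added example (not code from the original post or from Microsoft) that audits a folder and reports which files carry the stream and from which zone; the folder path is an assumption, and ZoneId values follow the standard security-zone numbering (3 = Internet).

```powershell
# Added example, not from the original post: list files in a folder with their
# Mark of the Web status. MotW lives in the Zone.Identifier alternate data stream;
# the FileSystem provider exposes it through the -Stream parameter.
# ZoneId: 0 Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted.

function Get-MotwStatus {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file = $_
        # Get-Item -Stream fails when the stream is absent; treat that as "no MotW".
        $ads = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId   = $null
        $referrer = $null
        if ($ads) {
            # Stream body is an INI-style [ZoneTransfer] section with ZoneId= and optional URLs.
            foreach ($line in (Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier)) {
                if ($line -match '^ZoneId=(\d+)')     { $zoneId   = [int]$Matches[1] }
                if ($line -match '^ReferrerUrl=(.+)') { $referrer = $Matches[1] }
            }
        }
        [pscustomobject]@{
            File     = $file.FullName
            HasMotW  = [bool]$ads
            ZoneId   = $zoneId
            Referrer = $referrer
        }
    }
}

# Assumed staging folder: somewhere files copied from a network share land.
# After the baseline is applied, files that came from an Internet-zone share
# should show HasMotW = True and ZoneId = 3; untagged copies are worth a closer look.
Get-MotwStatus -Path 'C:\Staging\FromShare' |
    Sort-Object HasMotW, ZoneId |
    Format-Table -AutoSize
```

Run it before and after rolling out the setting to a pilot group; the difference in the HasMotW column is the quickest way to confirm the policy actually took effect on the paths your users pull from.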
LAN Manager Gets Buffed
LAN Manager settings have been overhauled to enforce modern SMB protocols and reduce legacy exposure.
Lanman Server:
- Require SMB version: Min 3.0.0, Max 3.1.1
- Disable remote mailslots
- Enable audit logs for encryption/signing/guest logons
- Authentication rate limiter with 2000ms delay
Lanman Workstation:
- Similar audit and encryption-related settings
- Also disables remote mailslots
- Encryption remains optional: the client's require-encryption setting is left Disabled by default
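To see how far a host drifts from the LAN Manager values above, the following added example (not code from the original post) compares the live SMB server and client configuration against them. The dialect range, rate-limiter and RequireEncryption property names are documented on Windows 11 24H2 / Server 2025; the audit and mailslot property names are assumptions, so the script reports them as UNKNOWN instead of failing when a build does not expose them.

```powershell
# Added example, not from the original post: compare Get-SmbServerConfiguration and
# Get-SmbClientConfiguration against the baseline values listed in the post.
# Verify assumed property names with: Get-SmbServerConfiguration | Get-Member

$serverExpected = [ordered]@{
    Smb2DialectMin                      = 'SMB300'  # Min 3.0.0
    Smb2DialectMax                      = 'SMB311'  # Max 3.1.1
    EnableAuthRateLimiter               = $true     # authentication rate limiter on
    InvalidAuthenticationDelayTimeInMs  = 2000      # 2000 ms delay
    EnableMailslots                     = $false    # assumed name: remote mailslots off
    AuditClientDoesNotSupportEncryption = $true     # assumed name: encryption audit
    AuditClientDoesNotSupportSigning    = $true     # assumed name: signing audit
    AuditInsecureGuestLogon             = $true     # assumed name: guest logon audit
}

$clientExpected = [ordered]@{
    RequireEncryption                   = $false    # encryption optional on the client
    EnableMailslots                     = $false    # assumed name: remote mailslots off
    AuditServerDoesNotSupportEncryption = $true     # assumed name
    AuditServerDoesNotSupportSigning    = $true     # assumed name
    AuditInsecureGuestLogon             = $true     # assumed name
}

function Compare-SmbSetting {
    param(
        [psobject] $Actual,
        [System.Collections.IDictionary] $Expected,
        [string] $Scope
    )
    foreach ($name in $Expected.Keys) {
        # Look the property up by name so a missing one is reported, not thrown.
        $prop = $Actual.PSObject.Properties[$name]
        [pscustomobject]@{
            Scope    = $Scope
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = if ($prop) { $prop.Value } else { '<not present on this build>' }
            Status   = if (-not $prop) { 'UNKNOWN' }
                       elseif ("$($prop.Value)" -eq "$($Expected[$name])") { 'OK' }
                       else { 'DRIFT' }
        }
    }
}

$results = @()
$results += Compare-SmbSetting -Actual (Get-SmbServerConfiguration) -Expected $serverExpected -Scope 'Server'
$results += Compare-SmbSetting -Actual (Get-SmbClientConfiguration) -Expected $clientExpected -Scope 'Client'
$results | Format-Table -AutoSize

# Non-zero exit lets a config-management job treat any DRIFT row as a failure.
if ($results.Status -contains 'DRIFT') { exit 1 }
```

Values are compared as strings so that an enum such as SMB311 and its string form match; an UNKNOWN row means the build you ran on does not expose that property, which on pre-24H2 hosts is expected rather than a misconfiguration.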
Kerberos and Certificate Logon Hardening
A new policy allows organizations to ditch SHA-1 in favor of SHA-256, SHA-384, or SHA-512 for smart card authentication.
- Location: System\KDC and System\Kerberos
- Purpose: Enforce modern cryptography during PKINIT authentication
- Note: Requires both client and KDC on Windows Server 2025
Windows Gets a Taste of Sudo—Then Disables It
Yes, sudo has landed in Windows. No, it’s not active by default.
- Policy: Configure the behavior of the sudo command
- Baseline sets this to Disabled to prevent misuse as a privilege escalation vector
Defender Antivirus Gets Serious
Microsoft Defender Antivirus (MDAV) now comes with six new settings baked in.
- Enable EDR in block mode
- Show exclusions to local users
- Scan excluded files during quick scans
- Real-time protection active during OOBE
- Block warn verdicts in Network Inspection
- Report Dynamic Signature dropped events
These boost endpoint visibility and enhance threat response from the moment the machine powers on.
UAC and Admin Protection: Coming Soon-ish
Two new UAC policies promise to enhance admin privilege handling:
- Prompt for credentials on secure desktop
- Admin Approval Mode with enhanced privilege protection
But hold your horses—these are not functional yet. They’re part of a future release tied to Administrator Protection, currently in preview for Windows Insiders.
Optional, But Worth Your Radar
A few settings weren’t enforced in the baseline but are worth consideration, especially in evolving environments.
Delegated Managed Service Account (dMSA):
- Controlled via System\Kerberos
- Only useful with Windows Server 2025 DCs
- Can be scoped using realm definitions to support hybrid domain models
Windows Protected Print (WPP):
- Modern print model that blocks third-party drivers
- Works with Mopria-certified printers
- Not enforced yet, but highly recommended for future-proofing
VDI-Specific Defender Configs:
- Enable async inspection to prevent slowdowns
- Schedule Security Intelligence Updates for better VDI client behavior
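The Defender settings listed under "Defender Antivirus Gets Serious" and the VDI-specific ones above can both be checked from the preference object. The following added example (not code from the original post) tests a host against those values and, with -Apply, pushes the drifted ones back through Set-MpPreference. HideExclusionsFromLocalUsers, QuickScanIncludeExclusions, OobeEnableRtpAndSigUpdate, AllowSwitchToAsyncInspection and the SignatureSchedule* parameters are documented Set-MpPreference names; the mapping of the post's items onto them, the numeric form of QuickScanIncludeExclusions and the schedule values are assumptions, and the EDR block-mode, Network Inspection and Dynamic Signature items are left out because the post places them in Group Policy rather than in the preference object.

```powershell
# Added example, not from the original post: check Defender preferences against the
# baseline and VDI items listed in the post and optionally remediate drift.

function Test-DefenderBaseline {
    param([switch] $Apply)

    $expected = [ordered]@{
        HideExclusionsFromLocalUsers = $true   # assumed mapping of "Show exclusions to local users"
        QuickScanIncludeExclusions   = 1       # scan excluded files during quick scans (numeric form assumed)
        OobeEnableRtpAndSigUpdate    = $true   # real-time protection active during OOBE
        AllowSwitchToAsyncInspection = $true   # VDI: async inspection to prevent slowdowns
        SignatureScheduleDay         = 0       # VDI: 0 = every day (constructed schedule)
        SignatureScheduleTime        = 120     # VDI: minutes after midnight, 02:00 (constructed)
    }

    $pref    = Get-MpPreference
    $drift   = @{}
    $missing = @()
    foreach ($name in $expected.Keys) {
        $prop = $pref.PSObject.Properties[$name]
        if (-not $prop) { $missing += $name; continue }   # older platform build
        if ("$($prop.Value)" -ne "$($expected[$name])") { $drift[$name] = $expected[$name] }
    }

    if ($Apply -and $drift.Count -gt 0) {
        # Set-MpPreference parameter names match the property names, so splat only the drifted subset.
        Set-MpPreference @drift
    }

    [pscustomobject]@{
        Drift   = $drift     # setting -> expected value, for everything that did not match
        Missing = $missing   # properties this build does not expose
    }
}

# Report only; add -Apply on a VDI pilot image once the report looks right.
Test-DefenderBaseline | Format-List
```

Run it without -Apply first and read the Drift list: on a VDI image you would expect only the schedule entries to differ, and a long Missing list is a hint the platform update has not reached that image yet.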
Removed Policy:
- System\Group Policy\Configure registry policy processing has been pulled due to support conflicts
Final Word
This security baseline isn’t just a tune-up—it’s a transformation. Microsoft is aligning policies with modern threats, stricter defaults, and cross-platform compatibility (especially with Windows Server 2025). If you manage a domain, this is your green light to start piloting these changes.