Muokkaa

Jaa


What's new in Windows 11 IoT Enterprise, version 24H2

Overview

Windows 11 IoT Enterprise, version 24H2 is a feature update for Windows 11 IoT Enterprise. Windows 11 IoT Enterprise, version 24H2 includes all updates to Windows 11 IoT Enterprise, version 23H2 plus some new and updated features. This article lists the new and updated features valuable for IoT scenarios.

Servicing Lifecycle

Windows 11 IoT Enterprise follows the Modern Lifecycle Policy.

Release Version Build Start Date End of Servicing
Windows 11 IoT Enterprise, version 24H2 26100 2024‑10‑01 2027‑10‑12

For more information, see Windows 11 IoT Enterprise support lifecycle.

Note

Windows 11 IoT Enterprise, version 24H2 is now available for OEMs building new devices and for upgrade using Windows Update.

  • If you are an OEM building new devices, contact your Windows IoT Distributor for assistance with Licensing.
  • For devices running a previous version of Windows 11 IoT Enterprise (non-LTSC), Windows 11 IoT Enterprise, version 24H2 is available as an upgrade through Windows Update.
  • If you have a Visual Studio Subscription, and Windows IoT Enterprise is available with your subscription, you can download previous versions of Windows IoT Enterprise from Visual Studio Subscriptions - Downloads.

New Devices

Windows 11 IoT Enterprise, version 24H2 is available for preinstall by an Original Equipment Manufacturer (OEM).

  • For information regarding the purchase of devices with Windows IoT Enterprise preinstalled, contact your preferred OEM.

  • For information regarding OEM preinstallation Windows IoT Enterprise on new devices for sale, see OEM Licensing.

Upgrade

Windows 11 IoT Enterprise, version 24H2 is available as an upgrade to devices running Windows 11 IoT Enterprise (non-LTSC) through Windows Update, Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see How to get the Windows 11, version 24H2 update, Windows 11, version 24H2 Windows IT Pro blog post.

To learn more about the status of the update rollout, known issues, and new information, see Windows release health.

Accessibility

Feature Description
Bluetooth ® Low Energy Audio support for assistive devices
[24H2]
Windows takes a significant step forward in accessibility by supporting the use of hearing aids equipped with the latest Bluetooth ® Low Energy Audio technology. For more information, see Improving accessibility with Bluetooth ® Low Energy (LE) Audio.
Remote Desktop Connection improvements
[24H2]
The Remote Desktop Connection setup window (mstsc.exe) follows the text scaling settings under Settings > Accessibility > Text size. Remote Desktop Connection supports zoom options of 350, 400, 450, and 500%

Applications

Feature Description
File Explorer
Context menu
[24H2]
Support for creating 7-zip and TAR archives.
Compress to > Additional options allows you to compress individual files with gzip, BZip2, xz, or Zstandard
Labels were added to the context menu icons for actions like copy, paste, delete, and rename.
Registry Editor
Search
[24H2]
The Registry Editor supports limiting a search to the currently selected key and its descendants
Remote Desktop
Connection improvements
[24H2]
The Remote Desktop Connection setup window (mstsc.exe) follows the text scaling settings under Settings > Accessibility > Text size, provides zoom options of 350, 400, 450, and 500%, and improves the connection bar design
Sudo for Windows
[24H2]
Sudo for Windows is a new way for users to run elevated commands (as an administrator) directly from an unelevated console session. For more information, see Sudo for Windows.

Developer

Feature Description
Power Grid Forecast
[24H2]
The Power Grid Forecast API was introduced. App developers can minimize environmental impact by shifting background workloads to times when renewable energy is available to the local grid. Forecast data isn't available globally and quality of data varies by region.
Energy saver notification callback
[24H2]
Added an energy saver notification callback setting GUID to represent the new energy saver experience. Apps can subscribe to the energy saver status and implement different behaviors to optimize energy or performance depending on the current energy saver status. For more information, see Power Setting GUIDs
Effective Power Mode
[24H2]
Extended the Effective Power Mode API to interpret the new energy saver levels when determining the returned effective power mode.

Management

Feature Description
Sudo for Windows
[24H2]
Sudo for Windows is a new way for users to run elevated commands (as an administrator) directly from an unelevated console session. For more information, see Sudo for Windows.

Networking

Feature Description
Wi-Fi 7 consumer access points
[24H2]
Support for Wi-Fi 7 consumer access points offers unprecedented speed, reliability, and efficiency for wireless devices. For more information, see the Wi-Fi 7 announcements from Wi-Fi Alliance and the Windows Insider.
Windows location improvements
[24H2]
New controls were added to help manage which apps have access to the list of Wi-Fi networks around you, which could be used to determine your location. You can view and modify which apps can access the list of Wi-Fi networks from Settings > Privacy & security > Location. A new prompt appears the first time an app attempts to access your location or Wi-Fi information. Developers can use the Changes to API behavior for Wi-Fi access and location article to learn about API surfaces impacted by this change.

Security

Feature Description
App Control for Business
[24H2]
Customers can now use App Control for Business (formerly called Windows Defender Application Control) and its next-generation capabilities to protect their digital property from malicious code. With App Control for Business, IT teams can configure what runs in a business environment through Microsoft Intune or other MDMs in the admin console, including setting up Intune as a managed installer. For more information, see Application Control for Windows.
Local Security Authority (LSA) protection
[24H2]
LSA protection prevents unauthorized code from running in the LSA process to prevent theft of secrets and credentials used for sign in and prevents dumping of process memory. An audit occurs for incompatibilities with LSA protection starting with this upgrade. If incompatibilities aren't detected, LSA protection is automatically enabled. You can check and change the enablement state of LSA protection in the Windows Security application under the Device Security > Core Isolation page. In the event log, LSA protection records whether programs are blocked from loading into LSA. If you would like to check if something was blocked, review the LSA protection logs.
Rust in the Windows kernel
[24H2]
There's a new implementation of GDI region in win32kbase_rs.sys that utilizes Rust, which offers advantages in reliability and security over traditional programs written in C/C++. We expect to see an increase in the use of Rust in the kernel moving forward.
SHA-3 support
[24H2]
Support for the SHA-3 family of hash functions and SHA-3 derived functions (SHAKE, cSHAKE, KMAC) was added. The SHA-3 family of algorithms is the latest standardized hash functions by the National Institute of Standards and Technology (NIST). Support for these functions is enabled through the Windows CNG library.
Windows Local Admin Password Solution (LAPS)
[24H2]
Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. Windows LAPS is the successor for the now deprecated legacy Microsoft LAPS product. For more information, see What is Windows LAPS?
Windows LAPS
Automatic account management
[24H2]
Windows Local Administrator Password Solution (LAPS) has a new automatic account management feature. Admins can configure Windows LAPS to:
  • Automatically create the managed local account
  • Configure name of account
  • Enable or disable the account
  • Randomize the name of the account
Windows LAPS
Policy improvements
[24H2]
  • Added passphrase settings for the PasswordComplexity policy
  • Use PassphraseLength to control the number of words in a new passphrase
  • Added an improved readability setting for the PasswordComplexity policy, which generates passwords without using characters that are easily confused with another character. For example, the number 0 and the letter O aren't used in the password since the characters can be confused.
  • Added the Reset the password, logoff the managed account, and terminate any remaining processes setting to the PostAuthenticationActions policy. The event logging messages that are emitted during post-authentication-action execution were also expanded, to give insights into exactly what was done during the operation.
Windows LAPS
Image rollback detection
[24H2]
Image rollback detection was introduced for LAPS. LAPS can detect when a device was rolled back to a previous image. When a device is rolled back, the password in Active Directory might not match the password on the device that was rolled back. This new feature adds an Active Directory attribute, msLAPS-CurrentPasswordVersion, to the Windows LAPS schema. This attribute contains a random GUID that Windows LAPS writes every time a new password is persisted in Active Directory, followed by saving a local copy. During every processing cycle, the GUID stored in msLAPS-CurrentPasswordVersion is queried and compared to the locally persisted copy. If the GUIDs are different, the password is immediately rotated. To enable this feature, you need to run the latest version of the Update-LapsADSchema PowerShell cmdlet.
Windows protected print mode
[24H2]
Windows protected print mode (WPP) enables a modern print stack which is designed to work exclusively with Mopria certified printers. For more information, see What is Windows protected print mode (WPP) and Windows Insider WPP announcement.
SMB signing requirement changes
[24H2]
SMB signing is now required by default for all connections. SMB signing ensures every message contains a signature generated using session key and cipher suite. The client puts a hash of the entire message into the signature field of the SMB header. If anyone changes the message itself later on the wire, the hash won't match and SMB knows that someone tampered with the data. It also confirms to sender and receiver that they are who they say they are, breaking relay attacks. For more information about SMB signing being required by default, see https://aka.ms/SMBSigningOBD.
SMB client encryption
[24H2]
SMB now supports requiring encryption on all outbound SMB client connections. Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing, which allows both client and server requirements. With this new option, administrators can mandate that all destination servers use SMB 3 and encryption, and if missing those capabilities, the client won't connect. For more information about this change, see https://aka.ms/SmbClientEncrypt.
SMB signing and encryption auditing
[24H2][24H2]
Administrators can now enable auditing of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn't support SMB encryption or signing. The SMB signing and encryption auditing settings can be modified in Group Policy or through PowerShell.
SMB alternative client and server ports
[24H2]
The SMB client now supports connecting to an SMB server over TCP, QUIC, or RDMA using alternative network ports to the hardcoded defaults. However, you can only connect to alternative ports if the SMB server is configured to support listening on that port. Starting in Windows Server Insider build 26040, the SMB server now supports listening on an alternative network port for SMB over QUIC. Windows Server doesn't support configuring alternative SMB server TCP ports, but some third parties do. For more information about this change, see https://aka.ms/SMBAlternativePorts.
SMB NTLM blocking exception list
[24H2]
The SMB client now supports blocking NTLM for remote outbound connections. With this new option, administrators can intentionally block Windows from offering NTLM via SMB and specify exceptions for NTLM usage. An attacker who tricks a user or application into sending NTLM challenge responses to a malicious server will no longer receive any NTLM data and can't brute force, crack, or pass hashes. This change adds a new level of protection for enterprises without a requirement to entirely disable NTLM usage in the OS. For more information about this change, see https://aka.ms/SmbNtlmBlock.
SMB dialect management
[24H2]
The SMB server now supports controlling which SMB 2 and 3 dialects it negotiates. With this new option, an administrator can remove specific SMB protocols from use in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting. For example, admins can specify to only use SMB 3.1.1, the most secure dialect of the protocol. For more information about this change, see https://aka.ms/SmbDialectManage.
SMB over QUIC client access control
[24H2]
SMB over QUIC, which introduced an alternative to TCP and RDMA, supplies secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords. SMB over QUIC client access control improves the existing SMB over QUIC feature. Administrators now have more options for SMB over QUIC such as:
  • Specifying which clients can access SMB over QUIC servers. This gives organizations more protection but doesn't change the Windows authentication used to make the SMB connection or the end user experience.
  • Disabling SMB over QUIC for client with Group Policy and PowerShell
  • Auditing client connection events for SMB over QUIC

For more information about these changes, see https://aka.ms/SmbOverQUICCAC.
SMB firewall rule changes
[24H2]
The Windows Firewall default behavior has changed. Previously, creating an SMB share automatically configured the firewall to enable the rules in the File and Printer Sharing group for the given firewall profiles. Now, Windows automatically configures the new File and Printer Sharing (Restrictive) group, which no longer contains inbound NetBIOS ports 137-139.

This change enforces a higher degree of default of network security and brings SMB firewall rules closer to the Windows Server File Server role behavior, which only opens the minimum ports needed to connect and manage sharing. Administrators can still configure the File and Printer Sharing group if necessary as well as modify this new firewall group, these are just default behaviors. For more information about this change, see https://aka.ms/SMBfirewall. For more information about SMB network security, see Secure SMB Traffic in Windows Server.

Servicing

Feature Description
Checkpoint cumulative updates
[24H2]
Windows quality updates are provided as cumulative updates throughout the life cycle of a Windows release. Checkpoint cumulative updates introduce periodic baselines that reduce the size of future cumulative updates making the distribution of monthly quality updates more efficient. For more information, see https://aka.ms/CheckpointCumulativeUpdates.

Features Removed or Deprecated

Each version of Windows client adds new features and functionality. Occasionally, features and functionality are removed, often because a newer option was added. For a list of features no longer in active development that might be removed in a future release, see deprecated features. The following features are removed in Windows 11 IoT Enterprise LTSC 2024:

Feature Description
WordPad
[24H2]
WordPad is removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025.
Alljoyn
[24H2]
Microsoft's implementation of AllJoyn, which included the Windows.Devices.AllJoyn API namespace, a Win32 API, a management configuration service provider (CSP), and an Alljoyn Router Service is retired.