Microsoft has initiated an automated, machine-learning-driven rollout to upgrade unmanaged Windows 11 devices to version 24H2. While the security improvements in 24H2 are substantive, the forced nature of this rollout creates operational, compliance, and security governance challenges that enterprise teams must address proactively.

What Is Changing and Why It Matters

Windows 11 24H2 introduces several significant security enhancements: improved Smart App Control capabilities, expanded Windows Protected Print Mode, enhanced Credential Guard defaults, and Rust-based kernel security improvements that reduce memory safety vulnerabilities. However, Microsoft’s use of ML-based automatic upgrade targeting for unmanaged devices introduces risks of its own:

• Compatibility issues with legacy enterprise applications not yet validated against 24H2.
• Potential to bypass configured Windows Update for Business Group Policies in misconfigured environments.
• Unexpected reboots and operational disruption if upgrades occur during production hours.
• Configuration drift if 24H2-specific security defaults differ from organisational baselines.

Security Governance Considerations

For organisations operating under APRA CPS 234, ISO/IEC 27001:2022, or ASD Essential Eight requirements, uncontrolled OS upgrades on endpoints represent a configuration management risk. ASD Essential Eight’s Patch Operating Systems control mandates patches for critical vulnerabilities within 48 hours for internet-facing systems at Maturity Level 2. But this assumes a managed, controlled update process — not vendor-initiated automatic upgrades that bypass change management.

Practical Steps for Security and IT Teams

1. Audit endpoint compliance status: Identify all devices currently on Windows 11 builds prior to 24H2. Determine which are managed versus unmanaged.
2. Verify Update policy enforcement: Confirm Windows Update for Business deferral settings are correctly applied and not being overridden.
3. Validate CIS Benchmark alignment: Review the delta between the Windows 11 23H2 and 24H2 CIS Benchmarks and identify new security defaults requiring explicit configuration.
4. Test application compatibility: Run compatibility validation against business-critical applications before allowing the 24H2 upgrade in production.
5. Update your CIS L1/L2 baseline documentation to reflect 24H2 configurations for Credential Guard, Smart App Control, and kernel protection settings.

References

• Microsoft — Windows 11 24H2 Release Notes and Security Changelog
• CIS Benchmark for Windows 11, Release 24H2
• ASD Essential Eight Maturity Model — Patch Operating Systems (2023)
• NIST SP 800-128 — Guide for Security-Focused Configuration Management