Windows 11 Version 24H2 Security Baseline Released


Microsoft has released the security baseline package for Windows 11, version 24H2. This update strengthens enterprise security with changes to LAN Manager, Kerberos, User Account Control, Microsoft Defender Antivirus, and more. To apply these settings, administrators are encouraged to download the Microsoft Security Compliance Toolkit.

Mark of the Web

The latest release adds a setting for the Mark of the Web (MotW), the tag applied to files copied from untrusted sources. With the 'Do not apply' setting disabled, files copied from network shares that fall into the Internet Zone are tagged on the local system. Trust mapping can designate specific file shares as safe.
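One way to verify that the MotW setting is having its intended effect is to audit a folder of files copied from a share and report which ones carry the Zone.Identifier stream and with which zone. This is an added example, not part of the Microsoft baseline package; it assumes an NTFS volume, Windows PowerShell 5.1 or later, and a placeholder path.

```powershell
# Added example: audit which files under a folder carry a Mark of the Web
# (the Zone.Identifier alternate data stream) and report the ZoneId, so an
# admin can confirm that files copied from a network share are tagged once the
# baseline's MotW setting is in place.
# Assumptions: NTFS volume, PowerShell 5.1+; the path in the usage line is a placeholder.
function Get-MotwReport {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # The Zone.Identifier stream exists only on files that carry a MotW.
            $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $zoneId = $null
            $source = $null
            if ($stream) {
                $content = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
                foreach ($line in $content) {
                    # ZoneId: 0 local machine, 1 local intranet, 2 trusted sites,
                    # 3 Internet, 4 restricted sites
                    if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
                    if ($line -match '^(ReferrerUrl|HostUrl)=(.+)$') { $source = $Matches[2] }
                }
            }
            [pscustomobject]@{
                File    = $file.FullName
                HasMotW = [bool]$stream
                ZoneId  = $zoneId
                Source  = $source
            }
        }
}

# Usage (placeholder path): list files that were NOT tagged, i.e. the ones that
# would open without the checks a MotW normally triggers.
Get-MotwReport -Path 'C:\Temp\FromShare' | Where-Object { -not $_.HasMotW }
```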

LAN Manager Enhancements

The LAN Manager refinements update the server and workstation settings to cover encryption, signing, and authentication rate limiting. This provides encrypted and controlled data exchange across the network.

Certificate Logon and Sudo Behavior

A new setting configures the hash algorithms used for certificate-based smart card logons with Kerberos, favoring stronger algorithms such as SHA-256 and above. A further setting governs the behavior of the sudo command; the baseline disables it by default to limit privilege escalation.

Microsoft Defender Antivirus Improvements

Microsoft Defender Antivirus gains six new settings that add control over the visibility of exclusions, real-time protection, and reporting, further hardening Windows 11.

User Account Control

User Account Control gains an enhanced privilege protection mode that adds further isolation, keeping sensitive data away from potential threats. The recommended configuration prompts for credentials on the secure desktop and uses enhanced privilege protection in Admin Approval Mode.

Evaluations and Recommendations

Admins should consider the new policies, such as support for delegated Managed Service Account (dMSA) logons, especially where a Windows Server 2025 Domain Controller is in use. Similarly, Windows Protected Print (WPP) offers a secure print solution designed to withstand the risks posed by third-party print drivers.

Feedback is requested through comments or the Security Baseline Community.

For further details, you can read the complete announcement here.
