  • MS-DEFCON 1: Controlling features — 24H2 pushed hard


    Karlston

    • 339 views
    • 7 minutes

    By Susan Bradley

     

    If your machine is eligible for Windows 11 — meaning it ticks all the boxes for hardware compatibility — Windows 11 24H2 will download in preparation for installation, with no way to stop it.

     

    For right now, the only way to prevent this is to adjust Registry keys accordingly, and the simplest, fastest way to do so is with InControl.

     

    Although it’s time to pause until Patch Tuesday passes, the increased push by Microsoft for 24H2 is the key reason I’m raising the MS-DEFCON level to 1. Pay attention, and exercise caution.

     

    In this regard, let me apologize for something I thought was universal but may not apply to everyone. When I write about how Microsoft is doing this update or pushing that feature, I’m basing my observations and advice on the experience I see using my suite of PCs, both at home and in the office. Due to all the experiments and testing I do, my machines may not match the more general experience of most users, even though I usually test on more than one machine.

     

    In my last MS-DEFCON alert, I wrote about a small link that appeared very low on a screen and offered the ability to opt out of 24H2. It turns out that this is not a universal experience. Instead — and as I mentioned above — 24H2 just downloads, assuming your machine is eligible.

     

    Now here’s the catch: once that download starts, it may move to installation automatically, with no way for you to stop it. If that happens, let it go. Don’t attempt to abort it in the middle or do anything crazy — just go through the process. Then, after 24H2 is up and running, start poking around to determine whether anything is broken. If not, you should be okay. If you find something amiss and it is something you’re having trouble working around, roll back to 23H2 and wait for me to finally say that 24H2 is ready for prime time.

     

    To roll back, go to Settings | System | Recovery | Go back.

     


     

    You’ll have 10 days to decide whether to roll back. If you do, let the system re-index itself and get back to where it was, your previous “normal.”

     

    This advice does not apply to a new PC purchased with Windows 11 24H2 installed. You would need to perform a setup using a 23H2 ISO downloaded from Microsoft. The result would be that your system would have to be rebuilt and you’d have to find any missing drivers. If you don’t put in the InControl setting, you will once again be offered 24H2. That would be far worse than working through any problems you might have with 24H2. If your new computer came with 24H2, stick with it.

     

    If you use NAS devices that don’t support SMBv2 or v3, you will have file-sharing issues unless you take action to lower the security on your system. If you have networking problems, you may need to use commands to get networking back.

     

    Let me emphasize again that I am not yet recommending Windows 11 24H2. The advice here is based on 24H2 being installed in a way that is out of your control — the “hard push” from Microsoft — and on your dealing with that as best suits your situation. In other words, I’m not saying that you will have problems with 24H2; everything could be fine. Just be prepared, in case there are side effects.

     

    As doom approaches (otherwise known as the end of support for Windows 10), the chatter about ways to get around the hardware requirements for Windows 11 so it can be installed on noncompliant hardware is getting louder. Ignore the noise. Microsoft’s probable efforts to prevent the known workarounds and certain aspects of those workarounds make using one of those methods risky. If you really need to hang on to that old hardware, or at least delay the inevitable, get extended support.

     

    With one of my older Surface devices, I wanted to see whether I could get around the hardware block and install Windows 11. I succeeded. Then there were problems. The main one was that version updates are not easy. I must find methods to get from feature release to feature release. It isn’t too bad for moving from 22H2 to 23H2 (because only the enablement updates are needed), but getting to 24H2 is more difficult. It’s back to an ISO and doing a complete setup. Then you won’t be offered feature updates, just the out-of-date notification.

     

    Can you get around the hardware-requirements block? Yes. Should you do so? No. There are too many uncertainties, including the possibility that Microsoft will get tougher and actively prevent further updates from installing.

    Consumers

    Adding to my decision to push MS-DEFCON all the way to level 1 is that the February updates will include several annoyances, including the installation of Outlook (new). Defer. Give me some time for my standard due diligence and testing of the updates. Set your phaser on stun; use InControl to hold your location in the galaxy to Windows 11 23H2.

     

    If you subscribe to Microsoft 365, you can still continue to use Outlook (classic). But if you love the Windows Mail client, the end of the road has come and gone. This transition is such a mess, as Peter Deegan has amply described, that I’ve come to the conclusion that you should look into a different email client altogether. There are other options without the foolish limitations Microsoft has created.

     

    If you have a consumer version of Microsoft 365 and have received Copilot in Word, there is now a new button in Options that allows you to disable Copilot from within the application. Note that if you are a Microsoft 365 business user, you don’t have that button. That’s confusing. Some have said that Copilot is almost as annoying as Clippy — but at least if you are nostalgic about Clippy, you can download one from the GitHub site.

     

    It remains to be seen whether we will see a fix for the Windows 10 event-viewer bug. As Microsoft notes in KB5050081: although the Windows updates released January 14, 2025, conflict with the initialization of this service, no impact to performance or functionality should be observed. There is no change to the security level of a device as a result of this issue. This service has already been disabled in other supported versions of Windows, and SgrmBroker.exe presently serves no purpose.

    Businesses

    Microsoft released a tech note about past patches at its admin portal. It noted that after the September updates are installed, Remote Desktop Services licensing servers will experience high CPU utilization in the LSASS process. The resolution feels a tad late, but if you are experiencing high CPU use on your RDS servers, follow the guidance.

     

    Just a reminder: The hardening of Windows networks is coming in February and April. First up is the full enforcement mode noted in KB5014754. As detailed by Richard Hicks, if you need to opt out of these strong certificate-mapping requirements on Active Directory Domain Controllers, you can still do so temporarily.

     

    You can implement this change by opening an elevated PowerShell command window and running the following command:

     

    • New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -Name 'StrongCertificateBindingEnforcement' -PropertyType DWORD -Value 1 -Force

     

    If you have taken no action to test the impact, look for issues with workloads using certificate-based authentication such as Always On VPN, Wi-Fi, and others.
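One way to check where a domain controller stands before and after that change, as an added example that is not part of the original article or Microsoft's guidance: it reads the current StrongCertificateBindingEnforcement value and lists the KDC audit events that KB5014754 describes for certificates lacking a strong mapping. The 30-day look-back window and the provider-name match are assumptions; adjust them for your environment.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$name   = 'StrongCertificateBindingEnforcement'

# Value meanings as documented in KB5014754.
$modes = @{ 0 = 'Disabled'; 1 = 'Compatibility mode'; 2 = 'Full enforcement' }

# The value may be absent, in which case the KDC follows the default
# behavior of the installed update level.
$prop = Get-ItemProperty -Path $kdcKey -Name $name -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Output "$name is not set; the installed update's default applies."
} else {
    $value = [int]$prop.$name
    $label = if ($modes.ContainsKey($value)) { $modes[$value] } else { 'Unknown value' }
    Write-Output "$name = $value ($label)"
}

# KDC events from KB5014754 (System log):
#   39 = certificate could not be mapped to the account in a strong way
#   40 = certificate was issued before the account existed
#   41 = SID in the certificate does not match the account's SID
$filter = @{
    LogName   = 'System'
    Id        = 39, 40, 41
    StartTime = (Get-Date).AddDays(-30)   # assumed look-back window
}

# Get-WinEvent raises an error when nothing matches, so suppress it and
# treat "no events" as an empty result. The provider filter (assumed name
# pattern) drops unrelated events that happen to share these IDs.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Kerberos-Key-Distribution-Center|Kdcsvc' })

if ($events.Count -eq 0) {
    Write-Output 'No KDC certificate-mapping events (39/40/41) in the last 30 days.'
} else {
    # Summary per event ID, then the most recent entries for triage.
    $events | Group-Object Id | Sort-Object Name |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
    $events | Select-Object -First 20 TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}
```

Events appearing while the DC is in compatibility mode identify the accounts and certificates that will fail authentication once full enforcement is in place.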

    April brings full enforcement of PAC Validation changes. As noted in KB5037754:

     

    The Windows security updates released in or after April 2025, will remove support for the registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing the April 2025 update.

     
