By Susan Bradley
I can always tell when fall is in the air.
No, it’s not a decrease in temperatures — we’re still very hot here in Central California. No, it’s not that pumpkin-spice aroma around coffee shops.
It’s the technology headlines about imminent updates from Redmond and Cupertino. Naturally, that means I’m raising the MS-DEFCON level to 2. Here are a few things you should consider.
Windows
For now, stick to Windows 11 23H2. An excellent and simple way to do that is with Steve Gibson’s InControl app. Download and run it on an “uncontrolled” PC, and you’ll see the window in Figure 1. (Note that InControl is a zero-install program. After downloading it, move the executable file incontrol.exe to your preferred location, and perhaps add a shortcut to the desktop or Taskbar.)
Figure 1. Updates are not controlled, and Windows can do as it pleases.
InControl manages six Windows Registry keys. If those are missing, you’ll see the message in Figure 1. Simply set the Version/Release values as desired, then press the Take Control button. InControl will create (or alter) the registry keys, based upon your values. Note that InControl assumes you know what you’re doing well enough to get those two values correct. It will accept bogus values (e.g., 95/9602), but they’ll have no effect. Because I’m recommending staying on Windows 11 23H2, you’ll enter 11/23H2.
Once you’ve set the values by “taking control,” the InControl window will change, as shown in Figure 2.
Figure 2. InControl has placed you in control.
The message now indicates that version updates to Windows will be blocked; this is safe. However, security updates will be processed.
If you want to control all updates, see our BlockAPatch website.
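To confirm the result from the command line, the following added example (not part of InControl and not from the original article) reads the Windows Update target-release policy and reports whether the machine is held at 11/23H2. It assumes the pin is expressed through Microsoft's documented policy values TargetReleaseVersion, TargetReleaseVersionInfo and ProductVersion; the article does not list which six keys InControl manages, and Get-FeatureUpdatePin is a hypothetical function name.

```powershell
# Added example: audit the Windows Update target-release policy.
# Assumption: the pin uses Microsoft's documented policy values under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the article does
# not list which keys InControl writes.
function Get-FeatureUpdatePin {
    param(
        [string]$ExpectedProduct = 'Windows 11',
        [string]$ExpectedRelease = '23H2',
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )
    $state = [ordered]@{
        Enabled = $false; Product = $null; Release = $null
        Pinned  = $false; Detail  = ''
    }
    if (-not (Test-Path -LiteralPath $PolicyPath)) {
        $state.Detail = 'Policy key missing: feature updates are not controlled.'
        return [pscustomobject]$state
    }

    # Values that are absent come back as $null rather than raising an error.
    $p = Get-ItemProperty -LiteralPath $PolicyPath
    $state.Enabled = ($p.TargetReleaseVersion -eq 1)
    $state.Product = $p.ProductVersion
    $state.Release = $p.TargetReleaseVersionInfo

    if (-not $state.Enabled) {
        $state.Detail = 'TargetReleaseVersion is not 1: no target release is enforced.'
    }
    elseif ($state.Product -ne $ExpectedProduct -or $state.Release -ne $ExpectedRelease) {
        # Also catches stored-but-ineffective values such as 95/9602.
        $state.Detail = "Found '$($state.Product)' / '$($state.Release)', " +
                        "expected '$ExpectedProduct' / '$ExpectedRelease'."
    }
    else {
        $state.Pinned = $true
        $state.Detail = "Feature updates held at $ExpectedProduct $ExpectedRelease."
    }
    [pscustomobject]$state
}

Get-FeatureUpdatePin | Format-List
```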
Why do I recommend holding off on 24H2? Most of its major changes are exclusive to Copilot+ PCs, which became available only a few months ago. The vast majority of users do not have such a PC and thus do not need to rush to 24H2. For the most part, I’m seeing only dribbled changes, most of which are insignificant. One potentially significant improvement is the ability to share content to your Android device, but this is also coming to Windows 11 23H2 in the September security updates.
Apple
Monday is “Glowtime” at Apple. Its September event is usually reserved for iPhone announcements, so the iPhone 16 models are expected. macOS Sequoia, still in beta, is expected by the end of the month or early October, so there may be announcements on Monday.
Importantly, Sequoia brings Apple Intelligence, which is a breaking point for Apple because it requires more modern hardware. Older devices will not be supported. Here’s the list of devices that will run the new macOS version:
- MacBook Pro models — 2018 and later
- MacBook Air models — 2020 and later
- iMac — 2019 and later
- Mac mini — 2018 and later
- iMac Pro — 2017 and later
- Mac Studio — 2022 and later
- Mac Pro — 2019 and later
Although Macs with M4 SoCs are expected, these will most likely be introduced in November.
Consumers
Pause updates. The September security updates may not include the fix for dual-booting; if you dual-boot, disable Secure Boot or pause until we see a release that supports dual-booting natively.
As noted above, I recommend using InControl to lock your Windows version release. Don’t worry about Windows 10, because no version releases beyond 22H2 are expected. But for Windows 11, lock your machine on 23H2 for now.
This is a good time to check your Macs to see whether they are included in the list above. Then you can plan accordingly.
We’ll be asking our usual questions about Windows 11 adoption in our annual survey in January. However, it was interesting to learn from Steam’s August survey that just over 50% of respondents were using Windows 11.
Businesses
Focus less on the monthly updates for now, and spend more time thinking about that looming date a year from now — when Windows 10 reaches its official end of life (October 2025).
On a timelier note: October 8, 2024, marks the end of servicing for Windows 11 Enterprise and Education 21H2, Windows 11 Home and Pro 22H2, and Windows 11 IoT Enterprise 21H2.
Important long-term projects include Boot Manager revocations (KB5025885). Posts at the PatchManagement Google Group (registration required) clearly indicate that firms are slogging through it, saying it’s confusing. Matt Guelde reported that
[I] applied all 4 mitigation steps on a spare laptop, and once the revocation step was applied, I was no longer able to boot from either of our WinPE boot media (the one my colleague built, and the one from our endpoint management software).
Also be aware of the upcoming changes to certificate-based authentication on Windows domain controllers, as noted in KB5014754. And note the additional steps needed in KB5037754 relating to PAC validation changes (CVE-2024-26248 and CVE-2024-29056).
Monitor changes needed for TLS server authentication. Remember: In late 2024, 1024-bit RSA keys will be deprecated.
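One way to find affected certificates ahead of that change is to inventory the machine certificate store for short RSA keys usable for TLS server authentication. This is an added example, not from the original article; the function name Find-WeakRsaServerCert, the store path and the default 2048-bit floor are assumptions, with the floor chosen so that the 1024-bit keys mentioned above are flagged.

```powershell
# Added example: list RSA certificates below a minimum key size that can be
# used for TLS server authentication. Store path and floor are assumptions.
function Find-WeakRsaServerCert {
    param(
        [int]$MinimumBits = 2048,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $rsaOid        = '1.2.840.113549.1.1.1'   # rsaEncryption
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'      # id-kp-serverAuth
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $rsaExt  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Skip ECC and other non-RSA certificates.
        if ($cert.PublicKey.Oid.Value -ne $rsaOid) { continue }

        # A certificate with no EKU extension is valid for all purposes,
        # so only skip when an EKU exists and lacks serverAuth.
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
        if ($eku) {
            $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($usages -notcontains $serverAuthOid) { continue }
        }

        $rsa = $rsaExt::GetRSAPublicKey($cert)
        if ($null -eq $rsa) { continue }
        $bits = $rsa.KeySize
        $rsa.Dispose()

        if ($bits -lt $MinimumBits) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                KeyBits    = $bits
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))
            }
        }
    }
}

Find-WeakRsaServerCert | Sort-Object KeyBits | Format-Table -AutoSize
```

Reading Cert:\LocalMachine\My does not require access to private keys; an empty result means no RSA server-authentication certificate in that store is below the floor.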
Finally, if you use Windows Smart Cards, determine whether you are impacted by the upcoming changes in early 2025 that will remove the RSA override and retain KSP as the default. Test the recommended registry key if you use RSA-based certificates and smart cards.
Resources
- Susan’s Master Patch List
- The MS-DEFCON System explained
- BlockAPatch — Tools to help you hide or block updates
- Steve Gibson’s excellent InControl to manage feature releases