What's new in Windows 11 Enterprise LTSC 2024

This article lists some of the new and updated features and content that is of interest to IT Pros for Windows 11 Enterprise long-term servicing channel (LTSC) 2024, compared to Windows 10 Enterprise LTSC 2021. For a brief description of the LTSC servicing channel and associated support, see Windows Enterprise LTSC.

Windows 11 Enterprise LTSC 2024 builds on Windows 10 Enterprise LTSC 2021, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities.

The Windows 11 Enterprise LTSC 2024 release includes the cumulative enhancements provided in Windows 11 versions 21H2, 22H2, 23H2, and 24H2. Details about these enhancements are provided below.

Lifecycle

Windows 11 Enterprise LTSC 2024 was first available on October 1, 2024. Features in Windows 11 Enterprise LTSC 2024 are similar to Windows 11, version 24H2.The LTSC release is intended for special use devices. Support for LTSC by apps and tools, such as in-box apps and Microsoft Store, that are designed for the general availability channel release of Windows might be limited.

Important

Windows 11 Enterprise LTSC 2024 has a 5 year lifecycle. (IoT Enterprise LTSC continues to have a 10 year lifecycle). Windows 11 Enterprise LTSC 2024 follows the Fixed Lifecycle Policy.

Accessibility

Feature
[Release]
Description
Windows accessibility
22H2
Improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator.
For more information, see:
  • New accessibility features coming to Windows 11
  • How inclusion drives innovation in Windows 11
  • Accessibility information for IT professionals.
Braille displays
23H2
Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience. We also added support for new braille displays and new braille input and output languages in Narrator. For more information, see Accessibility information for IT professionals.
Narrator improvements
23H2
Scripting functionality was added to Narrator. Narrator includes more natural voices. For more information, see Complete guide to Narrator.
Bluetooth ® LE audio support for assistive devices
24H2
Windows has taken a significant step forward in accessibility by supporting the use of assistive hearing devices equipped with the latest Bluetooth ® Low Energy Audio technology. For more information, see Using hearing devices with your Windows 11 PC.
Remote Desktop Connection improvements
24H2
The Remote Desktop Connection setup window (mstsc.exe) follows the text scaling settings under Settings > Accessibility > Text size. Remote Desktop Connection supports zoom options of 350, 400, 450, and 500%.

Applications

Feature
[Release]
Description
Internet Explorer Internet Explorer (IE) is no longer available in Windows 11 Enterprise LTSC 2024. However, you can use IE Mode if a website needs Internet Explorer. For more information, see Internet Explorer (IE) Mode
Microsoft Edge
21H2
The Microsoft Edge browser is the default browser. For information about configuring Microsoft Edge on Windows, see Configure Microsoft Edge policy settings on Windows devices.
File Explorer
23H2/24H2
Tabs:
File Explorer includes tabs to help you organize your File Explorer sessions.
Context menu:
Support for creating 7-zip and TAR archives.
Compress to > Additional options allows you to compress individual files with gzip, BZip2, xz, or Zstandard
Labels were added to the context menu icons for actions like copy, paste, delete, and rename.
Registry Editor
Search
24H2
The Registry Editor supports limiting a search to the currently selected key and its descendants
Remote Desktop
Connection improvements
24H2
The Remote Desktop Connection setup window (mstsc.exe) follows the text scaling settings under Settings > Accessibility > Text size, provides zoom options of 350, 400, 450, and 500%, and improves the connection bar design
Sudo for Windows
24H2
Sudo for Windows is a new way for users to run elevated commands (as an administrator) directly from an unelevated console session. For more information, see Sudo for Windows.

Developer

Feature
[Release]
Description
Arm64EC (Emulation Compatible) Code built as Arm64EC is interoperable with x64 code running under emulation within the same process. The Arm64EC code in the process runs with native performance, while any x64 code runs using emulation that comes built-in with Windows 11. For more information, see Arm64EC - Build and port apps for native performance on Arm
Power Grid Forecast
24H2
The Power Grid Forecast API was introduced. App developers can minimize environmental impact by shifting background workloads to times when renewable energy is available to the local grid. Forecast data isn't available globally and quality of data varies by region.
Energy saver notification callback
24H2
Added an energy saver notification callback setting GUID to represent the new energy saver experience. Apps can subscribe to the energy saver status and can implement different behaviors to optimize energy or performance depending on the current energy saver status. For more information, see Power Setting GUIDs
Effective Power Mode
24H2
Extended the Effective Power Mode API to interpret the new energy saver levels when determining the returned effective power mode.

Management

Feature
[Release]
Description
Microsoft Intune
21H2
Microsoft Intune is a mobile application management (MAM) and mobile device management (MDM) provider. It helps manage devices, and manage apps on devices in your organization. You configure policies, and then deploy these policies to users and groups. You can create and deploy policies that install apps, configure device features, enforce PIN requirements, block compromised devices, and more.

If you use Group Policy to manage your Windows 10 devices, then you can also use Group Policy to manage Windows 11 devices. In Intune, there are administrative templates and the settings catalog that include many of the same policies. Group Policy analytics analyze your on-premises group policy objects.
Control Windows Update notifications
22H2
You can now block user notifications for Windows Updates during active hours. This setting is especially useful for organizations that want to prevent Windows Update notifications from occurring during business hours. For more information, see Control restart notifications.
Organization name in update notifications
22H2
The organization name now appears in the Windows Update notifications when Windows clients are associated with a Microsoft Entra ID tenant. For more information, see Display organization name in Windows Update notifications.
Start menu layout
22H2
New Configuration Service Providers (CSPs) for customizing the start menu layout. These CSPs allow you to hide the app list and disable context menus. For more information, see Supported configuration service provider (CSP) policies for Windows 11 Start menu.
Restricted User Experience
23H2
Restricted User Experience (formerly Multi-App Kiosk Mode) supports the creation of a controlled user experience while maintaining the familiar look and feel of the Windows 11 desktop. Ideal for shared devices that require access to more than one app, admins can configure a curated experience to limit distractions and potential tampering points while focusing the experience around the device's dedicated purpose.
Declared configuration protocol
23H2
Declared configuration protocol is a new protocol for device configuration management based on a desired state model and uses OMA-DM SyncML protocol. It allows the server to provide the device with a collection of settings for a specific scenario, and the device to handle the configuration request and maintain its state. For more information, see What is the declared configuration protocol.
Control File Explorer Home Recommended section
23H2
Configure the Recommended section added to File Explorer Home for users signed into Windows with a Microsoft Entra ID account. For more information, see DisableGraphRecentItems.
To configure using Local Group Policy Editor, see Computer Configuration\Administrative Templates\Windows Components\File Explorer\Turn off files from Office.com in Quick Access View.
Taskbar Button Policies
23H2
Policies to customize taskbar buttons were added to provide you with more control over the taskbar search experience across your organization. For more information, see Supported taskbar CSPs.
Control Start Menu Recommended section
23H2
Configure the Recommended section of the Start Menu, which displays personalized website recommendations. For more information, see HideRecoPersonalizedSites.
To configure using Local Group Policy Editor, see Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove Personalized Website Recommendations from the Recommended section in the Start Menu.
Sudo for Windows
24H2
Sudo for Windows is a new way for users to run elevated commands (as an administrator) directly from an unelevated console session. For more information, see Sudo for Windows.

Networking

Feature
[Release]
Description
Wi-Fi 7 consumer access points
24H2
Support for Wi-Fi 7 consumer access points offers unprecedented speed, reliability, and efficiency for wireless devices. For more information, see the Wi-Fi 7 announcements from Wi-Fi Alliance and the Windows Insider.
Windows location improvements
24H2
New controls were added to help manage which apps have access to the list of Wi-Fi networks around you, which could be used to determine your location. You can view and modify which apps can access the list of Wi-Fi networks from Settings > Privacy & security > Location. A new prompt appears the first time an app attempts to access your location or Wi-Fi information. Developers can use the Changes to API behavior for Wi-Fi access and location article to learn about API surfaces impacted by this change.

Security

The security and privacy features in Windows 11 are similar to Windows 10. Security for your devices starts with the hardware, and includes OS security, application security, and user & identity security. There are features available in the Windows OS to help in these areas. For a more comprehensive view, including Zero Trust, see Windows security.

Feature
[Release]
Description
Windows Security app
21H2
Windows Security app is an easy-to-use interface, and combines commonly used security features. For example, your get access to virus & threat protection, firewall & network protection, account protection, and more. For more information, see the Windows Security app.
Security baselines
21H2
Security baselines include security settings that are already configured, and ready to be deployed to your devices. If you don't know where to start, or it's too time consuming to go through all the settings, then you should look at Security Baselines. For more information, see Windows security baselines.
Microsoft Defender Antivirus
21H2
Microsoft Defender Antivirus helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Intune to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint. For more information, see:
  • Microsoft Defender Antivirus
  • Microsoft Defender for Endpoint
  • Enforce compliance for Microsoft Defender for Endpoint
Application Security
21H2
The Application Security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more. For more information, see Windows application security.
Microsoft Pluton
22H2
Pluton, designed by Microsoft and built by silicon partners, is a secure crypto-processor built into the CPU. Pluton provides security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data, and encryption keys. Information is harder to be removed even if an attacker installed malware or has complete physical possession. For more information, see Microsoft Pluton security processor.
Enhanced Phishing Protection
22H2
Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft passwords against phishing and unsafe usage. Enhanced Phishing Protection works alongside Windows security protections to help protect sign-in passwords. For more information, see:
  • Enhanced Phishing Protection in Microsoft Defender SmartScreen
  • Protect passwords with enhanced phishing protection in the Windows IT Pro blog.
Smart App Control
22H2
Smart App Control adds significant protection from malware, including new and emerging threats, by blocking apps that are malicious or untrusted. Smart App Control helps block unwanted apps that affect performance, display unexpected ads, offer extra software you didn't want, and other things you don't expect. For more information, see Smart App Control.
Credential Guard
22H2
Credential Guard, enabled by default, uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like pass the hash and pass the ticket. For more information, see Configure Credential Guard.
Malicious and vulnerable driver blocking
22H2
The vulnerable driver blocklist is automatically enabled on devices when Smart App Control is enabled and for clean installs of Windows. For more information, see recommended block rules.
Security hardening and threat protection
22H2
Enhanced support with Local Security Authority (LSA) to prevent code injection that could compromise credentials. For more information, see Configuring Additional LSA Protection.
Personal Data Encryption (PDE)
22H2
Personal Data Encryption (PDE) is a security feature that provides file-based data encryption capabilities to Windows. PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.
Passkeys in Windows
23H2
Windows provides a native experience for passkey management. You can use the Settings app to view and manage passkeys saved for apps or websites. For more information, see Support for passkeys in Windows.
Windows passwordless experience
23H2
Windows passwordless experience is a security policy that promotes a user experience without passwords on Microsoft Entra joined devices.
When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords. For more information, see Windows passwordless experience.
Web sign-in for Windows
23H2
You can enable a web-based sign-in experience on Microsoft Entra joined devices, unlocking new sign-in options, and capabilities. For more information, see Web sign-in for Windows.
Federated sign-in
23H2
Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Microsoft Entra ID, they can sign-in using their existing credentials from the federated identity provider. For more information, see Configure federated sign-in for Windows devices.
Windows Hello for Business authentication improvement
23H2
Peripheral face and fingerprint sensors can be used for Windows Hello for Business authentication on devices where Enhanced Sign-in Security (Secure Biometrics) enabled at the factory. For more information, see Common questions about Windows Hello for Business.
App Control for Business
24H2
Customers can now use App Control for Business (formerly called Windows Defender Application Control) and its next-generation capabilities to protect their digital property from malicious code. With App Control for Business, IT teams can configure what runs in a business environment through Microsoft Intune or other MDMs in the admin console, including setting up Intune as a managed installer. For more information, see Application Control for Windows.
Local Security Authority (LSA) protection enablement
24H2
An audit occurs for incompatibilities with LSA protection for a period of time, starting with this upgrade. If incompatibilities aren't detected, LSA protection is automatically enabled. You can check and change the enablement state of LSA protection in the Windows Security application under the Device Security > Core Isolation page. In the event log, LSA protection logs whether programs are blocked from loading into LSA.
Rust in the Windows kernel
24H2
There's a new implementation of GDI region in win32kbase_rs.sys. Since Rust offers advantages in reliability and security over traditional programs written in C/C++, you'll continue to see more use of it in the kernel.
SHA-3 support
24H2
Support for the SHA-3 family of hash functions and SHA-3 derived functions (SHAKE, cSHAKE, KMAC) was added. The SHA-3 family of algorithms is the latest standardized hash functions by the National Institute of Standards and Technology (NIST). Support for these functions is enabled through the Windows CNG library.
Windows Local Admin Password Solution (LAPS)
24H2
Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. Windows LAPS is the successor for the now deprecated legacy Microsoft LAPS product. For more information, see What is Windows LAPS?
Windows LAPS
Automatic account management
24H2
Windows Local Administrator Password Solution (LAPS) has a new automatic account management feature. Admins can configure Windows LAPS to:
  • Automatically create the managed local account
  • Configure name of account
  • Enable or disable the account
  • Randomize the name of the account
Windows LAPS
Policy improvements
24H2
  • Added passphrase settings for the PasswordComplexity policy
  • Use PassphraseLength to control the number of words in a new passphrase
  • Added an improved readability setting for the PasswordComplexity policy, which generates passwords without using characters that are easily confused with another character. For example, the number 0 and the letter O aren't used in the password since the characters can be confused.
  • Added the Reset the password, logoff the managed account, and terminate any remaining processes setting to the PostAuthenticationActions policy. The event logging messages that are emitted during post-authentication-action execution were also expanded, to give insights into exactly what was done during the operation.
Windows LAPS
Image rollback detection
24H2
Image rollback detection was introduced for LAPS. LAPS can detect when a device was rolled back to a previous image. When a device is rolled back, the password in Active Directory might not match the password on the device that was rolled back. This new feature adds an Active Directory attribute, msLAPS-CurrentPasswordVersion, to the Windows LAPS schema. This attribute contains a random GUID that Windows LAPS writes every time a new password is persisted in Active Directory, followed by saving a local copy. During every processing cycle, the GUID stored in msLAPS-CurrentPasswordVersion is queried and compared to the locally persisted copy. If the GUIDs are different, the password is immediately rotated. To enable this feature, you need to run the latest version of the Update-LapsADSchema PowerShell cmdlet.
Windows protected print mode
24H2
Windows protected print mode (WPP) enables a modern print stack which is designed to work exclusively with Mopria certified printers. For more information, see What is Windows protected print mode (WPP) and Windows Insider WPP announcement.
SMB signing requirement changes
24H2
SMB signing is now required by default for all connections. SMB signing ensures every message contains a signature generated using session key and cipher suite. The client puts a hash of the entire message into the signature field of the SMB header. If anyone changes the message itself later on the wire, the hash won't match and SMB knows that someone tampered with the data. It also confirms to sender and receiver that they are who they say they are, breaking relay attacks. For more information about SMB signing being required by default, see https://aka.ms/SMBSigningOBD.
SMB client encryption
24H2
SMB now supports requiring encryption on all outbound SMB client connections. Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing, which allows both client and server requirements. With this new option, administrators can mandate that all destination servers use SMB 3 and encryption, and if missing those capabilities, the client won't connect. For more information about this change, see https://aka.ms/SmbClientEncrypt.
SMB signing and encryption auditing
24H2
Administrators can now enable auditing of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn't support SMB encryption or signing. The SMB signing and encryption auditing settings can be modified in Group Policy or through PowerShell.
SMB alternative client and server ports
24H2
The SMB client now supports connecting to an SMB server over TCP, QUIC, or RDMA using alternative network ports to the hardcoded defaults. However, you can only connect to alternative ports if the SMB server is configured to support listening on that port. Starting in Windows Server Insider build 26040, the SMB server now supports listening on an alternative network port for SMB over QUIC. Windows Server doesn't support configuring alternative SMB server TCP ports, but some third parties do. For more information about this change, see https://aka.ms/SMBAlternativePorts.
SMB NTLM blocking exception list
24H2
The SMB client now supports blocking NTLM for remote outbound connections. With this new option, administrators can intentionally block Windows from offering NTLM via SMB and specify exceptions for NTLM usage. An attacker who tricks a user or application into sending NTLM challenge responses to a malicious server will no longer receive any NTLM data and can't brute force, crack, or pass hashes. This change adds a new level of protection for enterprises without a requirement to entirely disable NTLM usage in the OS. For more information about this change, see https://aka.ms/SmbNtlmBlock.
SMB dialect management
24H2
The SMB server now supports controlling which SMB 2 and 3 dialects it negotiates. With this new option, an administrator can remove specific SMB protocols from use in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting. For example, admins can specify to only use SMB 3.1.1, the most secure dialect of the protocol. For more information about this change, see https://aka.ms/SmbDialectManage.
SMB over QUIC client access control
24H2
SMB over QUIC, which introduced an alternative to TCP and RDMA, supplies secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords. SMB over QUIC client access control improves the existing SMB over QUIC feature. Administrators now have more options for SMB over QUIC such as:
  • Specifying which clients can access SMB over QUIC servers. This gives organizations more protection but doesn't change the Windows authentication used to make the SMB connection or the end user experience.
  • Disabling SMB over QUIC for client with Group Policy and PowerShell
  • Auditing client connection events for SMB over QUIC

For more information about these changes, see https://aka.ms/SmbOverQUICCAC.
SMB firewall rule changes
24H2
The Windows Firewall default behavior has changed. Previously, creating an SMB share automatically configured the firewall to enable the rules in the File and Printer Sharing group for the given firewall profiles. Now, Windows automatically configures the new File and Printer Sharing (Restrictive) group, which no longer contains inbound NetBIOS ports 137-139.

This change enforces a higher degree of default of network security and brings SMB firewall rules closer to the Windows Server File Server role behavior, which only opens the minimum ports needed to connect and manage sharing. Administrators can still configure the File and Printer Sharing group if necessary as well as modify this new firewall group, these are just default behaviors. For more information about this change, see https://aka.ms/SMBfirewall. For more information about SMB network security, see Secure SMB Traffic in Windows Server.

Servicing

Feature
[Release]
Description
Windows Updates and Delivery optimization
21H2
Delivery optimization helps reduce bandwidth consumption. It shares the work of downloading the update packages with multiple devices in your deployment. Windows 11 updates are smaller, as they only pull down source files that are different. You can create policies that configure delivery optimization settings. For example, set the maximum upload and download bandwidth, set caching sizes, and more. For more information, see:
  • Delivery Optimization for Windows updates
  • Installation & updates
  • Manage updates in Windows
Control Windows Update notifications
22H2
You can now block user notifications for Windows Updates during active hours. This setting is especially useful for organizations that want to prevent Windows Update notifications from occurring during business hours. For more information, see Control restart notifications.
Organization name in update notifications The organization name now appears in the Windows Update notifications when Windows clients are associated with a Microsoft Entra ID tenant. For more information, see Display organization name in Windows Update notifications.
Checkpoint cumulative updates
24H2
Windows quality updates are provided as cumulative updates throughout the life cycle of a Windows release. Checkpoint cumulative updates introduce periodic baselines that reduce the size of future cumulative updates making the distribution of monthly quality updates more efficient. For more information, see https://aka.ms/CheckpointCumulativeUpdates.

User Experience

Feature
[Release]
Description
High Efficiency Video Coding (HEVC) support
22H2
HEVC is designed to take advantage of hardware capabilities on some newer devices to support 4K and Ultra HD content. For devices that don't have hardware support for HEVC videos, software support is provided, but the playback experience might vary based on the video resolution and your devices performance.
Task Manager
22H2/23H2
A new command bar was added to each page to give access to common actions. Task Manager matches the system wide theme configured in Windows Settings. Added an efficiency mode that allows you to limit the resource usage of a process.
Process filtering, theme settings, and the ability to opt out of efficiency mode notification were added to Task Manager.
Taskbar overflow menu
23H2
The taskbar offers an entry point to a menu that shows all of your overflowed apps in one spot.
Taskbar Optimize for touch
23H2
Taskbar touch optimization is available for devices that can be used as a tablet. Once enabled, the user can switch between a collapsed taskbar, saving screen space, and an expanded taskbar, optimized for touch. The taskbar changes to this optimized version when you disconnect or fold back the keyboard on a 2-in-1 device. To enable or disable this feature on a tablet capable device, go to Settings > Personalization > Taskbar > Taskbar behaviors. See also February 28, 2023 - KB5022913
Windows Ink as input
23H2
Windows Ink allows users to handwrite directly onto most editable fields
Uninstall Win32 app
23H2
Selecting Uninstall for a Win32 app from the right-click menu uses the Installed Apps page in Settings rather than Programs and Features in Control Panel. For more information, see September 2023 - KB5030310
Dev Drive
23H2
Dev Drive is a new form of storage volume available to improve performance for key developer workloads. For more information, see Set up a Dev Drive on Windows 11 and September 2023 - KB5030310.

Features Removed

Each version of Windows client adds new features and functionality. Occasionally, features and functionality are removed, often because a newer option was added. For a list of features no longer in active development that might be removed in a future release, see deprecated features. The following features are removed in Windows 11 Enterprise LTSC 2024:

Feature Description
WordPad
24H2
WordPad is removed from all editions of Windows starting in Windows 11, version 24H2 and Windows Server 2025.
Alljoyn
24H2
Microsoft's implementation of AllJoyn, which included the Windows.Devices.AllJoyn API namespace, a Win32 API, a management configuration service provider (CSP), and an Alljoyn Router Service is retired.