Essential Security Insights for CISOs: Navigating Windows 11 and Server 2025 Updates

Microsoft has introduced significant security updates for Windows 11 (24H2) and Server 2025. As Chief Information Security Officers (CISOs) prepare for these changes, it’s crucial to understand the implications of features like Recall and hotpatching.

New Feature: Recall

Microsoft is rolling out Recall, which allows users to take snapshots of their activity on their devices. This feature, perceived as a potential privacy nightmare, has transitioned to an opt-in status following user concerns. To use Recall, a device needs a neural processing unit (NPU) capable of more than 40 trillion operations per second. Only Copilot+ PCs support the feature; on that hardware, Windows 11 Professional and Enterprise users can also enable it. Importantly, Recall is not activated by default on domain-joined machines, so security teams may want to establish policies preventing its installation if it doesn’t align with organizational privacy standards.

Hotpatching: A Game Changer for Updates

Another groundbreaking feature is hotpatching, which enables security patches to be applied without requiring system reboots. This capability is available for Windows 11 Enterprise 24H2 devices, provided they are managed through Intune. Microsoft has released a calendar detailing which updates can be applied via hotpatching, allowing organizations to avoid disruptive reboots for those updates. Security teams need to evaluate their current reboot policies before adopting hotpatching, especially if other software in the estate mandates regular reboots.

Additional Security Actions

In addition to Recall and hotpatching, it’s essential for security teams to reassess their security baselines for Windows 24H2 and Server 2025. Recommendations include blocking all consumer Microsoft account logins to enforce Entra ID usage and reviewing security settings related to features like Copilot and Recall. For Server 2025 specifically, new settings such as lowering the account lockout threshold to three attempts and defining rules for smart card usage further bolster security standards.

Phasing Out NTLM

Microsoft is also making strides to phase out NTLM, historically criticized for its vulnerabilities. Security administrators can now configure settings to block NTLM connections, creating a more secure authentication environment.
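The two hardening themes above, keeping Recall off and restricting NTLM, can be turned into a single read-only host check. The script below is an added example, not code from the article or from Microsoft; the registry paths and value names (the backing store the "Turn off saving snapshots for Windows" and "Network security: Restrict NTLM" policies write to), the optional-feature name "Recall", and the SMB client BlockNTLM property are assumptions that should be verified against your own Group Policy results before relying on the output.

```powershell
# Added example: read-only audit of the Recall and NTLM hardening state on one host.
# Assumptions (verify against your own GPO reports): the Recall policy writes
# DisableAIDataAnalysis=1 under ...\Policies\Microsoft\Windows\WindowsAI; the
# "Restrict NTLM" policies write RestrictReceivingNTLMTraffic /
# RestrictSendingNTLMTraffic / AuditReceivingNTLMTraffic under Lsa\MSV1_0; Recall
# ships as the optional feature "Recall"; Get-SmbClientConfiguration exposes BlockNTLM
# on Windows 11 24H2 / Server 2025.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is "Not configured".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-RecallState {
    $policy  = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI' 'DisableAIDataAnalysis'
    # Needs an elevated session; on failure the feature is reported as not present.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Recall' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        SnapshotsDisabledByPolicy = ($policy -eq 1)
        FeatureState              = if ($feature) { [string]$feature.State } else { 'NotPresent' }
    }
}

function Get-NtlmState {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    # Incoming: 0 = allow all, 1 = deny domain accounts, 2 = deny all
    # Outgoing: 0 = allow all, 1 = audit all,            2 = deny all
    $incoming = Get-PolicyValue $lsa 'RestrictReceivingNTLMTraffic'
    $outgoing = Get-PolicyValue $lsa 'RestrictSendingNTLMTraffic'
    $auditing = Get-PolicyValue $lsa 'AuditReceivingNTLMTraffic'
    $smb = Get-SmbClientConfiguration -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        IncomingNtlmDenied  = ($incoming -eq 2)
        OutgoingNtlmDenied  = ($outgoing -eq 2)
        NtlmAuditingEnabled = ($null -ne $auditing -and $auditing -ge 1)
        SmbClientBlocksNtlm = if ($smb -and $smb.PSObject.Properties['BlockNTLM']) { [bool]$smb.BlockNTLM } else { $false }
    }
}

$recall = Get-RecallState
$ntlm   = Get-NtlmState
[PSCustomObject]@{
    Host                   = $env:COMPUTERNAME
    RecallSnapshotsBlocked = $recall.SnapshotsDisabledByPolicy
    RecallFeatureState     = $recall.FeatureState
    IncomingNtlmDenied     = $ntlm.IncomingNtlmDenied
    OutgoingNtlmDenied     = $ntlm.OutgoingNtlmDenied
    NtlmAuditingEnabled    = $ntlm.NtlmAuditingEnabled
    SmbClientBlocksNtlm    = $ntlm.SmbClientBlocksNtlm
} | Format-List
```

Run it in an elevated session on a sample of 24H2 and Server 2025 hosts to confirm the baseline actually landed; a row with NtlmAuditingEnabled false and IncomingNtlmDenied false is the state to fix first, since auditing is what tells you which clients still depend on NTLM before you block it.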

Conclusion

As organizations look to implement Windows 11 and Server 2025, a thorough review of authentication methods and existing security policies is vital. The features introduced aim to enhance security but also require careful management to mitigate potential risks associated with new implementations like Recall.

For further details on implementing these changes, consult Microsoft’s official guidance.
