By default, Microsoft keeps new features that arrive through the monthly cumulative updates switched off on managed PCs ("Temporary Enterprise Feature Control"). Organizations can enable them as soon as they are released via the group policy "Enable features introduced via servicing that are off by default" (Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience). If they don't, they receive all of these functions at once with the next feature update, which is now 23H2.
Consequently, many of the features that are officially new in 23H2 were actually shipped by Microsoft in recent months and have been available on consumer PCs for some time.
A significant batch of them arrived with the September update, including additional options for authentication and firewall rules as well as Windows 365 Boot. In addition, Dev Home and Dev Drive, a volume optimized for developer workloads, were announced.
Integration of LAPS
After appearing in a Windows 11 preview about a year ago, the new LAPS is now shipping as part of the operating system for the first time. The native Local Administrator Password Solution (Windows LAPS) brings several improvements over the legacy LAPS: encryption of the passwords stored in Active Directory (which requires a Windows Server 2016 domain functional level and a designated decryptor principal), management of the DSRM account password on domain controllers, and an automatic password reset a configurable time after the managed account has been used to log on ("post-authentication actions").
Last week, support for Entra ID was added, so that local admin passwords can be backed up to Entra ID (formerly Azure Active Directory) instead of AD. Retrieving passwords and the other management tasks can be done through the Entra admin center, Intune, or PowerShell (Get-LapsAADPassword, which talks to the Microsoft Graph API).
At the same time, Microsoft deprecated the legacy LAPS and blocks its installation on versions of Windows that contain the new LAPS:
- Windows 11 22H2 - April 11 2023 Update
- Windows 11 21H2 - April 11 2023 Update
- Windows 10 - April 11 2023 Update
- Windows Server 2022 - April 11 2023 Update
- Windows Server 2019 - April 11 2023 Update
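The AD side of a Windows LAPS rollout and the two retrieval paths, as an added example that is not part of the article. It uses only cmdlets from the in-box LAPS module plus Microsoft.Graph for the Entra ID case; the OU path, the group CORP\LAPS-Readers and the computer name WS01 are placeholders.

```powershell
# Added example (not from the article). Assumes a domain 'corp.example' with an
# OU 'Workstations', a delegation group CORP\LAPS-Readers and a client WS01;
# all three are placeholders. Run on a host that contains Windows LAPS.
Import-Module LAPS

$ou = 'OU=Workstations,DC=corp,DC=example'

# 1. One-time forest preparation: adds the msLAPS-* attributes to the schema.
#    Requires Schema Admins membership.
Update-LapsADSchema -Verbose

# 2. Let computers in the OU write their own password attributes
#    (grants SELF write access to msLAPS-* on the computer objects).
Set-LapsADComputerSelfPermission -Identity $ou

# 3. Delegate read and reset rights to a helpdesk group.
Set-LapsADReadPasswordPermission  -Identity $ou -AllowedPrincipals 'CORP\LAPS-Readers'
Set-LapsADResetPasswordPermission -Identity $ou -AllowedPrincipals 'CORP\LAPS-Readers'

# 4. Audit: "All extended rights" on the OU implicitly allows reading the
#    password attributes, so check who else holds it.
Find-LapsADExtendedRights -Identity $ou

# 5. On a client: process the LAPS policy now instead of waiting for the cycle.
Invoke-LapsPolicyProcessing -Verbose

# 6. Read the current password and its history. With
#    ADPasswordEncryptionEnabled the value is decrypted on the caller's side,
#    so the caller must be (or belong to) the ADPasswordEncryptionPrincipal.
Get-LapsADPassword -Identity 'WS01' -AsPlainText -IncludeHistory

# 7. Force a rotation: set the expiration time to now; the client rotates the
#    password at its next policy processing cycle.
Set-LapsADPasswordExpirationTime -Identity 'WS01'

# 8. Entra ID backup directory: retrieval goes through Microsoft Graph.
Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All'
Get-LapsAADPassword -DeviceIds 'WS01' -IncludePasswords -AsPlainText
```

Steps 1 to 4 are run once per OU by an administrator; step 5 is what you run on a client while troubleshooting, and steps 6 to 8 are what a delegated helpdesk user runs. Note that `Get-LapsAADPassword` only returns passwords when the caller holds the `DeviceLocalCredential.Read.All` scope; the `ReadBasic` variant returns metadata only.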
New authentication options
The EnablePasswordlessExperience policy (Authentication/EnablePasswordlessExperience in the Policy CSP) removes the password from the logon screen and from in-session credential prompts for users who sign in with Windows Hello for Business or FIDO2 security keys instead. It is an MDM-only setting, so the computers must be managed through the MDM interfaces, for example with Intune.
Another new feature is OS-level support for passkeys for logging in to web services such as Microsoft 365. Passkeys are FIDO2/WebAuthn credentials, the standard for passwordless web authentication.
When a user registers a passkey with an online service, their device generates a new key pair. The private key is stored securely on the user's device, while only the public key is registered with the service.
To authenticate, the device proves that it possesses the private key by signing a fresh challenge from the service. The private key can only be used after the user has unlocked it with a biometric method or a PIN (Windows Hello); it is never transmitted.
Microsoft introduced web sign-in with Windows 10, but it was limited to authentication with a Temporary Access Pass (TAP), a time-limited passcode.
With the September update, Microsoft added further authentication methods to web sign-in on Windows 11, including the Microsoft Authenticator app and federated identity providers (SAML-P).
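The registration and challenge-response flow described above, reduced to its cryptographic core, as an added example that is not part of the article. It is a local simulation in PowerShell using .NET ECDsa on P-256, not the WebAuthn implementation in Windows; a real passkey assertion additionally signs authenticator data, the relying-party ID hash and the client data, and Windows Hello gates the signing step. The credential ID and the "rogue device" are constructed for the demonstration.

```powershell
# Added example (not from the article): device-bound key pair, public key
# registered with the service, fresh challenge signed by the device, replay
# rejected. Works in Windows PowerShell 5.1 and PowerShell 7.
using namespace System.Security.Cryptography

$curve = [System.Security.Cryptography.ECCurve+NamedCurves]::nistP256

# --- Device ("authenticator") side ----------------------------------------
# The key pair is generated on the device; only the public half leaves it.
$device = [ECDsa]::Create($curve)
$publicKey = $device.ExportParameters($false)   # D (private scalar) is omitted

# --- Relying party side ---------------------------------------------------
# Registration: the service stores the public key under a credential ID.
$registered = @{ 'cred-001' = $publicKey }       # constructed credential ID
$usedChallenges = [System.Collections.Generic.HashSet[string]]::new()

function New-Challenge {
    # 32 random bytes; the service remembers what it issued.
    $bytes = [byte[]]::new(32)
    [RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

function Test-Assertion {
    param([string]$CredentialId, [string]$Challenge, [byte[]]$Signature)
    if (-not $registered.ContainsKey($CredentialId)) { return $false }
    # A challenge is answered once; a replayed assertion must fail.
    if (-not $usedChallenges.Add($Challenge)) { return $false }
    $verifier = [ECDsa]::Create()
    $verifier.ImportParameters($registered[$CredentialId])
    $data = [Text.Encoding]::UTF8.GetBytes($Challenge)
    return $verifier.VerifyData($data, $Signature, [HashAlgorithmName]::SHA256)
}

# --- Authentication flow --------------------------------------------------
$challenge = New-Challenge
# On a real device this signing call is only reachable after the user has
# unlocked the key with Windows Hello (PIN or biometric).
$signature = $device.SignData([Text.Encoding]::UTF8.GetBytes($challenge),
                              [HashAlgorithmName]::SHA256)

Test-Assertion -CredentialId 'cred-001' -Challenge $challenge -Signature $signature
# -> True (fresh challenge, correct key)
Test-Assertion -CredentialId 'cred-001' -Challenge $challenge -Signature $signature
# -> False (same challenge replayed)

# A different key pair (attacker without the device) cannot answer a new challenge.
$rogue = [ECDsa]::Create($curve)
$challenge2 = New-Challenge
$badSig = $rogue.SignData([Text.Encoding]::UTF8.GetBytes($challenge2),
                          [HashAlgorithmName]::SHA256)
Test-Assertion -CredentialId 'cred-001' -Challenge $challenge2 -Signature $badSig
# -> False (signature does not verify under the registered public key)
```

The two properties the example makes visible are the ones that matter for phishing resistance: the service never holds anything that could be replayed or cracked (only a public key), and each assertion is bound to a single challenge, so a captured response is worthless afterwards.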
Multi-app kiosk
The kiosk mode (assigned access), available since Windows 8.1, restricts a computer to a single application, for example a web browser that is locked to a specific website.
The new multi-app kiosk allows several applications, which users reach through a customized Start menu that shows only the allowed apps.
Declared Configuration Protocol and Config Refresh
Windows 11 23H2 can periodically re-apply the MDM policy settings (delivered via OMA-DM SyncML) that are cached on the device, so a computer that drifts from its desired configuration is brought back into line. This Config Refresh is switched on through the MDM system, for example Intune, via the ConfigRefresh settings of the DMClient CSP.
Once enabled, the policies defined in a profile are re-applied on the endpoints every 90 minutes by default; the cadence can be reduced to as little as 30 minutes. The device does not need to check in with Intune for this, because the re-application works from the locally cached policy state. New or changed profiles, on the other hand, still arrive only with a regular check-in.
The effect is similar to group policy, whose settings the client-side extensions re-apply in the background every 90 minutes (plus a random offset of up to 30 minutes). One caveat: most CSEs skip GPOs whose version number has not changed unless "Process even if the Group Policy objects have not changed" is enabled, whereas the security settings extension re-applies its settings every 16 hours regardless.
Copilot in Windows
Microsoft is currently integrating AI functions originating from OpenAI into all kinds of products under the Copilot brand. For example, the manufacturer just announced the availability of Copilot for Microsoft 365.
Windows 11 23H2 includes a preview of Copilot in Windows, which is intended to assist users in controlling the operating system and troubleshooting issues. Due to regulatory requirements, Copilot is not initially available in the EU.
Other new features
As usual, the upgrade brings a series of minor changes and improvements that can be quite useful from an admin's perspective. These changes include:
- New group policies for configuring the taskbar: This allows the search field to be customized as well as the chat icon to be removed;
- File Explorer now supports other archive formats besides ZIP, such as RAR, 7z, and tar (via libarchive);
- Five years after a Windows 10 preview introduced tab support in the Explorer, this feature is now officially available;
- The Task Manager now provides the option to filter processes and allows for theme switching.
Since the core components of Windows 11 23H2 (also called the Windows 11 2023 Update) share the same code base as its predecessor, the update is delivered through an enablement package.
This package is distributed through various update channels, including WSUS and Windows Update for Business.
The support period for this release is again 24 months for the Home and Pro editions, and 36 months for the Enterprise and Education variants.