The annual updates to Windows 11 get 36 months of support for enterprise and education and 24 months for the Pro editions, and the clock starts when those updates are generally available. If you want to take full advantage of that support window, you may want to start evaluating Windows 11 22H2 soon, and the security improvements may make that more urgent.
Key improvements in Windows 11 22H2
There are also a number of improvements in Windows 11 22H2 that enterprise users and IT teams may appreciate, like File Explorer showing both the sync status of OneDrive files more clearly as well as who last edited shared files, so you can quickly check files you’ve recently asked colleagues for input on to see if there’s anything for you to look at yet.
The Windows Studio Effects might sound like a multimedia consumer feature, but if your organization is embracing hybrid work, the effects should help improve virtual meetings. PCs need the right hardware to deliver these real-time AI-powered improvements (the necessary neural processing units are in many new devices that come with 22H2):
- Automatic filtering of background noise with Voice Focus (similar to the features in Teams but for any app using the camera and microphone)
- Microsoft Teams-style background blur and a new softer “portrait” blur for any app using the camera
- Automatic framing that zooms and pans to put each participant’s face in the middle of their camera stream even when they move around
- Correcting the eye gaze shown on camera, so it looks like someone is looking you in the eyes, even if they glance down at their keyboard to take notes on what you’re saying
The enterprise version of Microsoft Teams already has automatic live captioning, but Windows 11 22H2 extends that to any audio with live captions for U.S. English: webinars, videos or just a conversation you’re having in front of your PC; just press Ctrl + Win + L to get a transcription bar at the top of the screen that shows live captions.
SEE: Windows, Linux, and Mac commands everyone needs to know (free PDF) (TechRepublic)
There’s also another iteration of the voice control and dictation features that have been in Windows for a long time, but are now (also for U.S. English only) powered by Microsoft’s latest speech recognition technologies locally on the device. It allows for more accurate recognition of cloud speech tools without needing to be online; although, you need to download a speech model on each device. If you’re supporting employees with accessibility needs, Narrator now has improved integration with Microsoft Edge and better voices that use Microsoft’s latest neural text-to-speech models.
With Windows 22H2, Universal Print is now supported in Azure Virtual Desktop, and there are new reports to help track how many documents your organization is printing.
If you use Windows 10 for kiosk devices that run multiple applications rather than just one—a useful way to provide PCs with a limited number of apps and have them all show up on the Start menu—22H2 now supports that for Windows 11 as well. There are also a lot more device settings you can manage through MDM with 22H2.
Windows 11 22H2 includes more security features
The most interesting features for large organizations will likely be the security improvements, which include some of what was originally promised for Windows 11 becoming more broadly available.
The hypervisor-protected code integrity (HVCI) security that underpins key Windows security features will be turned on by default in clean installs of Windows 11 22H2 on more PCs, including any PC with Intel 8th generation chipsets and higher. If you have Windows 11 Enterprise (E3 and E5) licenses, enterprise-joined Windows 11 PCs will now have Windows Defender Credential Guard turned on automatically to protect against pass-the-hash and pass-the-ticket attacks and stop malware reading system secrets even if it’s running as admin.
Organizations moving to passwordless often still need to issue passwords for some systems and devices, which means they’re still vulnerable to phishing. Microsoft Defender SmartScreen in Windows 11 tracks when users type the same Microsoft account, Active Directory, Azure AD or local password they use to sign into their device into an app or website in any Chromium browser that’s not trusted, it warns them that they need to change that password right away.
They get a similar warning to change the password if they try to reuse it for a site or application where they’re setting up an account, to stop them reusing it somewhere it could be a vulnerability. And if they type the password into a Notepad file or a document in any Microsoft 365 app, they get a warning that’s not a safe thing to do with the suggestion to delete it right away.
The IT team can also see when a user has tried to store, reuse or disclose their password in the Microsoft Defender for Endpoint portal, so they can track the incident and maybe schedule security training for them. You can configure which of the scenarios users get warnings for using group policy or by using a mobile device management tool like Intune to manage the Windows configuration service provider.
If you manage SmartScreen through an MDM it runs in audit mode by default, so you can see how many incidents there are, but users don’t see the warnings until you’re ready to turn on the notifications. That way you can still find out about potential problems, but you can take the time to educate users that this tracking will happen and explain the different warnings they’ll see.
The 22H2 Smart App Control feature blocks untrusted and unsigned applications, macros and scripts from running. Though, it only works on PCs with a clean install of 22H2, because it has to start from a known state. That’s based on Windows Defender Application Control, which many enterprises already use. And since it’s intended to protect customers and smaller businesses, Smart App Control will automatically be turned off on managed enterprise PCs unless users have turned it on themselves.
If you don’t use WDAC and want to turn on Smart App Control, you can set the VerifiedAndReputablePolicyState (DWORD) registry value under HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy to 2 to run it in audit mode to check the impact or 1 to turn it on. But, if that’s not set when the 22H2 update is applied, Windows will need to be restarted or reinstalled. If you have unmanaged BYOD devices connecting to your network, you’ll want to encourage users to leave Smart App Control turned on.
Windows 11’s smaller, faster monthly updates
Microsoft promised that Windows 11 will have smaller, faster monthly updates. Windows 11 22H2 can shrink the size of the upgrade by redesigning the way cumulative updates work, and it makes update packages smaller by not updating in-box apps from Windows Update if they’ve already been updated from the Windows Store. At some point, it will also speed up applying updates by including .NET framework updates, so there’s one less reboot required; although, that hasn’t rolled out yet.
SEE: Feature comparison: Time tracking software and systems (TechRepublic Premium)
If you have corporate sustainability commitments to deliver, the new “carbon aware” update policy may be helpful. This uses information about how the electrical grid is powered from partners Electricity Maps and WattTime to automatically schedule updates at times that more power is coming from renewable energy sources.
Although the coverage maps for the two partners don’t cover the entire globe, they’re no longer restricted to just North America. Between them, they include much of Europe, South America and Australasia but much less of Africa, Asia and India.
Upgrading to Windows 11 22H2: The essential details
If you’re ready to start rolling out Windows 11 22H2 to PCs, ideally with an initial test group to validate the applications, drivers and devices your organization uses, you can use the Select target Feature Update version setting in Group Policy, create a feature update profile in Intune, or set a Target Version via the TargetReleaseVersion setting in the Windows configuration service provider through your usual device management tool.
The security baseline, group policy reference, .ADMX administrative templates, Windows Assessment and Deployment Kit, release health dashboard and release history are all available for 22H2.
If you’re moving from Windows 10 and you have a Windows Enterprise E3 license, you can use the new Windows 11 Readiness report in Microsoft Endpoint Manager and Endpoint Analytics to see which devices will be eligible for the upgrade. Systems requirements haven’t changed, so all PCs currently running Windows 11 should be able to upgrade; although, a number of devices are currently on a safeguard hold.
Although Windows 10 is supported until October 14, 2025, Windows 10 21H1 stops getting security updates on December 13, 2022, so if you’re not upgrading to Windows 11 yet, make sure you’re running Windows 10 21H2 by then.
Master Windows 11 with these resources in TechRepublic Academy:
If your organization is going to hire a network admin to handle such Windows deployments, you can get a recruiting and hiring kit on TechRepublic Premium.