When security breaks compatibility
Windows 11 24H2 Baseline vs. FSLogix Storage Mounting
Overview
With the release of Windows 11 version 24H2, Microsoft introduced a refreshed security baseline aimed at tightening enterprise security. While these changes are welcome in principle, they have introduced an unexpected issue, particularly for environments that use FSLogix for profile container management.
We found that enforcing the 24H2 security baseline can break the mounting of FSLogix storage accounts, disrupting user profile loading.
What Changed in the 24H2 Security Baseline?
The 24H2 baseline includes stricter configuration of the Lanman Workstation SMB protocol settings: the policy mandates a minimum SMB dialect of 3.0.0 and a maximum of 3.1.1. Read more about the changes here.
🔍 Root Cause
The issue appears to stem from tightened SMB protocol requirements in the 24H2 baseline. Specifically, the baseline enforces a minimum SMB version of 3.0.0, which can conflict with how FSLogix interacts with Azure Storage.
🛠 Our Workaround
Through extensive testing, we found that setting the Lanman Workstation minimum SMB version to 2.0.2 effectively resolves the FSLogix mounting issue without compromising security. Crucially, SMB traffic remains fully encrypted, ensuring that sensitive data, including credentials, is never transmitted in plain text. This was confirmed through Wireshark network traces, which clearly show the server selecting the SMB dialect and the client negotiating to use the most secure version supported.
🔧 How We Applied It:
We created a new Group Policy and manually configured the SMB minimum version override, bypassing the baseline's default enforcement.
GPO Setting: Computer Configuration > Administrative Templates > Network > Lanman Workstation
Policy: Mandate the minimum version of SMB > 2.0.2
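As an added verification step (example code, not from the original post), the following PowerShell checks whether the override has landed on the client and then confirms that live FSLogix connections to the storage account still negotiated an SMB 3.x dialect with encryption, which is the property the Wireshark traces above were used to establish. It assumes the policy writes MinSmb2Dialect/MaxSmb2Dialect DWORDs under HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation and that the profile share lives on Azure Files (*.file.core.windows.net); adjust both if your environment differs.

```powershell
# Added example (not the original post's code). Run elevated on a 24H2 client
# while a user with an FSLogix profile is signed in so the share is mounted.

# ASSUMPTION: registry location and value names written by the
# "Mandate the minimum version of SMB" policy; verify against your ADMX.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'

# SMB2 dialect identifiers (protocol constants) mapped to human-readable versions.
$dialectNames = @{ 0x202 = '2.0.2'; 0x210 = '2.1'; 0x300 = '3.0.0'; 0x302 = '3.0.2'; 0x311 = '3.1.1' }

function Get-SmbDialectPolicy {
    # Report the min/max dialect currently mandated by policy, or 'not set'.
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $min = if ($null -ne $props.MinSmb2Dialect) { $dialectNames[[int]$props.MinSmb2Dialect] } else { 'not set' }
    $max = if ($null -ne $props.MaxSmb2Dialect) { $dialectNames[[int]$props.MaxSmb2Dialect] } else { 'not set' }
    [pscustomobject]@{ MinDialect = $min; MaxDialect = $max }
}

function Test-ProfileShareConnections {
    # For every active SMB session to Azure Files, check the negotiated dialect
    # and encryption flag. Lowering the *minimum* must not lower what is *used*:
    # anything below 3.0 or unencrypted is flagged for investigation.
    Get-SmbConnection |
        Where-Object { $_.ServerName -like '*.file.core.windows.net' } |
        ForEach-Object {
            $negotiated = [version]$_.Dialect
            $status = if (-not $_.Encrypted) { 'FAIL: unencrypted' }
                      elseif ($negotiated -lt [version]'3.0') { 'FAIL: dialect below SMB 3.0' }
                      else { 'OK' }
            [pscustomobject]@{
                Server    = $_.ServerName
                Share     = $_.ShareName
                Dialect   = $_.Dialect
                Encrypted = $_.Encrypted
                Status    = $status
            }
        }
}

Get-SmbDialectPolicy | Format-List
Test-ProfileShareConnections | Format-Table -AutoSize
```

If the first output shows MinDialect as 'not set' after a gpupdate, that is consistent with the policy-application problem described in the next section; if any connection row reports FAIL, do not proceed with the override until the cause is understood.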
⚠️ Group Policy Glitch?
Interestingly, we suspect that Microsoft's W11 24H2 Security Baseline Group Policy setting for the SMB minimum version isn't applying correctly in some environments. We've raised this with Microsoft Support for further investigation.
📌 Final Thoughts
If you’re running FSLogix in your environment and planning to enforce the W11 24H2 security baseline, be aware of this potential conflict. Until Microsoft provides a formal fix or clarification, overriding the SMB minimum version to 2.0.2 is a safe and effective workaround.