In Windows 11 24H2, Microsoft changed a key detail about the information winlogon sends to logon notifier requesters. Maintaining the previous behavior requires adding a new Registry value.
Policy Name: EnableMPRNotifications
Value Name: EnableMPR
- Starting with 6.8.7 R2, as part of official support for Windows 11 24H2, the ProfileUnity Client Tools installation routine sets this new value by default to maintain compatibility with user-based mounting of ProfileDisk VHDX files, which is the default mount method.
- Adding this value requires a reboot to take effect; user-based ProfileDisk mounts may fail on 24H2 machines until a reboot occurs.
- ProfileDisks utilizing Service Account-based mounts, otherwise known as "CAC-Mode", or System-based mounts are not affected by this Windows change and do not require this Registry value to be created. Please see this KB article for more information on these mount methods.
Security teams may someday flag this Registry value in vulnerability scans, and may even enforce the new Windows behavior via an MDM or other security policy so that it is always re-applied.
- The ProfileUnity Client installation will not override this setting/policy if the Registry value already exists.
- When the new behavior is enforced, user-based mounts will not be an option and another method must be chosen. Please see this KB article for more information on the other options.
- If the behavior is not enforced via policy and you want the installation not to set this value, adjust the following setting in "LwL.ProfileUnity.Client.Startup.Update.exe.config" prior to installing the client tools:
<setting name="EnableMPRNotifications" serializeAs="String">
    <value>False</value>
</setting>
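To see which of the cases above applies to a given machine, the following added example (not part of the original article or of ProfileUnity) reads the EnableMPR value and the OS build and reports the result. The registry path and the 1/0 meaning of the value are assumptions taken from Microsoft's Policy CSP documentation rather than from this article, and the function name is hypothetical.

```powershell
# Added example, not vendor code. Assumptions (verify against Microsoft's
# Policy CSP reference): the registry path below, and 1 = enabled / 0 = disabled.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'EnableMPR'      # value name given in the article
$Build24H2 = 26100            # Windows 11 24H2 build number

function Get-MprNotificationState {
    $build = [Environment]::OSVersion.Version.Build
    $item  = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$ValueName } else { $null }

    # Classify the machine according to the cases the article describes.
    if ($build -lt $Build24H2) {
        $state = 'NotAffected'
    } elseif ($null -eq $value) {
        $state = 'Missing'
    } elseif ($value -eq 1) {
        $state = 'Enabled'
    } else {
        $state = 'Disabled'
    }

    $advice = @{
        NotAffected = 'Build is older than 24H2; the winlogon change described here does not apply.'
        Missing     = 'Value absent on 24H2; user-based ProfileDisk mounts may fail.'
        Enabled     = 'Value set; user-based mounts work once the machine has rebooted since it was added.'
        Disabled    = 'New Windows behavior in force; choose a Service Account-based or System-based mount.'
    }

    # LastBoot is reported because the value only takes effect after a reboot.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Build     = $build
        EnableMPR = $value
        State     = $state
        LastBoot  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        Advice    = $advice[$state]
    }
}

Get-MprNotificationState | Format-List
```

A machine that keeps returning to `Disabled` after the value has been set is most likely having it re-applied by MDM or another policy, which is the enforcement case described above.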
Reference: Policy CSP - WindowsLogon - EnableMPRNotifications (MDM)