Windows 11 24H2 Network Breakage: DHCP, WPAD, and WcmSvc Mitigations

A serious compatibility change in Windows 11’s recent updates has left many IT teams scrambling — and, according to recent reporting, a Microsoft staffer appears to have indicated the behavior may not be reverted. The issue touches DHCP, WinHTTP/WPAD behavior and a surprising dependency that can leave corporate laptops with their network adapters disabled if an environment has hardened or disabled the WinHTTP Auto-Proxy (WPAD) service. Here’s what happened, why it matters for offices, what administrators are doing to mitigate the problem, and practical guidance you can apply immediately.
Background — what’s broken and who is affected

• Starting with Windows 11 version 24H2 (and in a few related updates), administrators began reporting that some clients could not obtain or keep normal network connectivity after the upgrade. Symptoms include “No Internet” or APIPA (169.254.x.x) addresses, network adapters shown as disabled in Settings, and applications suddenly ignoring corporate proxy settings.
• Two related but distinct problem sets emerged:
• DHCP-related failures in some environments where certain DHCP options or duplicate DHCP options in replies can stop IPv4 connectivity on affected clients.
• A WinHTTP / WPAD-related regression where disabling the WinHTTP Auto-Proxy (WinHttpAutoProxySvc / “WPAD”) service — a common security hardening step in some shops — caused Windows Connection Manager (WcmSvc) to fail to start properly or to make network adapters transiently disable. This behavior manifests most painfully at logon: NICs appear, then become disabled seconds later, preventing users from getting online or completing device enrollment tasks that require network access.
• The problem has been widely reported by enterprise admins (large corporate fleets and managed devices) and appears to affect a subset of hardware/drivers and particular DHCP server option setups. It’s not universal — many Windows 11 machines work normally — but when it hits, it’s disruptive.

What the “may never be fixed” claim is about (and my verification)

• Headlines recently suggested that a Microsoft employee “confirmed Windows 11 may never fix a key internet feature for office PCs.” That claim appears to refer to public Microsoft engineer replies and Feedback/Answers/Q&A posts where Microsoft staff acknowledged the issues and, in some posts, described design changes or constraints that make rolling back behavior non-trivial.
• Important verification note: I could not find an authoritative Microsoft engineering statement that uses the exact phrase “may never fix” as a firm policy; instead, public Microsoft responses and release-health notes document ongoing investigation, partial fixes, and in some threads indicate that certain behaviors are intentional or constrained by other platform changes. In short: Microsoft has acknowledged and patched specific cases (for example, cases caused by duplicate DHCP options) but many admins report ongoing regressions and Microsoft’s official responses have in some situations emphasized mitigations or workarounds rather than an immediate revert. Treat the “may never fix” headline as an interpretation of Microsoft’s messaging and community replies rather than a literal Microsoft policy statement.
• Because the original article that prompted the request quotes a Microsoft employee via a third-party site, and because Microsoft’s own public channels show both acknowledgements and incremental fixes, the accurate takeaway is: Microsoft has acknowledged the problems, supplied targeted fixes for certain scenarios, but some problematic behaviors remain and — depending on the root cause and compatibility constraints — may require architectural work or tradeoffs before a full “restore previous behavior” solution is possible.

Why this is so disruptive to offices

• Many enterprise environments deliberately disable legacy network/autodiscovery services (including WPAD/WinHTTP) as part of security hardening. WPAD has well-known weaknesses (e.g., WPAD spoofing) and many security teams prefer explicit proxy configuration via GPO, MDM, or device-based configuration rather than relying on automatic discovery.
• If a Windows update makes WcmSvc depend on WinHttpAutoProxySvc (or otherwise assumes WPAD behavior), machines where WPAD was intentionally disabled can see their network stack break at boot or login — a particularly bad outcome for laptops that must authenticate or access corporate resources on first sign-in.
• The interaction with DHCP options compounds the problem in some networks. Some DHCP scope options (and the way certain vendors encode them) can confuse the Windows DHCP client after the update; duplicate or unexpected option types have been implicated in several reports.

Short-term triage and mitigations (what to do right now)
If you have affected devices, here are immediate, practical steps that many IT teams have used to restore connectivity and reduce disruption. Implement these carefully and test on a small pilot group before wide deployment.
A. Restore connectivity quickly (if you’re dealing with NICs disabling)

• Re-enable or set WinHttpAutoProxySvc to an enabled start type (temporary):
• Run as Administrator:
  sc config WinHttpAutoProxySvc start= auto
  sc start WinHttpAutoProxySvc
• Alternatively, set the registry key:
• HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc\Start = 2 (automatic) or 3 (manual); then reboot.
• Note: This restores the service dependency and often prevents WcmSvc from disabling NICs on devices where the GPO had disabled the service. Many admins used a GPO to flip the key and/or set a short login script while they implement a more permanent fix.
• Remove the WPAD dependency from WcmSvc (if you cannot enable the service in your environment)
• Edit the registry (test first):
• Path: HKLM\SYSTEM\CurrentControlSet\Services\WcmSvc
• Value: DependOnService (multi-string): remove WinHttpAutoProxySvc from that list.
• Reboot.
• This change removes the dependency and prevents WcmSvc from requiring the WinHTTP service. Use caution: editing service dependencies is powerful and should be validated on test hardware. Deploy via a controlled GPO or script if you decide to roll it out.

B. DHCP-related workarounds (if clients don’t get proper IP or gateway)

• Inspect DHCP server options and duplicate options. On some DHCP stacks, options can be defined multiple times or encoded with an unexpected type (text vs string); clients reported success when admins changed an option’s type (e.g., option 43, option 252) from “text” to “string” or removed duplicate entries.
• As a temporary measure, use static addressing for critical devices or set DHCP reservations until the issue is resolved in your environment.
• Apply Microsoft’s released updates that target known DHCP cases — check Windows Release Health and your updates for fixes that reference “duplicate DHCP options” or similar wording.

C. Application-level proxy/workarounds

• For apps that ignore system proxy settings after the update (e.g., some WinHTTP-dependent services), you can import proxy settings into WinHTTP from Internet Explorer/Edge with:
  netsh winhttp import proxy source=ie
• Or set WinHTTP proxy directly:
  netsh winhttp set proxy proxy-server="http=proxy.example.com:8080"

Security tradeoffs — why re-enabling WPAD may be a problem

• Re-enabling WPAD/WinHTTP Auto-Proxy in a corporate environment reintroduces the very attack surface many teams had intentionally removed (WPAD attacks, inadvertent PAC fetching on untrusted networks, etc.).
• If you must re-enable the service for connectivity, consider:
• Deploying a blank/controlled DHCP option 252 (string) that points to an internal, locked-down PAC file or to 127.0.0.1 to prevent external WPAD lookups when on public networks.
• Using firewall rules to block outbound PAC retrieval to the internet when the device is on untrusted networks.
• Use GPO/MDM to restrict which networks allow automatic proxy discovery.

Longer-term and recommended enterprise actions

• Create a temporary safeguard on deployments:
• Block 24H2 or the problematic update on your management platforms (WSUS, Intune feature update ring, SCCM) until you complete a test cycle. Make the block targeted to pilot groups and vulnerable models.
• Put a fast rollback plan in place:
• Either revert affected devices to 23H2 or use an image restore procedure for devices that can’t be remediated in-place.
• Document and script mitigations:
• Create a GPO or PowerShell script to set WinHttpAutoProxySvc start=3/2 or to remove the WcmSvc dependency, and make that script available to field support teams.
• Harden alternate proxy delivery:
• Move away from WPAD for core policy distribution. Use Group Policy (Internet Explorer / Edge proxy settings) or MDM profiles to set proxy/PAC on managed devices. That prevents reliance on DHCP/DNS auto-discovery and reduces exposure.
• Engage vendor/driver teams:
• Some reports show hardware/driver model interplay (Intel wireless drivers, certain OEM images). If a vendor model is disproportionately affected, escalate with that vendor for validated driver updates.
• Monitor Microsoft Release Health and update advisories:
• Microsoft’s release-health pages have listings for Windows 11 24H2 known issues and any mitigations/patches. Track the specific KB articles that mention DHCP or network fixes and test them in your lab before broad deployment.

If you manage Intune / OOBE provisioning

• Consider using the new OOBE update options (if available in your environment) so devices get current quality updates before initial user sign-in (this reduces the chance a device boots into an unusable state on first login). Plan pilot testing because those features are gated to certain builds/management settings.

Why Microsoft may be cautious about restoring old behavior

• When a platform change touches network stack behavior, reversing it can reintroduce older security issues and complicate compatibility with other modernized components.
• In some cases the “regression” is actually the result of a platform hardening or dependency realignment (for example, making WinHTTP a dependency of WcmSvc might be intended to fix another class of problems) and undoing it could destabilize other fixes.
• The net result is Microsoft must weigh compatibility, security and stability; that process sometimes yields targeted mitigations and workarounds rather than a wholesale rollback. That tradeoff is likely why some responses from Microsoft engineering teams emphasize mitigations and targeted patches instead of an immediate reversion.

How to communicate to your users and support teams

• Prepare a short user-facing note: explain that an update can cause network access issues and provide simple steps (reboot, connect to wired network, contact IT) — don’t ask users to edit the registry.
• Equip your 1st/2nd-line support with a checklist:
• Is the device Windows 11 24H2? (osbuild)
• Is WinHttpAutoProxySvc set to disabled? (check registry/service)
• Can you start WinHttpAutoProxySvc and WcmSvc? (try services.msc / sc start)
• Can you temporarily set a static IP to get online?
• If in scope: push the GPO/script to re-enable service or remove dependency.
• Maintain an inventory of device models and driver versions that show the highest failure rate to target fixes and vendor escalations.

Summary and recommended next steps (for IT teams)

• Immediate (next 24–72 hours):
• Identify affected device population and stage rollback or mitigation for critical endpoints.
• Deploy a pilot GPO or script to re-enable WinHttpAutoProxySvc on a small set of devices (or to remove the WcmSvc dependency) to validate restoration.
• If DHCP issues are present, inspect DHCP scope option types and duplicates — test changing problematic options from text to string or removing duplicates.
• Short-term (up to 2 weeks):
• Hold the 24H2 rollout in production until you have a tested remediation or Microsoft supplies a confirmed patch that addresses your specific scenario.
• Coordinate with network and security teams to scope the security tradeoffs of re-enabling WPAD vs. removing the dependency.
• Medium-term (1–3 months):
• Move to explicit proxy configuration (GPO/MDM) and avoid WPAD in managed networks.
• Schedule driver and firmware updates for affected OEM models and coordinate with vendors for confirmed fixes.
• Track Microsoft’s Release Health and target KBs; validate fixes in an isolated lab before re-enabling mass rollout.

Final note on the reporting and claims

• Headlines that a platform “may never be fixed” are often shorthand for Microsoft acknowledging a complex compatibility change and signaling that a simple rollback is not straightforward. Microsoft has fixed specific scenarios (for example, cases involving duplicate DHCP options), but multiple environment-specific interactions (driver quirks, DHCP option encodings, and deliberate security hardening like disabling WPAD) have meant the problem remains for some shops.
• If you need help triaging a specific client or network configuration, share (securely) the device model, OS build, and a sanitized DHCP option list — I can help craft a targeted remediation script or test plan.

If you want, I can:

• Produce a one-page runbook your helpdesk can use to triage affected machines (with exact commands, registry paths, and rollback steps).
• Draft Group Policy or PowerShell scripts to (a) toggle WinHttpAutoProxySvc start type, (b) remove the WcmSvc dependency reliably and safely, and (c) detect affected devices automatically for remediation.
• Walk through a small test plan you can run on 5–10 pilot devices to validate any proposed fix before you deploy it at scale.

Which would you like me to prepare next: the runbook, the GPO/PowerShell script, or a step-by-step pilot test plan?

---

Source: Neowin Microsoft employee confirms Windows 11 may never fix a key internet feature for office PCs