
Managing security in hybrid Windows 11 and Windows 10 environments

Feb 02, 2022 | 6 mins
Network Security | Windows 11 | Windows Security

The transition to Windows 11 from Windows 10 gives organizations the opportunity to review and optimize security tools, settings and policies.

Windows 11 logo bloom
Credit: Microsoft

You’ve been given the task for 2022 to start a pilot project for deploying and managing Windows 11. Any platform is only as secure as your ability to manage it. Microsoft has stated that managing Windows 11 will be just like managing Windows 10. However, some distinct nuances in management may make you reconsider the security management tools you’ll use for Windows 11, and possibly even for Windows 10.

Many firms use a traditional Active Directory infrastructure to manage a mixture of Windows machines, for example using Group Policy to enforce security settings and to configure Windows Server Update Services (WSUS) or Windows Update for Business. As a recent Microsoft blog noted, you may need to decide which ADMX templates to deploy in your Group Policy central store. If your firm will be staying on Windows 10 for the near future, stay with the Windows 10 ADMX templates rather than installing the Windows 11 templates. If you will primarily be using Windows 11, even with some machines still on Windows 10, roll out the Windows 11 ADMX templates.

Managing Windows 10 and Windows 11 in the same domain

If you need to control Windows 10 and 11 in the same domain, you have options for management. One option is to manage Windows 10 and Windows 11 workstations from two different management workstations. Point one at the domain’s central store (the PolicyDefinitions folder in SYSVOL on the domain controller), which holds the Windows 10 templates. On the other, install the Group Policy RSAT tools through the add feature wizard, then add a registry value that makes the Group Policy tools read ADMX templates from that workstation’s local PolicyDefinitions folder rather than from the central store.

Open Registry Editor and add the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy
Value: EnableLocalStoreOverride
Type: REG_DWORD
Data: 1

Once you’ve set this registry value, the Group Policy management tools on that workstation load the Windows 11 templates from the local store and can manage your Windows 11 machines, while the separate workstation still manages Windows 10 machines with the central-store templates. For example, Windows 11 has a Group Policy setting to control “News and interests”, which is not in the Windows 10 Group Policy templates.

Using this methodology, you’ll need two management workstations (physical or virtual) with sufficient administrative rights to control workstations, one for managing Windows 10 and the other for managing Windows 11. You’ll need to log into each to manage the corresponding version in your domain.
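The same setup as a script, as an added example that is not part of the original article: it installs the Group Policy Management RSAT feature, sets the EnableLocalStoreOverride value, verifies it, and then lists which ADMX templates exist only in the local store (the policies this console can now edit) and which exist only in the central store. The domain name contoso.com is an assumption; the central store path follows the standard SYSVOL layout. Run it in an elevated PowerShell session on the Windows 11 management workstation.

```powershell
# Added example (not from the article): make a Windows 11 management workstation
# edit Group Policy from its LOCAL ADMX store instead of the domain central store.
# Run elevated on the Windows 11 workstation.

$Domain = 'contoso.com'   # assumption: replace with your own domain FQDN

# 1. Install the Group Policy Management console (RSAT Feature on Demand).
$cap = Get-WindowsCapability -Online -Name 'Rsat.GroupPolicy.Management.Tools*'
if (-not $cap) { throw 'GPMC RSAT capability not found on this build' }
if ($cap.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap.Name | Out-Null
}

# 2. Tell gpedit/GPMC to prefer %SystemRoot%\PolicyDefinitions over SYSVOL.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
New-Item -Path $KeyPath -Force | Out-Null
New-ItemProperty -Path $KeyPath -Name 'EnableLocalStoreOverride' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Verify the value actually took effect before relying on it.
$val = (Get-ItemProperty -Path $KeyPath).EnableLocalStoreOverride
if ($val -ne 1) { throw "EnableLocalStoreOverride is '$val', expected 1" }

# 4. Compare the two template stores so you know which policies this console
#    will show (local only) and which it will NOT show until the local store
#    is updated (central only).
$LocalStore   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

$local   = Get-ChildItem -Path $LocalStore   -Filter *.admx | Select-Object -ExpandProperty Name
$central = Get-ChildItem -Path $CentralStore -Filter *.admx | Select-Object -ExpandProperty Name

$diff = Compare-Object -ReferenceObject $central -DifferenceObject $local
$diff | Where-Object SideIndicator -eq '=>' | ForEach-Object { "Local only:   $($_.InputObject)" }
$diff | Where-Object SideIndicator -eq '<=' | ForEach-Object { "Central only: $($_.InputObject)" }
```

Step 4 is the check worth keeping around: after every Windows feature update, rerun it to see which templates the central store is missing, rather than discovering a gap when a setting fails to appear in the editor.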

There is, however, an alternative way to manage Windows 11 workstations. Many of us are reevaluating how we deploy and manage our networks. Some small- and medium-sized businesses are even considering a model with no on-site Active Directory domain controller, either placing the domain controller in Azure as a virtual server or moving to a model where Azure Active Directory is the only directory infrastructure and Intune is the management and control tool.

Group Policy for Windows 10, Intune for Windows 11

Consider using the traditional Group Policy tools for Windows 10 and moving to Intune and other cloud tools for Windows 11. While this means using two tools to manage your desktops, it will help you move to the “modern” tools. You can enroll your Windows 11 devices in Intune and then use its cloud-based console to manage and control those platforms. Review your management options especially for remote computers that are rarely connected to the corporate network, since Group Policy only applies when a device can reach a domain controller, while an MDM policy reaches any device with internet access.

If you will have some Windows 11 devices in the Insider channel so you can review upcoming changes to Task Manager and other new features in the testing pipeline, you can use Intune to move systems to the Insider releases. While I do not recommend using the Insider editions in production settings, it’s wise to have some advanced administrators using the preview releases in testing to be aware of upcoming features.

Review security baselines and policies

Microsoft updates its Security Compliance Toolkit after every platform release. This bundle includes Microsoft-recommended security configuration baselines for Windows and other Microsoft products, plus the Policy Analyzer tool for comparing them against your own security configurations. It includes Windows 11 and Windows 10 security baselines, as well as Windows 10 update baseline documentation. The Windows 11 baseline has 61 new Group Policy/registry settings unique to Windows 11, ranging from “Prevent lock screen background motion” to “Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC”.

I’d also use the deployment-planning phase to review existing policies. Microsoft employee Aria Carley, who specializes in updating policies for various Windows platforms, released a blog post listing Group Policy settings you shouldn’t use when managing Windows 10. In Windows 11, Microsoft created a subfolder in the Windows 11 ADMX templates to mark legacy policies that are no longer used. The list ranges from “Do not display ‘Install Updates and Shut Down’ option in ‘Shut Down Windows’ dialog box” to “Update Power Policy for Cart Restarts”. The latter is noted as still working on Windows 10 and Windows 11, but it dramatically reduces update compliance and the velocity at which a device takes updates, so Microsoft recommends configuring Active Hours instead.

Windows 11 pushes toward using security settings

Windows 11, as noted in Michael Niehaus’s two recent blog posts (see part 1 and part 2), doesn’t include significant new security features. Rather, it pushes us to enforce security settings we haven’t put in place to date, such as credential protection and device encryption.

New mobile device management (MDM) policies for Windows 11 appear in the Policy CSP, which added these nodes in Windows 11, version 21H2:

  • NewsAndInterests/AllowNewsAndInterests
  • Experiences/ConfigureChatIcon
  • Start/ConfigureStartPins
  • VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity
  • VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable

The DMClient CSP updated the descriptions of the following nodes:

  • Provider/ProviderID/ConfigLock/Lock
  • Provider/ProviderID/ConfigLock/UnlockDuration
  • Provider/ProviderID/ConfigLock/SecuredCore

Windows 11 pushes you to use more of the security settings you already have in Windows 10 but are not using now. “Microsoft wants you to use existing Windows 10-era security features that have specific hardware requirements (e.g., HVCI/VBS, TPM, Secure Boot), and those features don’t have sufficient adoption on Windows 10,” Niehaus wrote.
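A quick way to measure that adoption gap on your own fleet, as an added example that is not part of the original article or of Niehaus’s posts: the script below audits a device for the hardware-backed features named above (TPM, Secure Boot, VBS, HVCI, Credential Guard) plus BitLocker on the OS volume, using the Win32_DeviceGuard WMI class and the built-in TPM, SecureBoot and BitLocker cmdlets. The function name Get-HardwareSecurityPosture is my own. For HVCI it points at the HypervisorEnforcedCodeIntegrity Policy CSP node listed earlier; the OMA-URI form assumes the standard ./Device/Vendor/MSFT/Policy/Config/ prefix Intune uses for Policy CSP settings. Run it elevated.

```powershell
# Added example (not from the article): audit whether the Windows 10-era
# hardware-backed features Windows 11 expects are actually turned on.
# Get-Tpm and Confirm-SecureBootUEFI require an elevated session.

function Get-HardwareSecurityPosture {
    # Win32_DeviceGuard reports VBS state. Per the class documentation:
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    $tpm = Get-Tpm

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

    $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive

    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        TpmPresent       = [bool]$tpm.TpmPresent
        TpmReady         = [bool]$tpm.TpmReady
        SecureBoot       = $secureBoot
        VbsRunning       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning      = ($dg.SecurityServicesRunning -contains 2)
        CredentialGuard  = ($dg.SecurityServicesRunning -contains 1)
        OsDriveEncrypted = ($bde.ProtectionStatus -eq 'On')
    }
}

$posture = Get-HardwareSecurityPosture
$posture | Format-List

# Every boolean that is $false is a feature the device has but is not using.
$gaps = $posture.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    Select-Object -ExpandProperty Name

if ($gaps) {
    Write-Warning ('Not enabled on this device: ' + ($gaps -join ', '))
    if ($gaps -contains 'HvciRunning') {
        # The Policy CSP node from the list above, expressed as an Intune custom OMA-URI
        # (integer value 1 = enabled); the ./Device/Vendor/MSFT/Policy/Config/ prefix is assumed.
        Write-Warning 'HVCI can be enforced via ./Device/Vendor/MSFT/Policy/Config/VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity = 1'
    }
}
```

Run it against a sample of Windows 10 machines before the pilot: the devices that return VbsRunning or HvciRunning as False are the ones where moving to Windows 11 will change behaviour, and the ones that return TpmPresent or SecureBoot as False are the ones that may not meet the Windows 11 hardware requirements at all.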

While the differences between managing Windows 10 and Windows 11 are not great, consider this a good time to reevaluate how you manage and deploy security templates on the platform. It’s time to review whether there are better ways to do what you’ve been doing for years.

Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
