You've been given the task for 2022 to start a pilot project for deploying and managing Windows 11. Any platform is only as secure as how well you can manage it. Microsoft has stated that managing Windows 11 will be just like managing Windows 10. However, some distinct nuances in management may make you reconsider the security management tools that you'll use for Windows 11 and possibly even Windows 10.

Many firms use a traditional Active Directory infrastructure to manage a mixture of Windows machines, for example using Group Policy to manage security settings as well as the settings for Windows Software Update Services or Windows Update for Business. As a recent Microsoft blog noted, you may need to determine which ADMX templates to deploy in your Group Policy central store. If your firm will be staying on Windows 10 for the near future, it's recommended that you stay with the Windows 10 ADMX templates rather than installing and using the Windows 11 templates. If you will be primarily using Windows 11, even if you still have some machines on Windows 10, you'll want to roll out the Windows 11 ADMX templates.

Managing Windows 10 and Windows 11 in the same domain

If you need to control Windows 10 and 11 in the same domain, you have options for management. First, you can control Windows 10 and 11 workstations from two different management workstations. Point one of them at the domain controller's central store.
For the other, after you install the RSAT tools through the Add Features wizard, add a registry value that points the management tools at the local workstation's policy store rather than the server's central store. Open Registry Editor and add the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy
Value: EnableLocalStoreOverride
Type: REG_DWORD
Data: 1

Once you've set this registry value, the Group Policy management tool on that workstation can manage your Windows 11 machines while a separate workstation still manages Windows 10 machines. For example, Windows 11 has a Group Policy setting that lets you control "NewsandInterests", which is not in the Windows 10 Group Policy templates.

Using this methodology, you'll need two virtual machines with sufficient administrative rights to control workstations, one for controlling Windows 10, the other for controlling Windows 11. You'll need to log into each to control each version in your domain.

However, there is an alternative way to manage Windows 11 workstations. Many of us are reevaluating how we deploy and manage our networks. Some in small- and medium-sized businesses are even considering moving to a model with no on-site Active Directory domain controller, either placing that domain controller in Azure as a virtual server or moving to a model where Azure Active Directory is the only domain infrastructure, with Intune as the management and control tool.

Group Policy for Windows 10, Intune for Windows 11

Consider using the traditional Group Policy tools for Windows 10 and moving to Intune and other cloud tools for Windows 11. While this means using two tools to manage your desktops, it will help you move to the "modern" tools. You can enroll your Windows 11 devices in Intune and then use its cloud-based console to manage and control those platforms.
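The EnableLocalStoreOverride change above, scripted so it can be applied and verified consistently on the Windows 11 management workstation. This is an added example, not code from the article; it assumes the Windows 11 RSAT Group Policy tools are installed and the script runs in an elevated PowerShell session.

```powershell
# Added example (not from the original article): point GPMC/GPEdit on this
# workstation at the local ADMX store instead of the domain central store by
# setting EnableLocalStoreOverride, then read the value back to verify it.
# Assumes the Windows 11 RSAT Group Policy tools are already installed and the
# script runs elevated.

function Enable-LocalAdmxStoreOverride {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $localStore = Join-Path $env:SystemRoot 'PolicyDefinitions'
    $keyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
    $valueName  = 'EnableLocalStoreOverride'

    # The override only helps if the local store actually holds ADMX templates.
    $admxCount = (Get-ChildItem -Path $localStore -Filter '*.admx' -ErrorAction SilentlyContinue).Count
    if ($admxCount -eq 0) {
        throw "No ADMX templates found in $localStore; install the Windows 11 templates first."
    }

    if (-not (Test-Path $keyPath)) {
        if ($PSCmdlet.ShouldProcess($keyPath, 'Create registry key')) {
            New-Item -Path $keyPath -Force | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Set REG_DWORD = 1')) {
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Read back and report so the change can be verified (and audited) per workstation.
    $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    [pscustomobject]@{
        Workstation       = $env:COMPUTERNAME
        LocalStore        = $localStore
        AdmxTemplateCount = $admxCount
        OverrideEnabled   = ($current -eq 1)
    }
}

Enable-LocalAdmxStoreOverride
```

Run it with -WhatIf first to see the registry changes without applying them; OverrideEnabled will then report False because nothing was written.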
Especially for computers that are disconnected from the domain during remote access, you may wish to review your options for management.

If you will have some Windows 11 devices in the Insider channel so you can review upcoming changes to Task Manager and other new features in the testing pipeline, you can use Intune to move systems to the Insider versions. While I do not recommend using Insider editions in production settings, it's wise to have some advanced administrators using the preview releases in testing to be aware of upcoming features.

Review security baselines and policies

Microsoft updates its Microsoft Security Toolkit after every platform release. This bundle includes Microsoft-recommended security configuration baselines for Windows and other Microsoft products, along with tooling to compare them against other security configurations. It includes Windows 11 and Windows 10 security baselines, as well as Windows 10 update baseline documentation. There are 61 new Group Policy/registry settings unique to Windows 11, ranging from "Prevent lock screen background motion" to "Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC".

I'd also use deployment planning to review existing policies. Microsoft employee Aria Carley, who specializes in updating policies for the various Windows platforms, released a blog post listing Group Policy settings that you shouldn't use when managing Windows 10. In Windows 11, Microsoft created a subfolder in the Windows 11 ADMX templates to mark legacy policies that are no longer used. The listing ranges from "Do not display 'Install Updates and Shut Down' option in 'Shut Down Windows' dialog box" to "Update Power Policy for Cart Restarts", which is marked as still working with Windows 10 and Windows 11. However, it dramatically reduces compliance and the velocity at which the device takes updates.
Microsoft recommends using Active Hours instead.

Windows 11 pushes toward using security settings

Windows 11, as noted in Michael Niehaus's two recent blog posts (see part 1 and part 2), doesn't include significant new security features. Rather, it pushes us to enforce security settings we haven't put in place to date, such as protection for credentials and machine encryption.

New mobile device management (MDM) policies for Windows 11 include the Policy CSP, which added these policies in Windows 11, version 21H2:

NewsAndInterests/AllowNewsAndInterests
Experiences/ConfigureChatIcon
Start/ConfigureStartPins
VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity
VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable

The DMClient CSP updated the description of the following nodes:

Provider/ProviderID/ConfigLock/Lock
Provider/ProviderID/ConfigLock/UnlockDuration
Provider/ProviderID/ConfigLock/SecuredCore

Windows 11 pushes you to use more of the security settings you already have in Windows 10 but are not using now. "Microsoft wants you to use existing Windows 10-era security features that have specific hardware requirements (e.g., HVCI/VBS, TPM, Secure Boot), and those features don't have sufficient adoption on Windows 10," Niehaus wrote.

While the changes between Windows 10 and Windows 11 are not large, consider this a good time to reevaluate how you manage and deploy security templates on the platform. It's time to review whether there are better ways to do what you've been doing for years.
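A readiness report for the Windows 10-era features Niehaus lists (TPM, Secure Boot, VBS and HVCI), so a pilot can see which machines already enforce them and which still need a baseline or Intune policy. This is an added example, not from the article or from Microsoft; it uses only the built-in Get-Tpm, Confirm-SecureBootUEFI cmdlets and the Win32_Tpm and Win32_DeviceGuard WMI classes, and assumes an elevated session on each pilot machine.

```powershell
# Added example (not from the article or Microsoft): report whether the
# hardware-backed features Windows 11 expects are present and actually running.
# Assumes an elevated PowerShell session on the machine being checked.

function Get-SecurityFeatureReadiness {
    # TPM presence/readiness and spec version (Windows 11 requires TPM 2.0).
    $tpm     = Get-Tpm -ErrorAction SilentlyContinue
    $tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                 -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled".
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $false }

    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = VBS running;
    # SecurityServicesRunning contains 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    $report = [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        TpmPresent             = [bool]$tpm.TpmPresent
        TpmReady               = [bool]$tpm.TpmReady
        TpmSpecVersion         = $tpmSpec
        SecureBootEnabled      = [bool]$secureBoot
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
    }

    # Gaps is the list an admin turns into baseline or Intune policy work.
    $gaps = @()
    if (-not $report.TpmReady)          { $gaps += 'TPM' }
    if (-not $report.SecureBootEnabled) { $gaps += 'SecureBoot' }
    if (-not $report.VbsRunning)        { $gaps += 'VBS' }
    if (-not $report.HvciRunning)       { $gaps += 'HVCI' }
    $report | Add-Member -NotePropertyName Gaps -NotePropertyValue ($gaps -join ',') -PassThru
}

Get-SecurityFeatureReadiness | Format-List
```

Machines that list HVCI under Gaps are the candidates for the VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity Policy CSP setting mentioned above, once their hardware supports it.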