The transition to Windows 11 from Windows 10 gives organizations the opportunity to review and optimize security tools, settings and policies.

You've been given the task for 2022 to start a pilot project for deploying and managing Windows 11. Any platform is only as secure as how well you can manage it. Microsoft has stated that managing Windows 11 will be just like managing Windows 10. However, some distinct nuances in management may make you reconsider the security management tools you'll use for Windows 11, and possibly even for Windows 10.

Many firms use a traditional Active Directory infrastructure to manage a mixture of Windows machines, for example using Group Policy to manage security settings as well as to configure Windows Software Update Services or Windows Update for Business. As a recent Microsoft blog noted, you may need to determine which ADMX templates to deploy in your Group Policy central store. If your firm will be staying on Windows 10 for the near future, it's recommended that you stay with the Windows 10 ADMX templates rather than installing and using the Windows 11 templates. If you will primarily be using Windows 11, even if some machines remain on Windows 10, you'll want to roll out the Windows 11 ADMX templates.

Managing Windows 10 and Windows 11 in the same domain

If you need to control Windows 10 and 11 in the same domain, you have options for management. First, you can control Windows 10 and 11 workstations from two different management workstations. Point one at the central store on the domain controller.
For the other, after installing the RSAT tools through the Add Features wizard, add a registry value that points the management tools at the local workstation's policy store rather than the server's. Open Registry Editor and add the following value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy
Value: EnableLocalStoreOverride
Type: REG_DWORD
Data: 1

Once you've set this registry value, the Group Policy management tool on that workstation can manage your Windows 11 machines while the separate workstation continues to manage the Windows 10 machines. For example, Windows 11 has a Group Policy setting to control "NewsandInterests", which is not in the Windows 10 Group Policy templates. Using this approach, you'll need two virtual machines with sufficient administrative rights to control workstations, one for Windows 10 and the other for Windows 11, and you'll need to log into each to control each version in your domain.

However, there is an alternative way to manage Windows 11 workstations. Many of us are reevaluating how we deploy and manage our networks. Some small and medium-sized businesses are even considering a model with no on-site Active Directory domain controller, either placing the domain controller in Azure as a virtual server or moving to a model where Azure Active Directory is the only domain infrastructure, with Intune as the management and control tool.

Group Policy for Windows 10, Intune for Windows 11

Consider using the traditional Group Policy tools for Windows 10 and moving to Intune and other cloud tools for Windows 11. While it means using two tools to manage your desktops, it will help you move to the "modern" tools. You can enroll your Windows 11 devices in Intune and then use its cloud-based console to manage and control those platforms.
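Returning to the EnableLocalStoreOverride value described earlier: the following script is an added example, not code from the article or from Microsoft. It sets the value on the Windows 11 management workstation, reads it back to verify the write, and reports which ADMX store the Group Policy editor will now consult; the central-store path is assumed from the standard SYSVOL layout and the logged-on user's domain.

```powershell
# Added example (not from the article): on the Windows 11 management workstation,
# set EnableLocalStoreOverride so the Group Policy editor reads the local
# PolicyDefinitions folder instead of the domain central store, then verify
# the write and show which store is now in effect. Run from an elevated shell.
$keyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$valueName  = 'EnableLocalStoreOverride'
$localStore = Join-Path $env:SystemRoot 'PolicyDefinitions'
# Assumed central-store path, built from the standard SYSVOL layout and the user's domain.
$centralStore = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"

function Enable-LocalAdmxStoreOverride {
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    # Read the value back rather than trusting that the write succeeded.
    $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    return ($current -eq 1)
}

function Get-ActiveAdmxStore {
    # Approximates the editor's choice: override set and local store present -> local;
    # otherwise the central store if it exists, else the local store.
    $override = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($override -eq 1 -and (Test-Path $localStore)) { return $localStore }
    if (Test-Path $centralStore) { return $centralStore }
    return $localStore
}

$admxCount = @(Get-ChildItem -Path $localStore -Filter '*.admx' -ErrorAction SilentlyContinue).Count
if ($admxCount -eq 0) {
    Write-Warning "No ADMX files in $localStore; install the Windows 11 templates there first."
    return
}
Write-Host "Local store holds $admxCount ADMX templates."

if (Enable-LocalAdmxStoreOverride) {
    Write-Host "Override set. The Group Policy editor on this host will read: $(Get-ActiveAdmxStore)"
} else {
    Write-Warning 'Registry write did not verify; confirm the shell is elevated.'
}
```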
Especially for computers that are disconnected or reach the network only over remote access, you may wish to review your options for management.

If you will have some Windows 11 devices in the Insider channel so you can review upcoming changes to Task Manager and other new features in the testing pipeline, you can use Intune to move systems to the Insider versions. While I do not recommend using Insider editions in production, it's wise to have some advanced administrators using the preview releases in testing so they are aware of upcoming features.

Review security baselines and policies

Microsoft updates its Microsoft Security Toolkit after every platform release. This bundle includes Microsoft-recommended security configuration baselines for Windows and other Microsoft products and lets you compare them against other security configurations. It includes Windows 11 and Windows 10 security baselines, as well as Windows 10 update baseline documentation. There are 61 new Group Policy/registry settings unique to Windows 11, ranging from "Prevent lock screen background motion" to "Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC".

I'd also use deployment planning as the occasion to review existing policies. Microsoft employee Aria Carley, who specializes in updating policies for various Windows platforms, released a blog post listing Group Policy settings you shouldn't use when managing Windows 10. In Windows 11, Microsoft created a subfolder in the Windows 11 ADMX templates to signify legacy policies that are no longer used. The list ranges from "Do not display 'Install Updates and Shut Down' option in 'Shut Down Windows' dialog box" to "Update Power Policy for Cart Restarts". The latter is marked as still working on Windows 10 and Windows 11, but it will dramatically reduce compliance and the velocity at which devices take updates. Microsoft recommends using Active Hours instead.
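To act on that review, the script below is an added example (not the article's or Microsoft's code) that scans every GPO in the domain for the two legacy Windows Update settings named above, using the GroupPolicy RSAT module; the setting names are the display names quoted in the article, and matching is done against each GPO's XML report.

```powershell
# Added example (not from the article): find GPOs that still carry the two
# legacy Windows Update settings the article singles out, so they can be
# replaced with the Active Hours policies before the Windows 11 ADMX rollout.
# Requires the GroupPolicy RSAT module and read access to the domain's GPOs.
Import-Module GroupPolicy -ErrorAction Stop

# Display names exactly as quoted in the article.
$legacySettings = @(
    "Do not display 'Install Updates and Shut Down' option in 'Shut Down Windows' dialog box",
    'Update Power Policy for Cart Restarts'
)

function Find-LegacyUpdatePolicy {
    param([string[]]$SettingNames = $legacySettings)
    $findings = foreach ($gpo in Get-GPO -All) {
        # The XML report lists each configured setting by its display name.
        $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        foreach ($name in $SettingNames) {
            # Tolerate apostrophes the report may have encoded as entities.
            $pattern = [regex]::Escape($name) -replace "'", "(?:'|&apos;|&#39;)"
            if ($xml -match $pattern) {
                [pscustomobject]@{
                    GpoName  = $gpo.DisplayName
                    GpoId    = $gpo.Id
                    Setting  = $name
                    IsLinked = ($xml -match '<LinksTo>')   # unlinked GPOs are lower priority
                }
            }
        }
    }
    return @($findings)
}

$results = Find-LegacyUpdatePolicy
if ($results.Count -eq 0) {
    Write-Host 'No legacy update-restart settings found in any GPO.'
} else {
    $results | Sort-Object IsLinked -Descending | Format-Table -AutoSize
    Write-Host 'Replace these with the Active Hours policies Microsoft recommends, then re-check update velocity.'
}
```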
Windows 11 pushes toward using security settings

Windows 11, as noted in Michael Niehaus's two recent blog posts (see part 1 and part 2), doesn't include significant new security features. Rather, it pushes us to enforce security settings we haven't put in place to date, such as credential protection and machine encryption.

New mobile device management (MDM) policies for Windows 11 include the Policy CSP, which added these policies in Windows 11, version 21H2:

NewsAndInterests/AllowNewsAndInterests
Experiences/ConfigureChatIcon
Start/ConfigureStartPins
Virtualizationbasedtechnology/HypervisorEnforcedCodeIntegrity
Virtualizationbasedtechnology/RequireUEFIMemoryAttributesTable

The DMClient CSP updated the description of the following nodes:

Provider/ProviderID/ConfigLock/Lock
Provider/ProviderID/ConfigLock/UnlockDuration
Provider/ProviderID/ConfigLock/SecuredCore

Windows 11 pushes you to use more of the security settings you already have in Windows 10 but are not using now. "Microsoft wants you to use existing Windows 10-era security features that have specific hardware requirements (e.g., HVCI/VBS, TPM, Secure Boot), and those features don't have sufficient adoption on Windows 10," Niehaus wrote. While the changes between Windows 10 and Windows 11 are not great, consider this a good time to reevaluate how you manage and deploy security templates on the platform. It's time to review whether there are better ways to do what you've been doing for years.
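As an added example (not from the article or Microsoft), the script below reports whether a Windows 11 candidate device already runs the Windows 10-era hardware-backed features Niehaus names (VBS/HVCI, TPM, Secure Boot) and lists the gaps, mapping the HVCI gap to the Policy CSP node listed above. It assumes the local HVCI enable value lives under the DeviceGuard\Scenarios registry key and that the Intune OMA-URI follows the usual Policy CSP pattern; confirm both against your tenant.

```powershell
# Added example (not from the article): assess a Windows 11 candidate for the
# hardware-backed features Niehaus lists and report what is still missing.
# Assumptions: the local HVCI switch is the Enabled value under
# DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity, and the OMA-URI below
# follows the Policy CSP pattern for the node named in the article. Run elevated.

function Get-HardwareSecurityReadiness {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 (Credential Guard) and/or 2 (HVCI).
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $tpm = Get-Tpm
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }
    $hvciLocal = Get-ItemProperty -ErrorAction SilentlyContinue -Name Enabled `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        VbsRunning         = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning        = ($dg.SecurityServicesRunning -contains 2)
        CredGuardRunning   = ($dg.SecurityServicesRunning -contains 1)
        TpmPresentReady    = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        SecureBootOn       = [bool]$secureBoot
        HvciLocallyEnabled = ($hvciLocal.Enabled -eq 1)
    }
}

function Get-ReadinessGaps {
    param([Parameter(Mandatory)]$Report)
    $gaps = @()
    if (-not $Report.SecureBootOn)    { $gaps += 'Enable Secure Boot in firmware' }
    if (-not $Report.TpmPresentReady) { $gaps += 'Enable and initialize the TPM' }
    if (-not $Report.HvciRunning) {
        # Policy CSP node from the article, expressed as an Intune custom OMA-URI (assumed pattern).
        $gaps += 'HVCI not running: set ./Device/Vendor/MSFT/Policy/Config/VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity = 1'
    }
    if ($Report.HvciLocallyEnabled -and -not $Report.HvciRunning) {
        $gaps += 'HVCI enabled but not running: check for incompatible drivers and reboot'
    }
    if (-not $Report.CredGuardRunning) { $gaps += 'Credential Guard not running: credential protection still unenforced' }
    return $gaps
}

$report = Get-HardwareSecurityReadiness
$report | Format-List
Get-ReadinessGaps -Report $report | ForEach-Object { Write-Host "Gap: $_" }
```

Run it across the pilot fleet (for example via a remoting session) and collect the objects to see which devices need firmware changes versus only a policy push.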