Managing security in hybrid Windows 11 and WIndows 10 environments

You’ve been given the task for 2022 to start a pilot project for deploying and managing Windows 11.  Any platform is only as secure as how well you can manage it. Microsoft has stated that managing Windows 11 will be just like managing Windows 10. However, some distinct nuances in management may make you reconsider the security management tools that you’ll use for Windows 11 and possibly even Windows 10.

Many firms use a traditional Active Directory infrastructure to manage a mixture of Windows machines – for example, Group Policy to manage security settings as well as to set security settings for Windows Software Update Services or Windows Update for Business.  As a recent Microsoft blog noted, you may need to determine which ADMX templates you need to deploy in your Group Policy central store. If your firm will be staying on Windows 10 for the near future, it’s recommended that you stay with Windows 10 ADMX templates rather than installing and using the Windows 11 templates. If you will be primarily using Windows 11, even if you still have some machines on Windows 10, you’ll want to roll out the Windows 11 ADMX templates.

Managing Windows 10 and Windows 11 in the same domain

If you need to control Windows 10 and 11 in the same domain, you have options for management. First, you can control Windows 10 and 11 workstations from two different management workstations. Point one to the domain controller for the management store. For the other, after you install the RSAT tools by going through the add feature wizard, add a registry key to point the management tools to the local workstation rather than the server.

Open Registry Editor and add following registry value:

Key: HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsGroup Policy
Value: EnableLocalStoreOverride
Type: REG_DWORD
Data: 1

Once you’ve set this registry key, the Group Policy management tool can then manage your Windows 11 machines while a separate workstation can still manage Windows 10 machines. For example, Windows 11 has a group policy to allow you to control “NewsandInterests”, which is not in the Windows 10 group policy templates.

Using this methodology, you’ll need two virtual machines that have sufficient administrative rights to control workstations, one for controlling Windows 10, the other for controlling Windows 11. You’ll need to log into each to control each version in your domain.

However, there is an alternative way to manage Windows 11 workstations. Many of us are reevaluating how we deploy and manage our networks. Some in small- and medium-sized business are even considering moving to a model with no on-site Active Directory domain controller and either placing that domain controller in Azure as a virtual server or moving to a model where Azure Active Directory is the only domain infrastructure with Intune as your management and control tool.

Group Policy for Windows 10, Intune for Windows 11

Consider using the traditional Group Policy tools for Windows 10 and moving to Intune and other cloud tools for Windows 11. While it will mean that you’ll be using two tools to manage your desktops, it will assist you in moving to the “modern” tools. You can enroll your Windows 11 devices in Intune and then use its cloud-based console for the management and control of those platforms. Especially for disconnected computers during remote access, you may wish to review your options for management.

If you will have some Windows 11 devices in the insider channel so you can review upcoming changes to the Task Manager and other new features in the testing pipeline, you can use Intune to change systems to the insider versions. While I do not recommend using the Insider editions in production settings, it’s wise to have some advanced administrators using the preview releases in testing to be aware of upcoming features.

Review security baselines and policies

Microsoft updates its Microsoft Security Toolkit after every platform release. This bundle includes Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations. It includes Windows 11 and Windows 10 security baselines, as well as Windows 10 update baseline documentation. There are 61 new Group Policy/registry settings unique to that platform ranging from “Prevent lock screen background motion” to “Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC”.

I’d also use deployment planning to review existing policies. Microsoft employee Aira Carley, who specializes in updating policies for various Windows platforms, released a blog post listing group policies that you shouldn’t use when managing Windows 10. In Windows 11, Microsoft created a subfolder in the Windows 11 ADMX templates to signify legacy policies that are no longer used. The listing ranges from the setting of “Do not display ‘Install Updates and Shut Down’ option in ‘Shut Down Windows’ dialog box” to “Update Power Policy for Cart Restarts” which is indicated that it will still work with Windows 10 and Windows 11. However, it will dramatically reduce compliance and the velocity at which the device takes updates. Microsoft recommends using Active Hours instead.

Windows 11 pushes toward using security settings

Windows 11, as noted in Michael Neihaus’s two recent blog posts (see part 1 and part 2), doesn’t include significant new security features. Rather, it pushes us to enforce security settings we haven’t put in place to date such as protection for credentials and machine encryption.

New mobile device management (MDM) polices for Windows 11 include Policy CSP, which added these policies in Windows 11, version 21H2:

• NewsAndInterests/AllowNewsAndInterests
• Experiences/ConfigureChatIcon
• Start/ConfigureStartPins
• Virtualizationbasedtechnology/HypervisorEnforcedCodeIntegrity
• Virtualizationbasedtechnology/RequireUEFIMemoryAttributesTable

DMClient CSP updated the description of the following node:

• Provider/ProviderID/ConfigLock/Lock
• Provider/ProviderID/ConfigLock/UnlockDuration
• Provider/ProviderID/ConfigLock/SecuredCore

Windows 11 is pushes you to use more of the security settings you already have in Windows 10 but are not using now. “Microsoft wants you to use existing Windows 10-era security features that have specific hardware requirements (e.g., HVCI/VBS, TPM, Secure Boot), and those features don’t have sufficient adoption on Windows 10,” Neihaus wrote.

While the changes between Windows 10 and Windows 11 are not great, consider this a good time to reevaluate how you manage and deploy security templates on the platform. It’s time to review whether there are better ways to do what you’ve been doing for years.