Windows: Administration, Policies, and Common Issue Fix Guide 2026

Windows 11 ships with security settings pre-configured, but "pre-configured" doesn't mean "enterprise-ready." Security baselines are the answer here. These are collections of Group Policy settings that Microsoft has already tuned for security, tested against the OS, and documented. If you don't know where to start with Windows 11 security policy, and especially if you're migrating a fleet from Windows 10, baselines are your foundation.

You download the Windows 11 Security Baseline from the Microsoft Security Compliance Toolkit. The toolkit includes a PolicyAnalyzer tool that lets you compare your existing GPOs against the baseline. This matters because most Windows 10 baselines don't map cleanly to Windows 11, there are new settings, deprecated settings, and renamed policy paths.

To import the baseline into Group Policy Management:

1. Download the Security Compliance Toolkit from Microsoft's Download Center
2. Extract the Windows 11 Security Baseline folder
3. Open Group Policy Management Console (gpmc.msc)
4. Right-click your target OU → "Import Settings"
5. Browse to the extracted baseline folder
6. Select the appropriate sub-baseline (Computer or User configuration)
7. Complete the import wizard

One thing I always tell people: don't apply the baseline to the entire domain at once. Link it to a test OU first with a small pilot group. Some baseline settings, particularly around LAPS, credential guard, and SmartScreen, can break line-of-business applications that rely on older authentication methods. Test, then roll out in waves.

After applying, run gpresult /h C:\BaselineCheck.html on a pilot machine. Look for the baseline GPO in the "Applied GPOs" section and confirm every setting in it shows "Applied" rather than "Not Applied" or "Superseded." If settings are being superseded, a higher-priority GPO in your OU structure is overriding them, check link order in GPMC.

Deploying Microsoft 365 apps to Windows 11 clients is one of the top questions I get. The good news: the same device management tools you already know work here. You have two main paths, Microsoft Intune and Microsoft Configuration Manager, and picking the wrong one for your environment is where most deployment failures start.

If you're using Microsoft Intune: navigate to the Intune admin center at intune.microsoft.com. Go to Apps > Windows > Add. Select "Microsoft 365 Apps for Windows 10 and later" as the app type. This is the modern deployment method that works natively on Windows 11. Configure your suite settings, select which apps to include (Word, Excel, Outlook, etc.), set your update channel (Monthly Enterprise Channel is the safest for stability), and assign the app to your device or user groups.

Intune Admin Center → Apps → Windows → Add
App type: Microsoft 365 Apps for Windows 10 and later
Update channel: Monthly Enterprise Channel
Assignment: Required (for managed devices) or Available (self-service)

If you're using Configuration Manager: use the Office Customization Tool integrated into ConfigMgr. Navigate to Software Library > Application Management > Applications > Create Application. Configuration Manager handles the download and installation of the Office Deployment Tool automatically when you use the built-in Microsoft 365 Apps wizard. Deploy to your Windows 11 collection and monitor in the Deployments node.

The failure mode I see most often: organizations running both Intune and Configuration Manager in co-management mode try to deploy Microsoft 365 from both systems to the same device. This creates install conflicts, triggers repair loops, and produces cryptic event log errors like Event ID 1001 in the Application log. Fix this by setting the Apps workload in co-management to either Intune or Configuration Manager, not split. Go to ConfigMgr Console > Administration > Cloud Services > Co-management Properties > Workloads and slide Apps to your chosen authority.

After deployment, confirm with: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Microsoft 365*"}

Windows Hello for Business is one of the most important Windows 11 security features and one of the most commonly broken ones. It replaces passwords with a PIN or biometric that lives locally on the device, never transmitted, never stored on a server. The payoff for going passwordless is real, but getting enrollment working across a fleet takes precision.

The most common enrollment failure shows as error code 0x801C0003 or the device cycling through the "Setting up your PIN" screen and failing silently. Almost always, this traces back to one of three root causes: the TPM isn't provisioned correctly, the device isn't hybrid Azure AD joined, or the Intune enrollment profile is misconfigured.

Check TPM status first:

Get-Tpm

You want to see TpmPresent: True and TpmReady: True. If you see TpmReady: False, the TPM needs to be cleared and re-provisioned. Open tpm.msc, click "Clear TPM," reboot, and let Windows re-initialize it. On some devices, particularly those with AMD fTPM, you'll also need to check BIOS settings and confirm that fTPM is enabled, not the legacy PTT option.

For hybrid Azure AD join verification:

dsregcmd /status

Look for AzureAdJoined: YES and DomainJoined: YES. If AzureAdJoined is NO, the device hasn't synced with Azure AD Connect yet, run a delta sync from your Azure AD Connect server: Start-ADSyncSyncCycle -PolicyType Delta.

In Intune, verify your Windows Hello for Business enrollment policy under Devices > Windows > Windows Enrollment > Windows Hello for Business. Confirm "Configure Windows Hello for Business" is set to Enabled. Set minimum PIN length to 6, and if your hardware supports it, enable biometric authentication. Assign the policy to your All Devices or Windows 11 devices group and force a sync with dsregcmd /refreshprt after confirming the policy reached the device.

Windows 11 gives users and admins new ways to organize the desktop, Snap Layouts, Snap Groups, and a redesigned Start menu. These features are genuinely useful for hybrid work environments. But in managed environments, you need to control them through policy or they'll drift into states that confuse users and create support tickets.

To deploy a custom Start menu layout, you create a JSON-based layout file and deploy it via Intune or Group Policy. This is different from Windows 10, which used an XML LayoutModification file. The Windows 11 Start menu customization uses a newer schema.

Generate your base layout on a reference machine configured exactly how you want it:

Export-StartLayout -Path C:\StartLayout.json

Edit the JSON to pin your organization's apps (Outlook, Teams, internal LOB apps). Then in Intune, go to Devices > Configuration Profiles > Create Profile > Windows 10 and later > Settings Catalog. Search for "Start" and add the "Start Menu Layout" setting. Paste in your JSON content. Assign to your target group.

For Snap Layouts, users can manage some settings via Settings > System > Multitasking. But in a managed environment, you may want to control whether snap is enabled at all. The relevant Group Policy path is:

User Configuration → Administrative Templates → Desktop → 
Prevent the user from changing the Snap settings

Starting with Windows 11 22H2, snap layouts can also be triggered by dragging a window to the top of the screen, useful for touch-based devices. This behavior is on by default. If you're deploying to kiosk-style setups where this causes accidental window rearrangement, disable it via the Multitasking policy settings in your Intune configuration profile.

If your custom Start menu layout isn't applying, check Event Viewer under Applications and Services Logs > Microsoft > Windows > ShellCommon-StartLayoutPopulation > Operational. Event ID 22 indicates a layout parsing failure, usually a malformed JSON file or an app reference that doesn't resolve on the target machine.

Microsoft Defender Antivirus is built into Windows 11, you don't install it, you configure and manage it. In an Intune-managed environment, you control Defender through Endpoint Security policies. But when Group Policy, ConfigMgr, and Intune are all in the picture, Defender policy conflicts are one of the most common sources of security gaps.

The tell-tale sign of a Defender policy conflict: the Windows Security app shows "Some settings are managed by your organization" but the specific settings you deployed aren't reflected. Or worse, real-time protection keeps toggling off. Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log captures every configuration change, it's your first stop when investigating these conflicts.

Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" |
  Where-Object {$_.Id -eq 5007} |
  Select-Object -First 20 |
  Format-List TimeCreated, Message

For organizations using Intune with Microsoft Defender for Endpoint integration, the correct management path is through Intune Endpoint Security > Antivirus policies, not through a custom OMA-URI profile or a legacy ConfigMgr Endpoint Protection policy. Running both simultaneously causes a tamper protection conflict where settings applied by one system are overwritten by the other on every sync cycle.

To verify Defender is properly managed by Intune and not in a conflict state:

Get-MpComputerStatus | Select-Object -Property AMRunningMode, 
  RealTimeProtectionEnabled, IsTamperProtected, 
  AMProductVersion

You want AMRunningMode: Normal and IsTamperProtected: True. If tamper protection is False, an external process is overriding Defender settings. Check ConfigMgr's Endpoint Protection workload in co-management settings, if it's set to Configuration Manager while Intune is also pushing Defender policies, you'll see this conflict. Pick one authority and stick with it.

For organizations using Microsoft Defender for Endpoint alongside Intune, you can create compliance policies in Intune that check threat levels reported by Defender for Endpoint and automatically block non-compliant devices from accessing corporate resources, a zero-trust enforcement mechanism that requires no manual intervention once configured.