In today's digital landscape, where cyber threats are too common, taking steps to boost your PC's security is a smart move to prevent potential risks and damages.
Windows 11 is the most secure Windows operating system to date, but it's not entirely foolproof against potential risks. There are still several key security settings that you need to change to maximize your protection.
In this article, we have compiled a list of security settings that you can enable or configure to enhance your PC’s security and protect your privacy.
1. Keep Windows Updated
Keeping your Windows 11 system updated is the best way to fix random bugs, protect your system against new security threats and improve the overall system performance.
In Windows 11, automatic updates are enabled by default. However, if you wish to manually update your system or install other optional updates, follow these steps:
Click the 'Start' button and select 'Settings' from the Start menu.
Go to 'Windows Update' from the left pane and click the 'Check for updates' button.
If you have any pending updates, download and install them.
Then, click the 'Advanced options' tile below.
On the next screen, select 'Optional updates' under Additional options. If you have any pending optional updates, like drivers, install them as well.
After that, restart the computer if prompted.
2. Enable Windows Security and Run a Virus Scan
Windows Security is a free antivirus program that comes preinstalled with Windows 11. It is a powerful antivirus program that offers protection against viruses, ransomware, and spyware.
To ensure Windows Security is enabled, follow these steps:
Click the 'Hidden icons menu' on the task corner and click the 'Windows Security' icon. Alternatively, search for 'Windows Security' in the Start menu and open it.
Select the 'Virus & threat protection' tab and click on 'Manage settings' on the right.
On the Virus & threat protection settings page, make sure all of these settings are enabled.
- Real-time protection
- Cloud-delivered protection
- Automatic sample submission
- Temper protection
Run a Full Virus Scan
Go back to the Virus & threat protection page and click on 'Scan options' under Current threats.
Next, select the 'Full scan' option and click 'Scan now'.
Windows Security is more than capable of providing adequate protection for regular everyday users. However, if you need comprehensive protection against scams, viruses, malicious websites, and real-time threats, you can install paid third-party antivirus software to better protect your PC.
3. Switch to Local Account
When you set up Windows 11 for the first time, Windows 11 forces you to sign in to your Microsoft account, which becomes the default account. Even if you set up a local account, Windows sometimes automatically switches to the Microsoft account when you log into Microsoft apps.
Microsoft Account collects and stores your data on the cloud, while local accounts keep your user data on the device. If you use only one device, it's better to opt for a local account over a Microsoft account, so even if someone manages to gain access to your Microsoft account, your computer would be protected. Here's how you can switch to a local account:
Press Windows
+I
to open Windows Settings. Then, go to the 'Accounts' section. If you don't have a local account, add a user account on your computer. There are two types of accounts in Windows 11, 'Standard' and 'Administrator'. You'll need an administrator account to make changes to your computer for complete protection.
To change a local account into an Administrator account, click the 'Other users' tile in the Account settings.
Then, click on the account name and select 'Change account type'.
After that, select the 'Administrator' option from the drop-down and click 'OK'.
To switch to a local account, go back to the 'Account' settings and select 'Your info'.
Then, click the 'Sign in with a local account instead' link under Account settings.
In the pop-up window, click 'Next' to continue.
Enter your computer PIN/Password and click 'OK'. If you are prompted to enter your Microsoft password, enter that as well.
Next, type a new user or existing user name, password, and password hint, and click 'Next'.
Finally, click 'Sign out and finish' to log out and sign in with the local account.
4. Enable Windows Firewall
Windows Firewall helps protects your PC from unauthorized access by controlling incoming and outgoing network traffic. Keep it turned on all the time and configure it to block unnecessary connections.
Open the Run window (Windows
+R
), type firewall.cpl
and hit Enter
.
In the Windows Defender Firewall window, click the 'Windows Defender Firewall on or off' link from the left sidebar.
Next, select the 'Turn on Windows Defender Firewall' option under the Private network settings and Public network settings sections. Then, click 'OK' to save the changes.
Next, click on 'Allow an app or feature through Windows Defender firewall' from the left.
Then, click the 'Change settings' button and disable the apps that you don't want to allow to communicate through the Firewall. After that, click 'OK' to save the settings.
5. Enable Biometrics on Windows 11
If you want to use a Microsoft account to sign into your PC, you can use Windows Hello to lock your PC, which is much more secure than traditional passwords. Windows Hello offers biometric authentication features like facial recognition and fingerprint scanning (depending on the hardware on your PC). However, biometrics are not available for local accounts.
Open Windows settings, go to the 'Accounts' section, and click on 'Sign-in options'.
Then, select 'Facial recognition' or 'Fingerprint recognition' and click on 'Set up'.
Then, follow the instructions to set up the sign-in options.
If the option to set up Facial recognition or Fingerprint recognition isn't available even when your PC has the supporting hardware, you might need to install an optional update to make it work.
From the left menu in the Settings window, go to 'Windows Update'. Then, click the 'Advanced options' tile.
Next, click the 'Optional updates' tile under Additional options.
You'll see a pending update for Windows Hello here (if there is one). Install the update and restart your PC (if prompted). Then, follow the steps above to set up biometrics using Windows Hello.
If you prefer passwords, set strong and unique passwords for your user accounts. Use a mix of upper and lower case letters, numbers, and special characters.
6. Enable Bitlocker on Drives
BitLocker is a built-in encryption tool in Windows 11 that helps protect your data by encrypting your whole operating system and files within it. In case you lose your computer, your data will be protected. However, the feature is exclusive to Pro and Enterprise editions of the Windows operating system.
Windows 11 allows you to enable BitLocker for operating system drives, fixed drives, as well as removable drives. To turn on Bitlocker on a drive, follow these steps:
Open File Explorer and right-click on the drive you want to encrypt, then select 'Turn on BitLocker' from the context menu.
When you open the BitLocker Drive Encryption wizard, choose how you want to unlock your drive and click 'Next'. You can pick either a password or a smart card to unlock the drive:
- Password: Create a password using a mix of capital and lowercase letters, numbers, spaces, and symbols.
- Smart Card: You can use a Smart card along with a PIN to unlock the encrypted drive. The card needs to be inserted into your computer every time you want to access the drive.
Next, decide how you want to save your recovery key, which you can use to unlock your drive if you forget your password or lose your smart card. There are a few ways:
- Save to Microsoft Account: If you're signed in with a Microsoft account, you can save the recovery key there.
- Save to a file: Save the recovery key as a document on your computer.
- Print the recovery key: Print the recovery key on paper.
After backing up the recovery key, click 'Next' to continue.
Next, choose how much of the selected drive you want to encrypt and click 'Next'.
- Encrypt used disk space only: This is quicker and good for new computers or drives. Only the space with data will be encrypted.
- Encrypt the entire drive: This is slower but better if you want to encrypt everything, even unused space. It's best for drives you've been using for a while.
BitLocker will keep encrypting new data as you add it.
Then, choose an encryption mode:
- New encryption mode: This is advanced and better for fixed drives on Windows 10 or 11.
- Compatible mode: Use this for portable drives you might use on older Windows versions.
If you would like to run a system check before encrypting the drive, check the 'Run BitLocker system check' option and click 'Continue'. This system check ensures whether BitLocker can read the recovery and encryption keys properly.
Click 'Restart now' to continue. After the restart, the system will automatically encrypt the drive.
7. Setup Dynamic Lock on Windows 11
Dynamic Lock is a handy feature in Windows 11 that adds an extra layer of security. It automatically locks your computer when you're not around, using a paired Bluetooth device like your smartphone.
First, turn on Bluetooth on both your Windows 11 computer and your paired device, like your phone.
To connect your Bluetooth device, open Windows Settings, go to 'Bluetooth & devices', and click 'Add device'.
In the pop-up window, select 'Bluetooth'. Then, pair your mobile device to the computer.
Once your Bluetooth device is connected, let's set up Dynamic Lock:
Go back to the Settings app, click 'Accounts', and then select 'Sign-in options'.
Scroll down and click on 'Dynamic lock' under Additional settings.
Check the box that says, 'Allow Windows to automatically lock your device when you're away'.
Now, your computer will lock itself when it doesn't see your Bluetooth device around. Walk away from your computer until the Bluetooth device is out of reach. After a bit, Windows 11 should lock your computer on its own.
8. Enable Find My Device Feature
Find My Device is a helpful tool in Windows 11 that helps you find your laptop or PC if you ever misplace it or if it gets stolen. Follow these steps to enable the feature:
First, make sure you're using a Microsoft account to sign in to your computer. If you're not sure, you can check by going to Settings
> Accounts
> Your info
. Then, look under the Account settings, if it's not a Microsoft account, you can switch to one there.
Next, go to 'Privacy & security' and select 'Location' under App permissions.
Then, click to turn on the 'Location services' to let the computer know where it is to be found.
After that, go back to the 'Privacy & Security' settings, and click on the 'Find my device' tile under Security.
On the next settings page, turn on the toggle next to 'Find my device'.
Now, if you ever need to find your computer, you can easily do that on the Microsoft website. Go to account.microsoft.com/devices in your web browser. Sign in with the same Microsoft account you use on your computer. Then, select the 'Find my device' option.
There, you'll see a list of devices, including your Windows 11 PC. Click on it, and you'll have options to see where it is on a map and even lock if it's lost or stolen.
9. Backup your Windows 11 PC
Backing up your computer's important data is another crucial step in securing your Windows system. Imagine if things went wrong – you'd lose your files, apps, and settings. That's where 'Backup and Restore' comes in.
It lets you create a system image of the entire system and files to an external hard drive or USB storage. If something bad happens, you can use this image to bring your computer back to how it was.
Start by searching for 'Control Panel' in the Start menu. Once you're in the Control Panel, change the View to 'Large icons' and click 'Backup and Restore (Windows 7)'
In the Backup and Restore (Windows 7) window, click on the 'Create a system image' link on the left panel.
Now, you can choose where you want to save the backup (USB or another hard drive). From the 'On a hard disk' drop-down, pick a drive and click 'Next'.
Windows usually knows what's important, so it'll automatically select the partitions such as the EFI system partition, Windows drive (C:), and Windows Recovery Environment (WinRE). If you want more drives, you can add them here. Then, click 'Next' when you're set.
Finally, click 'Start backup' to start the backup process.
It might take a while, so be patient. You can still use your computer while this happens.
Once it's done, click 'OK.' You might see a message about making a repair disc, but you can ignore that for now by clicking 'No' because you can use Windows 11 bootable media or Advanced Startup to access the Windows Recovery Environment to restore the backup. Besides, you will need to insert a blank CD or DVD into your system to create a system repair disc.
Look for a folder named 'WindowsImageBackup' on the drive you picked. Keep this folder safe, and don't make any changes to it because you will need it to restore the backup in the future.
10. Enable User Account Control (UAC)
User Account Control (UAC) is a security feature in Windows that prevents unauthorized changes to your computer. It asks permission or confirmation from a user with administrative privileges before allowing apps or tasks to make changes to your system.
Open the Start menu, search for User account control
, and select the 'Change User Account Control' control panel.
There's a slider with different levels of security. 'Always notify' is the most secure but might result in more prompts. 'Notify me only when apps try to make changes' is a good balance between security and convenience. Make sure to set one of these two levels, then click 'OK'.
11. Use a VPN Connection
Using a VPN on your Windows system is like adding an extra layer of protection to your online world. When you're connected to a VPN, your data becomes unreadable to anyone trying to spy, whether it's cybercriminals or even your local ISP. It's particularly useful on public Wi-Fi networks, protecting your information from potential threats.
Moreover, a VPN hides your real location by masking your IP address and allowing you to appear as if you're browsing from a different country. This not only boosts privacy but also lets you access content that might be blocked in your region. For remote work or keeping personal data safe, a VPN acts like a digital bodyguard, securing your connection and preventing unauthorized access.
However, not all VPN services are equal. Choosing a reliable and trustworthy service is important for better security. While using a VPN might slightly slow down your internet connection due to the encryption process, the protection it offers is worth it.
12. Disable Remote Access
Windows Remote Desktop feature allows users to connect to their PC and control it remotely over a private or public network connection. It is a useful feature to access your home or work computer while you are away.
However, it can also be used by hackers and cybercriminals to gain unauthorized access to your computer and install malware or steal data. Unless remote access is necessary, it is recommended to disable this feature to enhance your system's security.
Open Windows Settings, go to the ‘System’, then click on ‘Remote Desktop’ on the right pane.
Then, switch off the ‘Remote Desktop’ toggle.
Click the ‘Confirm’ button to disable the feature.
13. Avoid Pirated Software
Avoid installing pirated software on your PC. Only download software from official websites or authorized distributors. Regularly update all software, including your operating system and apps, to fix security vulnerabilities.
Pirated software often comes from untrusted sources and may be changed to include malware or viruses. So, when you install pirated software, you risk exposing your computer to potential threats like viruses and unauthorized access by hackers.
14. Activate Smart App Control
In Windows 11 versions 22H2 and higher, there's a security feature called Smart App Control (SAC). It locks down the system to only run trusted apps or those with valid certificates. This prevents risky behavior from untrusted or unknown apps.
To turn on Smart App Control in Windows 11, follow these steps:
Open the Windows Security app from the system tray. Then, click on 'App & browser control' and select 'Smart App Control settings'.
Under Smart App Control, choose either the 'On' or 'Evaluation' option.
The 'On' option allows Smart App Control to block any unknown or potentially malicious software. It even can block some trusted third-party apps sometimes. While in Evaluation mode, the feature will quietly run in the background without blocking anything. At this point, the system will learn from your apps to decide if the feature can run without causing issues. If it works well, the system will enable it automatically. If there are potential problems, the system will disable it
Once the evaluation is complete, the feature will enable automatically, and you can't turn it off. If an app is blocked later on, you can't unblock it without disabling the feature, which will need Windows reinstallation.
15. Enable Core Isolation
Core Isolation is a set of security features in Windows 11 that safeguards your computer against malicious software and hackers. It includes 'memory integrity', which stops various types of malware from attacking important processes in memory.
This feature should be on by default, but if not, here's what to do:
Open Windows Security and click on 'Device Security'. Under Core isolation, click 'Core isolation details'.
Switch on 'Memory integrity' to enable core isolation.
Then, restart your computer to apply the changes
16. Setup Multi-Factor Authentication on Windows 11
Multi-Factor Authentication (MFA) is an important security feature in Windows 11 that adds an extra layer of protection to your account. If enabled, you need to enter your password and then receive a code on your smartphone that you need to input to complete the login. This way, even if someone has your password, they can't access your computer without your phone or another authentication method.
First, open the Microsoft website and sign into your account. Then, click on the 'Security' tab and select 'Advanced security options'.
Under the Ways to prove who you are section, click the 'Add a new way to sign in or verify' link.
Windows 11 offers various MFA methods such as text code, email, biometrics, or authenticator app. To view more options, click 'Show more options'. Choose your preferred method and follow the on-screen prompts to add it to your account.
For instance, if you choose the 'Text a code' option, you'll need to pick your country, enter your phone number, and then click 'Next'. Following that, input the code you received on your mobile to add the sign-in method.
If you select the 'Use an app' method, you'll need to install an authenticator app like Microsoft Authenticator. Then, open the authenticator app and pair the app with your Microsoft account.
After adding the sign-in method, click the 'Turn on' option under Additional security for two-step verification.
Then, click 'Next' to continue.
After that, note down the recovery code. This code can be used to unlock your device in case you lose access to your sign-in options. You also have the option to click 'Print code' to print it out or save it as a PDF file on your device.
Finally, click 'Finish'.
Once you've completed the two-step verification setup, you should see that the Two-step verification status is 'ON' under the Additional security section.
17. Use a Secure Browser
Use a secure browser such as Google Chrome, Edge, or Firefox that can effectively block pop-ups and identify harmful websites.
Wherever you’re online, stick to secure websites. When you're about to visit a website, look at its web address. If it starts with ‘https’ instead of just ‘http’, that website is secure. If it's only ‘http’, be careful. That site might not be safe, so don't share any personal info there or download anything from it.
18. How to Protect Your Privacy in Windows 11
In the digital age, protecting your privacy is essential. Windows 11 provides tools to control how your personal information is gathered and used. Let's see how to protect your privacy on Windows 11 by adjusting settings related to location tracking, ad tracking, diagnostics and feedback, and app permissions.
Disable Location Tracking
Windows keeps track of your location to give you useful services such as Find my device, local weather, etc. However, sometimes when apps know your location, it can compromise your privacy. Here's how to disable location tracking:
Open Windows settings by pressing Windows
key + I
and selecting ‘Privacy & security’.
In the right-side pane, scroll down to the 'App permissions' section and click on 'Location'.
On the Location settings page, you can turn off the ‘Location services’ toggle to disable location tracking for Windows and all your apps.
Then, click ‘Turn off’ on the confirmation box.
However, if you don't want apps to access your location but still want Windows to track your location for the 'Find my device' feature, keep the 'Location services' option turned on and disable the 'Let apps access your location' option.
Similarly, you can go back to the Privacy & Security settings page and disable the Camera, Microphone, and notification services for either all apps or particular ones.
Disable Ad Tracking
Tired of ads following you around online? You can take back control. Let's find out how to disable ad tracking, so you can browse without feeling like you're constantly being watched.
Open Windows Settings, go to 'Privacy & security', and select the 'General' tab on the right.
Then, disable the 'Let apps show me personalized ads by using my advertising ID' option.
Disable Diagnostics and Feedback
To keep Windows 11 safe and updated, Microsoft collects a bit of diagnostic information about how your computer works by default. But there's another kind of diagnostic info that Microsoft collects, such as your browsing history and your app usage. If you want to stop sharing this data with Microsoft, follow these steps:
Go to the 'Privacy & Security' settings and select the 'Diagnostics & feedback' tile.
Then, turn off the switch for 'Send optional diagnostic data'.
Also, we suggest turning off the three options below that - 'Improve inking and typing', 'Tailored experiences', and 'View diagnostic data'.
This will make sure Windows 11 doesn't use your info to give you tips and suggestions. It will also stop Windows 11 from sending your writing and typing info to Microsoft.
Disable Activity History
Windows also includes a feature called Activity History that keeps a record of your tasks and activities. It basically keeps track of all the things you do on your computer. If you want to safeguard your privacy in Windows 11 and make sure Microsoft doesn't keep track of your activities, do this:
Open up the 'Privacy & Security' section in Windows Settings and click on 'Activity history' on the right side.
Under Activity History, turn off the switch that says 'Store my activity history on this device'.
That's it. Privacy and security are legit concerns when it comes to our devices that have become a dominant part of our lives. We hope this article will help you bolster your security on your Windows 11 device.
Member discussion