Best Windows 11 Settings For Security And Privacy

Whether you have purchased a new Windows computer, installed a fresh operating system, or simply want to increase the security of your Windows device, there are certain Windows settings that you should change and configure right now to make it more secure and enhance your privacy.

Microsoft introduced Windows 11 with hardened baseline requirements, including TPM 2.0 and Secure Boot, making the system more secure out of the box. Even so, there are configurations you should still make to harden your system further against outside threats and protect your privacy.

In this guide, you will learn what settings you should change on a Windows 11 computer to make sure that there are reduced chances of your device getting hacked, or your privacy being violated. The best security practices include keeping the system updated for the latest vulnerability patches, enabling encryption, biometric authentication, and much more.

Additionally, you will also learn how to perform each of those configurations and where to find those settings, so that you have a seamless experience of making your device more secure as soon as you get your hands on it.

Windows 11 settings to change for best security protection

The following are the best security-enhancing configurations you get natively on Windows 11. Note that while some need to be configured, the others are configured by default. I have still added them to the list in case you have obtained an old Windows device and the settings have been tampered with by the previous owner.

Install latest Windows updates

The first thing you ought to do is install the latest Windows updates that are available, but not installed on your computer.

Windows updates ship the patches for publicly disclosed Common Vulnerabilities and Exposures (CVEs), and they also keep the definitions of Windows Security (formerly Microsoft Defender) current, so installing them promptly is the single most effective protection.

  1. Press the Windows Key + i to open the Settings app.

  2. Click “Windows Update” on the left.

  3. Then click “Check for updates.”

    Check for OS updates in Windows 11
  4. When the scan completes, the pending updates should begin downloading and installing automatically. When completed, restart the computer.

Enable BitLocker encryption

BitLocker is a native encryption feature of Windows that protects your data at rest, that is, when the device is powered off or the drive is removed. It is available on almost all Windows editions except for Home. BitLocker encrypts individual drives, including the boot drive, and you unlock them as needed with the correct encryption key.

Here are the steps to enable BitLocker on Windows 11:


  1. Press the Windows Key + E to launch File Explorer.

  2. Right-click on the partition to encrypt and click “Turn on BitLocker.”

    Turn on BitLocker
  3. Select “Use a password to unlock the drive,” enter and confirm a password (this password will be used to decrypt the partition when required), and click Next.

    Enter a password for BitLocker
  4. Select “Save to a file.”

    Alternatively, you can select another option depending on where you want to store the BitLocker Recovery Key.

    Select location to save BitLocker recovery key
  5. Now save the file to your desired location.

    Note: The BitLocker Recovery Key cannot be saved to the same partition that is being encrypted.

  6. Back on the BitLocker wizard, click Next.

  7. On the next screen, select “Encrypt used disk space only” and click Next.

    Encrypt used disk space with BitLocker
  8. Select “New encryption mode” and click Next.

    Select new BitLocker encryption mode
  9. Now click “Start encrypting.”

    The encryption process will now begin. This step may take some time depending upon the amount of data present in the drive.

  10. Once the encryption process is complete, close the dialog box.

After performing the steps above, BitLocker encryption will be enabled on the selected drive. However, it is recommended that you enable BitLocker on all drives, including the boot drive. Once encryption is enabled on the boot drive, you can also configure a pre-boot PIN for BitLocker, which must be entered before Windows starts.
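
The following script is an added example (it is not part of the original article) that verifies what the wizard produced and backs up the recovery password somewhere other than the encrypted drive, as the note in step 5 requires. It assumes an elevated prompt and the BitLocker PowerShell module that ships with the Pro, Enterprise and Education editions; the output file path is a constructed value.

```powershell
# Added example, not from the article: check BitLocker state and export recovery keys.
# Requires an elevated prompt and the BitLocker module (Pro/Enterprise/Education).

function Get-BitLockerReport {
    # One row per volume: protection state, encryption method and which protectors exist.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            Drive          = $vol.MountPoint
            Protection     = $vol.ProtectionStatus      # On / Off
            Status         = $vol.VolumeStatus          # FullyEncrypted, EncryptionInProgress, ...
            Method         = $vol.EncryptionMethod      # XtsAes128 is the "new encryption mode"
            PercentDone    = $vol.EncryptionPercentage
            Protectors     = ($types -join ',')
            HasRecoveryKey = ($types -contains 'RecoveryPassword')
            HasPrebootPin  = ($types -contains 'TpmPin')
        }
    }
}

function Test-BitLockerPosture {
    # Returns the problems a defender would want fixed; an empty list means all good.
    $issues = @()
    foreach ($row in Get-BitLockerReport) {
        if ($row.Protection -ne 'On') {
            $issues += "$($row.Drive) is not protected by BitLocker"
            continue
        }
        if (-not $row.HasRecoveryKey) {
            $issues += "$($row.Drive) has no recovery password; the data is lost if the unlock method fails"
        }
        if ($row.Drive -eq $env:SystemDrive -and -not $row.HasPrebootPin) {
            $issues += "$($row.Drive) (boot drive) relies on the TPM alone; consider adding a pre-boot PIN"
        }
    }
    $issues
}

function Export-BitLockerRecoveryKeys {
    # Writes every recovery password to $Path, refusing a path on a BitLocker-protected volume.
    param([Parameter(Mandatory)][string]$Path)   # constructed example: "E:\bitlocker-keys.txt" on a USB stick
    $root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Path)).TrimEnd('\')
    $encrypted = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' } |
        ForEach-Object { $_.MountPoint }
    if ($encrypted -contains $root) {
        throw "Refusing to save recovery keys to $root because that volume is itself BitLocker-protected."
    }
    $lines = foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword') {
            "Drive $($vol.MountPoint)  Identifier $($kp.KeyProtectorId)  Recovery key $($kp.RecoveryPassword)"
        }
    }
    Set-Content -Path $Path -Value $lines
    "$($lines.Count) recovery key(s) written to $Path"
}

Get-BitLockerReport | Format-Table -AutoSize
Test-BitLockerPosture
# Export-BitLockerRecoveryKeys -Path 'E:\bitlocker-keys.txt'   # run with a removable drive attached
```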

Enable Windows Firewall

Windows Firewall is a piece of software that monitors and filters all data packets coming into and going out of your computer through the network. Disabling it would mean that all sorts of packets can come and go without being inspected or filtered.

Although this is enabled by default, you must ensure that it is not disabled. Here are the steps to enable Windows Firewall:

  1. Press the Windows key + R to launch the Run Command box.

  2. Type in “firewall.cpl” and press Enter to launch the firewall applet.

    Open the firewall applet
  3. Click “Turn Windows Defender Firewall on or off” on the left.

    Turn Firewall on or off
  4. Here, select “Turn on Windows Defender Firewall” for all network profiles and then click OK.

    Turn on Windows Firewall

Scan for malware

If you just got a new device that was previously in use, you should scan it for malware before you start importing your personal data. You can perform deep scans on your PC for malware using the native Windows Security, which automatically quarantines malicious files and items.

Here are the steps to perform a full, detailed scan of your PC:

  1. Open the “Windows Security” app by searching for it in the Start menu.

  2. Click “Virus & threat protection” on the left.

  3. Click “Scan options.”

    Open scan options in Windows Security
  4. Select “Full scan” and then click “Scan now.”

    Perform a full system scan

    Windows Security will now scan your PC for malware and quarantine any apps or files that are deemed malicious. Note that this scan can take some time and is resource-intensive. Therefore, your PC may lag during this time.

  5. Once the scan is complete, go through any quarantined files and remove them from your PC permanently.

Enable Smart App Control

Smart App Control (SAC) is a Windows Security feature that prevents untrusted and dangerous applications from running on your Windows 11 computer. This feature is only enabled on fresh installations of Windows because Microsoft wants to make sure that there aren’t already untrusted apps running on the device when Smart App Control is enabled.

Once the feature is disabled, you must perform a clean Windows 11 installation to enable it again. Otherwise, you will notice that the options are grayed out.

Smart App Control options grayed out

Here are the steps to enable it:

  1. Open the “Windows Security” app by searching for it in the Start menu.

  2. Click “App and browser control.”

  3. Click “Smart App Control settings.”

    Open Smart App Control settings
  4. Select “Evaluation.”

    Enable Smart App Control in evaluation mode

    Alternatively, you may also select “On,” but the chances of the tool blocking even legitimate apps significantly increase, and then Smart App Control becomes a hindrance in your daily work.

Enable Core Isolation (Memory Integrity)

Core Isolation is another Windows Security component that uses virtualization-based security to keep malicious or unsigned code, including unsigned drivers, from being loaded into the Windows kernel. Here is how to enable the feature:

  1. Open the Windows Security app.

  2. Go to “Device Security.”

  3. Click “Core isolation details.”

    Open Core Isolation details
  4. Toggle the sliders under “Memory Integrity” and “Microsoft Vulnerable Driver Blocklist” into the On position.

    Enable Memory Integrity and Microsoft Vulnerable Driver Blocklist
  5. Now restart the computer for the changes to take effect.

Enable Reputation-based protection

Reputation-based protection relies on Microsoft's database of files, apps, and websites that are already known to be malicious. Microsoft uses this list to update Windows Security definitions so such content is automatically blocked before it even reaches your device.

Windows Security offers the following reputation-based protection:

  • Apps and files: Blocks unrecognized apps and files downloaded from the internet.
  • SmartScreen for Microsoft Edge: Blocks access to malicious sites and downloads.
  • Phishing protection: Protects against different types of phishing attacks.
  • Unwanted app blocking: Low-reputation apps and apps that are automatically installed with other programs are blocked.
  • SmartScreen for Microsoft Store: Checks and blocks unwanted content downloaded from Microsoft Store.

All of these protection settings can be enabled from a single page inside Windows Security, and here is how:

  1. Open the Windows Security app.

  2. Go to “App & browser control.”

  3. Click “Reputation-based protection settings.”

    Open reputation-based protection settings
  4. Now toggle the slider under all of the following options into the On position:

    • Check apps and files
    • SmartScreen for Microsoft Edge
    • Phishing protection
    • Potentially unwanted app blocking
    • SmartScreen for Microsoft Store apps
    Enable all reputation-based protection settings

Install Microsoft Defender Application Guard

Microsoft Defender Application Guard is a security feature that helps protect against both known and new attacks by isolating untrusted content. This utility works with Microsoft Office, Internet Explorer (deprecated), and Microsoft Edge.

In the case of Microsoft Edge, Application Guard opens every website that is not on the allow list created by the IT administrator inside a virtualized Hyper-V container. Any URL not on the allow list automatically runs in this isolated environment.

This way, if an attacker compromises your browsing session and then tries to reach your computer or network, they cannot, because the session is confined to the container rather than running on the host.

Similarly, in the case of Microsoft Office, if an employee opens a malicious file in Word or Excel (or any other Office application), it would be isolated from the rest of the network, hence securing it from threats.

Here are the steps to install Microsoft Defender Application Guard:

  1. Press the Windows Key + R to open the Run Command box.

  2. Type in “optionalfeatures” and press Enter to launch the Optional Features window.

  3. Select “Microsoft Defender Application Guard” and click OK.

    Enable Microsoft Defender Application Guard
  4. Click “Restart now” to finalize the installation.

    Restart computer

Additionally, you can perform the following steps if you want to allow copy and paste, saving, printing, and camera and microphone access inside Application Guard. Note that these are optional conveniences and are not required for the protection itself.

  1. Open Windows Security.

  2. Click “App & browser control.”

  3. Click “Change Application Guard settings.”

    Change Application Guard settings
  4. Toggle the slider into the On position under the setting that you want to allow.

    Allow changes to Application Guard settings
  5. When done, restart the computer for the changes to take effect.

Enable Controlled Folder Access

Controlled Folder Access is another Windows Security feature that primarily protects your PC against ransomware and similar threats. It blocks apps that are not trusted from modifying the files in protected folders.

Here are the steps to enable Controlled Folder Access on your Windows 11 device:

  1. Open the Windows Security app.

  2. Open the “Virus & threat protection” tab.

  3. Scroll down and click “Manage ransomware protection.”

    Open ransomware protection settings
  4. Enable Controlled Folder Access by toggling the slider into the On position.

    Enable Controlled Folder Access

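The script below is an added example (not the article's own code) that audits, read-only, the settings from the sections above: Windows Update, the firewall, malware scanning, Smart App Control, Core Isolation, reputation-based protection, Application Guard and Controlled Folder Access. It assumes an elevated PowerShell prompt; the registry locations are the documented backing stores for these toggles, and the meaning of the Smart App Control state values is an assumption noted in the code.

```powershell
# Added example, not from the article: report which Windows Security settings from
# the guide are not in the recommended state. Read-only; run elevated.

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding([string]$Area, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Area = $Area; OK = $Ok; Detail = $Detail }
}

function Get-SecurityPosture {
    # Windows Update: the newest installed update should be recent.
    $lastUpdate = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    New-Finding 'Windows Update' ($lastUpdate -gt (Get-Date).AddDays(-30)) "last update installed $lastUpdate"

    # Firewall: every profile (Domain, Private, Public) must be enabled.
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name
    New-Finding 'Firewall' (-not $off) ("disabled profiles: " + ($off -join ', '))

    # Defender: real-time protection, signature age, and days since the last full scan.
    $mp = Get-MpComputerStatus
    New-Finding 'Real-time protection' $mp.RealTimeProtectionEnabled "AMRunningMode=$($mp.AMRunningMode)"
    New-Finding 'Signatures' ($mp.AntivirusSignatureAge -le 3) "signature age $($mp.AntivirusSignatureAge) day(s)"
    New-Finding 'Full scan' ($mp.FullScanAge -le 30) "days since full scan: $($mp.FullScanAge)"

    # Smart App Control: assumed mapping 1 = On, 2 = Evaluation, 0 = Off.
    $sac = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' 'VerifiedAndReputablePolicyState'
    New-Finding 'Smart App Control' ($sac -in 1, 2) "state value: $sac"

    # Core Isolation: Device Guard reports HVCI (Memory Integrity) as running service 2.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    New-Finding 'Memory Integrity (HVCI)' ($dg.SecurityServicesRunning -contains 2) "running: $($dg.SecurityServicesRunning -join ',')"
    $blk = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' 'VulnerableDriverBlocklistEnable'
    New-Finding 'Vulnerable driver blocklist' ($blk -eq 1) "value: $blk"

    # Reputation-based protection: SmartScreen for apps/files and PUA blocking (1 = block).
    $ss = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled'
    New-Finding 'Check apps and files' ($ss -in 'Warn', 'Block') "SmartScreenEnabled=$ss"
    $pref = Get-MpPreference
    New-Finding 'Potentially unwanted app blocking' ($pref.PUAProtection -eq 1) "PUAProtection=$($pref.PUAProtection)"

    # Controlled Folder Access: 1 = enabled, 2 = audit mode, 0 = off.
    New-Finding 'Controlled Folder Access' ($pref.EnableControlledFolderAccess -eq 1) "value=$($pref.EnableControlledFolderAccess)"

    # Application Guard is an optional Windows feature.
    $mdag = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    New-Finding 'Application Guard' ($mdag.State -eq 'Enabled') "feature state: $($mdag.State)"
}

Get-SecurityPosture | Format-Table -AutoSize
```

Rows with OK = False point back to the section of this guide that fixes them.
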
Set up Windows Hello (Facial/Biometric recognition)

Windows Hello is a more intuitive method to securely access your Windows computer account by configuring a password, PIN, or any other biometric verification method like facial recognition or fingerprint.

A password prevents unauthorized physical access to your account while you are away from your PC, keeping the data secure. The default Windows settings also lock the account after a certain number of incorrect passwords have been entered, blocking brute-force attacks.


You can set up Windows Hello from Settings > Accounts > Sign-in Options.

Set up Windows Hello from Sign-in options

On this page in Windows 11, you can configure the following access security options:

  • Password
  • PIN
  • Fingerprint recognition
  • Facial recognition
  • Picture password
  • Security key

Enable Dynamic Lock

Dynamic Lock is another Windows security feature that automatically locks your account as soon as you are away from the computer. It is based on Bluetooth, and as soon as a paired device’s signals fall below a certain threshold, Windows automatically locks the account.

Dynamic Lock provides an additional layer of security in case a user forgets to lock the account. However, if a perpetrator gains access to the computer before the Bluetooth device is far away and the PC is not idle, the account will not lock.

To enable dynamic lock, you must have a phone paired with your PC. Even after pairing it, the phone must be connected to it via Bluetooth for Dynamic Lock to work.

Here are the steps to enable Dynamic Lock on Windows 11:

  1. Open the Settings app.

  2. Go to “Accounts” and then “Sign-in options.”

  3. Click “Dynamic Lock” to expand it.

  4. Select “Allow Windows to automatically lock your device when you’re away.”

    Enable Dynamic Lock

The steps above will enable Dynamic Lock. However, it is useless unless you have a phone paired via Bluetooth and connected. If not, you will see the following message:

Dynamic Lock is not working because Bluetooth is off on your PC. Go to Bluetooth & other devices to turn Bluetooth on.

If so, pair and connect your phone via Bluetooth, and always keep them connected when you are on your PC, so it knows when the device is far away (with you) and Windows will then lock your account automatically.

When a device is connected, it will be shown in the “Dynamic Lock” section.

Phone connected via Bluetooth for Dynamic Lock

Manage privacy settings (Windows and app permissions)

Different components within Windows track different activities that we humans perform. While some are allowed to track our typing, others are allowed to collect other data and send it back to Microsoft. By default, these privacy settings allow these components to track, collect, and communicate data, unless you change them from the Out Of Box Experience (OOBE) screens while installing the OS.

In Windows, there are a plethora of different privacy settings that I recommend you look at, and perhaps disable, to protect your privacy, both online and offline.

Here is what I recommend you do:

  1. Open the Settings app.

  2. Click “Privacy & security.”

  3. Click “General” under the Windows permissions section.

    Open general privacy settings
  4. Here, disable the following 4 options:

    • Let apps show me personalized ads by using my advertising ID
    • Let websites show me locally relevant content by accessing my language list
    • Let Windows improve Start and search results by tracking app launches
    • Show me suggested content in the Settings app
    Disable general privacy controls
  5. Now go back to “Privacy & security” and click “Inking & typing personalization.”

  6. Disable the option “Custom inking and typing dictionary.”

    Disable custom inking and typing dictionary
  7. Return to the “Privacy & security” page and then go to “Diagnostics & feedback.”

  8. Here, expand and disable the following options:

    • Diagnostic data > Send optional diagnostic data
    • Tailored experiences > Let Microsoft use your diagnostic data…
    Disable diagnostic and feedback controls
  9. Now expand “Delete diagnostic data” and click Delete.

    Delete diagnostic data
  10. Return to the “Privacy & security” page and open “Activity History.”

  11. Expand “Activity History” and disable the option “Store my activity history on this device.”

  12. Click “Clear history.”

    Disable and clear activity history
  13. When asked for confirmation, click Clear.

  14. Go back to the “Privacy & security” page and open “Search permissions.”

  15. Here, disable the following options:

    • Cloud content search > Microsoft account
    • Cloud content search > Work or School account
    • History > Search history on this device
    Restrict search permissions in Windows
  16. Now back on the “Privacy & security” Settings page, visit the sections under the “App permissions” and disable access to the ones that you do not use. These include the following (but are not limited to):

    • Location
    • Camera
    • Microphone
    • Contacts
    • Phone calls
    • Call history
    • Emails
    • Messaging
    • Documents
    • Pictures
    • Videos
    Manage app permissions from Windows Settings

Once you are done with the steps above, you will have successfully disabled and gone through all the privacy settings in Windows that store your data, share it, or use it to show you personalized content.
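
As an added example that is not part of the original article, the script below reads the general privacy toggles from step 4 and the app permissions from step 16 out of their per-user registry backing stores, and with `Set-PrivacyHardening` applies the recommended values. The registry paths are the ones these Settings toggles write to; which of the three "suggested content" value names is checked, and the capability names for phone calls, call history, email and messaging, are assumptions noted inline.

```powershell
# Added example, not from the article: audit and apply the privacy settings from the
# steps above via the registry. Runs as the current user; no elevation needed.

# Step 4 (General): registry value behind each toggle and the value that means "off".
$GeneralPrivacy = @(
    @{ Name = 'Advertising ID';       Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo';  Value = 'Enabled';                  Off = 0 }
    @{ Name = 'Language list access'; Path = 'HKCU:\Control Panel\International\User Profile';                    Value = 'HttpAcceptLanguageOptOut'; Off = 1 }
    @{ Name = 'Track app launches';   Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Value = 'Start_TrackProgs';         Off = 0 }
    # "Suggested content in Settings" is stored under ContentDeliveryManager; 338393 is one of
    # its SubscribedContent values (assumption: the others follow the same pattern).
    @{ Name = 'Suggested content';    Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager'; Value = 'SubscribedContent-338393Enabled'; Off = 0 }
)

# Step 16 (App permissions): Settings page name -> capability key in the ConsentStore.
# Setting Value=Deny on the capability key denies every app; per-app overrides live beneath it.
$AppPermissions = [ordered]@{
    'Location'     = 'location'
    'Camera'       = 'webcam'
    'Microphone'   = 'microphone'
    'Contacts'     = 'contacts'
    'Phone calls'  = 'phoneCall'          # assumed capability name
    'Call history' = 'phoneCallHistory'   # assumed capability name
    'Emails'       = 'email'              # assumed capability name
    'Messaging'    = 'chat'               # assumed capability name
    'Documents'    = 'documentsLibrary'
    'Pictures'     = 'picturesLibrary'
    'Videos'       = 'videosLibrary'
}
$ConsentStore = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'

function Get-PrivacyPosture {
    foreach ($g in $GeneralPrivacy) {
        $cur = (Get-ItemProperty -Path $g.Path -Name $g.Value -ErrorAction SilentlyContinue).($g.Value)
        [pscustomobject]@{ Setting = $g.Name; Current = $cur; Recommended = $g.Off; OK = ($cur -eq $g.Off) }
    }
    foreach ($p in $AppPermissions.GetEnumerator()) {
        $cur = (Get-ItemProperty -Path "$ConsentStore\$($p.Value)" -Name Value -ErrorAction SilentlyContinue).Value
        [pscustomobject]@{ Setting = "App access: $($p.Key)"; Current = $cur; Recommended = 'Deny'; OK = ($cur -eq 'Deny') }
    }
}

function Set-PrivacyHardening {
    # Writes the "off"/"Deny" values. Supports -WhatIf so the changes can be previewed first.
    [CmdletBinding(SupportsShouldProcess)] param()
    foreach ($g in $GeneralPrivacy) {
        if ($PSCmdlet.ShouldProcess($g.Name, "set $($g.Value)=$($g.Off)")) {
            if (-not (Test-Path $g.Path)) { New-Item -Path $g.Path -Force | Out-Null }
            Set-ItemProperty -Path $g.Path -Name $g.Value -Value $g.Off -Type DWord
        }
    }
    foreach ($p in $AppPermissions.GetEnumerator()) {
        $key = "$ConsentStore\$($p.Value)"
        if ($PSCmdlet.ShouldProcess("App access: $($p.Key)", 'set Value=Deny')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name Value -Value 'Deny' -Type String
        }
    }
}

Get-PrivacyPosture | Format-Table -AutoSize
# Set-PrivacyHardening -WhatIf    # preview; drop -WhatIf to apply
```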

Disable Remote Desktop

Remote Desktop is a Windows feature that allows other computers on your network, or even outside the network, to access your PC (or vice versa) remotely. This also opens network ports on your computer, making it vulnerable to attacks. Therefore, I strongly suggest that you disable it if you do not use the service. Here is how:

  1. Open the Settings app, click System, and then open the Remote Desktop settings.

  2. Toggle the slider in front of “Remote Desktop” into the Off position.

    Disable Remote Desktop
  3. When asked for a confirmation, click Confirm.

    Confirm action

Use standard user accounts

There are two types of user accounts on a computer:

  • Standard: A standard user account has limited privileges to perform tasks. For example, they cannot change the properties of other user accounts, install computer-wide software, etc. When you create a new user account in Windows, it is a standard account by default, which needs to be manually changed to an administrator account if required.
  • Administrator: Administrative accounts have complete control over the computer and the other user accounts on it. The first account created while installing Windows is an administrative account by default and is a member of the Administrators group. However, there is another “Administrator” user account on the computer that is disabled by default and needs to be enabled if needed.

It is recommended that you always use a standard user account for normal day-to-day tasks. This ensures that even if your account is compromised, the attacker will not have sufficient privileges to perform system-wide tasks, like executing malicious scripts that affect all users or system settings.

Using an administrative account is only recommended when you absolutely need it, like when performing legitimate tasks that require those kinds of rights and privileges.

That said, if you are using an administrative account, use the following steps to convert it into a regular standard account:

Note: You need at least one administrator account on your computer at a time that is not disabled. Otherwise, the option to convert an account into a standard account will be disabled and grayed out.

  1. Press the Windows key + R to open the Run Command box.

  2. Type in “Control” and press Enter to launch the Control Panel.

  3. Go to “User accounts,” and then click “User accounts” again.

  4. Click “Change your account type.”

    Change account type from Control Panel
  5. Select “Standard” and click “Change Account Type.”

    Change account type to standard

As mentioned earlier, if you cannot change the account type to Standard because the option is grayed out, it is likely that you are using the only administrator account available on your PC. In this case, it is recommended that you stop using this account, create a new standard account, and make that one your default user account.

Only use the administrative account when it is strictly necessary.

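The script below is an added example (not from the article) covering the two sections above: it confirms that Remote Desktop is off, lists which accounts hold administrator rights, and demotes an account to standard only when another enabled administrator exists, which is the condition the note above describes. It assumes an elevated Windows PowerShell 5.1 session; the user name in the usage line is a constructed value.

```powershell
# Added example, not from the article: remote access and least-privilege checks.
# Run elevated in Windows PowerShell 5.1 (uses the LocalAccounts and NetTCPIP modules).

function Test-RemoteDesktopDisabled {
    # fDenyTSConnections = 1 is what the "Remote Desktop" toggle writes when switched Off.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    # Independent confirmation: nothing should be listening on the RDP port (3389).
    $listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisabledInSettings = ($ts.fDenyTSConnections -eq 1)
        PortListening      = [bool]$listening
    }
}

function Get-AdminAccounts {
    # Members of the local Administrators group, with the enabled state of local users
    # (the built-in "Administrator" account normally shows up here as disabled).
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $enabled = $null
        if ($_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local') {
            $enabled = (Get-LocalUser -SID $_.SID).Enabled
        }
        [pscustomobject]@{ Name = $_.Name; Source = $_.PrincipalSource; Class = $_.ObjectClass; Enabled = $enabled }
    }
}

function Convert-ToStandardAccount {
    # Removes $UserName from Administrators, which turns it into a standard account.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$UserName)
    $admins = Get-AdminAccounts
    $target = $admins | Where-Object { $_.Name -like "*\$UserName" }
    if (-not $target) { throw "'$UserName' is not a member of Administrators." }
    # Mirror the guide's note: never leave the machine without an enabled administrator.
    $others = $admins | Where-Object { $_.Name -ne $target.Name -and $_.Enabled -ne $false }
    if (-not $others) {
        throw "Refusing: '$UserName' is the only enabled administrator. Create another administrator first."
    }
    if ($PSCmdlet.ShouldProcess($UserName, 'Remove from Administrators (account becomes standard)')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $UserName
    }
}

Test-RemoteDesktopDisabled
Get-AdminAccounts | Format-Table -AutoSize
# Convert-ToStandardAccount -UserName 'alice' -WhatIf   # preview for a constructed user name
```
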
Configure Find My Device

“Find My Device” is a Windows feature that lets you locate and lock your computer remotely even when you are away from it. It can be used to see where your friends and family are located, track the device in case it is stolen, or lock it in case of theft.

Find My Device uses your device’s integrated Global Positioning System (GPS) and transmits the coordinates over the internet when a location request is authorized. The coordinates are then displayed on a map to the user who requested the location of the device. Of course, only authorized people can access that kind of information, which includes you, the owner.

To use Find My Device on your Windows PC, you must first ensure that the following requirements are met:

Here are the steps to enable Find My Device on Windows 11:

  1. Press the Windows Key + i to open the Settings app.

  2. Click “Privacy & security” on the left, and then click “Find my device” on the right side.

    Open “Find My Device” Settings
  3. Toggle the slider in front of “Find my device” into the On position.

    Enable Find My Device

Once it is enabled, you can track and lock the device remotely in case of theft or loss. Additionally, to make sure that the prerequisites are met, you can follow the complete guide to set up “Find My Device” here.

Configure backups and system restore points

Windows offers several native backup solutions, some of which are automated and regularly back up your data both on the device and off-site (if configured). Often overlooked, backups can save you a lot of time, data, and headaches when disaster strikes.

Data loss cannot be predicted. Whether it is a cyber attack, a natural disaster, or a simple hard drive failure, keeping your data backed up lets you recover it.

On Windows 11, you can configure the automatic creation of restore points – these points (in time) let you revert your settings to a previous state when needed.

Here are the steps to create restore points:


  1. Press the Windows key + R to open the Run Command box.

  2. Type in “sysdm.cpl” and press Enter to launch the System Properties applet.

  3. Switch to the “System Protection” tab.

  4. Select the boot (C:) drive and click Configure.

    Configure system restore
  5. Select “Turn on system protection” and then adjust the slider to allow the maximum space the backups can take.

  6. When done, click Apply and OK.

    Enable system protection
  7. Back on the System Properties applet, click Create to create a restore point right now as well.

    Create a restore point
  8. Enter a name for the restore point and click Create.

    Name the restore point

Once created, you can revert to a restore point later in case of data corruption or any issues faced with Windows.
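
The script below is an added example (not from the article) that performs the System Protection steps above from an elevated Windows PowerShell 5.1 session; `Enable-ComputerRestore` and `Checkpoint-Computer` are not available in PowerShell 7. The 10 % storage cap and the restore point description are constructed values.

```powershell
# Added example, not from the article: enable System Protection, cap its storage,
# and create a named restore point. Run elevated in Windows PowerShell 5.1.

function Enable-RestorePoints {
    param([string]$Drive = "$env:SystemDrive\", [string]$MaxSize = '10%')
    # Step 5: turn on protection for the drive and cap the space shadow copies may use
    # (the slider in the dialog). vssadmin wants the bare drive letter, e.g. C:.
    Enable-ComputerRestore -Drive $Drive
    $letter = $Drive.TrimEnd('\')
    & vssadmin resize shadowstorage /for=$letter /on=$letter /maxsize=$MaxSize | Out-Null
    # Windows throttles manual restore points to one per 24 hours by default;
    # a frequency of 0 removes that throttle so the next call always succeeds.
    Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' `
        -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord
}

function New-NamedRestorePoint {
    param([Parameter(Mandatory)][string]$Description)
    # Steps 7-8: create a restore point now and return the record Windows stored for it.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint | Where-Object Description -eq $Description |
        Sort-Object SequenceNumber -Descending | Select-Object -First 1
}

function Get-RestorePointHistory {
    # Newest first, with the WMI timestamp converted to a readable date.
    Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending | ForEach-Object {
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Description = $_.Description
            Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        }
    }
}

Enable-RestorePoints
New-NamedRestorePoint -Description 'Baseline after Windows 11 hardening' | Out-Null
Get-RestorePointHistory | Format-Table -AutoSize
```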

Additionally, you can also use third-party disk imaging and backup software to create complete backups of your system when needed and keep them off-site. Or, you can create a system image using the Windows-native tool.

Moreover, you can use the following detailed guides to back up different kinds of data from your Windows PC:

Enable Windows Sandbox

Windows Sandbox is a virtualized and isolated desktop environment that allows you to test applications and scripts that are unsafe to run on the actual PC. Whatever happens inside a Sandbox stays within, without affecting the rest of the computer. Moreover, the environment inside the Sandbox is the same as the actual Windows PC.

Windows Sandbox is disabled by default. You have to enable it via the optional features and then run it, like an app, to be able to use it.

Here are the steps to enable Windows Sandbox:

  1. Press the Windows key + R to open the Run Command box.

  2. Type in “optionalfeatures” and press Enter.

  3. Select “Windows Sandbox” and press OK.

    Enable Windows Sandbox

    Windows Sandbox will now be installed.

  4. Launch Sandbox by searching for it in the Start menu.

Windows Sandbox will provide you with a secure environment to access emails that seem suspicious or run apps and programs that you do not trust.
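
As an added example that is not part of the original article, the script below generates a locked-down Windows Sandbox configuration file (.wsb) for exactly that use: a host folder of untrusted files is mapped read-only, and networking, clipboard, printer, camera and microphone redirection are switched off so a sample cannot reach the host or the internet. The folder path and output file name are constructed assumptions.

```powershell
# Added example, not from the article: build a hardened .wsb configuration and open it.
# Windows Sandbox must already be enabled (the optional feature installed above).

function New-SandboxConfig {
    param(
        [Parameter(Mandatory)][string]$ShareFolder,                          # host folder holding the untrusted files
        [string]$OutFile = "$env:USERPROFILE\Desktop\untrusted-test.wsb"     # constructed default path
    )
    if (-not (Test-Path $ShareFolder)) { throw "Folder not found: $ShareFolder" }

    # Every element below is part of the documented .wsb schema.
    $xml = @"
<Configuration>
  <!-- No network: a sample cannot phone home or fetch a second stage -->
  <Networking>Disable</Networking>
  <!-- Close the host-facing channels the Application Guard section also lists -->
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <vGPU>Disable</vGPU>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$ShareFolder</HostFolder>
      <SandboxFolder>C:\Untrusted</SandboxFolder>
      <!-- Read-only: nothing the sample does can alter the files on the host -->
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Untrusted</Command>
  </LogonCommand>
</Configuration>
"@
    Set-Content -Path $OutFile -Value $xml -Encoding UTF8
    $OutFile
}

# Constructed usage: quarantine folder on the host, then launch the sandbox from the file.
$cfg = New-SandboxConfig -ShareFolder "$env:USERPROFILE\Downloads\quarantine"
Start-Process $cfg
```

Everything inside the sandbox is discarded when its window is closed, so keep any notes about the sample on the host side.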

Closing words

This article discusses how you can secure your Windows computer immediately after getting your hands on it. This includes the instances when you buy a new Windows 11 PC or perform a fresh, clean installation.

To make sure that you are protected from day one, implement the configurations and settings discussed in this post so that all the necessary precautions are taken on your end. These will keep your device secure from online and offline threats, as well as protect your privacy.

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).
