
The Best Windows 11 Security Settings

Microsoft keeps updating Windows 11, and there are many security settings you can adjust to suit your needs. One basic step is to keep Windows 11 up to date. You can also turn several protections on or off, such as ransomware and phishing protection, the firewall, biometric authentication, encryption, app controls, and core isolation.

In this article, we share some of the best practices you can follow when configuring Windows security settings. Microsoft has added features like Microsoft Defender Application Guard, which creates a sandbox that lets you browse a website without putting your device at risk and protects Windows 11 from untrusted sources.

The Best Windows 11 Security Settings

You can adjust the Windows security settings according to your preferences. Consider enabling or disabling each one based on your use case. Here are some of the best security settings for Windows 11 that you can check.

Update your Windows 11

When you update Windows 11, your computer receives the latest system patches. Keeping Windows 11 updated helps fix bugs, enhance security, and improve system performance.

  • Open Windows Settings (Windows + I) and head to Windows Update from the left sidebar.
  •  Click on Check for Updates, and if there is an update available, click on Download and Install to install the latest update.
  •  Once the update is installed, click on Restart Now to finish installing the update.

Scan for Windows 11

Microsoft’s Windows Defender can detect and remove viruses, ransomware, spyware, rootkits, and other threats. Windows 11 also keeps Microsoft Defender updated, and running periodic scans helps keep your device secure.

Perform a full scan.

  • Click the Windows button to open Windows Start and start typing “Windows Security.”
  •  Open it and then click on “Virus & Threat Protection.” There you will find “Scan Options.”
  •  Click on “Scan Options,” and then check the checkbox for “Full Scan.” Click on “Scan Now” to start scanning.

Perform an offline virus scan.

  • Open Windows Security and head over to “Virus & Threat Protection.”
  •  Click on “Scan Options” and then choose “Microsoft Defender Antivirus (Offline Scan).”
  •  Then click on “Scan Options.” It will restart automatically in the recovery environment to start a full virus scan.

Perform ransomware protection.

“Controlled Folder Access” is one of the best security features. It monitors the changes that apps try to make to files inside the protected folders. A blocklisted app is blocked, and the user is notified about the suspicious activity.

  • Open Windows Security and go to “Virus & Threat Protection.”
  •  Under “Ransomware Protection,” click on “Manage Ransomware Protection Settings.”
  •  Next, enable the “Controlled Folder Access” toggle switch.

After enabling it, Microsoft Defender Antivirus will start monitoring the protected folder. Now, if there is any suspicious activity, it will notify you about the threat.

Perform phishing protection.

Windows 11 22H2 brings the Phishing Protection feature, which helps users protect their passwords from malicious sites and apps. When enabled, it detects when you enter your account password on an untrusted site or app. It also alerts you about saving the password in plain text in an app and warns you about reusing passwords on other accounts, since reuse makes it easier for attackers to steal your information.

To enable this feature:

  • Open Windows Settings and go to Accounts.
  •  Click on Sign-in Options and then look for the “For Improved Security, Only Allow Windows Hello Sign-in for Microsoft Accounts on This Device” option in the Additional Section.
  •  Toggle the option to turn it off.
  •  Under “Ways to Sign In,” you will find the Windows Hello option (Facial et al., or PIN).
  •  Click on the Remove button twice.
  •  Enter your Microsoft account password to verify it, and then click OK to continue.
  •  Open Windows Security and go to App & Browser Controls.
  •  Click on Reputation-based Protection Settings.
  •  Toggle to enable “Phishing Protection” and check the checkboxes for “Warn me about malicious apps and sites,” “Warn me about password reuse,” and “Warn me about unsafe password storage.”

After enabling the phishing protection feature, it will warn you to reduce the chances of someone gaining unauthorized access to your account.

Perform firewall settings.

The firewall monitors your network traffic and allows or blocks connections based on predefined rules to protect your computer and information from unauthorized access. It is usually enabled by default, and you can turn it on through Windows Security.

To enable the firewall:

  • Open Windows Security and go to Firewall and Network Protection.
  •  Click on the Active Network option and use the toggle to enable Microsoft Defender Firewall.
  •  That is it! It will enable the active network profile.

Perform Windows Hello Face or Fingerprint

This will increase your computer’s security by adding biometric elements like a face or fingerprint to sign in to your profile.

Perform face-recognition authentication.

  • Open Windows Settings and head over to Account.
  •  Go to the Sign-in Option, and then under Ways to Sign-in, choose Facial Recognition (Windows Hello).
  •  Click on Setup, and then click on the Get Started button.
  •  Enter your password or PIN, and then look at the camera so that Windows 11 can create a facial recognition profile of your face.
  •  That’s it! Click on the Close button.

Perform fingerprint authentication.

  • Open Windows Settings, and then click on Accounts.
  •  Go to the Sign-in option and select Fingerprint Recognition Settings under Ways to Sign in.
  •  Choose the Setup button to enable the Windows Hello Fingerprint option, then click the Get Started button.
  •  Enter your password to verify, and then authenticate your fingerprint by touching the fingerprint sensor.
  •  Follow the on-screen instructions to finish the setup.

Enable Dynamic Lock

This built-in security feature in Windows 11 locks your device for you. When you move away from your device, it locks automatically based on the proximity of a Bluetooth-paired device, such as a wearable, adding an extra layer of security.

  • Open Windows Settings and go to Bluetooth and Devices.
  •  Pair your Bluetooth device by clicking on the Add Device button.
  •  Follow the on-screen instructions to choose the Bluetooth device from the list, and then click on Account.
  •  Click on the Sign-in option, and then choose Dynamic Lock.
  •  Check the checkbox for the “Allow Windows to lock your device when you are away automatically” option, and that is it.

Block unwanted apps.

This feature is designed to protect Windows 11 against malicious apps. It is reputation-based protection, which detects and blocks low-reputation apps that cause unexpected behavior on Windows 11.

  • Open Windows Security and go to Apps and Browser Control.
  •  Go to the Reputation-based Protection Settings option under Reputation-based Protection, and then turn on the Potentially Unwanted App Blocking toggle switch to protect the device from unwanted apps on Windows 11.
  •  Check the checkbox for the Block app and Block download options.

Enable Encryption

This excellent security feature allows Windows 11 users to use encryption on their drives to protect their data from unauthorized access to their documents, pictures, and any other data. This feature is available on Windows 11 Pro, Enterprise, and Education.

Steps to Enable Device Encryption

  • Open Windows Settings, and then head over to Storage.
  •  Click on the Advanced Storage Settings that appear on Storage Management, and then click on Disks & Volumes.
  •  Click on the drive that contains the volume to encrypt, then choose the volume on which to enable BitLocker encryption.
  •  Click on the Properties button, and then the Turn on BitLocker option appears under the Operating System Drive section.
  •  Turn on the Turn on BitLocker option, then choose the option to back up the recovery key.
  •  Click on Next, choose the Encrypt used disk space only option, and do the same for the following dialogue box.
  •  Click on the Next button, and then check the checkbox for Run BitLocker System Check and click on Restart Now.

Steps to Enable Device Encryption on Windows 11 Home

  • Open Windows Settings, and then click on Privacy and Security.
  •  Go to the Device Encryption page that appears in the Security section.
  •  Turn on the Device Encryption toggle to enable BitLocker on Windows 11 Home.
  •  That is it!

Enable Windows 11 Smart App Control.

Smart App Control (SAC) is a security feature that locks the system down and only runs trusted apps or apps with valid certificates to prevent unwanted behavior from untrusted applications.

  • Open Windows Security, and then go to App & Browser Controls.
  •  Select Smart App Control Settings, and then click on the Evaluation option.

Once you enable Smart App Control, it will block an app that you will not be able to unblock unless you enable the feature that will require installation.

Enable Windows 11 Core Isolation.

It is a collection of security features to protect Windows 11 from malicious code and hackers. The Windows 11 Core Isolation feature is available as Memory Integrity, which blocks different types of malware from compromising high-security processes in memory.

  • Open Windows Start, and then search for Windows Security to open it.
  •  Go to Device Security and click on Core Isolation Details.
  •  Turn on the Memory Integrity toggle to enable core isolation, and then restart your computer.

Enable Microsoft Defender Application Guard.

It creates a virtualized version of Microsoft Edge so that you can browse untrusted websites without exposing your device to malicious code or attackers.

  • Open Windows Settings and click on Apps.
  •  Next, go to Optional Features and click More Windows Features under Related Settings.
  •  Check the checkbox for the Microsoft Defender Application Guard option and click OK.
  •  That’s it. Now restart your computer.

After restarting, Windows 11 will monitor your browser without compromising your main installation.

Windows Sandbox

Windows Sandbox is similar to Microsoft Defender Application Guard. It provides a virtualized desktop in which you can install and test untrusted applications isolated from the main installation.

  • Open Windows Settings and head over to Apps.
  •  Next, go to the Optional Feature page and then click on More Windows Feature Settings that appear under Related Settings.
  •  Check the Windows Sandbox option’s checkbox, click OK, and then Restart Now.

Disable Remote Desktop

Remote Desktop allows access to files and applications from another location and lets someone offer assistance without being present at the site. Disabling it reduces the risk of unauthorized access by malicious individuals.

  • Open Windows Settings, and then go to System.
  •  From there, click on Remote Desktop, and then toggle to enable Remote Desktop.
  •  Now, confirm your action.

Sync Time and Date

It is essential to keep your time and date correct so that it will not cause any security issues when trying to sign in to a service or application on the network or internet.

  • Open Windows Settings, and then click on Time and Language.
  •  Next, go to the Date & Time page, and then use the Time Zone settings to choose the proper time zone for your location.
  •  After that, enable setting the time automatically with the toggle switch, and then click on the Sync Now button that appears under Additional Settings.

So, these are some of the best practices that you can use to keep your device safe.
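
The settings walked through above can also be checked from an elevated PowerShell prompt instead of clicking through each page. The following read-only audit is an added example, not part of the original article; it assumes the built-in Defender, NetSecurity, BitLocker and DISM modules are present, and the helper names New-Finding and Get-RegValue are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of settings covered in this article.
# It changes nothing; it only reports the current state.

function New-Finding($Setting, $Ok, $Detail) {   # hypothetical helper
    [pscustomobject]@{ Setting = $Setting; Pass = [bool]$Ok; Detail = $Detail }
}

function Get-RegValue($Path, $Name) {            # hypothetical helper
    # Returns $null when the key or value is absent instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = @()

# Microsoft Defender Firewall: every network profile should be enabled.
foreach ($p in Get-NetFirewallProfile) {
    $findings += New-Finding "Firewall ($($p.Name))" ($p.Enabled -eq 'True') "Enabled=$($p.Enabled)"
}

# Defender preferences: 1 means enabled in block mode for both values below.
$mp = Get-MpPreference
$findings += New-Finding 'Controlled Folder Access' ($mp.EnableControlledFolderAccess -eq 1) "Value=$($mp.EnableControlledFolderAccess)"
$findings += New-Finding 'Potentially unwanted app blocking' ($mp.PUAProtection -eq 1) "Value=$($mp.PUAProtection)"

# BitLocker / device encryption on the operating system drive.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$findings += New-Finding 'BitLocker on OS drive' ($os.ProtectionStatus -eq 'On') "Volume=$($os.VolumeStatus), Protection=$($os.ProtectionStatus)"

# Remote Desktop: fDenyTSConnections = 1 means incoming RDP is refused.
$deny = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
$findings += New-Finding 'Remote Desktop disabled' ($deny -eq 1) "fDenyTSConnections=$deny"

# Core Isolation: Memory Integrity (HVCI) is on when Enabled = 1.
$hvci = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' 'Enabled'
$findings += New-Finding 'Memory Integrity' ($hvci -eq 1) "Enabled=$hvci"

# Optional features: Application Guard and Windows Sandbox.
foreach ($f in 'Windows-Defender-ApplicationGuard', 'Containers-DisposableClientVM') {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $f -ErrorAction SilentlyContinue).State
    $findings += New-Finding "Optional feature $f" ($state -eq 'Enabled') "State=$state"
}

$findings | Format-Table -AutoSize
```

A row with Pass = False is not necessarily a problem: Application Guard and Windows Sandbox are optional, and an empty Detail value usually means the feature is not offered on that edition or build.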