Windows 11 security settings

Best security settings for Windows 11 (2024)

Windows 11 has many security features, and these are the best ones you should enable and configure on your computer.

Although Windows 11 is the most secure version of the operating system, you can still add some custom configurations and follow best practices to improve the security of your device. For instance, as part of the best security practices, you can check for system updates and scan the computer for viruses. You can also configure security features, such as ransomware and phishing protection, firewall, biometric authentication, encryption, and other most sonicated features like Smart App Control and Core Isolation.

If you need to browse a website that doesn’t seem trustworthy, the Microsoft Defender Application Guard can create an isolated environment without risking malicious code or hackers from trying to access the device. Furthermore, if you have to install an application from an untrusted source, you use Windows Sandbox to create a lightweight virtual machine to test the application without putting the main installation at risk.

In this guide, I outline a collection of the best security settings for Windows 11 in 2024. 

Windows 11 best security settings to change in 2024

These are the best security settings to apply on Windows 11. (You don’t have to configure every one of them. You should only use the ones you consider the best for your situation.)

1. Install system updates

On Windows 11, installing the latest updates is one of the best ways to keep the device and files secure since the packages can fix bugs, enhance security, and improve system performance.

To install Windows 11 updates manually, use these steps:

  1. Open Settings on Windows 11.

  2. Click on Windows Update.

  3. Click the Check for updates button.

    Windows 11 check and install updates

  4. (Optional) Turn on the “Get the latest updates as soon as they’re available” toggle switch.

  5. Click the “Download and install” button to apply a preview of an upcoming update (if applicable).

    Quick note: Optional updates usually include non-security changes that Microsoft plans to release in the next Patch Tuesday rollout.
  6. Click the Restart now button.

Once you complete the steps, if an update is available, it will download and install automatically on Windows 11.

In addition to using the Windows Update settings, you can update the system through different methods, such as Command Prompt, PowerShell, and the Microsoft Update Catalog website.

1. Scan computer for viruses

Windows 11 has the Microsoft Defender Antivirus to detect and remove virtually any malware, such as viruses, ransomware, spyware, rootkits, etc. If you suspect your computer has been compromised, you can always perform a full or offline scan (if the device is infected with a tough virus) to ensure the device is free of malware. In addition, you can use periodic scanning on devices with a third-party antivirus. 

Full virus scan 

To perform a full virus scan on Windows 11, use these steps:

  1. Open Start.

  2. Search for Windows Security and click the top result to open the app.

  3. Click on Virus & threat protection.

  4. Click on Scan options under the “Current threats” section.

    Windows Security

  5. Select the Full scan option to check the entire system for viruses and any other type of malware.

    Full virus scan

  6. Click the Scan now button.

After you complete the steps, Microsoft Defender Antivirus will scan the computer for malware. If anything is detected, the anti-malware automatically removes (or quarantines) the threats.

You can also use the antivirus with Command Prompt and PowerShell.

Offline virus scan

To run an offline virus scan on Windows 11, use these steps:

  1. Open Windows Security.

  2. Click on Virus & threat protection.

  3. Click on Scan options under the “Current threats” section.

    Open scan options

  4. Check the “Microsoft Defender Offline scan” option.

    Microsoft Defender Offline scan

  5. Click the Scan now button.

  6. Click the Scan button.

Once you complete the steps, the computer will restart automatically in the recovery environment, and Microsoft Defender will start the full virus scan. If the Windows 11 antivirus detects any virus, rootkit, or another type of malware, it automatically removes it.

Enable periodic scanning

If you have another antivirus solution, another best security practice is to enable “periodic scanning” on Windows 11, another best feature that periodically scans and removes threats other antivirus software may have missed.

To enable “periodic scanning” on Microsoft Defender Antivirus for Windows 11, use these steps:

  1. Open Windows Security.

  2. Click on Virus & threat protection.

  3. Click the “Microsoft Defender Antivirus options” setting.

  4. Turn on the Periodic scanning toggle switch.

    Configure periodic scanning

After you complete the steps, the Windows 11 antivirus will use the “Automatic Maintenance” feature to run the scans at optimal times to minimize the impact on performance and battery life.

3. Enable ransomware protection

“Controlled folder access” is another best security feature built into Windows 11 to protect your computer from ransomware attacks. It does this by monitoring the changes that apps make to your files. If an app tries to modify the files inside a protected folder and the app is blacklisted, you’ll get notified about the suspicious activity.

To enable the Controlled folder access anti-ransomware protection on Windows 11, use these steps:

  1. Open Windows Security.

  2. Click on Virus & threat protection.

  3. Click the “Manage ransomware protection” setting under the “Ransomware protection” section.

    Manage ransomware protection

  4. Turn on the “Controlled folder access” toggle switch.

    Enable ransomware protection

Once you complete the steps, Microsoft Defender Antivirus will monitor the protected folders as applications try to modify your files. If suspicious activity occurs, you’ll get a notification about the threat.

In addition to enabling the feature, it is half of the equation. You can always use these instructions to prevent the feature from blocking trusted applications and protect folder locations other than the defaults.

4. Enable phishing protection

Windows 11 includes a phishing protection feature that can protect your passwords from malicious sites and apps. The security feature does this in three ways. First, enabling the future will show you a warning when it detects you entered your account password on an untrusted site or app. It’ll also alert you when trying to save passwords in plain text on an application and reusing passwords on other accounts since it makes it easier for hackers to steal your information.

The feature works on a Microsoft account, local account, Active Directory, or Azure Active Directory. However, the security feature only works when using a password, so you must disable Windows Hello before enabling phishing protection. 

I would only recommend this feature if required or if you are already not using Windows Hello. Otherwise, you will probably be better off using passkeys (see instructions below).

To enable phishing protection on Windows 11, use these steps: 

  1. Open Settings.

  2. Click on Accounts.

  3. Click the Sign-in options tab.

  4. Turn off the “For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device” toggle switch under the “Additional settings” section.

    Disable Window Hello

  5. Select the active Windows Hello option (facial recognition, fingerprint recognition, or PIN) under the “Ways to sign in” section.

  6. Click the Remove button.

  7. Click the Remove button again.

  8. Confirm your Microsoft account password.

  9. Click the OK button.

  10. Open Windows Security.

  11. Click on App & browser control.

  12. Click the “Reputation-based protection settings” option.

    Reputation-based protection settings

  13. Turn on the “Phishing protection” toggle switch to enable the security feature.

    Enable phishing protection

  14. Check the “Warm me about malicious apps and sites” option to display a warning when on an untrusted website or program.

  15. Check the “Warm me about password reuse” option to avoid using the same password when creating a new account or updating the information on a website or program.

  16. Check the “Warm me about unsafe password storage” option to warn you not to save a password in plain text in a text editor.

Once you complete the steps, the “Enhanced Phishing Protection” feature will warn you when entering a password on an untrusted app or website with the option to change the password to reduce the chances of someone gaining unauthorized access to your account.

Since text editors or Office apps were not designed to protect your credentials, you will also get a warning when trying to reuse a password or save passwords in these applications.

5. Create passkeys for websites and apps

The passkeys feature is a secure alternative to replace passwords when you have to sign in to websites and apps supporting this type of authentication. The feature creates a token for the account you want to access, and it’s downloaded on Windows 11. The next time you want to access the online service or app, you will be prompted to enter your Windows Hello credentials instead of using the password.

In other words, a passkey makes an account more secure since the password is not part of the process, making it harder for hackers to compromise your account.

Passkey is not specific to Windows 11. It’s a security standard that more and more companies, including Microsoft, Google, Amazon, Apple, eBay, PayPal, and many more, are implementing into their services. To create a passkey, you must check the service or app account’s settings to make sure the feature is available. 

The following example creates a passkey for your Google account:

  1. Open Microsoft Edge (or Google Chrome).

  2. Open your Google Account.

  3. Sign in and open the web service account settings.

  4. Turn on the “Passkey sign-in” option.

  5. Click the “Create a Passkey” option.

    Create Passkey option

  6. Click the Continue button.

    Create Passkey on Windows 11

  7. Confirm your account credentials on Windows Hello.

    Windows Hello Passkey authentication

  8. Click the OK button.

  9. Click the Done button.

Once you complete the steps, the passkey will be downloaded as a token on your computer. The next time you want to access the service (or app), you can use Windows Hello authentication to complete the sign-in process instead of using the service password.

The token is only valid per device, meaning you must create a passkey on every device you want to access the service. You can view and delete passkeys from Settings > Account > Passkeys.

You can learn more details about passkeys on Windows 11 in this guide.

6. Check firewall settings

The Microsoft Defender Firewall can monitor incoming and outgoing network traffic to allow or block connections based on predefined rules to protect your computer and information from unauthorized access. The feature should be enabled by default, but it’s always a good idea to check and enable it if it’s not.

To enable the firewall through Windows Security, use these steps: 

  1. Open Windows Security.

  2. Click on Firewall & network protection.

  3. Click the active network option.

    Firewall & network protection

  4. Turn on the “Microsoft Defender Firewall” toggle switch to turn off the firewall.

    Microsoft Defender Firewall enabled

After you complete the steps, the firewall will turn on for the active network profile.

7. Enable DNS over HTTPS (DoH)

If you want an extra layer of security and privacy when surfing the internet, you must enable DNS over HTTPS (DoH).

DNS over HTTPS is a networking protocol designed to encrypt Domain Name System (DNS) queries using the Hypertext Transfer Protocol Secure (HTTPS) protocol for privacy and to minimize attacks from hackers from viewing and manipulating your DNS traffic.

Some applications like Google Chrome and Mozilla Firefox already support this feature, but you can also configure it on Windows 11. Here’s how:

  1. Open Settings.

  2. Click on Network & internet.

  3. Click the Ethernet or Wi-Fi tab (depending on the active connection).

    Quick note: If you have a Wi-Fi connection, click on the connection properties to access the settings.
  4. Click the Edit button from the “DNS server assignment” setting.

    Open DNS settings on Windows 11

  5. Select the Manual option from the drop-down menu.

  6. Turn on the IPv4 toggle switch.

  7. Under the “Preferred DNS” and “Alternate DNS” sections, specify the primary and secondary DoH IP address from one of the supported services. For example, you can use Cloudflare (1.1.1.1 and 1.0.0.1) or Google (8.8.8.8 and 8.8.4.4)

    Enable DoH for IPv4

  8. Use the “DNS over HTTPS” drop-down menu and select the On (automatic template) option since it sends all DNS traffic with encryption, but you can also choose other encryption preferences.

  9. Turn off the “Fallback to plaintext” toggle switch.

    Quick tip: If you enable this feature, the system will encrypt DNS traffic, but it allows queries to be sent without encryption.
  10. Click the Save button.

Once you complete the steps, the computer will encrypt DNS traffic over the HTTPS protocol for a more secure and private experience.

You can learn more details and how to confirm the DoH settings are working with these instructions.

8. Enable Windows Hello Face or fingerprint

As part of the best security settings for Windows 11, you can also use Windows Hello, which allows you to increase your computer’s security by adding biometric elements (such as your face or fingerprint) to sign in to your profile. If you don’t have a device that integrates some biometric hardware, you must purchase a compatible face recognition camera or fingerprint reader to set it up.

Enable face recognition authentication

To configure Windows Hello facial recognition to unlock a computer on Windows 11, use these steps:

  1. Open Settings.

  2. Click on Accounts.

  3. Click the Sign-in options page on the right side.

  4. Select the “Facial recognition (Windows Hello)” setting under the “Ways to sign in” section.

  5. Click the Set up button.

    Windows Hello face setup

  6. Click the Get started button.

    Windows Hello get started

  7. Confirm your current password (or PIN).

  8. Look directly into the camera for Windows 11 to create a facial recognition profile of your face.

    Windows Hello camera setup

  9. Click the Close button.

Once you complete the steps, you can lock your computer (Windows key + L) and look into the camera to sign in.

Enable fingerprint authentication

To set up Windows Hello with a fingerprint reader, use these steps: 

  1. Open Settings.

  2. Click on Accounts.

  3. Click on Sign-in options.

  4. Select the “Fingerprint recognition” setting under the “Ways to sign in” section.

  5. Click the Set up button to enable the Windows Hello fingerprint option.

    Set up fingerprint reader

  6. Click the Get started button.

    Get started Windows Hello fingerprint

  7. Confirm your account password.

  8. Touch the fingerprint sensor as indicated in the wizard.

    Touch fingerprint sensor

  9. Continue with the on-screen directions to capture your fingerprint from various angles.

After completing the steps, you can lock your device and use the fingerprint reader to sign in with your finger.

9. Enable Dynamic Lock

Dynamic Lock is a security feature built into Windows 11 that locks your computer when you step away based on the proximity of a Bluetooth-paired device (such as your phone or wearable), adding another layer of security.

To enable Dynamic Lock on Windows 11, use these steps:

  1. Turn on the peripheral.

  2. Turn on the device’s Bluetooth pair option to make it discoverable.

  3. Open Settings on Windows 11.

  4. Click on Bluetooth & devices.

  5. Turn on the Bluetooth toggle switch to enable the wireless radio (if applicable).

  6. Click the Add device button.

    Bluetooth add new device

  7. Select the Bluetooth option.

    Windows 11 Bluetooth pairing option

  8. Choose the Bluetooth device from the list.

    Bluetooth device pairing

  9. Continue with the on-screen directions (if applicable).

  10. Click on Accounts.

  11. Click the Sign-in options tab.

  12. Select the Dynamic lock setting.

  13. Check the “Allow Windows to automatically lock your device when you’re away” option.

    Enable Dynamic Lock

Once you complete the steps, when the Bluetooth device isn’t near the computer, Windows 11 will turn off the screen and lock your account after 30 seconds of inactivity.

10. Block unwanted apps

Windows Security has a feature to protect your installation against malicious apps. The feature is known as “reputation-based protection,” it can detect and block low-reputation apps that may cause unexpected behaviors on Windows 11, such as poorly designed or harmful apps.

To enable reputation-based protection to protect Windows 11 from unwanted apps, use these steps:

  1. Open Windows Security.

  2. Click on App & browse control.

  3. Click the “Reputation-based protection settings” option under the “Reputation-based protection” section.

    Reputation based protection settings

  4. Turn on the “Potentially unwanted app blocking” toggle switch.

    Block unwanted apps on Windows 11

  5. Check the Block apps option.

  6. Check the Block downloads option.

After you complete the steps, Windows 11 can detect and block apps with a low reputation that may cause problems.

11. Enable encryption

BitLocker is yet another feature on the list that can be considered one of the best for security since it allows you to use encryption on a drive to protect your data from unauthorized access to your documents, pictures, and any data you may have on the computer.

The feature is only available in the Pro, Enterprise, and Education editions of Windows 11. However, on Windows 11 Home, you can use “device encryption” on some devices.

Enable device encryption on Windows 11 Pro

To configure BitLocker on a Windows 11 drive, use these steps:

  1. Open Settings.

  2. Click on Storage.

  3. Click on Advanced storage settings under the “Storage management” section.

  4. Click on Disks & volumes.

    Disks & volumes

  5. Select the drive with the volume to encrypt.

  6. Choose the volume to enable BitLocker encryption and click the Properties button.

    Settings app drive properties

  7. Click the “Turn on BitLocker” option.

    Windows 11 turn on BitLocker option

  8. Click the “Turn on BitLocker” option under the “Operating system drive” section.

    BitLocker Windows 11 drive encryption

  9. Select the “Save to your Microsoft account” option (recommended).

    Save encryption key to Microsoft account

  10. Click the Next button.

  11. Select the “Encrypt used disk space only” option.

    Encrypt used disk space only

  12. Click the Next button.

  13. Select the “New encryption mode” option.

    New encryption mode

  14. Click the Next button.

  15. Check the “Run BitLocker system check” option.

    BitLocker system check

  16. Click the Restart now button.

After you complete the steps, the computer will restart to apply the encryption settings and enable BitLocker.

You can also enable encryption for secondary and external drives. And using BitLocker To Go, you can protect your data on USB flash drives.

Enable device encryption on Windows 11 Home

To configure BitLocker encryption on Windows 11 Home, use these steps:

  1. Open Settings.

  2. Click on Privacy & Security.

  3. Click the Device encryption page under the “Security” section.

    Open Device encryption settings

  4. Turn on Device encryption to enable BitLocker on Windows 11 Home.

    Windows 11 Home enable BitLocker

Once you complete the steps, the feature will encrypt the entire system drive.

If you no longer need encryption, it’s possible to decrypt the drive using the same instructions.

12. Enable Smart App Control

On Windows 11, Smart App Control (SAC) is a security feature that locks the system down, allowing it to run only trusted apps or apps with valid certificates to prevent unwanted behaviors from untrusted applications.

To enable Smart App Control on Windows 11, use these steps:

  1. Open Windows Security.

  2. Click on App & browse control.

  3. Click on Smart App Control settings.

    Smart App Control settings

  4. Select the Evaluation option. 

    Smart App Control evaluation

After you complete the steps, the feature will run quietly in the background but not block anything. However, in this stage, the system will learn from your applications to determine whether the feature can run without affecting the experience. 

If Smart App Control can run as expected, the system will turn it on automatically. If the feature gets in the way, the system will turn it off automatically.

Once the evaluation is complete, the feature will enable automatically, but you won’t be able to turn it off. Also, if the system blocks an app, you won’t be able to unblock it unless you turn off the feature, which will require complete reinstallation of the operating system.

13. Enable Core Isolation

Core Isolation is a collection of security features to protect your computer from malicious code and hackers. One of the features available is “memory integrity,” which blocks different types of malware from compromising high-security processes in memory. 

The feature should be enabled by default on Windows 11, but if it’s not, you can use these steps:

  1. Open Start.

  2. Search for Windows Security and click the top result to open the app.

  3. Click on Device Security.

  4. Click the “Core isolation details” option under the “Core isolation” section.

    Open Core isolation settings

  5. Turn on the “Memory integrity” toggle switch to enable the Core isolation.

    Memory Integrity disabled

  6. Restart the computer.

Once you complete the steps, the security feature will be enabled on Windows 11.

14. Microsoft Defender Application Guard

Microsoft Defender Application Guard is a feature available on Windows 11 that creates a virtualized version of Microsoft Edge so you can browse untrusted websites without the risk of malicious code or hackers infecting your computer. This feature is only available on Windows 11 Pro, not in the Home edition.

To enable Microsoft Defender Application Guard on Windows 11, use these steps:

  1. Open Settings.

  2. Click on System.

  3. Click the Optional features page.

    Open Optional features

  4. Click the “More Windows features” setting under the “Related settings” section.

    More Windows features

  5. Check the “Microsoft Defender Application Guard” option.

    Microsoft Defender Application Guard

  6. Click the OK button.

  7. Click the Restart now button.

After completing the steps, you can open Microsoft Edge, click the “Settings and more” (three-dotted) menu in the top-right corner, and select the “New Application Guard window” option. Once the session starts, you can browse the untrusted website without compromising your setup.

When you close the session, the virtualization will be deleted from the computer without saving anything.

15. Windows Sandbox

Windows Sandbox is similar to the Microsoft Defender Application Guard feature. However, the Sandbox feature provides a full desktop virtualization experience to install and test untrusted applications isolated from the main installation.

To enable Windows Sandbox on Windows 11, use these steps:

  1. Open Settings.

  2. Click on System.

  3. Click the Optional features page.

    Open Optional features

  4. Click the “More Windows features” setting under the “Related settings” section.

    More Windows features

  5. Check the Windows Sandbox option.

    Enable Windows Sandbox

  6. Click the OK button.

  7. Click the Restart now button.

Once you complete the steps, you can run Windows Sandbox from the Start menu.

If you have to install an application, you can download the installer from the internet using the browser available on the virtual machine or from the main installation, cut and paste the file on the Windows Sandbox desktop, and then install it on the isolated environment.

16. Full backup

On Windows 11, a full backup is one of the best security practices to create a copy of the entire system. This allows you to recover in case of critical system problems, malware attacks like ransomware, hardware failure, or upgrading the primary drive. In addition, a backup can help you roll back to a previous installation after upgrading to a new feature update or hard drive.

You can always choose a third-party solution, but you can still use the (deprecated) legacy “System Image Backup” tool to save a full backup to a USB hard drive. 

To create a full backup on Windows 11, use these steps:

  1. Open Start.

  2. Search for Control Panel and click the top result to open the app.

  3. Click on System and Security.

  4. Click on File History.

  5. Click the “System Image Backup” option from the left pane.

    System Image Backup

  6. Click the “Create a system image” option from the left pane.

    Create a system image

  7. Select the external drive to save the Windows 11 backup.

    Windows 11 backup external drive

  8. Click the Next button.

  9. Click the Start backup button.

    Windows 11 Start backup

  10. Click the No button.

  11. Click the Close button.

Once you complete the steps, Windows 11 will create a full computer backup.

You will also receive the option to create a repair disk, but you can ignore it since you can use the Windows 11 bootable media to access the recovery settings to restore the backup.

In addition to periodically backing up your device, it’s recommended that you store your files in the cloud using third-party services like OneDrive. This approach will protect the files from hardware failure, ransomware, or theft.

Alternatively, copying your files to an external drive with a simple copy and paste (as long as you don’t have a lot of data) is another way to protect your documents, pictures, videos, and other files.

17. Switch from Administrator to Standard User account

Windows 11 offers two types of accounts (“Administrator” and “Standard User”) with different permission levels to manage the system and apps. The Administrator account has unlimited access and allows users to change system settings, run elevated tasks, and perform virtually any task.

The Standard User account offers a more restrictive environment. A user with this privilege level can work with apps but cannot install apps. They can also change settings, not system settings or settings for other users. 

Since using an account without limits can be a security risk, switching to a standard account is one of the best practices to improve security. You can create a new “Administrator” account only for management and change your account type to “Standard User.”

Create local administrator account

To create an administrator local account through the Settings app, use these steps:

  1. Open Start.

  2. Search for Settings and click the top result to open the app.

  3. Click on Accounts.

  4. Click the Other users page.

  5. Click the Add account button under the “Other users” section.

    Add account

  6. Click the “I don’t have this person’s sign-in information” option.

    Skip Microsoft account option

  7. Click the “Add a user without a Microsoft account” option.

    Windows 11 local account option

  8. Create an administrator account by confirming a name and password.

    Windows 11 local account info

  9. Create security questions and answers to recover the account if the password is lost.

  10. Click the Next button.

  11. Select the newly created account and click the “Change account type” button.

    Change account type

  12. Select the Administrator option from the “Account type” setting.

    Change Standard to Administrator

  13. Click the OK button.

Once you complete the steps, the new account will appear on Windows 11.

Switch to standard account

To change an “Administrator” account to a “Standard Users” account on Windows 11, use these steps:

  1. Sign out of your current account.

  2. Sign in to the newly created administrator account.

  3. Open Settings.

  4. Click on Accounts.

  5. Click the Other users page.

  6. Select the primary account.

  7. Click the “Change account type” button.

    Change account type

  8. Select the Standard User option from the “Account type” setting.

    Change account type to standard

  9. Click the OK button.

After completing the steps, the original account will switch from “Administrator” to “Standard User” account type. You will be prompted to confirm the administrator credential to make system changes or install new apps. You can still sign in to the administrator account to perform system changes.

18. Disable Remote Desktop 

Although the Remote Desktop feature allows you to access files and applications from another location or offer assistance without being present at the site, it also presents a security risk as it may help a malicious individual gain unauthorized access to the computer. As a best security practice, turn off the feature if you don’t use it.

To disable Remote Desktop on Windows 11, use these steps:

  1. Open Settings.

  2. Click on System.

  3. Click on Remote Desktop.

  4. Turn off the Remote Desktop toggle switch.

    Remote Desktop disabled

  5. Click the Confirm button.

Once you complete the steps, malicious individuals shouldn’t be able to exploit the RDP protocol to gain unauthorized access to your computer.

19. Sync time and date

On Windows 11, it’s also important to keep the system with the correct time and date. Otherwise, it could cause security problems, such as trying to sign in to a service or application on the network or internet.

To update the time and date on Windows 11, use these steps:

  1. Open Settings.

  2. Click on Time & language.

  3. Click the Date & time page.

  4. Turn on the “Set time automatically” toggle switch.

  5. Click the Sync now button under the “Additional settings” section.

    Windows 11 sync time settings

After you complete the steps, Windows 11 will update and show the correct time on the computer.

20. Create system restore point

System Restore allows you to create a copy of the system state as a “restore point” to protect the hard drive’s data if something goes wrong after an update, when installing an application, or when making system changes. The feature automatically creates a restore point when it detects system changes (such as installing a new update or driver), but you can always make a restore point manually.

To create a restore point on Windows 11, use these steps:

  1. Open Start on Windows 11.

  2. Search for Create a restore point and click the top result to open the app.

  3. Select the system drive (C) and click the Configure button under the “Protection Settings” section.

    Protection settings on Windows 11

  4. Select the “Turn on system protection” option.

    Enable system protection

  5. Click the Apply button.

  6. Click the OK button.

  7. Click the Create button to create a restore point on Windows 11.

    Create Registry backup

  8. Confirm a name for the restore point.

  9. Click the Create button.

  10. Click the Close button.

Once you complete the steps, the system will create a restore point that includes system files, installed applications, system settings, and a backup of the Registry. 

You can also follow these instructions to restore the device using a restore point. You may need to rest the system if the restoration doesn’t work.

What security settings are you changing on Windows 11? Let me know in the comments.

Update May 7, 2024: This guide has been updated to ensure accuracy and reflect changes to the process.

About the author

Mauro Huculak is a Windows How-To Expert who started Pureinfotech in 2010 as an independent online publication. He has also been a Windows Central contributor for nearly a decade. Mauro has over 15 years of experience writing comprehensive guides and creating professional videos about Windows and software, including Android and Linux. Before becoming a technology writer, he was an IT administrator for seven years. In total, Mauro has over 21 years of combined experience in technology. Throughout his career, he achieved different professional certifications from Microsoft (MSCA), Cisco (CCNP), VMware (VCP), and CompTIA (A+ and Network+), and he has been recognized as a Microsoft MVP for many years. You can follow him on X (Twitter), YouTube, LinkedIn and About.me. Email him at [email protected].