Although Windows 11 is the most secure version of the operating system to date, you can still apply custom configurations and follow best practices to improve the security of your device. For instance, as part of the best security practices, you can check for system updates and scan the computer for malware. You can also configure security features such as ransomware and phishing protection, the firewall, biometric authentication, and encryption, as well as more sophisticated features like Smart App Control and Core Isolation.
If you need to browse a website that doesn’t seem trustworthy, Microsoft Defender Application Guard can open it in an isolated environment so that malicious code on the page cannot reach the rest of the device. Furthermore, if you have to install an application from an untrusted source, you can use Windows Sandbox to create a lightweight virtual machine and test the application without putting the main installation at risk.
In this guide, I outline a collection of the best security settings for Windows 11 in 2024.
Windows 11 best security settings to change in 2024
These are the best security settings to apply on Windows 11. (You don’t have to configure every one of them. You should only use the ones you consider the best for your situation.)
1. Install system updates
On Windows 11, installing the latest updates is one of the best ways to keep the device and files secure since the packages can fix bugs, enhance security, and improve system performance.
To install Windows 11 updates manually, use these steps:
-
Open Settings on Windows 11.
-
Click on Windows Update.
-
Click the Check for updates button.
-
(Optional) Turn on the “Get the latest updates as soon as they’re available” toggle switch.
-
Click the “Download and install” button to apply a preview of an upcoming update (if applicable).
Quick note: Optional updates usually include non-security changes that Microsoft plans to ship in the next Patch Tuesday release.
-
Click the Restart now button.
Once you complete the steps, if an update is available, it will download and install automatically on Windows 11.
In addition to using the Windows Update settings, you can update the system through different methods, such as Command Prompt, PowerShell, and the Microsoft Update Catalog website.
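The following PowerShell script is an added example for this guide, not something built into the Settings page. It drives the same Windows Update Agent COM API that the Settings page uses (`Microsoft.Update.Session` is a documented, built-in interface), lists what is pending, and installs only the updates that carry an MSRC security severity. Run it from an elevated Windows PowerShell or PowerShell 7 session.

```powershell
#Requires -RunAsAdministrator
# Added example: query the built-in Windows Update Agent (the engine behind the
# Settings page) for pending updates and install the security ones.

# One session object shared by searcher, downloader and installer.
$script:WuSession = New-Object -ComObject 'Microsoft.Update.Session'

function Get-PendingUpdate {
    $searcher = $script:WuSession.CreateUpdateSearcher()
    # IsInstalled=0 -> not yet installed; IsHidden=0 -> not hidden by the user
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity     # Critical/Important/... for security updates, empty otherwise
            Update   = $u                  # keep the COM object so it can be installed later
        }
    }
}

function Install-SecurityUpdate {
    param([switch]$WhatIf)
    # Security updates carry an MSRC severity; optional/preview updates do not
    $pending = @(Get-PendingUpdate | Where-Object { $_.Severity })
    if ($pending.Count -eq 0) { Write-Host 'No pending security updates.'; return }

    $coll = New-Object -ComObject 'Microsoft.Update.UpdateColl'
    foreach ($p in $pending) {
        Write-Host ('{0,-10} {1,-10} {2}' -f $p.KB, $p.Severity, $p.Title)
        if (-not $p.Update.EulaAccepted) { $p.Update.AcceptEula() }
        [void]$coll.Add($p.Update)
    }
    if ($WhatIf) { return }

    $downloader = $script:WuSession.CreateUpdateDownloader()
    $downloader.Updates = $coll
    [void]$downloader.Download()

    $installer = $script:WuSession.CreateUpdateInstaller()
    $installer.Updates = $coll
    $r = $installer.Install()
    # ResultCode: 2 = succeeded, 3 = succeeded with errors, 4 = failed
    [pscustomobject]@{ ResultCode = $r.ResultCode; RebootRequired = $r.RebootRequired }
}

# How stale is this machine? Most recently installed updates first.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, Description, InstalledOn
Install-SecurityUpdate -WhatIf     # drop -WhatIf to download and install
```

The `-WhatIf` run is the useful part on a machine you don't fully trust yet: it shows which KBs are security-relevant and how far behind the device is before you commit to a reboot.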
2. Scan computer for viruses
Windows 11 includes Microsoft Defender Antivirus to detect and remove virtually any malware, such as viruses, ransomware, spyware, rootkits, etc. If you suspect your computer has been compromised, you can perform a full scan, or an offline scan if the device is infected with persistent malware (such as a rootkit) that hides itself from the running system, to make sure the device is free of malware. In addition, you can use periodic scanning on devices with a third-party antivirus.
Full virus scan
To perform a full virus scan on Windows 11, use these steps:
-
Open Start.
-
Search for Windows Security and click the top result to open the app.
-
Click on Virus & threat protection.
-
Click on Scan options under the “Current threats” section.
-
Select the Full scan option to check the entire system for viruses and any other type of malware.
-
Click the Scan now button.
After you complete the steps, Microsoft Defender Antivirus will scan the computer for malware. If anything is detected, the anti-malware automatically removes (or quarantines) the threats.
You can also use the antivirus with Command Prompt and PowerShell.
Offline virus scan
To run an offline virus scan on Windows 11, use these steps:
-
Open Windows Security.
-
Click on Virus & threat protection.
-
Click on Scan options under the “Current threats” section.
-
Check the “Microsoft Defender Offline scan” option.
-
Click the Scan now button.
-
Click the Scan button.
Once you complete the steps, the computer will restart automatically into the Windows Recovery Environment, where Microsoft Defender runs a full scan before the operating system (and any malware hooked into it) loads. If the Windows 11 antivirus detects a virus, rootkit, or another type of malware, it automatically removes it.
Enable periodic scanning
If you use another antivirus solution, another best security practice is to enable “periodic scanning” on Windows 11. This feature periodically scans for and removes threats that the other antivirus software may have missed.
To enable “periodic scanning” on Microsoft Defender Antivirus for Windows 11, use these steps:
-
Open Windows Security.
-
Click on Virus & threat protection.
-
Click the “Microsoft Defender Antivirus options” setting.
-
Turn on the Periodic scanning toggle switch.
After you complete the steps, the Windows 11 antivirus will use the “Automatic Maintenance” feature to run the scans at optimal times to minimize the impact on performance and battery life.
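The scans in this section can also be driven from PowerShell with the built-in Defender cmdlets. The script below is an added example for this guide (not part of the original steps): it checks that Defender is actually in charge and its signatures are fresh, runs the scan you pick, and then lists what was found and whether the action succeeded, which the Windows Security app only shows one item at a time. All cmdlets are from the Defender module that ships with Windows.

```powershell
#Requires -RunAsAdministrator
# Added example: Defender health check, scans, and a readable detection report.

function Get-DefenderHealth {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        RunningMode        = $s.AMRunningMode        # 'Normal'; 'Passive Mode' when a third-party AV owns the machine
        TamperProtection   = $s.IsTamperProtected
        SignatureAgeHours  = [math]::Round(((Get-Date) - $s.AntivirusSignatureLastUpdated).TotalHours, 1)
        LastFullScan       = $s.FullScanEndTime
    }
}

function Get-DefenderDetection {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -gt $since } | ForEach-Object {
        $t = Get-MpThreat -ThreatID $_.ThreatID
        [pscustomobject]@{
            Time     = $_.InitialDetectionTime
            Threat   = $t.ThreatName
            Severity = $t.SeverityID          # 0 unknown up to 5 severe
            Path     = ($_.Resources -join '; ')
            Process  = $_.ProcessName
            Cleaned  = $_.ActionSuccess
        }
    }
}

function Start-DefenderScan {
    param([ValidateSet('QuickScan', 'FullScan', 'Offline')][string]$Type = 'FullScan')
    Update-MpSignature                      # newest definitions before scanning
    if ($Type -eq 'Offline') {
        # Reboots immediately into the offline environment; save your work first
        Start-MpWDOScan
        return
    }
    Start-MpScan -ScanType $Type            # blocks until the scan completes
    Get-DefenderDetection -Days 1
}

Get-DefenderHealth
Get-DefenderDetection -Days 30 | Format-Table -AutoSize
# Start-DefenderScan -Type FullScan        # uncomment to run; 'Offline' restarts the PC
```

If `RunningMode` reports `Passive Mode`, a third-party antivirus is active and Defender only scans when asked, which is exactly the case the periodic scanning option above is meant for.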
3. Enable ransomware protection
“Controlled folder access” is another best security feature built into Windows 11 to protect your computer from ransomware attacks. It does this by monitoring the changes that apps make to your files. If an app that is not on the allowed list (apps Microsoft considers trusted, plus any you add yourself) tries to modify files inside a protected folder, the change is blocked and you get notified about the suspicious activity.
To enable the Controlled folder access anti-ransomware protection on Windows 11, use these steps:
-
Open Windows Security.
-
Click on Virus & threat protection.
-
Click the “Manage ransomware protection” setting under the “Ransomware protection” section.
-
Turn on the “Controlled folder access” toggle switch.
Once you complete the steps, Microsoft Defender Antivirus will monitor the protected folders as applications try to modify your files. If suspicious activity occurs, you’ll get a notification about the threat.
Enabling the feature is only half of the equation. You can also use these instructions to allow trusted applications that the feature would otherwise block and to protect folder locations other than the defaults.
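The practical problem with Controlled folder access is the first week, when it blocks a backup tool or a build script you forgot about. The script below is an added example for this guide (not part of the original steps) that does it the safe way: audit mode first, review what would have been blocked from the Defender event log, then enforce. The folder and application paths are placeholders for the example.

```powershell
#Requires -RunAsAdministrator
# Added example: roll out Controlled folder access in audit mode, review, then enforce.

# 1. Audit mode: nothing is blocked, but every write an unknown app makes to a
#    protected folder is logged (event ID 1124), so you see what enforcement would break.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect locations beyond the defaults (Documents, Pictures, Videos, ...).
#    Paths are assumptions for this example; use your own.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects', 'D:\Photos'

# 3. Allow a trusted tool that legitimately writes there (full path, not just a name).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Git\cmd\git.exe'

function Get-CfaEvent {
    param([int]$Days = 7)
    # 1123 = blocked (Enabled mode), 1124 = would have been blocked (AuditMode)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audit' }
            # The message body carries the offending process and the target path
            Detail = (($_.Message -split '\r?\n') | Where-Object { $_ -match 'Process Name:|Path:' }) -join ' | '
        }
    }
}

# 4. Review the audit trail. When only things you don't recognise show up, enforce.
Get-CfaEvent | Format-Table -AutoSize
Set-MpPreference -EnableControlledFolderAccess Enabled
(Get-MpPreference).EnableControlledFolderAccess    # 1 = Enabled, 2 = AuditMode, 0 = Disabled
```

Keep `Get-CfaEvent` around after enforcing: a 1123 event tells you which app to add to the allowed list, and a 1123 for an app you never launched is worth investigating rather than allowing.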
4. Enable phishing protection
Windows 11 includes a phishing protection feature that can protect your password from malicious sites and apps. The security feature does this in three ways. First, enabling the feature shows a warning when it detects that you entered your account password on an untrusted site or app. It also alerts you when you try to save a password in plain text in an application, and when you reuse your Windows password on other accounts, since reuse makes it easier for an attacker who compromises one site to get into the others.
The feature works with a Microsoft account, local account, Active Directory, or Azure Active Directory account. However, it only works when you sign in with a password, so you must remove Windows Hello before enabling phishing protection.
I would only recommend this feature if required or if you are already not using Windows Hello. Otherwise, you will probably be better off keeping Windows Hello and using passkeys (see instructions below).
To enable phishing protection on Windows 11, use these steps:
-
Open Settings.
-
Click on Accounts.
-
Click the Sign-in options tab.
-
Turn off the “For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device” toggle switch under the “Additional settings” section.
-
Select the active Windows Hello option (facial recognition, fingerprint recognition, or PIN) under the “Ways to sign in” section.
-
Click the Remove button.
-
Click the Remove button again.
-
Confirm your Microsoft account password.
-
Click the OK button.
-
Open Windows Security.
-
Click on App & browser control.
-
Click the “Reputation-based protection settings” option.
-
Turn on the “Phishing protection” toggle switch to enable the security feature.
-
Check the “Warn me about malicious apps and sites” option to display a warning when on an untrusted website or program.
-
Check the “Warn me about password reuse” option to avoid using the same password when creating a new account or updating the information on a website or program.
-
Check the “Warn me about unsafe password storage” option to be warned when you try to save a password in plain text in a text editor.
Once you complete the steps, the “Enhanced Phishing Protection” feature will warn you when entering a password on an untrusted app or website with the option to change the password to reduce the chances of someone gaining unauthorized access to your account.
Since text editors or Office apps were not designed to protect your credentials, you will also get a warning when trying to reuse a password or save passwords in these applications.
5. Create passkeys for websites and apps
The passkeys feature is a secure alternative to passwords when you sign in to websites and apps that support this type of authentication. When you create a passkey, Windows 11 generates a cryptographic key pair for the account: the private key stays on your device, protected by Windows Hello, and the service stores only the public key. The next time you want to access the online service or app, you will be prompted for your Windows Hello credentials instead of a password.
In other words, a passkey makes an account more secure because there is no shared secret for a phishing site or a breached database to capture, and the key only works for the site it was created for.
Passkeys are not specific to Windows 11. They are an industry standard (FIDO2/WebAuthn) that more and more companies, including Microsoft, Google, Amazon, Apple, eBay, PayPal, and many more, are implementing in their services. To create a passkey, check the service or app account’s settings to make sure the feature is available.
The following example creates a passkey for your Google account:
-
Open Microsoft Edge (or Google Chrome).
-
Open your Google Account.
-
Sign in and open the web service account settings.
-
Turn on the “Passkey sign-in” option.
-
Click the “Create a Passkey” option.
-
Click the Continue button.
-
Confirm your account credentials on Windows Hello.
-
Click the OK button.
-
Click the Done button.
Once you complete the steps, the passkey’s private key is stored on your computer. The next time you want to access the service (or app), you can use Windows Hello authentication to complete the sign-in process instead of the service password.
A passkey stored in Windows is bound to that device, meaning you must create a passkey on every device from which you want to access the service (or sign in from another device using your phone or a security key as the authenticator). You can view and delete passkeys from Settings > Accounts > Passkeys.
You can learn more details about passkeys on Windows 11 in this guide.
6. Check firewall settings
The Microsoft Defender Firewall can monitor incoming and outgoing network traffic to allow or block connections based on predefined rules to protect your computer and information from unauthorized access. The feature should be enabled by default, but it’s always a good idea to check and enable it if it’s not.
To enable the firewall through Windows Security, use these steps:
-
Open Windows Security.
-
Click on Firewall & network protection.
-
Click the active network option.
-
Turn on the “Microsoft Defender Firewall” toggle switch to enable the firewall.
After you complete the steps, the firewall will turn on for the active network profile. Repeat the check for the other profiles (Domain, Private, and Public), because the device applies a different profile, and therefore different rules, depending on the network it is connected to.
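Checking one profile in the app is easy to forget for the other two, and a firewall that is "on" still lets in anything an inbound allow rule permits. The script below is an added example for this guide (not part of the original steps), using the NetSecurity cmdlets that ship with Windows: it enforces the same baseline on all three profiles and then lists every enabled inbound allow rule with its ports so you can see what is actually reachable.

```powershell
#Requires -RunAsAdministrator
# Added example: enforce the firewall baseline on every profile and audit inbound exposure.

# Enabled, block inbound by default, allow outbound, log drops, prompt when a new app starts listening
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -NotifyOnListen True -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

function Test-FirewallBaseline {
    # Returns $true only if all three profiles are on and block inbound by default
    $bad = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
    if ($bad) { $bad | Select-Object Name, Enabled, DefaultInboundAction | Format-Table; return $false }
    return $true
}

function Get-InboundAllowRule {
    # Every enabled inbound allow rule is attack surface; show it with protocol and ports
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $pf.Protocol
            LocalPort = ($pf.LocalPort -join ',')
        }
    }
}

Test-FirewallBaseline
Get-InboundAllowRule | Sort-Object Name | Format-Table -AutoSize
```

Rules with `LocalPort` of `Any` on the Public profile deserve a second look; an installer that added one for its own convenience rarely needed it on a coffee-shop network.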
7. Enable DNS over HTTPS (DoH)
If you want an extra layer of security and privacy when browsing the internet, you can enable DNS over HTTPS (DoH).
DNS over HTTPS is a networking protocol that encrypts Domain Name System (DNS) queries inside HTTPS connections. It keeps anyone on the network path (for example, on public Wi-Fi) from seeing which names you resolve or tampering with the answers. It does not hide the IP addresses you then connect to, and the DoH resolver itself still sees your queries, so pick a provider you trust.
Some applications like Google Chrome and Mozilla Firefox already support this feature on their own, but you can also configure it system-wide on Windows 11 so that every app benefits. Here’s how:
-
Open Settings.
-
Click on Network & internet.
-
Click the Ethernet or Wi-Fi tab (depending on the active connection).
Quick note: If you have a Wi-Fi connection, click on the connection properties to access the settings.
-
Click the Edit button from the “DNS server assignment” setting.
-
Select the Manual option from the drop-down menu.
-
Turn on the IPv4 toggle switch.
-
Under the “Preferred DNS” and “Alternate DNS” sections, specify the primary and secondary IP addresses of a resolver that supports DoH. For example, you can use Cloudflare (1.1.1.1 and 1.0.0.1) or Google (8.8.8.8 and 8.8.4.4). Windows offers the automatic template option only for addresses on its built-in list of known DoH resolvers; for another resolver you have to supply the template manually.
-
Use the “DNS over HTTPS” drop-down menu and select the On (automatic template) option since it sends all DNS traffic with encryption, but you can also choose other encryption preferences.
-
Turn off the “Fallback to plaintext” toggle switch.
Quick tip: If you leave fallback enabled, the system encrypts DNS traffic when it can, but it silently sends queries unencrypted whenever the DoH server can’t be reached, which is exactly the condition an attacker on the network can create. Turning it off means name resolution fails instead of leaking.
-
Click the Save button.
Once you complete the steps, the computer will encrypt DNS traffic over the HTTPS protocol for a more secure and private experience.
You can learn more details and how to confirm the DoH settings are working with these instructions.
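The same configuration from PowerShell, plus the check most guides skip: proving that queries are really going out over HTTPS. This is an added example for this guide, not part of the original steps. It uses the DnsClient cmdlets that ship with Windows 11; Cloudflare's addresses and template are used only as a concrete instance, and the per-adapter encryption state can still be confirmed afterwards in Settings.

```powershell
#Requires -RunAsAdministrator
# Added example: configure DoH system-wide and verify it is in use.

$Resolvers = @('1.1.1.1', '1.0.0.1')                      # Cloudflare; any DoH resolver works the same way
$Template  = 'https://cloudflare-dns.com/dns-query'

# 1. Register the resolvers. Windows ships a known-server list (Get-DnsClientDohServerAddress),
#    but those entries are not set to auto-upgrade. Re-adding them with -AutoUpgrade $true and
#    -AllowFallbackToUdp $false is the PowerShell equivalent of "On (automatic template)" with
#    "Fallback to plaintext" switched off.
foreach ($ip in $Resolvers) {
    Remove-DnsClientDohServerAddress -ServerAddress $ip -ErrorAction SilentlyContinue
    Add-DnsClientDohServerAddress -ServerAddress $ip -DohTemplate $Template `
        -AllowFallbackToUdp $false -AutoUpgrade $true
}

# 2. Point the active physical adapter at those resolvers (the 'Manual' DNS step in Settings)
$nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $Resolvers
Get-DnsClientDohServerAddress | Format-Table ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade

# 3. Verify: a DoH client holds an HTTPS session to the resolver; plain DNS never touches TCP/443
function Test-DohInUse {
    param([string]$Resolver = '1.1.1.1')
    Clear-DnsClientCache
    Resolve-DnsName -Name 'example.com' -Type A -ErrorAction Stop | Out-Null
    Start-Sleep -Seconds 1
    $https = @(Get-NetTCPConnection -RemoteAddress $Resolver -RemotePort 443 -ErrorAction SilentlyContinue)
    if ($https.Count -gt 0) {
        "DoH in use: $($https[0].LocalAddress):$($https[0].LocalPort) -> ${Resolver}:443 ($($https[0].State))"
        return $true
    }
    "No HTTPS session to $Resolver after a lookup; queries are probably still going out over UDP/53"
    return $false
}
Test-DohInUse
```

For a stronger check, run a packet capture (`pktmon` or Wireshark) while resolving a name: with DoH working and fallback off you should see TCP/443 to the resolver and no UDP/53 at all.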
8. Enable Windows Hello Face or fingerprint
As part of the best security settings for Windows 11, you can also use Windows Hello, which lets you sign in to your profile with biometric elements (such as your face or fingerprint) instead of a password. The biometric data never leaves the device: it is stored locally and used to unlock a credential protected by the TPM where one is available, which is why it cannot be reused from a data breach the way a password can. If your device doesn’t include biometric hardware, you need a compatible face recognition camera or fingerprint reader to set it up.
Enable face recognition authentication
To configure Windows Hello facial recognition to unlock a computer on Windows 11, use these steps:
-
Open Settings.
-
Click on Accounts.
-
Click the Sign-in options page on the right side.
-
Select the “Facial recognition (Windows Hello)” setting under the “Ways to sign in” section.
-
Click the Set up button.
-
Click the Get started button.
-
Confirm your current password (or PIN).
-
Look directly into the camera for Windows 11 to create a facial recognition profile of your face.
-
Click the Close button.
Once you complete the steps, you can lock your computer (Windows key + L) and look into the camera to sign in.
Enable fingerprint authentication
To set up Windows Hello with a fingerprint reader, use these steps:
-
Open Settings.
-
Click on Accounts.
-
Click on Sign-in options.
-
Select the “Fingerprint recognition” setting under the “Ways to sign in” section.
-
Click the Set up button to enable the Windows Hello fingerprint option.
-
Click the Get started button.
-
Confirm your account password.
-
Touch the fingerprint sensor as indicated in the wizard.
-
Continue with the on-screen directions to capture your fingerprint from various angles.
After completing the steps, you can lock your device and use the fingerprint reader to sign in with your finger.
9. Enable Dynamic Lock
Dynamic Lock is a security feature built into Windows 11 that locks your computer when you step away based on the proximity of a Bluetooth-paired device (such as your phone or wearable), adding another layer of security.
To enable Dynamic Lock on Windows 11, use these steps:
-
Turn on the peripheral.
-
Turn on the device’s Bluetooth pair option to make it discoverable.
-
Open Settings on Windows 11.
-
Click on Bluetooth & devices.
-
Turn on the Bluetooth toggle switch to enable the wireless radio (if applicable).
-
Click the Add device button.
-
Select the Bluetooth option.
-
Choose the Bluetooth device from the list.
-
Continue with the on-screen directions (if applicable).
-
Click on Accounts.
-
Click the Sign-in options tab.
-
Select the Dynamic lock setting.
-
Check the “Allow Windows to automatically lock your device when you’re away” option.
Once you complete the steps, Windows 11 will lock the device about 30 seconds after the paired Bluetooth device goes out of range. Treat Dynamic Lock as a safety net, not a substitute for locking the computer yourself (Windows key + L) when you walk away: Bluetooth range is large enough for someone to reach the unlocked computer before it kicks in.
10. Block unwanted apps
Windows Security has a feature to protect your installation against malicious apps. The feature, known as “reputation-based protection,” can detect and block low-reputation apps that may cause unexpected behaviors on Windows 11, such as poorly designed or harmful apps.
To enable reputation-based protection to protect Windows 11 from unwanted apps, use these steps:
-
Open Windows Security.
-
Click on App & browser control.
-
Click the “Reputation-based protection settings” option under the “Reputation-based protection” section.
-
Turn on the “Potentially unwanted app blocking” toggle switch.
-
Check the Block apps option.
-
Check the Block downloads option.
After you complete the steps, Windows 11 can detect and block apps with a low reputation that may cause problems.
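The two checkboxes map to two different engines: “Block apps” is Defender's PUA protection and “Block downloads” is Edge SmartScreen's PUA check. The script below is an added example for this guide (not part of the original steps) that enforces both and reports what PUA detections the machine has already seen. The Edge policy values are set under the Policies key so a later flip of the switch inside Edge doesn't undo them.

```powershell
#Requires -RunAsAdministrator
# Added example: enable both halves of "Block unwanted apps" and check the result.

# "Block apps": Defender's PUA engine. 0 = Disabled, 1 = Enabled, 2 = AuditMode (log only)
Set-MpPreference -PUAProtection Enabled

# "Block downloads": Edge SmartScreen PUA blocking, enforced through the documented Edge policies
$edge = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
New-Item -Path $edge -Force | Out-Null
Set-ItemProperty -Path $edge -Name SmartScreenEnabled    -Value 1 -Type DWord
Set-ItemProperty -Path $edge -Name SmartScreenPuaEnabled -Value 1 -Type DWord

function Get-PuaStatus {
    [pscustomobject]@{
        DefenderPuaProtection = (Get-MpPreference).PUAProtection                 # expect 1
        EdgeSmartScreenPua    = (Get-ItemProperty -Path $edge).SmartScreenPuaEnabled
        PuaDetectionsSeen     = @(Get-MpThreat | Where-Object ThreatName -like 'PUA:*').Count
    }
}

function Get-PuaDetection {
    # What Defender has classified as PUA on this machine, and whether it ever ran
    Get-MpThreat | Where-Object ThreatName -like 'PUA:*' |
        Select-Object ThreatName, SeverityID, DidThreatExecute, IsActive
}

Get-PuaStatus
Get-PuaDetection | Format-Table -AutoSize
```

If you rely on admin tooling that PUA classification tends to flag (remote-access or bundled-installer utilities), start with `Set-MpPreference -PUAProtection AuditMode`, review `Get-PuaDetection` for a few days, then switch to `Enabled`.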
11. Enable encryption
BitLocker is yet another feature on the list that can be considered one of the best for security since it allows you to use encryption on a drive to protect your data from unauthorized access to your documents, pictures, and any data you may have on the computer.
The feature is only available in the Pro, Enterprise, and Education editions of Windows 11. However, on Windows 11 Home, you can use “device encryption” (a simplified form of BitLocker with fewer options) on devices whose hardware qualifies for it.
Enable BitLocker on Windows 11 Pro
To configure BitLocker on a Windows 11 drive, use these steps:
-
Open Settings.
-
Click on Storage.
-
Click on Advanced storage settings under the “Storage management” section.
-
Click on Disks & volumes.
-
Select the drive with the volume to encrypt.
-
Choose the volume to enable BitLocker encryption and click the Properties button.
-
Click the “Turn on BitLocker” option.
-
Click the “Turn on BitLocker” option under the “Operating system drive” section.
-
Select the “Save to your Microsoft account” option (recommended). You will need the recovery key if the TPM is cleared, the boot configuration changes, or the drive is moved to another computer, so also keep a copy somewhere other than the encrypted device.
-
Click the Next button.
-
Select the “Encrypt used disk space only” option if the drive is new. On a drive that has been in use, select “Encrypt entire drive” instead, so that remnants of deleted files in free space are protected too.
-
Click the Next button.
-
Select the “New encryption mode” option (XTS-AES, the stronger mode for fixed drives).
-
Click the Next button.
-
Check the “Run BitLocker system check” option.
-
Click the Restart now button.
After you complete the steps, the computer will restart to apply the encryption settings and enable BitLocker.
You can also enable encryption for secondary and external drives. And using BitLocker To Go, you can protect your data on USB flash drives.
Enable device encryption on Windows 11 Home
To configure BitLocker encryption on Windows 11 Home, use these steps:
-
Open Settings.
-
Click on Privacy & Security.
-
Click the Device encryption page under the “Security” section.
-
Turn on Device encryption to enable BitLocker on Windows 11 Home.
Once you complete the steps, the feature will encrypt the entire system drive.
If you no longer need encryption, it’s possible to decrypt the drive using the same instructions.
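The same setup from PowerShell, in the order a practitioner wants it: a recovery password is created and escrowed to a file on a separate drive before a single sector is encrypted, the TPM is checked, and the used-space-only shortcut is opt-in because it is the wrong choice for a drive that has been in use. This is an added example for this guide (not part of the original steps); the `E:\BitLockerKeys` path is an assumption for a removable drive you keep away from the PC, and the BitLocker cmdlets are the ones that ship with the Pro, Enterprise, and Education editions.

```powershell
#Requires -RunAsAdministrator
# Added example: BitLocker on the system drive, recovery password escrowed first.

function Enable-SystemDriveBitLocker {
    param(
        [string]$RecoveryKeyDir = 'E:\BitLockerKeys',   # assumption: a removable drive kept away from the PC
        [switch]$UsedSpaceOnly                           # only for a fresh drive; see comment below
    )
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($vol.ProtectionStatus -eq 'On') {
        "Already protected with $($vol.EncryptionMethod), $($vol.EncryptionPercentage)% encrypted"
        return $vol
    }
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'No ready TPM; use -PasswordProtector or -StartupKeyProtector with Enable-BitLocker instead'
    }

    # 1. Recovery password first, so a key exists before encryption starts
    $vol  = Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
    $rp   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    New-Item -ItemType Directory -Force -Path $RecoveryKeyDir | Out-Null
    $file = Join-Path $RecoveryKeyDir "$($env:COMPUTERNAME)-$($rp.KeyProtectorId).txt"
    "Computer: $env:COMPUTERNAME`r`nKey ID: $($rp.KeyProtectorId)`r`nRecovery password: $($rp.RecoveryPassword)" |
        Set-Content -Path $file
    # (On Entra-joined devices, BackupToAAD-BitLockerKeyProtector escrows the same protector to the cloud.)

    # 2. Encrypt: XTS-AES 256 ('new encryption mode'), unlocked by the TPM at boot.
    #    The hardware test runs on the next restart, like the 'Run BitLocker system check' box.
    #    -UsedSpaceOnly is fine for a new drive; on a drive that has been in use, leave it out so
    #    that remnants of deleted files in free space are encrypted too.
    $params = @{ MountPoint = $env:SystemDrive; EncryptionMethod = 'XtsAes256'; TpmProtector = $true }
    if ($UsedSpaceOnly) { $params.UsedSpaceOnly = $true }
    Enable-BitLocker @params | Out-Null

    "Recovery password saved to $file. Restart to run the hardware test and begin encryption."
    Get-BitLockerVolume -MountPoint $env:SystemDrive |
        Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus
}

Enable-SystemDriveBitLocker
```

After the restart, `Get-BitLockerVolume` should show `VolumeStatus` moving from `EncryptionInProgress` to `FullyEncrypted` and `ProtectionStatus` of `On`; until both are true, the drive is not yet protected.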
12. Enable Smart App Control
On Windows 11, Smart App Control (SAC) is a security feature that only lets an application run if Microsoft’s cloud intelligence predicts it to be safe or it is signed with a valid certificate, which stops untrusted applications before they can cause unwanted behavior.
To enable Smart App Control on Windows 11, use these steps:
-
Open Windows Security.
-
Click on App & browser control.
-
Click on Smart App Control settings.
-
Select the Evaluation option.
After you complete the steps, the feature runs quietly in the background without blocking anything. During this stage, the system learns from your applications to determine whether the feature can run without affecting your experience.
If Smart App Control can run as expected, the system will turn it on automatically. If the feature gets in the way, the system will turn it off automatically.
Two caveats: you can turn the feature off at any time, but once it is off (whether you or the evaluation turned it off) it cannot be turned back on without a clean installation of Windows 11, and evaluation mode itself is only offered on a clean installation. Also, if Smart App Control blocks an app, you cannot unblock that single app; your only options are to find a signed version or to turn the feature off.
13. Enable Core Isolation
Core Isolation is a collection of virtualization-based security features that protect your computer’s kernel from malicious code. The main one is “memory integrity” (also called hypervisor-protected code integrity, HVCI), which runs the kernel’s code-integrity checks inside a hypervisor-isolated environment so that unsigned or tampered drivers cannot be loaded, even by malware that already has administrator rights.
The feature should be enabled by default on new Windows 11 installations, but if it’s not (usually because an old, incompatible driver is installed), you can use these steps:
-
Open Start.
-
Search for Windows Security and click the top result to open the app.
-
Click on Device Security.
-
Click the “Core isolation details” option under the “Core isolation” section.
-
Turn on the “Memory integrity” toggle switch.
-
Restart the computer.
Once you complete the steps, the security feature will be enabled on Windows 11.
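The toggle only tells you what is configured; whether memory integrity is actually running after the restart is reported by the Device Guard WMI class. The script below is an added example for this guide (not part of the original steps): it reads that class and, if memory integrity is off, sets the documented registry value the toggle writes.

```powershell
#Requires -RunAsAdministrator
# Added example: read the real VBS/HVCI state, and enable memory integrity if it is off.

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServices codes: 1 = Credential Guard, 2 = HVCI (memory integrity), 3 = System Guard Secure Launch
    [pscustomobject]@{
        VirtualizationBasedSecurity = $(switch ($dg.VirtualizationBasedSecurityStatus) {
            0 { 'Off' } 1 { 'Configured, not running' } 2 { 'Running' } })
        MemoryIntegrityConfigured   = [bool]($dg.SecurityServicesConfigured -contains 2)
        MemoryIntegrityRunning      = [bool]($dg.SecurityServicesRunning -contains 2)
        CredentialGuardRunning      = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

function Enable-MemoryIntegrity {
    $status = Get-VbsStatus
    if ($status.MemoryIntegrityRunning) { 'Memory integrity is already running'; return $status }
    # Same switch the Windows Security toggle flips; takes effect after a restart
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
    'Memory integrity enabled in the registry. Restart, then run Get-VbsStatus again.'
    'If it is configured but not running after the restart, an incompatible driver is loaded; the Windows Security page names it.'
}

Get-VbsStatus
Enable-MemoryIntegrity
```

`MemoryIntegrityConfigured` true with `MemoryIntegrityRunning` false after a reboot is the signature of the incompatible-driver case; removing or updating that driver, not toggling the setting again, is what fixes it.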
14. Microsoft Defender Application Guard
Microsoft Defender Application Guard is a feature on Windows 11 that runs Microsoft Edge inside a hardware-isolated container so you can browse untrusted websites without the risk of malicious code on the page reaching your computer. This feature is only available on Windows 11 Pro, Enterprise, and Education, not in the Home edition. Microsoft has announced that Application Guard for Edge is deprecated, so expect it to disappear in a future release; Windows Sandbox (next section) covers the same use case.
To enable Microsoft Defender Application Guard on Windows 11, use these steps:
-
Open Settings.
-
Click on System.
-
Click the Optional features page.
-
Click the “More Windows features” setting under the “Related settings” section.
-
Check the “Microsoft Defender Application Guard” option.
-
Click the OK button.
-
Click the Restart now button.
After completing the steps, you can open Microsoft Edge, click the “Settings and more” (three-dotted) menu in the top-right corner, and select the “New Application Guard window” option. Once the session starts, you can browse the untrusted website without compromising your setup.
When you close the session, the container is discarded along with anything downloaded or saved inside it.
15. Windows Sandbox
Windows Sandbox is similar to the Microsoft Defender Application Guard feature. However, the Sandbox feature provides a full desktop virtualization experience to install and test untrusted applications isolated from the main installation.
To enable Windows Sandbox on Windows 11, use these steps:
-
Open Settings.
-
Click on System.
-
Click the Optional features page.
-
Click the “More Windows features” setting under the “Related settings” section.
-
Check the Windows Sandbox option.
-
Click the OK button.
-
Click the Restart now button.
Once you complete the steps, you can run Windows Sandbox from the Start menu.
If you have to install an application, you can download the installer using the browser inside the sandbox, or download it on the main installation and copy the file onto the Windows Sandbox desktop, then install it in the isolated environment. Keep in mind that by default the sandbox shares the host’s network connection and clipboard redirection is on, so anything you paste in or out crosses the isolation boundary; both can be turned off with a sandbox configuration file.
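Copying an installer by hand and leaving the network and clipboard on defeats much of the point of a sandbox for testing something you don't trust. The script below is an added example for this guide (not part of the original steps): it enables both features from PowerShell and generates a Windows Sandbox configuration (`.wsb`) that maps the installer folder read-only, disables networking, clipboard sharing and the virtual GPU, and opens the folder on logon. The `D:\Downloads\untrusted` path is an assumption for the example.

```powershell
#Requires -RunAsAdministrator
# Added example: enable Application Guard and Windows Sandbox, then launch a locked-down sandbox.

# Both are optional features (restart required; both need virtualization enabled in firmware)
Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart | Out-Null  # Pro/Enterprise/Education only
Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -NoRestart | Out-Null       # Windows Sandbox

function New-InstallerSandbox {
    param(
        [Parameter(Mandatory)][string]$InstallerDir,                    # host folder holding the untrusted installer
        [string]$WsbPath = (Join-Path $env:TEMP 'untrusted-installer.wsb'),
        [switch]$AllowNetwork                                           # off by default: an installer that "needs" internet can wait
    )
    $net = if ($AllowNetwork) { 'Enable' } else { 'Disable' }
    # ReadOnly mapping: the sandbox can run the installer but cannot write back into the host folder.
    # ClipboardRedirection off: nothing copied inside leaks out, nothing on the host leaks in.
    # VGpu off: the shared GPU is extra attack surface the installer does not need.
    @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>$net</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$InstallerDir</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Installer</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\Installer</Command>
  </LogonCommand>
</Configuration>
"@ | Set-Content -Path $WsbPath -Encoding UTF8
    return $WsbPath
}

# Usage: write the config and launch it. Everything inside is discarded when the window closes.
$wsb = New-InstallerSandbox -InstallerDir 'D:\Downloads\untrusted'
Start-Process -FilePath 'WindowsSandbox.exe' -ArgumentList $wsb
```

Watching what the installer does with the network off is itself informative: an installer that refuses to run without a connection, or that tries to reach out during a "local" install, is telling you something before you ever let it near the real system.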
16. Full backup
On Windows 11, a full backup is one of the best security practices to create a copy of the entire system. This allows you to recover in case of critical system problems, malware attacks like ransomware, hardware failure, or upgrading the primary drive. In addition, a backup can help you roll back to a previous installation after upgrading to a new feature update or hard drive.
You can always choose a third-party solution, but you can still use the (deprecated) legacy “System Image Backup” tool to save a full backup to a USB hard drive.
To create a full backup on Windows 11, use these steps:
-
Open Start.
-
Search for Control Panel and click the top result to open the app.
-
Click on System and Security.
-
Click on File History.
-
Click the “System Image Backup” option from the left pane.
-
Click the “Create a system image” option from the left pane.
-
Select the external drive to save the Windows 11 backup.
-
Click the Next button.
-
Click the Start backup button.
-
Click the No button.
-
Click the Close button.
Once you complete the steps, Windows 11 will create a full computer backup.
You will also receive the option to create a repair disk, but you can ignore it since you can use the Windows 11 bootable media to access the recovery settings to restore the backup.
In addition to periodically backing up your device, it’s recommended that you store your files in a cloud service like OneDrive. This approach protects the files from hardware failure, ransomware (OneDrive keeps version history you can roll back to), or theft. Disconnect the backup drive as soon as the backup finishes: a drive that stays connected is reachable by the same ransomware that encrypts the main installation.
Alternatively, copying your files to an external drive with a simple copy and paste (as long as you don’t have a lot of data) is another way to protect your documents, pictures, videos, and other files.
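The System Image Backup tool is a front end for `wbadmin`, which is still present on Windows 11 and can be scripted. The script below is an added example for this guide (not part of the original steps): it refuses to back up onto the system drive, checks that the target has room for the used space on the system drive, runs the same "all critical volumes" image the Control Panel tool creates, and lists the resulting versions. The drive letter is an assumption for an external disk.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted system image backup with sanity checks (wbadmin is built into Windows).

function Start-SystemImageBackup {
    param([Parameter(Mandatory)][string]$TargetDrive)   # e.g. 'E:' (assumption: an external disk)

    $sysLetter = $env:SystemDrive.Trim(':')
    $tgtLetter = $TargetDrive.Trim(':', '\')
    if ($tgtLetter -eq $sysLetter) { throw 'Backup target must not be the system drive' }

    $sys = Get-Volume -DriveLetter $sysLetter -ErrorAction Stop
    $tgt = Get-Volume -DriveLetter $tgtLetter -ErrorAction Stop
    $usedGB = [math]::Round(($sys.Size - $sys.SizeRemaining) / 1GB)
    $freeGB = [math]::Round($tgt.SizeRemaining / 1GB)
    if ($freeGB -lt $usedGB) { throw "Target has $freeGB GB free; the system drive uses about $usedGB GB" }

    # -allCritical = every volume Windows needs to boot (EFI, recovery, system), same as the Control Panel tool
    $target = "-backupTarget:${tgtLetter}:"
    wbadmin start backup $target -allCritical -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

    wbadmin get versions $target    # confirm the new version is listed before you unplug the drive
}

Start-SystemImageBackup -TargetDrive 'E:'
```

`wbadmin get versions` is the verification step the wizard never offers; a backup that doesn't show up there isn't one you can restore from.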
17. Switch from Administrator to Standard User account
Windows 11 offers two types of accounts (“Administrator” and “Standard User”) with different permission levels to manage the system and apps. The Administrator account has unrestricted access and allows users to change system settings, run elevated tasks, and perform virtually any operation.
The Standard User account offers a more restrictive environment. A user at this privilege level can work with apps but cannot install software that requires elevation, and can change their own settings but not system-wide settings or the settings of other users.
Since any program you run inherits the rights of the account you are signed in with, using an unrestricted account means malware that gets a foothold gets those rights too. Switching to a standard account is therefore one of the best practices to improve security. Create a new “Administrator” account used only for management, and change your everyday account type to “Standard User.”
Create local administrator account
To create an administrator local account through the Settings app, use these steps:
-
Open Start.
-
Search for Settings and click the top result to open the app.
-
Click on Accounts.
-
Click the Other users page.
-
Click the Add account button under the “Other users” section.
-
Click the “I don’t have this person’s sign-in information” option.
-
Click the “Add a user without a Microsoft account” option.
-
Enter a name and password for the new account.
-
Create security questions and answers to recover the account if the password is lost.
-
Click the Next button.
-
Select the newly created account and click the “Change account type” button.
-
Select the Administrator option from the “Account type” setting.
-
Click the OK button.
Once you complete the steps, the new account will appear on Windows 11.
Switch to standard account
To change an “Administrator” account to a “Standard User” account on Windows 11, use these steps:
-
Sign out of your current account.
-
Sign in to the newly created administrator account.
-
Open Settings.
-
Click on Accounts.
-
Click the Other users page.
-
Select the primary account.
-
Click the “Change account type” button.
-
Select the Standard User option from the “Account type” setting.
-
Click the OK button.
After completing the steps, the original account will switch from “Administrator” to “Standard User” account type. You will be prompted to confirm the administrator credential to make system changes or install new apps. You can still sign in to the administrator account to perform system changes.
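The one way this procedure goes badly is demoting the only enabled administrator and locking yourself out. The script below is an added example for this guide (not part of the original steps): it creates the management account if needed, counts the other enabled local administrators, and refuses to demote your everyday account unless at least one remains. The account names are assumptions for the example; the cmdlets are from the LocalAccounts module that ships with Windows.

```powershell
#Requires -RunAsAdministrator
# Added example: separate admin account plus safe demotion of the daily account.

function ConvertTo-StandardUser {
    param(
        [Parameter(Mandatory)][string]$DailyUser,   # account you sign in with every day (local user name)
        [Parameter(Mandatory)][string]$AdminName    # management-only account, created if missing
    )

    # 1. Management account, member of Administrators only
    if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString -Prompt "Password for $AdminName"
        New-LocalUser -Name $AdminName -Password $pw -Description 'Local administration only' | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $AdminName
    }

    # 2. Enabled local/Microsoft-account admins other than the daily account; bail out if none
    $remaining = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -in 'Local', 'MicrosoftAccount' } |
        ForEach-Object { Get-LocalUser -Name ($_.Name -split '\\')[-1] -ErrorAction SilentlyContinue } |
        Where-Object { $_.Enabled -and $_.Name -ne $DailyUser }
    if (-not $remaining) { throw "Refusing: '$DailyUser' would be the last enabled administrator" }

    # 3. Demote. Membership in Users is untouched, so the profile and files stay.
    #    The new token applies to new logon sessions only: sign out and back in afterwards.
    Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser -ErrorAction Stop

    [pscustomobject]@{
        DailyUserStillAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -like "*\$DailyUser" })
        RemainingAdmins     = ($remaining.Name -join ', ')
    }
}

# Names are assumptions for the example
ConvertTo-StandardUser -DailyUser 'alice' -AdminName 'alice-admin'
```

Day to day, the UAC prompt will ask for the `alice-admin` credentials whenever something needs elevation; that friction is the feature, because malware running as `alice` gets the same prompt and no way past it.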
18. Disable Remote Desktop
Although the Remote Desktop feature allows you to access files and applications from another location or offer assistance without being present at the site, it also presents a security risk as it may help a malicious individual gain unauthorized access to the computer. As a best security practice, turn off the feature if you don’t use it.
To disable Remote Desktop on Windows 11, use these steps:
-
Open Settings.
-
Click on System.
-
Click on Remote Desktop.
-
Turn off the Remote Desktop toggle switch.
-
Click the Confirm button.
Once you complete the steps, the computer no longer accepts Remote Desktop Protocol (RDP) connections, which removes one of the most common ways attackers gain unauthorized access to exposed Windows machines. If you must keep it on, require Network Level Authentication and never expose port 3389 directly to the internet.
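The toggle writes one registry value and disables the “Remote Desktop” firewall rule group; both are easy to check. The script below is an added example for this guide (not part of the original steps): it disables Remote Desktop the same way, reports the actual state (including whether anything still listens on 3389), and, for the case where RDP has to stay on, enforces Network Level Authentication so unauthenticated clients never reach the logon screen.

```powershell
#Requires -RunAsAdministrator
# Added example: disable Remote Desktop and verify, or keep it on with NLA enforced.

$TS = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RemoteDesktopState {
    $deny   = (Get-ItemProperty -Path $TS).fDenyTSConnections
    $nla    = (Get-ItemProperty -Path "$TS\WinStations\RDP-Tcp").UserAuthentication
    $rules  = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                Where-Object Enabled -eq 'True')
    $listen = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ConnectionsDenied = ($deny -eq 1)
        NlaRequired       = ($nla -eq 1)
        OpenFirewallRules = $rules.Count
        ListeningOn3389   = ($listen.Count -gt 0)
        ListenerProcess   = if ($listen.Count -gt 0) { (Get-Process -Id $listen[0].OwningProcess).ProcessName } else { $null }
    }
}

function Disable-RemoteDesktop {
    Set-ItemProperty -Path $TS -Name fDenyTSConnections -Value 1 -Type DWord            # 1 = deny connections
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue  # close the inbound hole too
    # A listener may remain while the Remote Desktop service is running; with the value above
    # set, the service refuses connections, and with the rules disabled they are dropped before that.
    Get-RemoteDesktopState
}

function Enable-RemoteDesktopWithNla {
    # Only if you genuinely need RDP: NLA requires authentication before a session is created
    Set-ItemProperty -Path $TS -Name fDenyTSConnections -Value 0 -Type DWord
    Set-ItemProperty -Path "$TS\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Get-RemoteDesktopState
}

Disable-RemoteDesktop
```

`NlaRequired` of `$false` on a machine that keeps RDP enabled is the finding to fix first: without NLA, anyone who can reach port 3389 gets a logon screen to hammer on.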
19. Sync time and date
On Windows 11, it’s also important to keep the correct time and date. A skewed clock causes security problems, because certificate validation and Kerberos authentication both depend on accurate time: you may be unable to sign in to a service or application on the network or the internet, or websites may show certificate errors.
To update the time and date on Windows 11, use these steps:
-
Open Settings.
-
Click on Time & language.
-
Click the Date & time page.
-
Turn on the “Set time automatically” toggle switch.
-
Click the Sync now button under the “Additional settings” section.
After you complete the steps, Windows 11 will update and show the correct time on the computer.
20. Create system restore point
System Restore allows you to create a copy of the system state as a “restore point” to protect the hard drive’s data if something goes wrong after an update, when installing an application, or when making system changes. The feature automatically creates a restore point when it detects system changes (such as installing a new update or driver), but you can always make a restore point manually.
To create a restore point on Windows 11, use these steps:
-
Open Start on Windows 11.
-
Search for Create a restore point and click the top result to open the app.
-
Select the system drive (C) and click the Configure button under the “Protection Settings” section.
-
Select the “Turn on system protection” option.
-
Click the Apply button.
-
Click the OK button.
-
Click the Create button to create a restore point on Windows 11.
-
Confirm a name for the restore point.
-
Click the Create button.
-
Click the Close button.
Once you complete the steps, the system will create a restore point that includes system files, installed applications, system settings, and a backup of the Registry.
You can also follow these instructions to restore the device using a restore point. You may need to reset the system if the restoration doesn’t work. Keep in mind that restore points live in the same volume shadow copies that ransomware routinely deletes, so treat them as a convenience for rolling back changes, not as a substitute for the full backup described above.
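Scripting a restore point before you change the settings in this guide is a sensible habit, with one catch most people hit: Windows silently skips creating a new restore point if one was made in the last 24 hours. The script below is an added example for this guide (not part of the original steps) that enables protection, lifts that throttle, creates the checkpoint, and shows the newest restore points so you can confirm it exists. The `Checkpoint-Computer` family of cmdlets only exists in Windows PowerShell 5.1, not PowerShell 7.

```powershell
#Requires -RunAsAdministrator
# Added example: create a restore point on demand (Windows PowerShell 5.1 only).

function New-RestorePointNow {
    param([string]$Description = "Before security hardening $(Get-Date -Format 'yyyy-MM-dd HH:mm')")

    Enable-ComputerRestore -Drive "$env:SystemDrive\"

    # Windows skips a new restore point if one was created within the last 24 hours
    # (SystemRestorePointCreationFrequency, in minutes; default 1440). 0 removes the throttle.
    $sr = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    Set-ItemProperty -Path $sr -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord

    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

    # Newest first; the one you just made should be at the top
    Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending |
        Select-Object -First 3 SequenceNumber, Description, RestorePointType
}

New-RestorePointNow
```

If you later want the default throttle back, set `SystemRestorePointCreationFrequency` to 1440 again.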
What security settings are you changing on Windows 11? Let me know in the comments.
Update May 7, 2024: This guide has been updated to ensure accuracy and reflect changes to the process.