For instance, as security best practices, you can check for system updates and scan the computer for viruses. Also, you can enable other security features, such as ransomware and phishing protection, firewall, biometric authentication, encryption, and more sophisticated features like Smart App Control and Core Isolation. If you need to browse a website that doesn’t seem trustworthy, Microsoft Defender Application Guard can create an isolated environment to browse it without the risk of malicious code or hackers accessing the device. Also, if you have to install an application from an untrusted source, you can use Windows Sandbox to create a lightweight virtual machine to test the application without putting the main installation at risk. This guide includes a collection of the best security settings for Windows 11 in 2023.

Windows 11 best security settings to change in 2023

These are the best security settings to apply on Windows 11. (You don’t have to configure every one of them, only use the ones you consider the best for your situation.)

1. Install system updates

On Windows 11, installing the latest updates on your computer is perhaps the best way to keep your files secure since the packages can fix bugs, enhance security, and improve system performance. To install Windows 11 updates manually, use these steps: Once you complete the steps, if an update is available, it will download and install automatically on Windows 11.

In addition to using the Windows Update settings, you have multiple ways to update the system using Command Prompt, PowerShell, and the Microsoft Update Catalog website.

2. Scan computer for viruses

Windows 11 comes with the Microsoft Defender Antivirus to detect and remove virtually any kind of malware, such as viruses, ransomware, spyware, rootkits, and others. If you suspect your computer has been compromised, you can always perform a full or offline scan (if the device is infected with a tough virus) to ensure the device is free of malware. In addition, you can use periodic scanning on devices with a different antivirus solution. 

Full virus scan 

To perform a full virus scan on Windows 11, use these steps: After you complete the steps, Microsoft Defender Antivirus will scan the computer for viruses and other types of malware. If anything is detected, the antivirus will remove (or quarantine) the threats automatically.

You can also use the antivirus with Command Prompt and PowerShell.
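As an added example (not part of the original guide), the following PowerShell uses the built-in Defender cmdlets to refresh definitions, run a full scan, and list anything detected during that run. It assumes an elevated PowerShell session and that Microsoft Defender Antivirus is the active antivirus.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell session.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled) {
    throw 'Microsoft Defender Antivirus is not active (another antivirus may be registered).'
}

# Refresh definitions first when they are a day old or more.
if ($status.AntivirusSignatureAge -ge 1) {
    Update-MpSignature
}

# Full scan. The call returns when the scan finishes, which can take a long time.
$started = Get-Date
Start-MpScan -ScanType FullScan

# Map threat IDs to names, then list what was detected during this run.
$names = @{}
foreach ($t in Get-MpThreat) { $names[[string]$t.ThreatID] = $t.ThreatName }

$found = Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $started } |
    ForEach-Object {
        [pscustomobject]@{
            Detected  = $_.InitialDetectionTime
            Threat    = $names[[string]$_.ThreatID]
            Resources = $_.Resources -join '; '
            Cleaned   = $_.ActionSuccess
        }
    }

if ($found) { $found | Format-List } else { 'No threats detected during this scan.' }

# Offline scan: uncomment only after saving your work; the computer restarts right away.
# Start-MpWDOScan
```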

Offline virus scan

To run an offline virus scan on Windows 11, use these steps: Once you complete the steps, the computer will restart automatically in the recovery environment, and Microsoft Defender will start the full virus scan. If the Windows 11 antivirus detects any virus, rootkit, or another type of malware, it automatically removes it.

Enable periodic scanning

If you have another antivirus solution, another security best practice is to enable “periodic scanning” on Windows 11, a feature that periodically scans for and removes threats other antivirus software may have missed. To enable “periodic scanning” on Microsoft Defender Antivirus for Windows 11, use these steps: After you complete the steps, the Windows 11 antivirus will use the “Automatic Maintenance” feature to run the scans at optimal times to minimize the impact on performance and battery life.

3. Enable ransomware protection

“Controlled folder access” is another security feature built into Windows 11 to protect your computer from ransomware attacks. It does this by monitoring the changes that apps make to your files. If an app tries to modify the files inside a protected folder and the app is blacklisted, you’ll get notified about the suspicious activity. To enable the Controlled folder access anti-ransomware protection on Windows 11, use these steps: Once you complete the steps, Microsoft Defender Antivirus will monitor the protected folders as applications try to modify your files. If suspicious activity occurs, you’ll get a notification about the threat.

Enabling the feature is only half of the equation. You can always use these instructions to prevent the feature from blocking trusted applications and protect folder locations other than the defaults.
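As an added example (not part of the original guide), this PowerShell turns on Controlled folder access, protects an extra folder, allows one trusted application, and then reviews recent block events in the Defender operational log. The folder and application paths are placeholders, and an elevated session is assumed.

```powershell
# Added example (not from the original guide). Run in an elevated PowerShell session.
# Placeholder paths: replace with a folder and an application that exist on your PC.
$extraFolder = 'D:\Projects'
$trustedApp  = 'C:\Program Files\ExampleEditor\editor.exe'

# Turn the feature on, then extend the defaults.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders $extraFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $trustedApp

# Confirm what is now configured.
$pref  = Get-MpPreference
$modes = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
[pscustomobject]@{
    Mode             = $modes[[int]$pref.EnableControlledFolderAccess]
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List

# Review the last 7 days of Controlled folder access events:
#   1123 = a change was blocked, 1124 = a change was logged in audit mode.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if ($events) {
    # The message names the blocked process and the path it tried to change;
    # use it to decide whether the app belongs on the allowed list.
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    'No Controlled folder access events in the last 7 days.'
}
```

Reviewing the 1123 events after a few days of normal use shows which trusted applications still need to be added to the allowed list.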

4. Enable phishing protection

Starting in version 22H2, Windows 11 includes a phishing protection feature that can protect your passwords from malicious sites and apps. The security feature does this in three ways. First, enabling the feature will show you a warning when it detects you entered your account password on an untrusted site or app. It’ll also alert you when you try to save passwords in plain text in an application and when you reuse passwords on other accounts, since this makes it easier for hackers to steal your information. The feature works on a Microsoft account, local account, Active Directory, or Azure Active Directory. To enable phishing protection on Windows 11, use these steps: Once you complete the steps, the “Enhanced Phishing Protection” feature will warn you when entering a password on an untrusted app or website with the option to change the password to reduce the chances of someone gaining unauthorized access to your account.

Since text editors or Office apps were not designed to protect your credentials, you will also get a warning when trying to reuse a password or save passwords in these applications.

5. Check firewall settings

The Microsoft Defender Firewall can monitor incoming and outgoing network traffic to allow or block connections based on predefined rules to protect your computer and information from unauthorized access. The feature should be enabled by default, but it’s always a good idea to check and enable it if it’s not. To enable the firewall through Windows Security, use these steps:  After you complete the steps, the firewall will turn on for the active network profile.

6. Enable Windows Hello Face or fingerprint

As part of the best security settings for Windows 11, you can also use Windows Hello, which allows you to increase your computer’s security by adding biometric elements (such as your face or fingerprint) to sign in to your profile. If you don’t have a device that integrates some sort of biometric hardware, you will need to purchase a compatible face recognition camera or fingerprint reader to set it up.

Enable face recognition authentication

To configure Windows Hello facial recognition to unlock a computer on Windows 11, use these steps: Once you complete the steps, you can lock your device (Windows key + L) and look into the camera to sign in.

Enable fingerprint authentication

To set up Windows Hello with a fingerprint reader, use these steps:  After completing the steps, you can lock your device (Windows key + L) and then use the fingerprint reader to sign in with the finger you configured.

7. Enable Dynamic Lock

Dynamic Lock is a security feature built into Windows 11 that locks your device when you step away based on the proximity of a Bluetooth-paired device (such as your phone or wearable), adding another layer of security. To enable Dynamic Lock on Windows 11, use these steps: Once you complete the steps, when the Bluetooth device isn’t near the computer, Windows 11 will wait 30 seconds and then turn off the screen and lock the account.

8. Block unwanted apps

Windows Security has a feature to protect your installation against malicious apps. The feature is known as “reputation-based protection,” and it can detect and block low-reputation apps that may cause unexpected behaviors on Windows 11, such as poorly designed or harmful apps. To enable reputation-based protection for unwanted apps on Windows 11, use these steps: After you complete the steps, Windows 11 will be able to detect and block apps with a low reputation that may cause problems.

9. Enable encryption

BitLocker is another security feature that allows you to encrypt a drive to protect your documents, pictures, and any other data you may have on the computer from unauthorized access. On Windows 11, the feature is only available in the Pro, Enterprise, and Education editions. However, on Windows 11 Home, you can use “device encryption” on some devices.

Enable device encryption on Windows 11 Pro

To configure BitLocker on a Windows 11 drive, use these steps: After you complete the steps, the computer will restart to apply the settings and enable BitLocker.

You can also enable encryption for secondary and external drives. And using BitLocker To Go, you can protect your data on USB flash drives.

Enable device encryption on Windows 11 Home

To configure BitLocker encryption on Windows 11 Home, use these steps: Once you complete the steps, the feature will encrypt the entire system drive.

If you no longer need encryption, it’s possible to decrypt the drive with the same instructions.

10. Enable Smart App Control

On Windows 11 22H2 and higher releases, Smart App Control (SAC) is a security feature that locks the system down, allowing it to run only trusted apps or apps with valid certificates to prevent unwanted behaviors from untrusted applications. To enable Smart App Control on Windows 11, use these steps: After you complete the steps, the feature will run quietly in the background, but it won’t block anything. However, in this stage, the system will learn from your applications to determine whether the feature can run without affecting the experience.

If Smart App Control can run as expected, the system will turn it on automatically. If the feature may get in the way, the system will turn it off automatically. Once the evaluation is done, the feature will enable automatically, but you won’t be able to turn it off. Also, if the system then blocks an app, you won’t be able to unblock it unless you turn off the feature, which will require reinstallation.

11. Enable Core Isolation

Core Isolation is a collection of security features to protect your computer from malicious code and hackers. One of the features available is “memory integrity,” which blocks different types of malware from compromising high-security processes in memory.  The feature should be enabled by default on Windows 11, but if it’s not, you can use these steps: Once you complete the steps, the security feature will enable on Windows 11.

12. Microsoft Defender Application Guard

Microsoft Defender Application Guard is a feature available on Windows 11 that creates a virtualized version of Microsoft Edge to browse untrusted websites without the risk of malicious code or hackers infecting your computer. This feature is only available on Windows 11 Pro, not in the Home edition. To enable Microsoft Defender Application Guard on Windows 11, use these steps: After completing the steps, you can open Microsoft Edge, click the Settings and more (three-dotted) menu in the top-right corner, and select the “New Application Guard window” option. Once the session starts, you can browse the untrusted website without compromising your main installation.

When you close the session, the virtualization will be deleted from the computer without saving anything.

13. Windows Sandbox

Windows Sandbox is similar to the Microsoft Defender Application Guard feature, but the difference is that the Sandbox feature provides a full desktop virtualization experience to install and test untrusted applications isolated from the main installation. To enable Windows Sandbox on Windows 11, use these steps: Once you complete the steps, you can run Windows Sandbox from the Start menu.

If you have to install an application, you can download the installer from the internet using the browser available in the virtual machine, or from the main installation, you can cut the file and paste it on the Windows Sandbox desktop.

14. Full backup

On Windows 11, a full backup is one of the best security practices to create a copy of the entire system, allowing you to recover in case of critical system problems, malware attacks like ransomware, hardware failure, or when upgrading the primary drive. In addition, a backup can help you roll back to a previous installation after upgrading to a new feature update or hard drive. You can always choose a third-party solution (such as Macrium Reflect or Veeam), but you can still use the (deprecated) legacy “System Image Backup” tool to save a full backup to a USB hard drive. To create a full backup on Windows 11, use these steps: Once you complete the steps, Windows 11 will create a full backup of your computer.

You will also receive the option to create a repair disk, but you can ignore it since you can use the Windows 11 bootable media to access the recovery settings to restore the backup. In addition to periodically backing up your device, it’s also recommended to use third-party services like OneDrive to store your files in the cloud. This approach will protect the files from hardware failure, ransomware, or theft. Alternatively, copying your files to an external drive with a simple copy and paste (as long as you don’t have a lot of data) is another way to protect your documents, pictures, videos, and other files.

15. Switch from Administrator to Standard User account

Windows 11 offers two types of accounts (“Administrator” and “Standard User”) with different permission levels to manage apps and the system. The Administrator account has unlimited access, allowing users to change system settings, run elevated tasks, and everything else. The Standard User account offers a more restrictive environment. A user with this privilege level can work with apps but cannot install anything else. Also, they can change settings, but not system settings or settings that will affect all users. Since using an account without limits can be a security risk, switching to a standard account is one of the best practices to improve security. You can create a new “Administrator” account only for management and change your account type to “Standard User.”

Create local administrator account

To create an administrator local account through the Settings app, use these steps: Once you complete the steps, the new account will appear on Windows 11.

Switch to standard account

To change an Administrator account to a Standard User account on Windows 11, use these steps: After completing the steps, the original account will switch from the “Administrator” to the “Standard User” account type. You will be prompted to confirm the administrator credentials if you ever need to make system changes or install new apps. You can also sign in to the administrator account to perform system changes.

16. Disable Remote Desktop 

Although the Remote Desktop feature allows you to access files and applications from another location or offer assistance without being present at the site, it also presents a security risk as it may help a malicious individual to gain unauthorized access to the computer. If you don’t use Remote Desktop, you should disable the feature as a best security practice. To disable Remote Desktop on Windows 11, use these steps: Once you complete the steps, malicious individuals shouldn’t be able to exploit the RDP protocol to gain unauthorized access to your computer.
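As an added example (not part of the original guide), this read-only PowerShell audit reports the current state of several settings covered above: real-time antivirus protection, unwanted-app blocking, the firewall profiles, drive encryption, memory integrity, and Remote Desktop. It assumes an elevated PowerShell session and changes nothing on the system.

```powershell
# Added example (not from the original guide). Read-only; run in an elevated PowerShell session.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Setting, $Ok, $Detail) {
    $results.Add([pscustomobject]@{ Setting = $Setting; Pass = [bool]$Ok; Detail = "$Detail" })
}

# 2. Antivirus and 8. unwanted-app blocking (PUAProtection: 1 = block, 2 = audit only).
$av  = Get-MpComputerStatus
$pua = [int](Get-MpPreference).PUAProtection
Add-Check 'Real-time protection' $av.RealTimeProtectionEnabled "Signature age (days): $($av.AntivirusSignatureAge)"
Add-Check 'Unwanted app blocking' ($pua -eq 1) "PUAProtection=$pua"

# 5. Firewall: the Domain, Private and Public profiles should all be enabled.
foreach ($p in Get-NetFirewallProfile) {
    Add-Check "Firewall ($($p.Name))" ($p.Enabled -eq 'True') "Default inbound action: $($p.DefaultInboundAction)"
}

# 9. Encryption of the system drive (BitLocker or device encryption).
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Check 'Drive encryption' ($bl.ProtectionStatus -eq 'On') "$($bl.VolumeStatus), $($bl.EncryptionPercentage)%"
} catch {
    Add-Check 'Drive encryption' $false "Could not query: $($_.Exception.Message)"
}

# 11. Core Isolation: value 2 in SecurityServicesRunning means memory integrity is running.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
Add-Check 'Memory integrity' ($dg.SecurityServicesRunning -contains 2) "Running services: $($dg.SecurityServicesRunning -join ',')"

# 16. Remote Desktop: fDenyTSConnections = 1 means incoming RDP connections are refused.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Add-Check 'Remote Desktop disabled' ($ts.fDenyTSConnections -eq 1) "fDenyTSConnections=$($ts.fDenyTSConnections)"

$results | Format-Table -AutoSize -Wrap
```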

17. Sync time and date

On Windows 11, it’s also important to keep the system with the correct time and date. Otherwise, it could cause security problems, such as when trying to sign in to a service or application on the network or internet. To update the time and date on Windows 11, use these steps: After you complete the steps, Windows 11 will update and show the correct time on the computer.
