Note: This is an early peek at a chapter from my new book, De-Enshittify Windows 11. –Paul
Windows 11 presents a mixed bag when it comes to user security and privacy. While the operating system excels in security, it sometimes compromises on default configurations in the name of privacy. Therefore, ensuring that Windows 11 is as secure as possible is paramount.
✅ Tip: For those purchasing a new PC, the most secure option is a Copilot+ PC equipped with a Qualcomm Snapdragon X-series processor running Windows 11 on Arm. These models, including the less reliable x64 variants with Intel or AMD processors, offer significant security enhancements over standard Windows 11 PCs. However, Windows 11 on Arm with Snapdragon X stands out as the superior choice.
Most users will log into Windows 11 using a Microsoft account, which provides a reasonable level of security. However, power users may opt for a local account, which can be configured in a less secure manner. Thus, it is essential to examine account security closely.
⛔ The problems with not using a Microsoft account
During the initial setup of Windows 11, users typically sign in with a Microsoft account, a process that, while almost mandatory, carries both advantages and disadvantages. The drawbacks often relate to online tracking and targeted advertising, but the security benefits of using a Microsoft account generally outweigh these concerns.
Key advantages include:
- Your Microsoft account can and should be secured with two-factor authentication (2FA), providing a more secure alternative to a simple password.
- Signing in with a Microsoft account generates a device-bound passkey for seamless authentication across various Microsoft apps and services.
- In the event of a compromise, your Microsoft account can be recovered.
- Configurations and settings are automatically backed up to the cloud, allowing for easy recovery when switching devices or resetting your PC.
- Disk encryption is automatically enabled, safeguarding your data in case of loss or theft, with the recovery key stored securely in OneDrive.
- OneDrive Folder Backup is automatically configured, ensuring that essential files are synced to the cloud for easy access across devices.
While some users criticize the enforced Microsoft account sign-in as a form of enshittification, the alternative—a local account—poses significant security risks:
- A local account is limited to a single PC, making recovery impossible if compromised.
- It can be set up without a password, creating an inherent security vulnerability.
- Without a password, a local account cannot utilize a PIN, which adds an extra layer of security.
- Local accounts lack support for 2FA and other passwordless authentication methods.
- Key Windows 11 security features, such as full disk encryption and Windows Hello biometric authentication, are unavailable unless additional steps are taken.
While I do not recommend using a local account, this chapter will guide you on securing Windows 11, regardless of your chosen sign-in method.
💛 Windows 11 security first steps
Ideally, you should secure Windows 11 during the initial configuration of a new or reset PC, but it is also possible to enhance security later. Upon clean installing Windows 11, you will encounter several configuration tasks related to security.
Take any actions suggested by Windows Security
Windows Security serves as the hub for most of Windows 11’s security features. It runs automatically at boot, and you can find its icon in the hidden icons pop-up next to the system tray. If no actions are needed, a green checkmark will indicate that everything is in order. However, a yellow or red alert may signal recommended or required actions.
Clicking the Windows Security icon will launch the app, where you can view any items needing attention. One common feature that often requires activation is “App & browser control.” Ensure this feature is enabled, along with any other flagged recommendations.
Correctly configure device encryption
If you signed in with a Microsoft account, Windows 11 automatically enables a full disk encryption feature called Device encryption. To verify its status, navigate to Settings > Privacy & security > Device encryption. If it shows as “On,” your data is secure.
For those using a local account, you will need to enable Device encryption manually. If you are running Windows 11 Home, you must back up your recovery key to a Microsoft account. For Windows 11 Pro users, you can utilize BitLocker for additional encryption options.
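A scripted way to verify the state described above, added here as an example and not code from the book: it reports TPM readiness, the encryption and protection status of the system drive, and whether a recovery password protector exists (only its ID is shown, never the password). It assumes an elevated PowerShell session and the built-in BitLocker and TrustedPlatformModule cmdlets; where Get-BitLockerVolume is unavailable it falls back to manage-bde.exe.

```powershell
# Added example (not from the book): verify Device encryption on the system drive.
# Run from an elevated PowerShell window.

function Test-DeviceEncryption {
    $drive = $env:SystemDrive   # usually "C:"

    # A ready TPM is a prerequisite for automatic Device encryption.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        "TPM present: $($tpm.TpmPresent), ready: $($tpm.TpmReady)"
    } else {
        "TPM status unavailable (cmdlet missing or session not elevated)"
    }

    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $drive
        "Volume status:     $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
        "Protection status: $($vol.ProtectionStatus)"   # 'On' matches the Settings page
        "Encryption method: $($vol.EncryptionMethod)"

        # The RecoveryPassword protector is what gets backed up to the Microsoft account.
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if ($recovery) {
            # Print the protector ID only; the password itself stays out of logs.
            "Recovery password protector present (ID $($recovery[0].KeyProtectorId))"
        } else {
            "WARNING: no recovery password protector; back one up before relying on this drive"
        }
    } else {
        # Fallback for editions without the BitLocker module: same facts as text.
        manage-bde -status $drive
        manage-bde -protectors -get $drive
    }
}

Test-DeviceEncryption
```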
💚 Improve your sign-in account security
When you sign into Windows 11 with a Microsoft account, you typically create a password and a PIN during setup. If your PC supports Windows Hello, you may also configure facial or fingerprint recognition. Regardless of your initial choices, it is advisable to revisit and enhance your account security settings.
Facial recognition (Windows Hello)
If your PC supports facial recognition, you can enroll your face for sign-in. Additionally, consider enabling enhanced protection against spoofing and re-enrolling your face with and without glasses for improved accuracy.
Fingerprint recognition (Windows Hello)
For PCs equipped with fingerprint recognition, you can enroll multiple fingers for sign-in. Re-enrolling the same finger can also improve recognition accuracy.
PIN (Windows Hello)
Creating a PIN during setup provides an additional layer of security. If you have multiple devices, consider using different PINs for each to enhance security further.
Enhanced sign-in security
For users with Copilot+ PCs, Windows Hello Enhanced Sign-in Security (ESS) will be automatically configured to require sign-in every time you return to your device.
💚 Configure additional security features in Windows Security
Beyond the initial recommendations from Windows Security, several additional features can bolster your system’s defenses:
- Controlled folder access: This feature offers extra protection against ransomware by restricting unauthorized apps from modifying your files. Enable it through Virus & threat protection > Ransomware protection.
- Smart App Control: This feature provides another layer of protection against malicious apps. It is advisable to enable it for enhanced security.
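The following script, an added example rather than anything from the book, reads the Windows Security settings discussed in this section and turns on Controlled folder access if it is off. It assumes an elevated PowerShell session and the built-in Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Set-MpPreference); the registry value it reads for Smart App Control, VerifiedAndReputablePolicyState, and the meaning of its values are assumptions noted in the comments.

```powershell
# Added example (not from the book): report and adjust Windows Security features.
# Run from an elevated PowerShell window.

function Get-SecurityPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Controlled folder access: 0 = Disabled, 1 = Enabled, 2 = Audit mode.
    $cfa = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit mode' }[[int]$pref.EnableControlledFolderAccess]

    # Smart App Control state is read from the Code Integrity policy key.
    # Assumed meaning of the value: 0 = Off, 1 = On, 2 = Evaluation.
    # It can only be changed in Windows Security > App & browser control, so this script reads it only.
    $sacKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $sacRaw = (Get-ItemProperty -Path $sacKey -Name VerifiedAndReputablePolicyState `
               -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
    $sac = if ($null -eq $sacRaw) { 'Unknown (value not present)' }
           else { @{ 0 = 'Off'; 1 = 'On'; 2 = 'Evaluation' }[[int]$sacRaw] }

    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtection   = $status.IsTamperProtected
        SignatureAgeDays   = $status.AntivirusSignatureAge
        ControlledFolders  = $cfa
        SmartAppControl    = $sac
    }
}

function Enable-ControlledFolderAccess {
    # Same effect as Virus & threat protection > Ransomware protection > On.
    # Default protected folders (Documents, Pictures, ...) are covered automatically.
    if ((Get-MpPreference).EnableControlledFolderAccess -ne 1) {
        Set-MpPreference -EnableControlledFolderAccess Enabled
    }
    # If a trusted app is later blocked from writing to a protected folder, allow it explicitly:
    # Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Path\To\app.exe'
}

Get-SecurityPosture
Enable-ControlledFolderAccess
```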
💚 Remove third-party security apps
Many PCs come pre-installed with third-party security applications that are often unnecessary due to Windows 11’s robust built-in protections. These applications may also require costly subscriptions. To remove them, navigate to Settings > Apps > Installed apps, select the app, and click “Uninstall.” Be prepared for potential pushback from the app’s maker.
💛 Keep Windows 11 up-to-date
Maintaining an up-to-date Windows 11 installation is crucial for security. Regular updates, including security fixes, are rolled out monthly. To ensure your system is current, navigate to Settings > Windows Update and check for updates regularly.
Properly configure Windows Update
To avoid unexpected disruptions during your work, adjust your Windows Update settings. Disable automatic restarts and enable notifications for required restarts to prevent data loss.
Keep apps up-to-date
Apps installed from the web or the Microsoft Store typically update automatically, but it’s wise to manually check for updates occasionally. Utilize the Microsoft Store app or command line tools to ensure all applications are current.
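To do the same checks from the command line, here is an added example (not from the book): it lists the most recent Windows updates, reads the restart-related Windows Update settings, and brings installed apps current with winget. It assumes winget (App Installer) is present; the registry value names under WindowsUpdate\UX\Settings used for active hours and restart notifications are assumptions, so a missing value is reported rather than treated as an error.

```powershell
# Added example (not from the book): keep Windows 11 and its apps current.

function Get-RecentWindowsUpdates {
    param([int]$Count = 5)
    # Get-HotFix lists installed Windows updates (KB numbers) with install dates.
    Get-HotFix |
        Sort-Object InstalledOn -Descending |
        Select-Object -First $Count HotFixID, Description, InstalledOn
}

function Get-RestartSettings {
    # Assumed value names: ActiveHoursStart/End (hour of day) and
    # RestartNotificationsAllowed2 (1 = notify when a restart is required).
    $key = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
    $ux  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ActiveHoursStart     = $ux.ActiveHoursStart
        ActiveHoursEnd       = $ux.ActiveHoursEnd
        RestartNotifications = if ($null -eq $ux.RestartNotificationsAllowed2) { 'not set' }
                               else { [bool]$ux.RestartNotificationsAllowed2 }
    }
}

function Update-InstalledApps {
    param([switch]$ListOnly)
    if (-not (Get-Command winget -ErrorAction SilentlyContinue)) {
        throw 'winget not found; install App Installer from the Microsoft Store'
    }
    # Show packages with a newer version; --include-unknown also lists packages
    # whose installed version winget could not determine.
    winget upgrade --include-unknown
    if (-not $ListOnly) {
        winget upgrade --all --include-unknown `
            --accept-source-agreements --accept-package-agreements
    }
}

Get-RecentWindowsUpdates
Get-RestartSettings
Update-InstalledApps -ListOnly   # drop -ListOnly to actually install the upgrades
```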