Windows 11 Security Settings: 15 Best to Enable or Change

Reading time icon 11 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

Key notes

  • Microsoft takes the security of their operating systems seriously, and Windows 11 brought many security improvements.
  • The biggest change lies in the tampering protection, that is now required by default.
  • The latest operating system also has a wide array of settings that you can change in order to improve your security.

Windows 11 has been out for a while, and many wonder about Windows 11 security and safety.

The good news is that the operating system brought some improvements in terms of security that should help users stay safe.

In today’s guide, we will answer all your security-related questions and show you all the security settings you need to change to maximize your protection.

To learn how Windows 11 security compares to its predecessor, read our Windows 11 vs Windows 10 guide.

Does Windows 11 have better security?

The short answer is yes, Windows 11 has better security than its predecessors. To understand the differences, you must know what security features Windows 11 offers.

Trusted Platform Module (TPM)

TPM chart (Source: Microsoft)

Windows 11 comes with a new requirement called TPM, and we wrote about Windows 11 and TPM in a separate guide.

TPM is a feature that verifies the integrity of your firmware, preventing unauthorized users from accessing your encryption keys or installing rootkits that will run before your operating system boots.

Virtualization-Based Security (VBS)

Next on our list is Virtualization-Based Security, and this feature creates a secure and isolated section in your memory.

By doing so, Windows can use this virtual secure mode to run various security solutions, thus providing better protection for your operating system.

Hypervisor-Protected Code Integrity (HVCI)

This feature is related to the VBS and secures the Windows kernel from malware. Many exploits tend to attack your kernel to access the operating system, and this feature prevents that.

UEFI Secure Boot

This isn’t a new feature, and it’s closely associated with TPM. Using the secure boot ensures that your firmware isn’t tempered, thus preventing malware from running as soon as you boot your PC.

Now that you know about Windows 11 features, let’s answer the most important question.

Is Windows 10 or 11 more secure?

Both operating systems support all of the features above. However, these features aren’t enabled on Windows 10 by default, plus Windows 10 doesn’t force you to use them.

On the other hand, TPM is required for Windows 11, and features such as HVCI can negatively affect performance on older CPUs, so Windows 11 has higher standards.

Overall, Windows 11 is more secure, especially if you’re a less experienced user who doesn’t know how to enable these security features manually.

If you want to avoid Windows 11 security issues, you need to make a few adjustments to your settings.

How can I improve security in Windows 11?

1. Keep your system up to date

  1. Press the Windows key + I to open the Settings app.
  2. Now go to the Windows Update section.
  3. Click on Check for updates.

If any updates are available, they’ll start downloading. In most cases, Windows automatically checks for updates, so you won’t have to do this manually.

To keep your PC safe, it’s crucial to download Windows 11 security updates regularly.

2. Protect your account with a password

  1. Open the Settings app using the Windows key + I shortcut.
  2. Go to Accounts and then select Sign-in options.
  3. Expand the Password section and click on Add.
  4. Now enter the new password.
    windows 11 security new password

Adding an account password gives you basic protection from unauthorized access. This can be helpful if you’re sharing your PC with others or if somebody tries to access your device without your knowledge.

3. Add fingerprint or facial recognition

  1. Press Windows key + S and enter sign-in options. Select the Sign-in options from the list of results.
    windows 11 security
  2. Select Facial recognition or Fingerprint recognition and click on Set up.
    windows 11 security
  3. Follow the instructions on the screen to complete the process.

This is a more convenient protection method, since only you will be able to unlock your device, so you don’t have to worry about someone knowing your password.

4. Make sure Windows Defender is running

  1. Open the Search by pressing the Windows key + S. Enter windows security and select Windows Security.
    windows 11 security windows security search results
  2. Select Virus & threat protection and then go to Manage settings.
    windows 11 security manage settings
  3. Enable all options.
    windows 11 security settings

Windows 11 comes with Windows Defender pre-installed, but sometimes Windows Defender is turned off, and that can make your PC vulnerable.

A few users reported that Windows Defender isn’t installed on their PCs, which can be a major security concern.

You should never turn off Windows 11 security because it’s the only defense against malware. Therefore, checking if the application is enabled and properly running on your PC is important.

5. Use third-party antivirus

While Windows Defender is a great security solution, it’s not as advanced as other malware protection software, so many users are choosing third-party antivirus solutions instead.

We already did a comparison between Windows Defender and Avast, so you should check it out for more information.

If you’re having security concerns about Windows 11, be sure to visit our best antivirus for Windows 11 guide and pick the right protection for your PC.

Suppose you want to stay protected on all fronts and be able to run your antivirus in the background without it affecting your PC’s performance. In that case, we suggest you use ESET HOME Security Essential.

6. Use a Standard account

  1. Press the Windows key + I to open the Settings app.
  2. Go to Accounts and select Other users.
  3. Click on Add account.
  4. Pick I don’t have this person’s sign-in information.
  5. Now select Add a user without a Microsoft account.
  6. Enter the username and password for the new account.

By using the Standard account instead of the Administrator, you’ll have to enter your administrator password every time you want to make a system change.

This is incredibly helpful if you’re sharing your PC with someone or using a business computer and don’t want users to have unrestricted access to the PC.

7. Make sure User Account Control is running

  1. Click the Search button and enter user account control. Select User Account Control Settings from the results.
  2. Make sure that User Account Control is set to a recommended value or the one above.
  3. Click on OK to save changes.

This feature works great if you have a Standard and Administrator account since it will ensure that users won’t be able to change system settings on their own.

8. Use Dynamic Lock

  1. Press the Windows key + I to open the Settings app.
  2. Go to the Bluetooth section and click on Add a device.
  3. Follow the instructions on the screen to connect your Bluetooth device to your PC.
  4. Once your device is connected go to Accounts and select Sign-in options.
  5. In the Dynamic lock section, enable Allow Windows to automatically lock your device when you’re away.

After enabling this feature, as soon as you step away from your PC for more than 30 seconds, it will automatically become locked.

9. Check if your firewall is enabled

  1. Click the Search icon and type windows security. Select Windows Security.
  2. Select Firewall & network protection and make sure that firewall is enabled for all types of connections.
  3. To change your firewall settings, click on Allow an app through firewall.
  4. Now you can choose which applications have access to the Internet.

Modifying the firewall settings is an advanced procedure, so be sure to double-check the suspicious application before you prevent it from accessing the Internet.

10. Encrypt your drives

  1. Press the Windows key + I to open the Settings app.
  2. Navigate to Storage.
  3. Expand the Advanced storage settings section and click on Disks & volumes.
  4. Select the partition you want to encrypt and click on Properties.
  5. Now click on Turn on BitLocker.
    windows 11 security turn on bitclocker
  6. Click on Turn on BitLocker.
  7. Choose how you want to save your recovery key.
    recovery key bitlocker windows 11 security
  8. Select how much of your drive you want to encrypt.
  9. Select the desired encryption mode.
  10. Now click on Start encrypting and closely follow the instructions on the screen.

After your device is encrypted, nobody will be able to see your data without a password, which is great protection if your device gets stolen for example.

11. Make sure TPM and Secure Boot are enabled

  1. Restart your PC and keep pressing F2 to access BIOS.
  2. Go to the Miscellaneous tab. Locate TPM Device Selection and set it to PTT or fTPM
  3. Go to the Boot section and locate Secure Boot. Set it to Enabled.
  4. Save changes and restart your PC.

For more information, we have a separate guide that focuses on how to enable TPM 2.0 in different versions of BIOS, so be sure to read it.

12. Scan your PC frequently

  1. Press Windows key + S and enter windows security. Select Windows Security from the list.
  2. Go to the Virus & threat protection and click on Scan options.
  3. Select the type of scan that you want and click on Scan now.

We suggest using a Full scan to scan all files on your PC, but this might take several hours to complete, so keep that in mind.

In most cases, your security software will detect the threats automatically, but it’s not a bad idea to manually scan your PC once in a while.

13. Enable Find my device feature

  1. Open the Settings app. You can use Windows key + I to do that quickly.
  2. Go to Privacy & Security and select Find my device.
    windows 11 security find my device settings app
  3. If you see a warning message, click on Location settings.
    windows 11 security location service turned off
  4. Enable Location services and go back.
    windows 11 security location services enable
  5. Now you need to enable Find my device.
    windows 11 security enable find my device

After doing this, you can track if your device gets stolen or lost via your Microsoft account.

14. Use a password manager

To ensure that you’re safe online, always use password manager software. By doing so, you’ll generate unique and strong passwords for every website that you log into.

This will prevent hackers from accessing your online accounts, plus you won’t have to remember your passwords anymore since the software will do that for you.

15. Use a VPN

VPN is extremely useful if you’re concerned about your privacy or if you tend to use a lot of open and insecure networks during the day.

VPN software will encrypt and hide all your traffic from third parties and your ISP, allowing you to browse the web privately.

If you want a good VPN with access to thousands of servers worldwide and that’s equipped with all the security features you need, we recommend Private Internet Access.

It’s compatible with all major platforms, including Windows 11, with an easy-to-use application. It’s able to circumvent geo-blocks and has dedicated servers for streaming.

Get Private Internet Access

How do I protect my privacy on Windows 11?

Disable location tracking

  1. Press the Windows key + I to open the Settings app.
  2. Go to Privacy & security and select Location.
    windows 11 security location settings
  3. Disable Location services.
    windows 11 security location services disable

Disable Ad tracking

  1. Open the Settings app. You can do that with the Windows key + I shortcut.
  2. Go to Privacy & security and then select General.
  3. Disable all available options.

Disable Diagnostics and Feedback

  1. Click Start and then Settings.
  2. Go to Privacy & security and select Diagnostics & feedback.
  3. Now set all the options to Off.

Disable app permissions

  1. Press the Windows key + I. This will open the Settings app.
  2. Go to Privacy & security.
  3. Now scroll down to App permission settings and disable Location, Camera, Microphone, Voice activation, Call history, and Account info settings.

After adjusting these Windows 11 privacy settings, you’ll disable all features that are collecting personal information.

Does Windows 11 Defender protect against malware?

Yes, Windows Defender protects against malware, ransomware, and other types of malware. The software is effective in dealing with the latest malware types out of the box.

However, some users prefer using third-party solutions since they offer more advanced features. Windows Defender lacks a reliable scheduling feature, and this is the main drawback for many.

The firewall configuration is powerful, but it feels unintuitive to use. Defender also lacks features such as Game Mode, webcam and microphone protection, banking protection, and vulnerability evaluation.

Does Windows 11 automatically encrypt?

No, Windows 11 doesn’t automatically encrypt your drives, and to encrypt them, you need to set up BitLocker protection.

Alternatively, you can use file encryption software to protect your data from unauthorized access.

Windows 11 brought some changes, and while it’s similar to its predecessor, it still has improved security with the TPM requirement.

Most security features are now enabled by default, thus providing additional protection to the users. Speaking of security, we also wrote a great guide on whether Windows 11 needs an antivirus, so be sure to check. And if you are going with the built-in antivirus, check the best Windows Defender settings!

You can enhance your security even further by creating a USB security key for additional protection.

What are your thoughts on Windows 11 security? Let us know in the comments section below.

More about the topics: Windows 11