Historically, Windows has had a bad reputation for security, and there are far more malware strains that target Windows than any other operating system out there — largely due to the scale of PCs that exist in the world. With such a vast array of potential threats, it’s more important than ever to keep your Microsoft PC safe and protected.
But doing so doesn’t have to be difficult or expensive. In fact, you can start right now with just the computer you own, no extra software necessary. And if you do want to supplement your PC with some of the best Windows apps that will boost your security and privacy, you don’t need to pay a penny.
In this guide, we’ll take you through some of the most important Windows 11 security settings that everyone should know. Put them to use and you’ll be able to ramp up your computer’s security in just a few clicks. Let’s see how it’s done.
Enable virus protection
Because it’s the most popular operating system on the planet, Windows is a prime target for hackers, and that means you need to have robust virus protection on your computer. To enable that, open the Windows Security app from the Windows search bar and choose Virus & threat protection in the sidebar. There, you’ll see details on your chosen antivirus app (make sure you’re running either Microsoft Defender or one of the best third-party antivirus apps). If you need to remedy anything, follow the on-screen prompts to bilk up your security.
Regardless of which antivirus app you use, it’s a good idea to regularly schedule virus scans so that you can catch any threats as soon as they appear. The steps to do this will vary with each app, but make sure to look them up for your chosen app to keep your PC protected.
Secure your account
In the Windows Security app, select Account protection in the sidebar. Under Windows Hello, choose Manage sign-in options. If you have a webcam or fingerprint reader on your PC, enable the options for either Facial recognition (Windows Hello) or Fingerprint recognition (Windows Hello), as these will offer much stronger protection than just using a password to log in.
Going back to the Account protection section in Windows Security, pick Dynamic lock settings under the Dynamic lock header and tick the highlighted checkbox on the next screen. This setting will automatically lock your device once your paired phone is outside of Bluetooth range, with the assumption being that you’ve left your desk. This way, your PC and its private data are not accessible to anyone who tries to sneak up to your computer when you’re not there.
Fire up the firewall
Ensuring you have a strong firewall is another good way to keep your PC and its contents safe when connecting to the internet. In the Windows Security app, choose Firewall & network protection in the sidebar. Make sure that under each of the headers on the page (Domain network, Private network, and Public network), you see the text Firewall is on. If not, select the header and follow the on-screen prompts to enable the firewall.
Back on the Firewall & network protection page, select Allow an app through firewall at the bottom. Check the resulting list to make sure that every app should actually be allowed through. If you find an app that you’re sure does not need to be granted a firewall exception, select Change settings and untick the checkbox to the left of its name. When you’re done, select OK.
Apps and browsers
Moving down the sidebar, head to App & browser control in the Windows Security app and choose Reputation-based protection. Ensure that the toggles for all of the sections on the page are turned on. Then go back to the App & browser control page and choose Exploit protection > Exploit protection settings > System settings and make sure that everything is enabled.
Back on the App & browser control page, you’ll see the Smart App Control section. This blocks malicious and untrusted apps from your PC, adding to its protection. However, it relies on sending Microsoft optional diagnostic information — if you disabled this when you first installed Windows, you’ll need to reinstall Windows in order to enable Smart App Control. If you don’t want to send Microsoft your optional diagnostic info for privacy reasons, Smart App Control will be unavailable.
Secure boot and drive encryption
In the Windows Security app, move down to Device security in the sidebar. At the top of this section, you’ll see the Secure boot header. This feature prevents malware from loading when you turn on your PC, and it’s required to be able to install Windows 11. Thus, if you’re currently running Windows 11, you should see a green tick next to the Secure boot text. If you don’t, follow the on-screen instructions to rectify the issue.
Underneath is the Data encryption section. Here, you can tell Windows to encrypt your device, preventing anyone from accessing its files if they don’t have the correct login password. Note that this setting is not available on all Windows PCs — if you don’t see it on yours, you might have an option to Manage BitLocker drive encryption. If you do, select this to enable BitLocker encryption instead.
Check permissions
Over time, you can end up granting wide-ranging access to your data to both Windows itself and a range of apps. If you want to check or rescind some of those permissions, you’ll need to open the Settings app and go to Privacy & security in the sidebar. From there, head to the Windows permissions section.
Once you’re there, go through each of the sections one b y one, including Speech, Search permissions, and more, to see what activities Windows has access to. To withdraw those permissions, disable the toggle next to your chosen settings.
Below Windows permissions, you’ll find App permissions. This is where you can control which apps can access things like your location, your microphone, your webcam, and more. It’s important to go through each of these sections to make sure there aren’t any unwanted surprises, like an app that has been granted permission to vacuum up your location data when it really shouldn’t have been.
Find my device
If you lose your Windows device, you’ll want to get it back as quickly as possible. One way to help you do that is to enable Find my device. To do so, head to Privacy & security in the Settings app, then select Find my device near the top of the page. After that, simply enable the toggle next to Find my device.
Once that’s been done, open a web browser and go to Microsoft’s device location website. Log in with your Microsoft account and you’ll see a list of your connected devices. Choose the one you want to locate, then select Find to bring up a map with your device’s current location displayed. You can also remotely lock your device to prevent any unauthorized person from using it — once you’ve found your device on the map, pick Lock > Next. You can reset your password from here as well for an extra dose of security.
Note that Find my device requires location settings to be enabled. If they’re not, you’ll see a notice on the Find my device page. Select the Location settings button to be taken to the appropriate page, where you can amend the necessary settings.
Update your PC
The last point on the list isn’t really a setting, but it’s the single most important thing you can do to improve your PC’s security. And that, quite simply, is to keep it regularly updated. That way, you’ll always be sure that you’ve got the latest security patches installed to help fend off viruses and malware.
To update Windows, open the Settings app and select Windows Update in the left-hand sidebar, then pick Check for updates. Wait for your PC to finish checking, then follow the on-screen instructions to install any updates that are available. You might need to restart your PC for the updates to complete.
That will get Windows itself updated for you, but what about your apps? For that, it’s worth getting an app like Patch My PC. This free utility checks all your installed apps for updates and then installs them for you, making it fast and simple to keep everything safe, secure, and up to date.
Bonus: ensure your privacy is being protected
You might not know it, but Windows collects an awful lot of your private information and sends it off to Microsoft, often without you realizing it. This includes everything from telemetry to potential privacy issues with CoPilot. That’s bad for your privacy, but you can put things right with a third-party app or two.
One such app is ShutUp10++ from O&O Software. Originally made for Windows 10 (which will be end-of-life in 2025), this app also works in Windows 11 and is a one-stop shop for blocking Microsoft’s worst data-collection habits. It lets you go through settings in granular detail, stopping anything that involves collecting more data than is necessary. Helpfully, you can apply all of its recommended settings with just a couple of clicks, or import settings from other computers you use.
There are other apps that can help. For instance, BCUninstaller removes all of the unnecessary bloatware that can get loaded onto Windows, protecting your privacy and speeding up your machine in one go. And Safing Portmaster helps you keep track of your network activity to make sure apps aren’t firing off your data without your permission. These and other apps are a good way to increase the privacy and security of your Windows PC.