Top Windows Security and Privacy Settings You Should Change Right Now

If you install Windows 11, log into a Microsoft account, and click OK on all the suggestions the system offers during the setup guide, you’ll be left with a computer that sends a significant amount of data to both Microsoft and the developers of the software you install.

However, what you do get is a computer that is not insecure. Microsoft has made a great effort to secure Windows over the past 10 years, and Windows 11 is, without any additional settings or security packages, significantly more secure than older versions of the system. Still, there are some things you can do to further protect yourself.

In this guide, I will go through the most important things you can do to increase security and protect your privacy from snooping companies and malicious programs and websites.

Stop Sharing Analytics Data with Microsoft

Diagnostic Data

If you weren’t paying attention when installing Windows, there’s a high chance you approved sharing a lot of diagnostic data and more. It may not be the end of the world, but it’s a good idea to go through the settings so that you know exactly what you are sharing and can turn off the things you prefer not to share.

Open Settings and go to Privacy and Security -> Diagnostics and Feedback. Here, primarily two settings affect how much of your computer usage Microsoft can track. At the top, you see a switch for Sending Optional Diagnostic Data, with an explanation of what kind of data this entails. Microsoft states that this information is used to identify bugs and improve Windows.

A bit further down, you see the setting for Custom Usage Experiences. If this feature is activated, Microsoft tracks what you do to display tailored ads and various “tips.” My recommendation is to turn it off. You can then use the Clear Diagnostic Data feature below, which will prompt Microsoft to delete data already collected.

Master Windows Privacy Settings

In addition to analytical data, there are many other settings in the system that affect your privacy. Start in Settings -> Privacy and Security, where there are several sub-sections.

1- Block Advertising Tracking

General – Here you can disable everything. Allowing websites to see what language you use can, for example, be exploited to track you as part of a fingerprinting technique. This technique looks at a large number of variables where you may be the only visitor on a website with just your particular combination of attributes such as resolution, language, available features, installed fonts, and so on.

Location – If you have no need for programs or websites to know where you are, you can completely turn off Location Services.

Search Permissions – If you don’t want to include results from OneDrive and Microsoft programs, you can turn that off. You can also disable the “Safe Search” filter if you don’t want Microsoft to filter web searches, but I keep the feature that stores search history on the computer because it’s convenient and isn’t sent to Microsoft.

2- Activity History

Activity History – Turn it off; this feature is rarely used, and if by any chance you miss it, you can always go back and enable it.

You should also go through the other sub-sections and check that all looks fine. Normally, you can leave features such as Camera, Microphone, and Contacts enabled, but be vigilant about which programs you grant access to them. If you see that a program has access to a feature that you don’t think it needs, you can turn off access here.

3- Privacy Settings for Individual Programs

If you go to Apps -> Installed Apps, you can also access all the privacy settings for individual programs. Click on the more button to the right of a program and select Advanced Options (if the option is missing, the program has no such settings).

Is Defender Enough, or Do I Need an Antivirus Program?

A common question is whether Windows’ built-in antivirus protection, Microsoft Defender, is capable enough or if it’s best to acquire a robust security package. The answer isn’t straightforward and basically boils down to: It depends on your risk profile.

If you generally use your computer cautiously – never clicking on links in emails, never installing dubious programs from unknown developers, not dealing with cryptocurrencies or other valuable data – you can do quite well with Defender. It offers real-time protection, and combined with other security features in Windows 11, you should feel secure.

If you live a bit more dangerously and enjoy testing new things, or simply prefer the extra security, the best antivirus programs offer more.

For example, Defender has proven less capable when you are not connected to the internet. This doesn’t affect browsing protection, but malware in already downloaded email attachments and files might slip past the protection.

Defender’s effectiveness in detecting known malware has varied over the years. Sometimes Microsoft is really on top of it, and other times, it lags behind, missing some malware that other antivirus programs catch. The interface also leaves something to be desired.

Maximize Security with Defender and Windows Security

Whether you choose to stick with Defender or install an antivirus program/security package from another developer, there are many settings in the Windows Security program that contribute to making your computer safer.

Defender Settings

Virus & Threat Protection – Microsoft Defender. Click here and then Manage Settings to view the various Defender functions you can turn on or off. If you don’t activate all of them, Defender becomes less effective, and in that case, it would be better to switch to a third-party program.

Account Protection – If you have chosen to use a local account instead of a Microsoft account, the system will complain here, but you can ignore that.

Firewall & Network Protection – Settings for Windows’ built-in firewall. It’s always best to keep it turned on. In the settings here, you can add individual exceptions, but only do this if you’re sure that a program is being hindered by the firewall.

Reputation-based Protection

App and Browser Control – Here you find three different types of protection. Smart App Control blocks programs that the system believes might be harmful or unwanted, but many users find this feature intrusive and annoying. If it’s turned off, you can only enable it again by reinstalling Windows and agreeing to send diagnostic data to Microsoft. Reputation-based protection is a collection of features that protect against phishing, unwanted programs, and more. I recommend keeping all features turned on. Vulnerability protection includes more advanced protective features, and I recommend letting Windows retain the default settings here.

Device Security – Here Windows collects settings and functions regarding hardware protection, like Secure Boot and Kernel Isolation. It’s best if everything is turned on.

Device Health and Performance – Shows a “health report” for your computer. If you get any warnings here, you can follow up to see if you can address the issue, such as a warning about available free space.

Family Options – Only if you use family features.

Protection History – Here you can see if Defender or any of the other protections have recently taken action, for example if Defender has quarantined a downloaded file or blocked a program from running.

Secure DNS can Protect You from Harmful Sites and Help You Avoid Ads

If you’re using your ISP’s router and don’t make any additional settings, you will most likely be using the ISP’s DNS servers for domain name lookups. By choosing another, more secure DNS service, you can avoid letting your ISP snoop on what you’re doing online. Additionally, you can get extra protection against harmful and unwanted websites.

Secure DNS

Windows 11 has built-in support for encrypted DNS using the DNS over HTTPS (DoH) technology. Open Settings and go to Network & Internet. Click on Properties next to your current connection (at the top). Then, click Edit next to the DNS settings further down. Fill in the address of a DNS service you trust and select On (Automatic Template) under DNS over HTTPS. My recommendation is 1.1.1.1 (Cloudflare), but there are other good ones too. Save.

Once you’ve turned on encrypted DNS, your computer will resolve domain names via encrypted HTTP traffic, which the ISPs along the way cannot differentiate from other traffic. This doesn’t mean you are entirely anonymous, as ISPs can still see the IP addresses of the servers you connect to.

Some DNS services also offer filtering of various kinds. For instance, Cloudflare offers 1.1.1.2, which blocks malware, and 1.1.1.3, which blocks malware and adult content. Another reputable service is Adguard DNS, which blocks harmful sites, tracking, ads, and more.

Why Microsoft is So Insistent on the Requirement for Secure Boot and TPM

You’ve probably noticed that one of the reasons Windows 11 has significantly higher system requirements than Windows 10 is that Microsoft requires the computer to support the BIOS feature Secure Boot and include a security processor called TPM. Since version 24H2, a sufficiently modern processor is also required, making these two functions nearly always included.

The company’s insistence that all users have a computer with TPM is because it significantly enhances the security of sensitive encryption keys. For example, when you enable Windows Hello for easy login with a PIN, a key that can unlock the computer (and device encryption/BitLocker if you have it) is stored in the TPM chip.

When you enter the PIN, it is sent to the TPM chip, which verifies it and sends back a code that the system can use to unlock the system. Neither your account password nor the encryption key for the hard drive is ever stored on the hard drive or in RAM.

The TPM chip also allows you to securely store login keys (passkeys) for websites on the computer without needing to use your mobile device to log in.

In addition to these functions, the TPM chip also plays a role in protecting Windows. When the system starts, the TPM chip works with Secure Boot to attest that the system has not been modified.

Further Protect Yourself with Third-Party Programs

In addition to Windows’ built-in security features, there are third-party programs that can protect you in various ways. Be careful about what you install and who the developer is – “security programs” that are actually cloaked malware are an old trick.

This mostly involves antivirus/security packages, as I mentioned earlier in the article, but there are also other categories of programs that protect you in different ways.

GlassWire

With an application firewall, you can prevent individual programs from connecting to the internet, thus protecting yourself from programs that “phone home” to developers despite the program itself not having any functions that should require an internet connection. GlassWire is a reasonable option and is easy to use, but to access features like “ask for connection,” you’ll need to get a subscription. Safing Portmaster is completely free for personal use but is significantly more complicated to get started with.

VPN services also often have standalone programs that make it easy to choose a server and manage features like a “kill switch,” which blocks all internet traffic if the VPN connection drops.

The aforementioned GlassWire also functions as a network monitor, a type of program that shows all processes and against which servers they are connected. This capability is included in the free version of the program and can still help you keep track of how installed programs behave.