Top 24 Security Settings to Adjust on Windows 11 for Enhanced Protection (2025)

Top 24 Security Settings to Adjust on Windows 11 for Enhanced Protection (2025)

UPDATED 2/20/2025: Windows 11 is heralded as the most secure version of Microsoft’s operating system. However, you can further boost your device’s security with several custom configurations and best practices tailored for 2025.

Among the best security practices are routine system updates, virus scans, and the configuration of essential security features such as ransomware protection, phishing shields, firewalls, biometric authentication, and sophisticated controls like Smart App Control and Core Isolation.

For moments when you need to access potentially unsafe websites, the Microsoft Defender Application Guard enables a secure browsing environment. Additionally, Windows Sandbox allows for the installation and testing of applications from untrusted sources without endangering your primary system.

This guide explores an array of optimal security settings for Windows 11 in 2025.

Best Security Settings for Windows 11 in 2025

As you explore the following settings, remember to implement the configurations that best meet your individual needs and circumstances:

1. Keep Your System Updated

Regularly installing system updates is crucial for maintaining device security, as these updates address bugs, strengthen security protocols, and enhance performance.

To manually install updates on Windows 11, follow these steps:

  1. Open the Settings app.
  2. Select Windows Update.
  3. Click the Check for updates button.
  5. (Optional) Toggle the switch for “Get the latest updates as soon as they’re available”.
  6. If prompted, click “Download and install”.
  7. Click the Restart now button to complete the update.

After following these steps, any available updates will automatically download and install on your Windows 11 device.

2. Conduct Regular Virus Scans

Equipped with Microsoft Defender Antivirus, Windows 11 can effectively detect and eliminate various forms of malware, including ransomware and spyware. If you suspect a breach, performing a full or offline scan is essential.

How to Perform a Full Virus Scan:

  1. Open the Start menu.
  2. Search for and launch Windows Security.
  3. Select Virus & threat protection.
  4. Under “Current threats, ”click on Scan options.
  6. Choose the Full scan option to scan your entire system.
  8. Click Scan now.

Microsoft Defender will initiate a scan for malware on your system. Should any threats be detected, the software will either eliminate them or quarantine them based on severity.

How to Run an Offline Virus Scan:

  1. Open Windows Security again.
  2. Navigate to Virus & threat protection.
  3. Select Scan options.
  5. Check the Microsoft Defender Offline scan option.
  7. Click Scan now.
  8. Confirm the scan initiation.

The computer will reboot into recovery mode to conduct the offline scan, ensuring a thorough check for threats.

Enable Periodic Scanning:

To enhance security even with third-party antivirus software, enabling periodic scanning allows Windows Defender to conduct scans for threats that may be overlooked.

  1. Open Windows Security.
  2. Select Virus & threat protection.
  3. Navigate to Microsoft Defender Antivirus options.
  4. Turn on Periodic scanning.

By enabling this feature, periodic scans will run at optimal times, balancing performance with security.

3. Activate Ransomware Protection

Controlled Folder Access in Windows 11 serves as a crucial defense against ransomware attacks, monitoring applications that modify files in protected folders. If a blacklisted application tries to make changes, you’ll receive a warning.

  1. Open Windows Security.
  2. Go to Virus & threat protection.
  3. Select Manage ransomware protection.
  5. Toggle the Controlled folder access switch to activate.

Once implemented, Microsoft Defender will monitor the specified folders and notify you of any unauthorized attempts to access your files. You can customize what applications are allowed to access these folders.

4. Implement Phishing Protection

Enhanced Phishing Protection uses Microsoft Defender SmartScreen to alert users about risky sites and apps, safeguarding sensitive information such as passwords. This feature performs the following actions:

  • Untrusted Site Warnings: Notifies you when entering passwords on suspicious websites.
  • Plain Text Password Alerts: Warns you about storing passwords in plain text.
  • Password Reuse Notifications: Cautions against using the same passwords across different accounts.

For users needing password security, this feature works only when passwords are being used, meaning if you’re leveraging Windows Hello, this may need adjustments.

  1. Access Settings.
  2. Go to Accounts.
  3. Navigate to Sign-in options.
  4. Disable “For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device”.
  5. Remove any active Windows Hello options (facial recognition, fingerprint, etc.).

After following the above steps, you will receive phishing warnings while browsing, enhancing your password security.

5. Create Passkeys for Enhanced Security

Passkeys provide a secure alternative to traditional passwords, leveraging public key cryptography for authentication. This technology significantly reduces the chance of unauthorized account access.

To set up a passkey, navigate to the account security settings of a service supporting this feature:

  1. Open Microsoft Edge or Google Chrome.
  2. Access your Google Account.
  3. Head to the account settings.
  4. Enable the “Passkey sign-in” option.
  5. Click “Create a Passkey”.
  7. Follow the prompts to complete the setup.

Once configured, your passkeys sync across all your devices using your Microsoft account, allowing easy access.

6. Review Firewall Settings

The Microsoft Defender Firewall is a vital feature in controlling network traffic. Always ensure that it’s enabled to block unauthorized access.

  1. Open Windows Security.
  2. Go to Firewall & network protection.
  3. Select your active network.
  5. Toggle the switch for Microsoft Defender Firewall to enable.

This ensures your device is safeguarded against unauthorized access and potential threats.

7. Enable DNS Over HTTPS (DoH)

To bolster your security and privacy while surfing the web, enable DNS over HTTPS.

This protocol encrypts DNS queries, protecting them from inspection and manipulation. To enable DoH:

  1. Open Settings.
  2. Navigate to Network & internet.
  3. Select Wi-Fi or Ethernet.
    4. Quick note: For Wi-Fi, access connection properties.
  4. Click Edit under the DNS server assignment settings.
  6. Set Manual for DNS settings.
  7. Enable IPv4 and input supported DoH IP addresses (e.g., Cloudflare: 1.1.1.1).
  9. Select On (automatic template) for DNS over HTTPS.
  10. Disable the Fallback to plaintext option.
  11. Click Save.

This will encrypt your DNS traffic, enhancing both security and privacy while browsing.

8. Utilize Windows Hello for Secure Logins

Windows Hello adds an extra security layer by allowing biometric authentication using facial or fingerprint recognition.

Enable Face Recognition:

  1. Open Settings.
  2. Click on Accounts.
  3. Select Sign-in options.
  4. Choose Facial recognition (Windows Hello).
  5. Click on Set up.
  7. Confirm with your current password. Follow on-screen prompts.

Once completed, simply look into the camera to unlock your device.

Enable Fingerprint Recognition:

  1. Open Settings.
  2. Click Accounts.
  3. Select Sign-in options.
  4. Choose Fingerprint recognition.
  5. Click on Set up.
  7. Follow the on-screen instructions to capture your fingerprint.

Biometric sign-in offers quick access while ensuring that your device is secure from unauthorized users.

9. Enable Dynamic Lock

Dynamic Lock secures your device by automatically locking it when an associated Bluetooth device (like your smartphone) is out of range.

  1. Turn on Bluetooth on your peripheral device.
  2. Open Settings on your Windows 11 device.
  3. Select Bluetooth & devices.
  4. Enable Bluetooth on your PC if it’s not already.
  5. Click Add device to pair your device.
  7. Follow the pairing instructions.
  8. Navigate back to Accounts.
  9. Click on Sign-in options.
  10. Under Dynamic lock, enable the setting to allow locking.

This feature ensures that your system remains secure whenever you step away.

10. Manage Unwanted Apps

Windows Security includes a feature called reputation-based protection that prevents harmful apps from running on your system.

  1. Open Windows Security.
  2. Go to App & browser control.
  3. Select Reputation-based protection settings.
  5. Turn on Potentially unwanted app blocking.
  7. Choose options to block apps and downloads.

By enabling this feature, Windows 11 will actively block and warn you about low-reputation applications.

11. Protect Your Data with BitLocker

BitLocker encryption protects your data from unauthorized access by encrypting your entire hard drive, available in the Pro, Enterprise, and Education versions of Windows 11.

How to Enable BitLocker:

  1. Open Settings.
  2. Select Storage.
  3. Click on Advanced storage settings.
  4. Go to Disks & volumes.
  6. Select the drive you want to encrypt.
  7. Click Turn on BitLocker.
  9. Follow the prompts to set up encryption.

Enable encryption for additional drives and USB devices for comprehensive data protection.

12. Activate Smart App Control

Smart App Control prevents the execution of untrustworthy apps by allowing only trusted software with valid certificates, securing your device from unwanted behavior.

  1. Open Windows Security.
  2. Navigate to App & browser control.
  3. Select Smart App Control settings.
  5. Choose the Evaluation option to begin.

This feature assesses apps over time and will enable if they function as expected, providing strong protection against unauthorized applications.

13. Enable Core Isolation

Core Isolation enhances system security by blocking malware from accessing high-security processes in memory. This feature is generally enabled by default in Windows 11.

  1. Search for Windows Security in the Start menu.
  2. Select Device Security.
  3. Click on Core isolation details.
  5. Turn on Memory integrity.
  7. Restart your computer.

Once enabled, this feature provides additional protection against malware attacks targeting memory.

14. Use Microsoft Defender Application Guard

This feature creates a secure, virtualized instance of Microsoft Edge for browsing untrustworthy websites, available in Windows 11 Pro.

To activate this feature:

  1. Open Settings.
  2. Go to System.
  3. Choose Optional features.
  5. Click More Windows features.
  7. Check the Microsoft Defender Application Guard option.
  9. Click OK and restart.

Upon restarting, you can browse untrusted sites without compromising system security.

15. Utilize Windows Sandbox

Windows Sandbox provides a safe environment for testing potentially harmful applications without risking your main system setup.

  1. Launch Settings.
  2. Navigate to System.
  3. Open Optional features.
  5. Click More Windows features.
  7. Check the Windows Sandbox option.
  9. Click OK, then restart.

After restarting, you can run Windows Sandbox from the Start menu to safely test applications.

16. Conduct Full Backups Regularly

Full system backups preserve your data against ransomware attacks, hardware failures, or other catastrophic issues. For peace of mind, you can create a system image backup.

  1. Open Start.
  2. Search for Control Panel.
  3. Click on System and Security.
  4. Go to File History.
  5. Select System Image Backup.
  7. Click Create a system image.
  9. Choose an external drive to save the backup.
  11. Proceed by clicking Next and Start backup.

Regular backups, combined with cloud storage options, help guard against data loss from system failures or attacks.

17. Switch to a Standard User Account

Using a Standard User account, rather than an Administrator account, mitigates risks associated with unintended changes to system settings or installations.

Creating a Local Administrator Account:

  1. Open Start.
  2. Search for Settings.
  3. Click on Accounts.
  4. Navigate to Other users.
  5. Click Add account.
  7. Choose I don’t have this person’s sign-in information.
  8. Select Add a user without a Microsoft account.
  9. Create the account with a name and password.
  11. Proceed to set security questions, then click Next.
  12. Select the account, and click Change account type.
  14. Choose Administrator from the dropdown menu and click OK.

Switch the Existing Account to Standard User:

  1. Sign out of your current account.
  2. Log in to the newly created administrator account.
  3. Open Settings.
  4. Go to Accounts.
  5. Select Other users.
  6. Choose the primary account and click Change account type.
  7. Select Standard User and click OK.

This will enforce security by restricting access and requiring administrator credentials for specific system changes.

18. Disable Remote Desktop

Remote Desktop can expose your system to security risks. If you don’t utilize this feature, it’s best to turn it off.

  1. Open Settings.
  2. Select System.
  3. Go to Remote Desktop.
  4. Turn off the Remote Desktop toggle switch.
  6. Click Confirm.

This step ensures your machine isn’t accessible through potentially vulnerable remote access protocols.

19. Sync Time and Date Automatically

Having the correct date and time settings can prevent security issues, including trouble signing into services due to discrepancies.

  1. Open Settings.
  2. Go to Time & language.
  3. Select Date & time.
  4. Toggle the Set time automatically switch to enable.
  5. Click Sync now under the additional settings.

This step will ensure accurate timekeeping on your device, reducing potential login obstacles.

20. Create a System Restore Point

Creating restore points guards your system against unauthorized changes and allows you to revert to prior states in case of system failures.

  1. Open Start.
  2. Search for Create a restore point.
  3. Select your system drive (usually C) and click Configure.
  5. Turn on System protection.
  7. Click Apply followed by OK.
  8. Click Create to make a restore point.
  10. Name the restore point and click Create.
  11. Click Close when complete.

Creating restore points regularly can help safeguard your system settings and critical files.

21. Disable Windows Recall

Windows Recall takes snapshots of your activity, which raises privacy concerns. If you find this feature unnecessary, consider disabling it.

  1. Open Settings.
  2. Navigate to Privacy & security.
  3. Select Recall & snapshots.
  5. Toggle off Save snapshots.
  7. (Optional) Click to delete existing snapshots.
  8. Confirm deletion by clicking Delete all.

Disabling this feature greatly enhances your privacy and reduces your digital footprint.

22. Use MAC Address Randomization

Randomizing your MAC address enhances privacy by reducing your device’s trackability over Wi-Fi networks.

  1. Open Settings.
  2. Select Network & internet.
  3. Go to Wi-Fi.
  4. Enable the Random hardware addresses option.

Once enabled, your computer will use a random MAC address for each connection, making it more difficult to be traced.

23. Activate Scareware Blocker in Microsoft Edge

The Scareware Blocker uses AI technology to protect against common online scams by identifying patterns often seen in scareware attacks.

  1. Open Microsoft Edge.
  2. Click “Settings and more”.
  3. Navigate to Settings.
  4. Go to Privacy, search, and services.
  5. Click on Security.
  6. Enable Scareware blocker.
  8. Ensure that Microsoft Defender SmartScreen is also enabled.

Enabling these features provides an extra layer of defense against online threats while browsing.

24. Utilize Presence Sensing Features

Presence Sensing improves device security by automatically managing aspects like display dimming or shutting down when a user is away.

  1. Open Settings.
  2. Navigate to System.
  3. Select Power & battery.
  4. Click on Screen, sleep, & hibernate timeouts.
  5. Enable the option to Turn off my screen when I leave.
  7. Configure the distances and timeout durations as needed.

This functionality conserves power while ensuring that your computer remains secure when you step away.

What security settings do you plan to adjust on Windows 11? Share your thoughts and experiences in the comments below!

Update February 20, 2025: This guide has been meticulously revised to ensure accuracy and reflect the latest developments concerning Windows 11 security practices.

Additional Insights

1. How often should I update my Windows 11 system?

It’s recommended to check for updates at least once a month, or enable automatic updates to keep your system secure and optimized continuously.

2. What should I do if Windows Defender detects a threat?

If Windows Defender identifies a threat, follow the prompts to quarantine or remove it. Always run a full system scan after to ensure no residual malware remains.

3. Can I revert changes made by the Smart App Control feature?

While Smart App Control evaluates apps based on behavior, if it restricts an application you trust, you may need to disable it temporarily or adjust its settings for that specific app.

Source & Images

Related Articles:

Enable Multiple Apps to Access Camera on Windows 11
Beta Channel Release of Windows 11 Build 22635.4950 (KB5052078)

Leave a Reply

Your email address will not be published. Required fields are marked *