
Thanks to last summer's CrowdStrike incident, Microsoft has been binging on resiliency in Windows and throughout the ecosystem. As a user, you should consider doing the same. The good news is, most of this is automatic, thanks to protections built into Windows. But some of it is common sense. And some does require a bit of work on your part.
This is a big enough topic that it’s unlikely I can cover it all in a single article. And full disclosure, I’m not a security expert. But as a full-time industry observer with over 30 years of experience that includes being victimized by bad advice, ignorance, and bad luck, I feel like I’m in a pretty good headspace when it comes to securing personal technology devices, especially PCs. Feel free to chime in otherwise if you think differently. Just be prepared to defend your opinions: There is too much noise out there about the things that don’t matter–Recall, for example–and too little good information about those that do.
You know what Microsoft is doing.
Thanks to a series of security events that include a still-not-fully-disclosed hack of its corporate infrastructure, Microsoft created a Secure Future Initiative (SFI) by which it is securing its entire stack against cyberattacks and other security problems, both new and well-understood. And thanks to CrowdStrike, Microsoft has amped up its SFI efforts by working with the industry to better protect the entire ecosystem. This is all solid work, but it’s also mostly external to whatever we can do as individuals.
Tied to SFI, Microsoft last year announced the Windows Resiliency Initiative, which is, of course, specific to the platform I care about the most. From an end user perspective, the biggest changes that it announced at the time, perhaps, were Quick Machine Recovery (QMR), a feature that is available now through the Insider Program and will soon be updated with a simpler user interface, and Administrator protection, which we now know is coming to consumers too. But Microsoft is also wrapping in some existing Windows 11 security features–like Windows Hello Enhanced Sign-In Security (ESS)–that are either under-used or not well understood.
Today, we got a small Windows Resiliency Initiative update, but most of that is not applicable to end users. And that’s what kicked this off. We need information that is applicable to real people. Good information.
Windows 11 gets a bad rap for all kinds of reasons. Some of it is absolutely deserved, as I outlined in my Windows 11 Enshittification Checklist. Some of it is imagined or even invented, and this is where my bile rises as I watch YouTubers get cheap views by pontificating about nothing. But security, like privacy, is important. Too important for sensationalism and bad advice.
It’s also too important to get caught up in yet another 6,000 word editorial, one that many will simply skip over or maybe miss the most important points. So here, I will be as brief as possible. And I will link to things we’ve written previously on these topics, where possible.
We all have dozens, if not hundreds, of online accounts. Each is a potential weakness in our respective attack surfaces, so to speak, and that's especially true if you're reusing passwords or otherwise not securing these accounts as well as possible. Complicating matters, each account offers different types of security protections, and those can change over time. And some online accounts–like those that are our online identities, such as the accounts we use from Apple, Google, and Microsoft, or those that are tied to payment methods and other dangerous personal information, like Amazon–are more important than others, and require immediate attention.
Using a good password manager is key to online account security. And I strongly recommend using a good third-party password manager, and not the one built into your web browser or OS. I use and recommend Proton Pass. But 1Password, Bitwarden, and Dashlane are all excellent, too. Each enables passwordless authentication across multiple accounts, and each offers proactive advice about those accounts that may be vulnerable and what you can do to fix that. Though implementations vary, passkeys are the most secure and seamless way to authenticate yourself online: a passkey is a public-key credential bound to the site that created it, so there is no shared secret for a breached site to leak and nothing for a lookalike phishing site to capture. You should enable this option everywhere, in tandem with a password manager, like Proton Pass, that is available everywhere too.
You should use a separate authenticator app for 2FA (two-factor authentication) on all accounts that support it. I strongly recommend Microsoft Authenticator for Microsoft accounts (consumer and business) and Google Authenticator for everything else: Unlike Microsoft Authenticator, it supports seamless account sync, which is crucial if you ever lose your phone, or when you replace it. (You are securing your Google account properly, too.)
Since this is a Windows-centric look at personal resiliency, you should pay particular attention to securing your Microsoft account (MSA). If you’re a Windows 11 Field Guide reader, I have covered this topic there as well. But how you use your Microsoft account is important, too. In Windows and across the Microsoft ecosystem.
When you first set up Windows 11, you’re prompted to sign in with a Microsoft account (or, if you have Windows 11 Pro, a Microsoft Work and School/Entra ID account instead, which is similar at a high level). In recent versions, this is pretty much a requirement, which seems to drive some people crazy even though it’s the right thing to do. There are, of course, ways to get around that and sign in with an old-school and less secure local account, and I document all that in the book, though I don’t recommend it. I also wrote about configuring a local account as securely as possible for those who just can’t wrap their heads around an MSA for whatever reasons.
But you should sign in to Windows with an MSA for all the obvious reasons. And you should let Windows do its things, so to speak, when it comes to security. By default, you're protected with Device Encryption, a BitLocker-based full-disk encryption feature that keeps the contents of the disk unreadable if the PC is stolen (its recovery key is escrowed to your Microsoft account, which is one more reason to sign in with one), Microsoft Defender Antivirus and its anti-malware capabilities, Secure Boot and various firmware- and kernel-level protections, an always-on firewall, and all kinds of other protections.
But you can do more.
If you signed in with an MSA or Microsoft Work and School account, you were required to create a PIN, and you sign in with that by default. PINs are widely misunderstood: a Windows Hello PIN is not a weaker password. It is bound to that one PC and protected by its TPM, so it never travels over the network, and it is useless to anyone who captures it or tries it on another device. But as with the passwords you use with your online accounts, you should still use a different PIN on every PC and other device you use. No one does. But you should.
You should also enable every form of Windows Hello sign-in your PC supports. If it offers facial recognition, enable that, and then enable the "Enhance facial recognition" option and improve recognition, especially if you sometimes wear glasses. If it supports fingerprint recognition, enable that, and optionally set up a second finger or, oddly, use the same finger twice, which seems to improve recognition. Do not enable "Sign in with an external camera or fingerprint reader" if you're using Windows Hello ESS: turning it on switches ESS off, because external peripherals can't meet its isolation requirements. Do not disable "For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device (Recommended)." Ignore Dynamic Lock, which is borderline pointless, but do investigate whether your PC supports presence sensing and enable (and configure) that for improved security.
If your Microsoft account is set up correctly (that is, passwordless), the first time you sign in, you'll be prompted to enter only your email address, you'll approve the sign-in in your Microsoft Authenticator app, and then Windows 11 will create a passkey on the PC for future sign-ins.
The Microsoft Store is among the many things that people get wrong: This is the ideal place to get, install, and manage updates for apps. Meaning, if an app is available on the web and in the Store, get the version in the Store. It will likely be safer and it will likely be updated automatically. (Developers can opt out of some Store policies now, so nothing is absolute.)
This isn’t necessarily a mainstream activity, but because I review so many laptops each year, I have a Windows Package Manager (winget) script that I use to automate my app installs. I use the Microsoft Store repository whenever possible, and the winget (web) repository if not. This is just good policy. But you also need to make sure your apps are up-to-date. A couple of points here.
You can also put a third brake light on app installs, of sorts, by configuring Windows to at least warn you when you try to install an app from the web and not the Store. In Settings, go to Apps > Advanced app settings and look at the options under “Choose where to get apps.”
Windows 11 has a feature called Smart App Control that’s in a weird state of flux and may or may not be configurable on your PC. Open Windows Security and navigate to App & browser control > Smart App Control, and see whether you can enable it. If you can, do so.
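For those who want to see what a winget install script like the one mentioned above looks like, here is an added example. It is not my actual script, and it assumes App Installer (winget) is present and that you have checked each package ID yourself with winget search before trusting it; the IDs below are illustrations, not a recommended app list. It tries the Microsoft Store source first and falls back to the winget source, then updates everything winget knows about.

```powershell
# Added example, not the author's actual script: install apps with winget, preferring the
# Microsoft Store source (msstore) and falling back to the community winget source, then
# update everything. Assumptions: App Installer/winget is present, and every ID below has
# been verified with 'winget search <name> --source msstore' or '--source winget'.

$ErrorActionPreference = 'Continue'

# Each entry: a Store product ID (if the app is in the Store) and/or a winget package ID.
# These IDs are examples to verify, not a recommended app list.
$apps = @(
    @{ Name = 'PowerToys'; Store = 'XP89DCGQ3K6VLD'; Winget = 'Microsoft.PowerToys' },
    @{ Name = 'Brave';     Store = $null;            Winget = 'Brave.Brave' },
    @{ Name = 'Bitwarden'; Store = $null;            Winget = 'Bitwarden.Bitwarden' }
)

function Install-FromSource {
    param([string]$Id, [string]$Source)
    # --exact stops a lookalike package with a similar name from being picked instead of the one you meant.
    winget install --id $Id --source $Source --exact --silent `
        --accept-package-agreements --accept-source-agreements
    return ($LASTEXITCODE -eq 0)
}

foreach ($app in $apps) {
    $done = $false
    if ($app.Store) {
        Write-Host "Installing $($app.Name) from the Microsoft Store..."
        $done = Install-FromSource -Id $app.Store -Source 'msstore'
    }
    if (-not $done -and $app.Winget) {
        Write-Host "Installing $($app.Name) from the winget source..."
        $done = Install-FromSource -Id $app.Winget -Source 'winget'
    }
    if (-not $done) {
        Write-Warning "Could not install $($app.Name); re-check the ID with 'winget search'."
    }
}

# Keep everything winget knows about current. --include-unknown also upgrades apps whose
# installed version winget could not read from the registry.
winget upgrade --all --silent --include-unknown `
    --accept-package-agreements --accept-source-agreements

# Snapshot what is installed so the list can be reviewed, or replayed on a new PC with 'winget import'.
winget export --output "$env:USERPROFILE\winget-apps.json" --accept-source-agreements
```

Run it from an elevated PowerShell prompt; per-machine installers need it, and the Store source handles its own elevation. The --exact switch is the part worth keeping even if you throw the rest away, because a typo'd or partial ID otherwise matches whatever package sorts first.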
One of the many reasons you sign in to Windows with an MSA is so you can use OneDrive for your personal data, automatically syncing it to the cloud and, if you have other PCs and devices, to them as well. This means you'll never lose anything if you experience a hard drive or other hardware failure or, in a worst-case scenario, if your PC is stolen. This isn't backup, though that's what Microsoft calls it: a file you delete, or a file that ransomware encrypts, is synced in that state too, and you're relying on OneDrive's version history and recycle bin to undo it. And it doesn't require you to use OneDrive Folder backup, though most mainstream users should.
OneDrive has built-in ransomware protection so you can recover documents and other personal data in the event of a hack. But Windows 11 also has a feature called Controlled folder access that can help protect your PC (and thus you) from ransomware attacks. Like Smart App Control, it’s not enabled by default. But you can enable it in Windows Security > Virus & threat protection > Ransomware protection.
OneDrive also has a Personal Vault feature that’s ideal for your most private information because it enforces 2FA use before it can be accessed. I use it for storing account recovery keys and other similar things.
And let's not forget Device Encryption, as noted above. Super important. And automatic with an MSA sign-in on hardware that supports it. Do check once that your recovery key actually made it to your Microsoft account (at aka.ms/myrecoverykey), because without it an unbootable PC means an unreadable disk.
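If you'd rather verify the protections described in the last few paragraphs than take them on faith, here is an added example of checking them from PowerShell; it is not from the article, and it assumes Microsoft Defender Antivirus is the active antivirus (a third-party AV disables the Defender cmdlets) and that you run it as an administrator. It reports Device Encryption and recovery-key status, shows the Smart App Control state, turns Controlled folder access on in audit mode so you can see what it would have blocked before you enforce it, and pulls the relevant Defender events. The Projects folder path is an assumption; change it to something you actually care about.

```powershell
# Added example, not from the article: check and tighten the Windows 11 protections discussed
# above. Assumptions: Microsoft Defender Antivirus is the active AV, and this runs in an
# elevated PowerShell prompt.

# 1. Device Encryption / BitLocker: is the OS volume protected, and is there a recovery
#    password protector that could have been escrowed to your Microsoft account?
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
"Encryption: $($os.ProtectionStatus), $($os.VolumeStatus), $($os.EncryptionPercentage)% encrypted"
$recovery = $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning "No recovery password protector found; add one and back it up to your Microsoft account."
} else {
    "Recovery key IDs on this volume (confirm they appear at https://aka.ms/myrecoverykey):"
    $recovery.KeyProtectorId
}
if ($os.ProtectionStatus -ne 'On') {
    Write-Warning "Protection is OFF; turn on Device Encryption in Settings > Privacy & security."
}

# 2. Smart App Control reports Off, Eval (evaluation) or On. There is no cmdlet to turn it on;
#    that only happens from Windows Security while it is still in evaluation mode.
$status = Get-MpComputerStatus
"Smart App Control:    $($status.SmartAppControlState)"
"Real-time protection: $($status.RealTimeProtectionEnabled)   Tamper protection: $($status.IsTamperProtected)"

# 3. Controlled folder access: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
#    Start in AuditMode, allow-list the apps that legitimately write to your folders,
#    then switch to Enabled with: Set-MpPreference -EnableControlledFolderAccess Enabled
$cfa = (Get-MpPreference).EnableControlledFolderAccess
"Controlled folder access: $cfa"
if ($cfa -eq 0) { Set-MpPreference -EnableControlledFolderAccess AuditMode }

# Protect a folder beyond the defaults (assumed path; change it), and show how an app is allow-listed.
Add-MpPreference -ControlledFolderAccessProtectedFolders "$env:USERPROFILE\Projects"
# Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\SomeApp\app.exe"  # example path

# 4. What did it block (event 1123) or would it have blocked in audit mode (1124) in the last week?
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

The audit-first step matters: Controlled folder access blocks any app it doesn't trust from writing to Documents, Pictures and the rest, and that includes the odd legitimate utility. A week of 1124 events tells you exactly what to allow-list before you flip it to Enabled, rather than finding out when a save silently fails.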
Web browsers are the most important app we all use. Using the right web browser matters. Using the right protections matters. And not using certain browser features matters.
I strongly recommend Brave above all other browsers because it is secure and private by default and will never cough up your personal information to a Big Tech company (Google, Microsoft) and the third-party advertisers who pay them for their enshittification. (Here’s how I configure it.) But you can use any web browser in what I’ll call a “secure enough” fashion with the right extensions. I strongly recommend Privacy Badger and AdBlock Plus. I wrote about this for Microsoft Edge, specifically, but the basic advice there is universal.
As noted above, do not use the password manager that comes with your browser. Instead, disable it, disable any features related to autofill, and delete any data the browser stores about you.
There’s more. There’s always more. I didn’t recommend using a Standard account when signing in to Windows, for example, or a physical security key, mostly because each is too extreme for most people (and Administrator protection, which is coming soon, may alleviate the need for the former to some degree). Copilot or whatever AIs you use open up brand-new ways for you to be exploited, and this is such a new and fast-moving space that it’s difficult to find one’s footing. And there’s something to be said for lessening one’s exposure to Big Tech predations, and I’ve got that Online Accounts series I’m working on that’s tackling that problem.
But I wanted to focus mostly on Windows. Non-hysterically. And I probably forgot something. Maybe got some things wrong. Let’s talk about it. Let’s figure this out. And let’s see where that takes us.