De-Enshittify Windows 11: Make Windows 11 More Secure ⭐

Note: This is an early peek at a chapter from my new book, De-Enshittify Windows 11.  –Paul

—

In sharp contrast with its approach to privacy, Windows 11 security is in a good place, with no major enshittification issues. However, security is too big an issue to ignore, and Windows 11 ironically doesn’t always provide the most secure possible default configure in the name of—wait for it—privacy. And so it’s important to make sure that Windows 11 is as secure as possible.

✅ Tip: If you are buying a new PC, the most secure and reliable option is a Copilot+ PC using a Qualcomm Snapdragon X-series processor that runs Windows 11 on Arm. All Copilot+ PCs, including the less reliable x64 models with Intel- or AMD-based processors, offer dramatic security improvements over normal Windows 11 PCs. But Windows 11 on ARM with Snapdragon X is the best choice overall.

Fortunately, most people reading this will sign into Windows 11 using a Microsoft account. Doing so will configure your PC in a reasonably secure manner, though there are additional steps to consider. But some power users may prefer to sign in using a local account that is specific to that PC and is too easy to configure in a non-secure manner. So let’s look at account security first.

⛔ The problems with not using a Microsoft account

When you first set up Windows 11 on a new or recently reset PC, you complete the Windows Setup Out of Box Experience (OOBE), during which you typically sign in with a Microsoft account. Doing so is nearly mandatory, but it comes with some pros and cons, the latter of which are tied to enshittification via online tracking, targeted advertising, upsells, and more. Those behaviors can be overcome, at least, and signing in with a Microsoft account comes with important security advantages that I feel outweigh the problems.

These advantages include:

• Your Microsoft account can (and should) be secured with two-factor authentication (2FA), a form of passwordless authentication that is more secure than using just a password.
• Windows 11 creates a device-bound passkey for your Microsoft account when you sign in that way, and this is used for passthrough authentication to in-box apps and experiences like OneDrive, the Microsoft Store, Microsoft Edge, and more.
• Your Microsoft account can be recovered if it is compromised.
• Your Microsoft account automatically backs up some Windows 11 configurations to the cloud so that they can be recovered and automatically reused when you sign into a different PC or reset this PC.
• The disk on which Windows 11 is installed is automatically encrypted when you sign in with a Microsoft account, protecting your private data and other contents if the PC if ever lost or stolen. The recovery key for that encrypted disk is automatically stored in the OneDrive cloud storage associated with your Microsoft account.
• Windows 11 will automatically configure OneDrive Folder Backup when you sign in with a Microsoft account to ensure that any documents or other files you save to the Desktop, Documents, and Pictures folders on your PC are automatically synced to the cloud, ensuring that they will be secure and available on other PCs and devices.

Power users often cite the forced Microsoft account sign-in as a key example of enshittification, and while there is some truth to that, the local account alternative is less secure, especially if you don’t take steps to correct that. Key issues with a local account include:

• A local account is local to that one PC only, so it can’t be recovered if it’s compromised.
• A local account can be configured without a password, which is inherently insecure and all too easy to do.
• A local account without a password can’t be configured to use a PIN, an additional layer of security that Windows 11 requires of any account with a password.
• A local account can’t be configured with 2FA or any other passwordless authentication system, any of which are more secure than using just a password.
• A local account can’t take advantage of key Windows 11 security features, including automatic full disk encryption, Windows Hello biometric authentication, and OneDrive Folder Backup unless you take additional steps after the fact.

Though I don’t recommend using a local account, this chapter will explain how to properly secure Windows 11 regardless of which type of sign-in account you choose.

? Windows 11 security first steps

Ideally, you will properly secure Windows 11 when you configure a new or newly reset PC. But you can also do so later. In Start Fresh with a New Install of Windows 11, there’s a short section about some of the initial configuration tasks you will undergo after clean installing Windows 11. Among those tasks are some related to securing the PC.

Take any actions suggested by Windows Security

Windows Security is a dashboard for most of Windows 11’s security features. It auto-runs at boot time, and you will find an icon for this app in the hidden icons pop-up to the left of the system tray in the Taskbar. To see it, click “Show hidden icons” (“^”).

When there are no suggested or required actions, the Windows Security icon will display a green checkmark overlay indicating “No actions needed.” But you may see a yellow “bang,” a yield sign-like overlay, indicating a “Recommended action” or, worse, a red “bang” indicating a “Required action.”

In either case, click the Windows Security icon to launch the app, which displays a grid of top-level security areas in its default Home view. Here, you will typically see one or more items that need attention.

On most PCs, you will see at least one security feature, “App & browser control,” that needs to be enabled. You should click “Turn on” to enable this feature.

You should likewise enable any other features that are flagged by Windows Security as recommended. For example, if Local Security Authority protection is disabled, there’s no “Turn on” button in the Home view. But if you click “Go to settings,” Windows Security will display the Device security view where you can enable the option “Kernel-mode Hardware-enforced Stack Protection.” When you do so, Windows Security will prompt you to reboot the PC so that this feature is properly enabled. Do that.

➡️ Learn more: There are other features in Windows Security you should consider enabling. Those features are discussed later in this chapter.

Correctly configure device encryption

If you signed in with a Microsoft account (or a Microsoft Work or School account), Windows 11 will automatically configure a full disk encryption feature called Device encryption that automatically protects the data stored on your PC from physical attacks if it’s lost or stolen. If you signed in with a local account, this feature is not automatically enabled and you will need to do so manually.

To check the status of Device encryption, open the Settings app and navigate to Privacy & security > Device encryption.

If “Device encryption” is configured to “On,” you’re all set: The disk is encrypted and your data is safe.

A few related tasks include:

Know how to access your recovery key. If your PC experiences issues in the future, you may be asked to supply a recovery key, a 48-character numeric code, to regain access to the encrypted disk. This key is stored in your Microsoft account, and you can find it by navigating to aka.ms/myrecoverykey with your web browser. The number of keys you will see on this page will vary by the individual, but you can find the correct key by searching for the PC’s name or key ID, the latter of which Windows 11 will prompt you for if required.

✅ Tip: If you signed in with a Microsoft Work or School account, the recovery key is available at aka.ms/aadrecoverykey.

Local account only: Enable Device encryption and back up your recovery key. If you sign into Windows 11 with a local account, Device encryption is not fully enabled by default because doing so requires you to back up your recovery key first. If you are running Windows 11 Home, you can only save this recovery key to a Microsoft account, so you will need to click “Sign in” in the yellow infobar that reads “Sign in with your Microsoft account to finish encrypting this device.”

✅ Tip: If you have Windows 11 Pro, however, you can click the “BitLocker drive encryption” link instead to launch the BitLocker Drive Encryption control panel, where you can click “Back up your recovery key” and then choose where to save the recovery key as noted below.

✅ Tip: As a workaround to the above, I recommend that those who wish to use a local account with Windows 11 initially sign-in with a Microsoft account. This will enable Device encryption automatically and then you can convert the Microsoft account to local account (in Settings > Accounts > Your info). Or, you can add a local sign-in account (in Settings > Accounts > Other users), change its account type to “Administrator,” sign in with that account, and then delete the initial Microsoft account (also in Settings > Accounts > Other users).

Windows 11 Pro only: Further configure Device encryption with the BitLocker Drive Encryption control panel. If you’re running Windows 11 Home, there’s nothing further to do. But if you have Windows 11 Pro, you can run the BitLocker Drive Encryption control panel to back up your recovery key to another location, add BitLocker To Go encryption to removable USB storage, and perform other disk encryption-related tasks. There’s a link to this app in the Device encryption page in Settings, or you can find it using Start Search.

? Improve your sign-in account security

If you sign into Windows 11 using a Microsoft account, it will typically have an associated password and Windows Setup requires you to create a PIN. And if your PC supports Windows Hello facial and/or fingerprint recognition, you were prompted to configure one of those authentication methods as well.

If you sign into Windows 11 using a local account, it’s possible you didn’t even configure a password, let alone a PIN.

Whatever you chose during Setup, you can configure account sign-in options at any time. I recommend you do so now to improve security. To get started, open Settings and navigate to Account > Sign-in options.

There are several relevant options to consider and configure here.

Facial recognition (Windows Hello)

If your PC supports Windows Hello facial recognition, you can enroll here to sign into Windows 11 using your face. Or, if this feature is already configured, you can (and should) perform two important additional steps:

• Enhance facial recognition protection. Enable this option to help improve Windows Hello’s spoofing protection, which will prevent others from masquerading as you to attempt to get into your computer. When you enable this option, you will need to restart the PC.
• Make your sign-in more personal. If you switch between contacts (or not wearing glasses) and glasses, click the “Improve recognition” button to (re)enroll your face with or without glasses. That is, you should scan your face once with glasses and once without.

Fingerprint recognition (Windows Hello)

If your PC supports Windows Hello fingerprint recognition, you can enroll one or more fingers here to sign into Windows 11 using your finger. Or, if this feature is already configured, you can perform one or more additional steps:

• Set up another finger. You can click an “Add a finger” button to enroll another finger so that you have multiple options for fingerprint recognition.
• Set up the same finger again. Less obvious, you can also use “Add a finger” to re-enroll the same finger you already enrolled to make recognition more accurate. This is an undocumented but useful option if you find that fingerprint recognition often fails.

✅ Tip: If your PC supports facial and fingerprint recognition, I recommend enabling both so that you have multiple options for signing in, each of which is faster and more convenient than typing a password or PIN.

PIN (Windows Hello)

If you signed in with a Microsoft account (or a Microsoft Work or School account), or if you signed in with a local account and created a password, you were prompted to create a PIN during Windows Setup. This PIN is an additional layer of security and a convenience since it will typically be faster to sign-in this way than typing a full password.

✅ Tip: Few people do this, but if you have multiple PCs and/or other devices, you should use a different PIN on each PC/device to improve security.

If you signed in with a local account but didn’t create a password, do so now (in Settings > Accounts > Sign-in options > Password). Then, create a PIN here. Once you do so, you can enable Windows Hello facial and/or fingerprint recognition, depending on which your PC supports. Be sure to do so now, as described above.

Enhanced sign-in security

If you have a Copilot+ PC or another PC that supports Windows Hello Enhanced Sign-in Security (ESS), this option will be enabled and the option “If you’ve been away, when should Windows require you to sign in again?” will be grayed out and automatically configured to “Every Time.” This is the correct configuration.

For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device (recommended)

By default, this option will be configured to “On” when you sign-in with a Microsoft account. This is the correct configuration.

? Configure additional security features Windows Security

As noted previously, I recommend taking any recommended or required actions in Windows Security when you first set up Windows 11. But there are additional security features in Windows Security that aren’t usually enabled by default that you should at least consider as well.

They are:

Controlled folder access. If you sign-in with a Microsoft account, you get automatic ransomware protection through OneDrive when you store your files there and real-time protection against malware and other malicious software. But if you navigate to Virus & threat protection > Ransomware protection > Controlled folder access, you can enable an additional layer of protection against malicious apps that attempt to modify your files and the PC’s memory. To enable this feature, click “Manage controlled folder access” and turn it on. By default, Windows 11 will protect files stored in your Desktop, Documents, Pictures, Music, and Videos folders, but you can add other folders and unblock apps you trust that were flagged by Controller folder access.

Smart App Control. This feature provides another layer of protection against malicious or suspicious apps. By default, Smart App Control is configured in an evaluation mode when you first bring up a new Windows 11 installation, and it will either silently disable itself if it never detects any questionable app behavior or enable itself and alert you with a pop-up notification. Unless you are a developer, you should enable Smart App Control. To do so, navigate to App & browser control > Smart App Control and change the setting to “On.”

? Remove third-party security apps

Many PCs come with third-party security apps like McAfee that are superfluous because of the strong built-in protections in Windows 11. Worse, these solutions often require an unnecessary paid subscription to keep the protection active. You can safely remove these apps, and you should.

How you do so will vary by app. But the best way to remove most third-party security apps is to open Settings, navigate to Apps > Installed apps, and locate the offending app in the list. Then, click its “More options” (“…”) link and select “Uninstall” from the pop-up menu that appears. After confirming that you really do want to uninstall this app, you will likely have to put up with some nonsense from the app’s maker. Ignore its pleading and the Windows Security notification that claims your virus protection is turned off, as the built-in protections will automatically enable. Then,  reboot when prompted.

You may not be done. Some security solutions, like McAfee, install a second superfluous security app that isn’t visible in the Installed apps list in Settings, a behavior one might logically characterize as malicious. To check for this, open Control Panel (which you can find with Start Search), click “Uninstall a program” (under “Programs”), and look at the list of apps it presents. Here, for example, you can see WebAdvisor by McAfee. Right-click it, choose “Uninstall/Change,” and get rid of this nonsense for good.

Other security apps, like HP Wolf, have multiple entries in the Installed apps list that you will need to uninstall. After you uninstall HP Wolf and reboot, open Settings again, navigate to Apps > Installed apps, and uninstall the related apps, in this case HP Security Update Service and HP Wolf Console.

Yes, these companies purposefully make this process difficult.

? Keep Windows 11 up-to-date

In Start Fresh with a New Install of Windows 11, there’s a short section about some of the initial configuration tasks you will undergo after clean installing Windows 11. Among those tasks are some related to updating Windows and its in-box apps using Windows Update (Settings > Windows Update) and the Microsoft Store app, respectively. But it’s important to keep Windows 11 fully up-to-date at all times, so there are some additional steps to take.

Properly configure Windows Update

Microsoft updates Windows 11 on an aggressive schedule through a feature called Windows Update, with new features and security fixes appearing at least once each month via what’s now (erroneously) called a Security Update. These are cumulative updates, meaning that each builds on the previous month’s Security Update, dating back to the previous annual feature update that usually arrives each October. And they typically appear on the second Tuesday or each month, on what’s called Patch Tuesday, though Microsoft also sometimes ships out-of-band Security Updates if there is a serious issue to address.

Security Updates are mandatory for individuals. That is, there is no option to skip a Security Update, though Windows Update lets you pause updates temporarily, for one week at a time.

In between the monthly Security Updates, Microsoft also ships a Preview Update, usually on the fourth Tuesday of the month. This doesn’t have a fun name, but we often refer to these updates, which are optional, as “Week D” updates, because of Microsoft’s update schedule. (The Patch Tuesday update typically occurs on “Week B.”) These Preview Updates are literally an early peek at the next month’s Security Update, and they are made available for anyone who wishes to get new features as quickly as possible.

Which is ironic because most of the new features that Microsoft ships in its Security Updates, Preview Updates, and annual feature updates are delivered via a technology called Controlled Feature Release (CFR). That’s another horrible name: These features are rolled out randomly on no schedule whatsoever, so those with multiple PCs will often, if not always, see different mixes of features on each.

Windows Update is available in the Settings app: Just navigate to Windows Update and click “Check for updates” if it doesn’t automatically do so. But given the chaotic nature of Windows 11 updates, you should spend a few minutes to configure how the system installs updates so you’re not disrupted by an unexpected reboot while you’re working.

I recommend the following configuration changes in Windows Update > Advanced options:

Get me up to date. Configure this to “Off” so that Windows Update doesn’t restart your PC to install updates as quickly as possible.

Notify me when a restart is required to finish updating. Configure this to “On” so that Windows Update doesn’t simply restart the PC when it wants to install updates, which can lead to data loss if you have unsaved documents.

Active hours. Windows Update won’t restart your PC to install updates during active hours, which is configured to be between 7:00 am and 10:00 pm. This is likely a good schedule for most, but if you work evenings or odd hours, you may want to adjust it.

Delivery optimization. By default, Windows Update is configured to “allow downloads from other devices,” which seems like a good idea: One PC on your network could download available updates from Windows Update and then others could get those updates from the PC on the network instead of from Microsoft over the Internet. But in practice, this can cause bandwidth issues on your PCs, and so I recommend disabling this feature.

✅ Tip: If you’re familiar with the Win11Debloat utility I recommend elsewhere in this book, you can use it to make three of the four changes recommended above.

Keep apps up-to-date

As a Windows user, you will typically install apps from the web or from the Microsoft Store. Apps downloaded from the web typically have their own updating mechanisms and will often alert you when there is an update. And apps downloaded from the Store will typically update through the Store, though there are exceptions. Either way, you don’t have to think too much about app updates. They will occur automatically in the background, or apps will alert you when there’s a pending update.

That said, you may want to keep certain apps as up-to-date as possible. And in addition to using the Store to check for app updates when you first configure Windows 11, you may want to check manually from time-to-time as well. There are different ways to do so, only one of which is obvious.

Microsoft Store. You can check for app updates in the Microsoft Store app by navigating to Downloads and clicking “Check for updates.” Most apps with pending updates will update automatically, but in some cases, like Microsoft PowerToys, you will have to manually click an “Update” button to trigger an update.

Store CLI. Microsoft recently introduced a command line Store CLI app, store, that you can run from Terminal. Among its many uses, you can use this app to update an individual app or, better still, use the command store updates to update all apps with pending updates. These updates happen in the background, so you don’t have to babysit them in any way.

Windows Package Manager. Windows 11 includes another command line app, the Windows Package Manager, which can be used to install and update apps from the web and the Microsoft Store. To see all pending app updates across both sources, you can use the command winget update in Terminal. And to update them all at once, you can use winget –all –silent. (The –silent bit requires a Terminal window with administrator privileges.)

Because the Windows Package Manager offers the broadest coverage, I recommend using it to check for app updates when you want to make sure everything is as up-to-date as possible. I do this approximately once each week.