Author Topic: Windows 11 security: How to protect your home and small business PCs 1/1  (Read 496 times)

Offline javajolt

The best time to start thinking about security for the PCs on your network is right now.

When it comes to security at home and in your small business, you're on your own. Large businesses typically have dedicated IT staff tasked with ensuring the security of a corporate network and preventing outsiders from stealing data or planting ransomware. You have ... yourself.

The worst time to start thinking about security for the PCs on your network is after you've experienced a catastrophic incident. The best time is right now, which is why we've put this guide together.

Following the steps we lay out here should help you understand which security issues are most important and, based on that knowledge, to establish a security baseline. This isn't a set-it-and-forget-it task, unfortunately. Online attackers are determined, and the threat landscape is constantly evolving. Maintaining effective security requires continued vigilance and ongoing effort.

In this guide, we focus on more than just the Windows 11 device itself, because many of the threats come from outside. To stay secure, you need to pay close attention to network traffic, email accounts, authentication mechanisms, and unsophisticated users.

This guide focuses primarily on the needs of PC owners managing Windows 11 PCs in a home or small business environment, without full-time IT staff. For installations where you're required to connect to a business network, you'll need to coordinate your personal security configuration with corporate policies. In some cases, device management policies will prevent you from adjusting some settings.

Before you touch a single Windows setting, though, take some time for a threat assessment. In particular, be aware of your legal and regulatory responsibilities in the event of a data breach or other security-related event. Even small businesses can be subject to compliance requirements; if that applies to you, consider hiring a specialist who knows your industry and can ensure that your systems meet all applicable requirements.

Where can I get an overview of Windows 11 security?

☑ Monitor the Windows Security app regularly

In Windows 10, Microsoft introduced the Windows Security app, which consolidates security settings and status information into a single location. The Windows 11 version of this app adds some features and should be a regular part of your security monitoring.

From this starting point, you can inspect (and adjust) settings for antivirus and antimalware software, device security, firewall, and network protection, and other crucial security options. Green checkmarks indicate there are no issues that need immediate attention. Yellow and red icons indicate security issues that need to be addressed.

When visiting an app like this, the natural temptation is to click every category and turn on every option you see. Resist that urge, especially in the Exploit Protection section. Changes you make here can have unintended consequences in everyday activities, especially with older apps. The default settings should be adequate for most systems. If you choose to make changes here, do so gradually, and don't make any additional changes until you're certain that the previous adjustments worked as expected.

What's the best way to keep Windows 11 up to date?

☑ Set an installation/deferral policy for security updates

The single most important security setting for any Windows 11 PC is ensuring that updates are being installed on a regular, predictable schedule. That's true of every modern computing device, of course, but the "Windows as a service" model that Microsoft introduced with Windows 10 changes the way you manage updates.

Before you begin, though, it's important to understand the different types of Windows updates and how they work.

   • Quality updates are delivered monthly through Windows Update on the second Tuesday of each month. They address security and reliability issues and do not include new features. (These updates also include patches for microcode flaws in Intel processors.) For particularly severe security issues, Microsoft might choose to release an out-of-band update that is not tied to the normal monthly schedule.

All quality updates are cumulative, so you no longer have to download dozens or even hundreds of updates after performing a clean install of Windows 11. Instead, you can install the latest cumulative update and you will be completely up to date.

   • Feature updates are the equivalent of what used to be called version upgrades. They include new features and require a multi-gigabyte download and a full setup. Microsoft's current policy is to release one Windows 11 feature update per year, in the second half of the year. Feature updates are delivered through Windows Update and are not installed automatically unless the current version has reached the end of its support lifecycle.

Using default settings, Windows 11 downloads and installs quality updates shortly after they're made available on Microsoft's update servers. On devices running Windows 11 Home, there's no supported way to specify exactly when these updates are installed; on PCs running business editions of Windows 11 (Pro, Enterprise, or Education), you can use Group Policy settings to automatically defer installation of quality updates on PCs by up to 30 days after their release. Regardless of what edition is installed, users can manually pause all updates for up to five weeks.

As with all security decisions, choosing when to install updates involves a trade-off. Installing updates immediately after they're released offers the best protection; deferring updates makes it possible to minimize unscheduled downtime associated with those updates.

Using the Windows Update for Business features built into Windows 11 Pro, Enterprise, and Education editions, you can defer installation of quality updates by up to 30 days. You can also delay feature updates by as much as two years, depending on the edition.

Deferring quality updates by 7 to 15 days is a low-risk way of avoiding the possibility of installing a flawed update that can cause stability or compatibility problems. In Windows 11, the only way to adjust Windows Update for Business settings is by using the Local Group Policy Manager (Gpedit.msc); the relevant policies are in Computer Configuration > Administrative Templates > Windows Components > Windows Update.
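As an added example (not part of the original article), the following PowerShell script applies the 7-to-15-day quality-update deferral described above by writing the same policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate that the Group Policy Editor sets, then reads them back for verification. It assumes a business edition of Windows 11 and an elevated prompt; the feature-update deferral of 180 days is an assumed example value.

```powershell
# Added example (not from the article): apply the quality-update deferral the text
# recommends by writing the policy registry values that the Local Group Policy Editor
# sets under Computer Configuration > Administrative Templates > Windows Components >
# Windows Update. Business editions only (Pro/Enterprise/Education); run elevated.
#Requires -RunAsAdministrator

param(
    [ValidateRange(0, 30)]  [int] $QualityDeferDays = 10,   # article suggests 7 to 15 days
    [ValidateRange(0, 365)] [int] $FeatureDeferDays = 180   # assumed value for the annual feature update
)

# Windows 11 Home has no supported way to set these policies, so bail out there.
$edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
if ($edition -match 'Home') {
    Write-Warning "Windows Update for Business policies are not supported on '$edition'; nothing changed."
    return
}

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (-not (Test-Path -Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# Quality (monthly cumulative) updates: turn deferral on and set the window in days.
Set-ItemProperty -Path $policyKey -Name 'DeferQualityUpdates'              -Type DWord -Value 1
Set-ItemProperty -Path $policyKey -Name 'DeferQualityUpdatesPeriodInDays'  -Type DWord -Value $QualityDeferDays

# Feature (annual version) updates: same pattern with a longer window.
Set-ItemProperty -Path $policyKey -Name 'DeferFeatureUpdates'              -Type DWord -Value 1
Set-ItemProperty -Path $policyKey -Name 'DeferFeatureUpdatesPeriodInDays'  -Type DWord -Value $FeatureDeferDays

# Read back what is now in effect so the change can be verified now and audited later.
Get-ItemProperty -Path $policyKey |
    Select-Object DeferQualityUpdates, DeferQualityUpdatesPeriodInDays,
                  DeferFeatureUpdates, DeferFeatureUpdatesPeriodInDays |
    Format-List
```

Running `gpedit.msc` afterwards shows the corresponding "Select when Quality Updates are received" policy as Enabled with the same day count.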

On enterprise networks, administrators can manage updates using Group Policy or mobile device management (MDM) software. Updates can also be managed centrally using a management tool such as System Center Configuration Manager or Windows Server Update Services.

Finally, your software update strategy shouldn't stop at Windows itself. Make sure that updates for Windows applications, including Microsoft Office and Adobe applications, are installed automatically.

How do I configure user accounts for maximum security?

☑ Sign in using a Microsoft account with multi-factor authentication

☑ Create standard accounts for inexperienced users

☑ Install a password manager for every user

☑ Set up multi-factor authentication on all online accounts

☑ For home PCs, consider setting up family safety features

Microsoft sparked controversy with its decision to require a Microsoft account when setting up a PC with Windows 11 Home edition for the first time. I've also seen some online angst over the recent announcement that Microsoft plans to extend that requirement to Windows 11 Pro machines set up for personal use.

If you already have a personal Microsoft account tied to services like Microsoft 365 Home or Family or an Xbox Live account, signing in with a Microsoft account makes it easy to access your Office apps, OneDrive storage, and online gaming.

Even if you have no Microsoft services, however, there's a solid security benefit behind that design decision. When you sign in with a Microsoft account, the system drive is encrypted by default, and the recovery key is backed up to a secure location, accessible by signing in to that Microsoft account. That minimizes the risk that a forgotten password can lead to catastrophic data loss.

If you don't use Microsoft services, feel free to create a brand-new Microsoft account on the fly, as part of the setup process, and use that new account exclusively for signing in to Windows 11. You get the benefits of full system disk encryption, multi-factor authentication, and (if you choose to use it) 5 GB of OneDrive storage, at no extra cost. Just think of it as a local account whose username has @microsoft.com on the end.

If you're still determined to use a local account, set up using a throwaway Microsoft account first, and then make the switch to a local account. Just be aware that doing so means you'll also have to find a different encryption option, and you won't have any recovery mechanism if you forget your sign-in credentials.

With all that out of the way, do the following as well:

   • Set up multi-factor authentication for your Microsoft account. (You'll find full instructions here: "How to lock down your Microsoft account and keep it safe from outside attackers.")

   • Create standard accounts for other users (and even for yourself). Your primary account, by default, has administrator privileges. If other people (employees or family members) use the same PC, give them standard accounts that are unable to change system settings or install untrusted software without your approval. You can also give yourself a standard account for everyday use, but that's a needless precaution that will simply force you to type in a password instead of clicking OK to a User Account Control dialog box.

   • Install a password manager and make sure all your online accounts have strong, unique login credentials.

   • Set up multi-factor authentication for online accounts wherever it's available. (See "Multi-factor authentication: How to enable 2FA to step up your security.")

For PCs at home, set up children's access using standard accounts and consider setting up the family safety features in Windows 11. You can use those options to set authorized times for young people to be online and to help keep them from straying into unsavory corners of the internet. You'll find all the links you need in the Windows Security app.
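As an added example (not part of the original article), this PowerShell script audits which accounts on the PC hold administrator rights and creates a standard account for another user, as the checklist above recommends. It assumes the built-in LocalAccounts module on Windows 11 and an elevated prompt; the new account name is a placeholder.

```powershell
# Added example (not from the article): list who has administrator rights on this PC,
# list the standard accounts, and create a new standard (non-admin) account.
# Assumes the LocalAccounts module shipped with Windows 10/11; run elevated.
#Requires -RunAsAdministrator

$computer = $env:COMPUTERNAME
$admins   = Get-LocalGroupMember -Group 'Administrators'

Write-Host "Accounts with administrator rights on $($computer):"
foreach ($m in $admins) {
    # Local accounts show as COMPUTER\name, Microsoft accounts as MicrosoftAccount\user@example.com.
    Write-Host ("  {0,-45} {1}" -f $m.Name, $m.PrincipalSource)
}

# Enabled local users that are NOT in Administrators are the standard accounts.
# Compare by SID, because a Microsoft-account user's local name is a truncated form of the e-mail.
$adminSids = $admins | ForEach-Object { $_.SID.Value }
$standard  = Get-LocalUser | Where-Object { $_.Enabled -and ($_.SID.Value -notin $adminSids) }
Write-Host "`nStandard (non-admin) enabled accounts: $($standard.Name -join ', ')"

# The article says other people using the PC should get standard accounts, so flag extra
# local admins. The built-in Administrator (RID 500) is disabled by default and is excluded.
$extraLocalAdmins = $admins | Where-Object {
    $_.PrincipalSource -eq 'Local' -and $_.SID.Value -notlike '*-500'
}
if (@($extraLocalAdmins).Count -gt 1) {
    Write-Warning 'More than one local account has admin rights; consider making the extras standard accounts.'
}

# Create a standard account for a family member or employee (name is a placeholder).
# New-LocalUser does not add the account to any group; membership in 'Users' (and not
# 'Administrators') is what makes it a standard account.
$newUser = 'standard-user-placeholder'
if (-not (Get-LocalUser -Name $newUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Password for $newUser" -AsSecureString
    New-LocalUser -Name $newUser -Password $pw -Description 'Standard account (no admin rights)' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $newUser
}
```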

How do I keep Windows 11 hardware secure?

☑ Check the status of your TPM

☑ Ensure that Secure Boot is enabled

☑ Turn on Windows Hello, using biometric authentication if it's available

Microsoft's hardware compatibility rules for Windows 11 upped the security game for PCs, although not without controversy. Previously, the governing principle for every new Windows version involved maximum backward compatibility, with even 10-year-old PCs being eligible to install the new operating system.

That all changed with Windows 11. For the first time ever, the official hardware specifications were (a) dramatically increased from the previous version and (b) applied not just to new hardware from PC makers but also to upgraders.

The biggest change is the requirement for a Trusted Platform Module (TPM) version 2.0, along with the requirement to enable Secure Boot (a feature that uses cryptographic signatures to ensure that a device boots with an operating system that hasn't been tampered with). (If you're willing to make a few registry edits, you can install Windows 11 on a PC with an older TPM version and an unsupported CPU. For details, see this Microsoft support document: "Ways to install Windows 11.")

From the Device Security page in the Windows Security app, you can check both of these settings. If you see entries for Security Processor and Secure Boot, you're good to go. If one or both of those entries are missing, you'll need to go into the device's firmware settings to re-enable the setting. Although there are advanced configurations in which you might need to disable Secure Boot for troubleshooting purposes, it's best to leave this setting alone.

Finally, set up a Windows Hello PIN and enable biometric authentication if your device has a fingerprint reader or an infrared camera that supports facial recognition.
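As an added example (not part of the original article), the following read-only PowerShell script checks the items in this section from the command line: TPM presence and spec version, Secure Boot, BitLocker protection on the system drive with a backed-up recovery password, and whether a biometric device for Windows Hello is present. It assumes Windows 11 with the built-in TrustedPlatformModule, SecureBoot, BitLocker and PnpDevice modules, run from an elevated prompt.

```powershell
# Added example (not from the article): a read-only hardware security check for the
# items discussed above. Assumes Windows 11 built-in modules; run elevated.
#Requires -RunAsAdministrator

$findings = [ordered]@{}

# TPM: presence and readiness from Get-Tpm; the spec version comes from the Win32_Tpm
# WMI class, whose SpecVersion reads like "2.0, 0, 1.38" (Windows 11 requires 2.0).
$tpm     = Get-Tpm
$tpmInfo = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$specMajor = if ($tpmInfo) { ($tpmInfo.SpecVersion -split ',')[0].Trim() } else { 'unknown' }
$findings['TPM present and ready'] = ($tpm.TpmPresent -and $tpm.TpmReady)
$findings['TPM spec version 2.0']  = ($specMajor -eq '2.0')

# Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines, which counts as "not enabled".
try   { $findings['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $findings['Secure Boot enabled'] = $false }

# Device encryption: BitLocker protection on the system drive, plus a recovery-password
# protector (the key that a Microsoft account sign-in backs up for you).
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$findings['System drive encrypted']      = ($null -ne $vol -and $vol.ProtectionStatus -eq 'On')
$findings['Recovery password protector'] = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

# Windows Hello biometrics: a working fingerprint reader or IR camera appears in the Biometric class.
$findings['Biometric device present'] = [bool](Get-PnpDevice -Class Biometric -Status OK -ErrorAction SilentlyContinue)

# Report in the same green/red spirit as the Device Security page of the Windows Security app.
foreach ($item in $findings.Keys) {
    $ok    = [bool]$findings[$item]
    $tag   = if ($ok) { 'OK ' } else { 'FIX' }
    $color = if ($ok) { 'Green' } else { 'Red' }
    Write-Host ('[{0}] {1}' -f $tag, $item) -ForegroundColor $color
}
```

Any line marked FIX points at a firmware setting (TPM, Secure Boot) or a Windows setting (device encryption, Windows Hello) to revisit; the script changes nothing itself.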

« Last Edit: March 25, 2022, 12:44:08 PM by javajolt »