10 ways to boost Windows security


With Microsoft set to stop security updates for Windows 10 in October — unless you pay extra — security is top of mind for many businesses and individual users right now. And whether you’re planning on sticking with Windows 10 or you’ve already upgraded to Windows 11, there’s almost certainly more you can do to increase your PC’s security.

Here’s a look at some of the actual software tools you can use to make your system more secure — not basic behavioral advice like “don’t run sketchy software” or broad, theoretical tips on avoiding threats online. That’s all fine advice, but we’ve all seen it before. 

Instead, we’re going to dive deep into worthwhile tweaks and critical checks in the Windows software already on your PC. They’re simple steps that’ll make an immediate impact on your system’s security and the protection of your professional and/or personal data — and they’re right there just waiting to be used.


Windows security boost #1: Block bad apps

Windows can automatically block “potentially unwanted apps,” but it doesn’t do so by default. The phrase “potentially unwanted apps” is a euphemism for programs that aren’t technically malware or anything illegal, but they may do things you don’t want — like spy on you or show ads. Also called “potentially unwanted programs” or “PUPs,” they’ve been dubbed “malware with a legal team” — an obvious exaggeration, but not exactly wrong.

To ensure Windows is blocking these, launch the “Windows Security” app from the Start menu, select “App & browser control,” click “Reputation-based protection settings,” and ensure “Potentially unwanted app blocking” is set to “On.”

Windows can block annoying apps — but the setting isn’t on by default. (Image: Chris Hoffman, Foundry)

Windows security boost #2: Check your encryption

Modern Windows PCs automatically set up “Device Encryption” when you sign into them with a Microsoft account, ensuring someone who steals your laptop can’t get access to your private files. But, again, the option might not always be activated by default out of the box. To check whether your PC storage is encrypted, open the Start menu, search for “BitLocker,” and select “Manage BitLocker.”

The BitLocker page in the Control Panel will show if your PC’s storage is encrypted. (Image: Chris Hoffman, Foundry)

If you don’t see that your PC’s storage is securely encrypted with either Device Encryption or BitLocker, there are two possible explanations:

You’ve signed in with a local account and need to sign in with a Microsoft account to activate the Device Encryption feature on your PC.

You’re using an older PC that doesn’t support Device Encryption, and you need to pay for an upgrade to the Professional edition of Windows to activate the BitLocker feature.

For what it’s worth, Device Encryption is more of a “BitLocker light” experience without all the features, while BitLocker is the full-featured, more customizable disk encryption software. However, they’re built on the same underlying technology, and both will securely encrypt PC files. 

Read my BitLocker encryption guide for more information.
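The same check can be run from an elevated PowerShell prompt, which also shows a state the Control Panel page makes easy to miss: a drive that is encrypted but whose protection is off. This is an added example, not part of the original article; it assumes the BitLocker PowerShell module is present on the PC.

```powershell
#Requires -RunAsAdministrator
# Added example: report whether the Windows drive is encrypted AND protected.
# Assumes the BitLocker module (Get-BitLockerVolume) is available on this PC.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

# Key protector types present on the volume (Tpm, RecoveryPassword, ...).
$protectors = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

$finding = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    'NOT ENCRYPTED: turn on Device Encryption or BitLocker.'
}
elseif ($vol.ProtectionStatus -ne 'On') {
    # Encrypted data, but the key is stored in the clear. This is what a PC
    # looks like while Device Encryption is waiting for a Microsoft account
    # sign-in, or while BitLocker protection is suspended.
    'ENCRYPTED BUT UNPROTECTED: finish activation or resume protection.'
}
elseif ($protectors -notcontains 'RecoveryPassword') {
    'Protected, but no recovery password exists. Add one and store it safely.'
}
else {
    'OK: encrypted, protection on, recovery password present.'
}

[pscustomobject]@{
    Drive            = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    EncryptionMethod = $vol.EncryptionMethod
    PercentEncrypted = $vol.EncryptionPercentage
    KeyProtectors    = $protectors -join ', '
    Finding          = $finding
} | Format-List
```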

Windows security boost #3: Consider your syncing setup

On both Windows 10 and 11, Microsoft wants OneDrive to automatically sync folders such as your Desktop, Documents, and Pictures folders. Their contents will be stored in your Microsoft account online and synced between your PCs.

That can be convenient, but depending on the data you work with, you might not want to sync it to your Microsoft account. It’s a matter of data security — especially within organizations, which often want to maintain close control over corporate data.

To control exactly what OneDrive is doing on your PC and what it’s syncing, consult my guide to taming OneDrive on Windows.

Windows security boost #4: Turn off less secure sign-ins

Windows normally lets you sign in by typing your password. If you use a Microsoft account, that same password will be your Microsoft account’s online password. If you have a PC with Windows Hello biometric sign-in support — a fingerprint reader, facial recognition, or both — you can turn off password sign-ins and opt to sign in only with those more secure biometric methods.

To do this, head to Settings > Accounts > Sign-in options. Under Additional settings, activate “For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device.”

Once that’s done, if someone else does gain access to your PC, they won’t be able to sign into it — even if they’ve captured your Microsoft account password. For optimal security, beyond that, be sure to use a long PIN and avoid typing it in public. (Your PC will enforce a limit on how often people can guess the PIN, so it doesn’t have to be uncrackable — just hard to guess.)

Windows security boost #5: Activate ransomware protection

Ransomware literally holds your files for ransom. The malware encrypts your files and prevents you from accessing them until you pay up — often with Bitcoin or another cryptocurrency.

To prevent ransomware from running roughshod over your files, Windows has a “Controlled folder access” feature that will keep questionable-looking apps from tampering with your Documents, Pictures, Music, and Video folders. It’s designed to let friendly apps through, but it might block apps you use and require you to let them through manually. However, it will still provide extra protection — if you’re willing to accept a little bit of extra configuration and the occasional extra bit of hassle.

Here’s what you need to know about Controlled folder access — and how to set it up.
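The settings from boosts #1 and #5 can also be read and changed from an elevated PowerShell prompt with the Defender cmdlets. This is an added example, not part of the original article; it assumes Microsoft Defender is the active antivirus, and starting Controlled folder access in audit mode is a choice made here so you can see which of your apps would be blocked before enforcing it.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and enable the Defender settings behind boosts #1 and #5.
# Assumes Microsoft Defender Antivirus is the active antivirus product.

# Get-MpPreference reports both settings as 0 = Disabled, 1 = Enabled, 2 = Audit.
$modes = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$pref  = Get-MpPreference

[pscustomobject]@{
    PUAProtection          = $modes[[int]$pref.PUAProtection]
    ControlledFolderAccess = $modes[[int]$pref.EnableControlledFolderAccess]
} | Format-List

# Apps already allowed to write to protected folders (empty if none).
$pref.ControlledFolderAccessAllowedApplications

# Turn on Defender's blocking of potentially unwanted apps.
Set-MpPreference -PUAProtection Enabled

# Start Controlled folder access in audit mode: nothing is blocked, but every
# write that would have been blocked is logged as event ID 1124.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# After a few days of normal use, review what would have been blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List

# Allow a trusted program that showed up in the audit (hypothetical path),
# then switch from audit mode to enforcement.
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleApp\example.exe'
# Set-MpPreference -EnableControlledFolderAccess Enabled
```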

Windows security boost #6: Double-check Office updates

Do you use Microsoft Office? If so, you should ensure it’s getting security updates. I’ve noticed many people end up with outdated versions of Office that are no longer getting security updates — sometimes because they (or someone) turned off the Office updates without realizing the implications. It’s important to protect Office from threats that could arrive via malicious downloaded documents, so that’s not an advisable move.

To confirm that your Office setup is in good shape, open an Office app (like Word), click “File,” and click “Account” at the bottom left corner of the window. Look at the Update Options button at the right side of the window and ensure it says “Updates are automatically downloaded and installed” — if not, you can click “Update options” to activate automatic updates.

If you’re using an outdated version of Office, it won’t warn you — it’ll just stop downloading security updates. (Image: Chris Hoffman, Foundry)

You should also look at the name of your Office product at the top of the window in this same area. If it says you’re using “Microsoft 365,” then you’re using Microsoft’s subscription-based version of Office that will always get updates.

If it says a specific version (like Office 2021), be sure to consult the end of support table on Microsoft’s website for more information. (As of now, Office 2016 and Office 2019 are set to be phased out in October 2025, while Office 2021 has until October 2026. Office 2024 has until October 2029.)

Windows security boost #7: Check whether your apps are current

Windows apps don’t necessarily always update themselves with security updates. It’s one of the big security challenges on Windows, and it forces many organizations to roll their own software update strategies to monitor and deliver security patches. While Microsoft is finally moving toward fixing this, it’s still a problem.

First, ensure apps managed by the Store app are actively receiving updates. Launch the Store from the Start menu, click your profile picture, and click “Settings.” Ensure the “App updates” option is set to “On.” (Even if you don’t use the Store, many apps included with Windows can still be updated using it.)

Second, check to see whether you have vulnerable, out-of-date apps installed. You can use tools like the winget command built into Windows, the slick UniGetUI tool for it, or Patch My PC’s free Home Updater tool.

Windows security boost #8: Activate isolation

Windows has a variety of low-level system hardening features that will make the Windows system kernel — the core part of Windows — harder to exploit. They should work well with modern PCs, and many of them may be activated automatically, depending on how old your computer is. In general, if you aren’t using extremely old hardware drivers or other low-level software, they should just work — and boost your PC’s security.

To activate them or confirm that they’re active, open the Windows Security app from your Start menu. Click “Device security” and then “Core isolation details.” (This is available on both Windows 10 and 11, but you might not see it, or you might see different features — it depends on the specifics of your PC and what its hardware supports.)

The options you see on the Core isolation settings screen will depend on your PC’s hardware. (Image: Chris Hoffman, Foundry)

When you activate any one of these security features, Windows will check to see whether it will work well on your system. If it won’t — for example, if you have an old hardware driver that doesn’t work properly with one of these features — Windows will generally spot the problem and turn the feature off automatically.
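To confirm from PowerShell what is actually running rather than merely switched on, you can query the Device Guard WMI class that sits behind the Core isolation page. This is an added example, not part of the original article; the value meanings follow Microsoft's documentation for Win32_DeviceGuard, and Resolve-Service is a helper name made up for this example.

```powershell
# Added example: compare which virtualization-based security services are
# configured with which are actually running. Run from an elevated prompt.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$services = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)' }

# Hypothetical helper: turn the numeric service IDs into readable names.
function Resolve-Service($ids) {
    @($ids | Where-Object { $_ -ne 0 } | ForEach-Object {
        if ($services.ContainsKey([int]$_)) { $services[[int]$_] }
        else { "Service $_" }
    })
}

$configured = Resolve-Service $dg.SecurityServicesConfigured
$running    = Resolve-Service $dg.SecurityServicesRunning

# Anything configured but not running is switched on in settings yet is not
# protecting the kernel right now, for example because a restart is pending.
$stalled = @($configured | Where-Object { $running -notcontains $_ })

[pscustomobject]@{
    VirtualizationBasedSecurity = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    Configured                  = $configured -join ', '
    Running                     = $running -join ', '
    ConfiguredButNotRunning     = $stalled -join ', '
} | Format-List
```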

Windows security boost #9: Start sandboxing

While it’s always a good idea to avoid sketchy software, let’s say you do want to run a program without giving it too much access to your system. In any such scenario, I recommend using the Windows Sandbox — a feature that requires the Professional edition of Windows 10 or 11.

The Windows Sandbox creates a temporary Windows environment within Windows, letting you run software without giving it access to the rest of your files and hardware. To activate it — assuming you have the right edition of Windows — open the “Turn Windows features on or off” tool from the Start menu and install the “Windows Sandbox” feature.

Since this does require the Professional edition of Windows, many people and organizations won’t have access to it. You can always install Windows in a virtual machine like VirtualBox, too, and run software in there as an alternative.
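Windows Sandbox can also be enabled from PowerShell and started from a .wsb configuration file that tightens its defaults. This is an added example, not part of the original article; the folder C:\SandboxInbox and the file name isolated.wsb are hypothetical choices, and the configuration cuts the sandbox off from the network and shares one host folder read-only.

```powershell
#Requires -RunAsAdministrator
# Added example: enable Windows Sandbox, then launch it with a locked-down
# configuration. $inbox and $wsb are hypothetical paths chosen for this example.
$name    = 'Containers-DisposableClientVM'   # feature name of Windows Sandbox
$feature = Get-WindowsOptionalFeature -Online -FeatureName $name
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName $name -All -NoRestart
    Write-Warning 'Windows Sandbox was just enabled. Restart, then run this again.'
    return
}

$inbox = 'C:\SandboxInbox'                    # put the program to test here
$wsb   = Join-Path $env:TEMP 'isolated.wsb'
New-Item -ItemType Directory -Path $inbox -Force | Out-Null

# No network, no virtual GPU, no shared clipboard, and the only host folder
# visible inside the sandbox is mapped read-only.
@"
<Configuration>
  <Networking>Disable</Networking>
  <VGpu>Disable</VGpu>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$inbox</HostFolder>
      <SandboxFolder>C:\Inbox</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
"@ | Set-Content -Path $wsb -Encoding UTF8

# Opening the .wsb file starts Windows Sandbox with this configuration.
Start-Process -FilePath $wsb
```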

Windows security boost #10: Consider tighter protection settings

Many years ago, I recommended installing exploit-protection software like Microsoft’s EMET (Enhanced Mitigation Experience Toolkit) or Malwarebytes Anti-Exploit. These days, it generally isn’t necessary; Windows has integrated its own native anti-exploit protection to provide your programs with extra protection from attacks.

To see these settings, you can open the Windows Security app from the Start menu, click “App & browser control,” and click “Exploit protection settings.”

Almost everything there should be turned on by default. If you want some extra security, you could activate “Force randomization for images (Mandatory ASLR).” However, this could cause problems with some old programs, so you’ll probably want to skip it.

I recommend leaving it alone — and feeling secure that anti-exploit protection is now part of Windows and the type of thing you don’t have to hunt down separately, just like antivirus software.
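To review the same system-wide settings without clicking through the app, the ProcessMitigations cmdlets built into Windows report them directly. This is an added example, not part of the original article; the backup file name and example.exe are hypothetical, and the commented-out last line shows Mandatory ASLR applied to a single program instead of system-wide, which limits the compatibility risk mentioned above.

```powershell
#Requires -RunAsAdministrator
# Added example: list the system-wide exploit-protection settings shown under
# "Exploit protection settings". Each value is ON, OFF or NOTSET, where NOTSET
# means "use the Windows default" (on for everything here except Mandatory ASLR).
$sys = Get-ProcessMitigation -System

$settings = [ordered]@{
    'Control flow guard (CFG)'             = $sys.CFG.Enable
    'Data Execution Prevention (DEP)'      = $sys.DEP.Enable
    'Mandatory ASLR (ForceRelocateImages)' = $sys.ASLR.ForceRelocateImages
    'Bottom-up ASLR'                       = $sys.ASLR.BottomUp
    'High-entropy ASLR'                    = $sys.ASLR.HighEntropy
    'Validate exception chains (SEHOP)'    = $sys.SEHOP.Enable
    'Validate heap integrity'              = $sys.Heap.TerminateOnError
}

$settings.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Mitigation = $_.Key
        Setting    = [string]$_.Value
        # Flag only settings someone has explicitly switched off.
        Review     = if ([string]$_.Value -eq 'OFF') { 'explicitly disabled' } else { '' }
    }
} | Format-Table -AutoSize

# Save the current configuration before changing anything (hypothetical path).
Get-ProcessMitigation -RegistryConfigFilePath (Join-Path $env:TEMP 'exploit-protection-backup.xml')

# Mandatory ASLR for one program only (hypothetical executable name):
# Set-ProcessMitigation -Name 'example.exe' -Enable ForceRelocateImages
```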
