How to Strengthen Windows 10/11 Security: A Step-by-Step Guide

Introduction / Why This Is Needed

Hackers search for new vulnerabilities in operating systems every day. As the most widespread OS, Windows is a prime target. Weakened security on your PC can lead to stolen passwords, banking data, file encryption by ransomware, or your computer being used in botnets.

This guide requires no special knowledge. You will configure built-in, yet often overlooked, security features in Windows 10 and 11 that deliver 80% of the results with minimal effort. After completing these steps, your computer will be significantly more resilient to common attacks.

Requirements / Preparation

Before you begin, ensure that:

1. You have a stable internet connection for downloading updates and antivirus definitions.
2. You are logged in with administrator privileges.
3. Your PC has a supported version of Windows 10 (20H2+) or Windows 11.
4. Important data has been backed up to an external drive or cloud storage (just in case).

Step-by-Step Instructions

Step 1: Install the Latest Windows Updates

Updates are not just about new features; they are also patches for security holes. Microsoft regularly releases fixes for discovered vulnerabilities.

1. Press Win + I to open Windows Settings.
2. Navigate to Update & Security → Windows Update.
3. Click the Check for updates button.
4. Wait for the search to complete and install all found updates, including optional updates (link at the bottom of the window).
5. Restart your computer, even if the system doesn't prompt you immediately. Some security updates only apply after a reboot.

💡 Tip: Enable automatic updates. In the same section, click "Advanced options" and ensure the "Automatically update" option is enabled.

Step 2: Configure Microsoft Defender Antivirus

The built-in antivirus (Microsoft Defender) has become very effective. The key is to ensure it is active and configured correctly.

1. In the Start menu, begin typing "Windows Security" and open the app.
2. In the "Virus & threat protection" section, check the status:
   • Real-time protection — must be enabled (green checkmark).
   • Cloud-delivered protection and Automatic sample submission — enable these for faster response to new threats.
3. Click "Scan options" and select "Full scan". This process can take from 30 minutes to several hours, but it will check all files on your computer. Run it once a month.
4. In the "Manage settings" section, ensure the option "Scan apps even if they are on the allowed list" is active. This adds an extra layer of control.

Step 3: Check and Configure Windows Defender Firewall

The firewall monitors incoming and outgoing network connections, blocking unauthorized access.

1. In the "Windows Security" app, go to "Firewall & network protection".
2. For each network type (Domain, Private, Public), ensure the firewall is on (green bar).
3. Click "Allow an app through firewall".
4. In the window that opens, review the program list. Checkmarks should be present for well-known programs (browsers, messengers). Do not remove checkmarks from programs you don't recognize.
5. If you are running a server (e.g., for development) or a game that requires open ports, add a rule manually via the "Advanced settings" link. Do not open ports without understanding the purpose.

Step 4: Enable and Configure User Account Control (UAC)

UAC is that pop-up screen that asks for confirmation before installing a program or changing system settings. Disabling it is a common mistake.

1. Open Control Panel (find it in the Start menu).
2. Go to "User Accounts" → "Change User Account Control settings".
3. Do not set the slider to "Never notify". The recommended setting is the second or third level from the bottom (the default). This means you will only be notified when programs try to make changes to your system.
4. Click OK.

Step 5: Use a Standard User Account for Daily Work

Working from an account with administrator privileges all the time is poor practice. Any malware you accidentally run will gain full control over your system.

1. Open Settings (Win + I) → "Accounts" → "Family & other users".
2. Click "Add someone else to this PC".
3. Follow the prompts to create a new local account (not a Microsoft account, unless you want to link it). Give it a name, like User.
4. After creating the account, click on the new account and select "Change account type". Set it to "Standard User".
5. Sign out of your current account (Start → Avatar → Sign out) and sign in to the newly created standard account.
6. For administrative tasks (installing software, modifying system files) right-click on the program or file and select "Run as administrator".

Step 6: Enable and Configure BitLocker Drive Encryption (If Available)

BitLocker encrypts all data on the drive, rendering it useless if your laptop is physically stolen or the drive is removed.

1. Open Settings (Win + I) → "Update & Security" → "Device encryption" (BitLocker).
2. If the option is available, click "Turn on BitLocker" for the system drive (usually C:).
3. Choose how to unlock the drive at startup (with a password or a USB key). For laptops, "Enter a PIN at startup" is often the best choice.
4. Save your recovery key. This is the most important step! Save it to your Microsoft account, a USB drive, or print it. Without this key, you will permanently lose access to your data if the system fails.
5. Start the encryption process. It will take anywhere from a few minutes to several hours, depending on the drive size. You can use the computer during encryption, but performance may be slightly reduced.

Verification

Ensure all systems are operational:

1. Updates: Settings → Update & Security. The message should read "You're up to date" or similar.
2. Antivirus: Launch the "Windows Security" app → "Virus & threat protection". The status should be "Your device is being protected".
3. Firewall: In the same app → "Firewall & network protection". All network types should show "On".
4. UAC: Try running any text editor (Notepad) as an administrator and attempt to save a file in the system folder C:\Windows. A UAC prompt should appear.
5. BitLocker: In Settings, in the BitLocker section, the status should be "BitLocker on".

Potential Issues

• Update installation error (code 0x8007045D and similar): Often resolved by running "Troubleshoot" (Settings → Update & Security → Troubleshoot → Additional troubleshooters). You can also manually clear the C:\Windows\SoftwareDistribution folder (requires administrator rights).
• Antivirus conflicts: Do not run Microsoft Defender and a third-party antivirus simultaneously. When a third-party solution is installed, Defender should disable itself automatically. If it doesn't, manually turn off real-time protection in Defender's settings.
• BitLocker not offered: This feature is only available in Windows Pro, Enterprise, and Education editions. It is not included in the Home edition. You can use third-party encryption tools (like VeraCrypt) instead, but they are more complex.
• No network access after configuring the firewall: If you created a rule for a specific application (e.g., a file manager) and lost network access, open "Windows Defender Firewall with Advanced Security" and check the Outbound Rules. Ensure outbound connections are allowed for your application.