
Jun 29, 2023

Windows 11: How to improve your security and privacy

Microsoft has made a big deal about the increased security in Windows 11. According to Microsoft, the surprisingly high system requirements that prevented many users with even fairly new computers from installing Windows 11 are mainly due to security features. So what’s the deal and how can you make sure you benefit from it?

In this article, we provide the answers and show you how to better protect your privacy — both from Microsoft and others. The more our lives are lived digitally, the more important it is.

Many of Windows 11’s system requirements relate to security features that have been around for years in Windows 10 but few outside of corporate IT departments paid attention to. Some of these won’t turn on automatically if you update from Windows 10, but will be enabled on all new computers sold directly with Windows 11. Some are very sensible and don’t affect your computer’s performance at all, while others can have a negative impact and we’ll show you below how to turn them off if you value performance more.

To install Windows 11 on your PC at all, it needs a modern processor (Intel 8th-generation or AMD Ryzen 3000 or newer) and two security features: Secure Boot and a so-called trusted platform module (TPM).

Secure Boot has been around for many years, but most PC users haven’t had it running because it hasn’t been compulsory, and mostly felt like an unnecessary hassle. The feature is part of UEFI, the modern replacement for BIOS. It allows the computer’s basic software to detect — and stop — a modified operating system by checking its cryptographic signatures.

Enabling Secure Boot effectively stops sneaky malware that, for example, installs itself under Windows as a so-called bootkit and can covertly read everything that happens on the system. You enable Secure Boot in your computer’s BIOS settings, but activating it is not actually a requirement for installing or running Windows 11 — the requirement is for the computer to be able to use Secure Boot.

TPM, on the other hand, is a requirement for installing and running the new system. There are ways around it, but Microsoft warns that you may miss out on future updates. It’s also unlikely that the TPM requirement is the only thing preventing you from installing Windows 11, as almost all Intel and AMD processors from 2013 onwards have a built-in TPM module.

Brad Chacos/IDG

Unlike Secure Boot, whose benefits are a bit more esoteric, it’s clearer why TPM is a great idea. The basic functions of TPM are the secure storage of encryption keys, certificates and the like, and the secure creation and control of new keys. For example, it could be the encryption key for Bitlocker that secures all data on your hard drive, or the encryption key used with Windows Hello for quick login with PIN or facial recognition. Third-party applications like Firefox and Chrome also use TPM if it’s present, even in Windows 10.

This works much like Apple’s “secure enclave” that has protected the iPhone and iPad for many years, and similar features in mobile processors from Qualcomm, Samsung and other manufacturers.

With a TPM enabled, Windows and individual programs that need to generate encryption keys can ask the TPM to do so. The generated keys are only stored there and can never be extracted or copied to other locations. This is much more secure than when keys are generated by the regular processor because a Trojan or other malware could theoretically intercept such keys.


A good example of how TPM protects you is Windows Hello. In Windows 11, Microsoft recommends that you use a Microsoft account and turn off sign-in with the account password so that you can only sign in with Windows Hello — normally a PIN, but you could also use facial recognition or a fingerprint scanner.

Let’s say you are hit by malware with a keylogger that captures everything you type on your keyboard. This includes your PIN, but because the PIN is linked to an encryption key on this particular computer, the malware creators will not be able to log in to your Microsoft account on another machine. If you had logged in with your account password instead, you would have been left with only two-factor authentication to protect you from a hacked account.

Further reading: Here’s where to buy a TPM for Windows 11

The hardware requirement that is really behind Windows 11 requiring such a new computer is something called virtualization-based security or VBS. This means that the system uses the ability of modern processors to run code in virtual machines with their own separate parts of working memory.

Virtualization was first used to run other operating systems inside Windows or another system so that you can, for example, test software or run a program that doesn’t work on your regular system. A common example is Mac users running Windows with a virtual machine to access Windows-specific programs.

Virtualization-based security uses the same techniques to separate certain parts of Windows so that other parts of the system cannot access them. It consists of several different components, some of which are only available in the enterprise versions of Windows and not in the Home version.

Open Windows Security and select Device Security. If VBS is active, you will see a green tick next to Core isolation and it says “virtualization-based security protects the core parts of your device.” Click on the Core isolation information and you’ll be taken to a submenu where you can enable or disable something called Memory Integrity (the technology behind it is called “hypervisor-enforced code integrity” or HVCI).


This is one of the features VBS enables, which means that Windows places sensitive code in a virtual machine that the rest of the system cannot access, even with admin permissions. This increases security and provides better protection against some malware, but can also lead to lower performance — up to 25 percent less on some machines. Because of this, gamers or people who use their computer for intensive work often choose to disable the feature despite its security benefits.

If you have updated from Windows 10, Memory Integrity is not enabled by default. On new computers that come with the system, it is. If you are experiencing performance issues with your computer, check if the feature is active and try turning it off. If you don’t have a problem with it, it is of course best to keep it active so that your computer is as protected as possible.
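If you would rather check Secure Boot, TPM and VBS/Memory Integrity status from a console than click through Windows Security, the following added PowerShell example (not from the article) reports all of them. It assumes an elevated prompt; Confirm-SecureBootUEFI, Get-Tpm and the Win32_DeviceGuard WMI class are standard Windows components, and the HypervisorEnforcedCodeIntegrity registry key is the one behind the Memory Integrity toggle.

```powershell
# Added example: report the hardware security features the article describes.
# Run from an elevated PowerShell; Secure Boot and TPM queries need admin rights.

function Get-Win11SecurityPosture {
    $result = [ordered]@{}

    # Secure Boot: the cmdlet throws on legacy BIOS systems or without elevation.
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = 'unknown (legacy BIOS or not elevated)' }

    # TPM: present in hardware/firmware, and ready (initialised for Windows).
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    } catch {
        $result.TpmPresent = 'unknown'
        $result.TpmReady   = 'unknown'
    }

    # VBS and HVCI (Memory Integrity) as reported by the Device Guard WMI class.
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning contains 2 when HVCI is actually running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $result.VbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'not enabled' }
        1       { 'enabled, not running' }
        2       { 'running' }
        default { 'unknown' }
    }
    $result.MemoryIntegrityRunning = [bool]($dg.SecurityServicesRunning -contains 2)

    # The Core isolation > Memory integrity toggle is persisted here as a DWORD:
    # 1 = on, 0 = off, missing = the default for this installation (see article).
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $result.MemoryIntegritySetting =
        (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    [pscustomobject]$result
}

Get-Win11SecurityPosture | Format-List
```

A machine upgraded from Windows 10 will typically show VbsStatus "running" but MemoryIntegrityRunning False, matching the article’s note that Memory Integrity is off by default on upgrades; changing the toggle takes effect only after a reboot.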

One of the things Microsoft was most criticised for after the launch of Windows 10 is how the system sends analytics data to the company and how difficult it is to turn off this sharing, as well as how the Start menu was full of ads.

In Windows 11, Microsoft has listened to the criticism and the settings for privacy protection and user data sharing have been significantly improved. The settings for both Windows itself and the authorization of third-party applications to access features such as the camera and your image library are located in Settings -> Privacy & Security. Here’s how to use them and turn off any sharing you don’t want.


The settings panel has three major sections: Security, Windows Permissions, and App permissions. Security is mostly shortcuts to the separate program Windows Security, so it’s the other two that you will use the most.

General has the important setting for Advertising ID, the unique code that, if you allow it, can be used to track you, so that advertising buyers can, for example, trace a purchase of a product to an advertising banner you clicked on. If you don’t like adverts in your system, turn this off.

Inking and typing personalization: If you use a pen and sometimes write directly on the screen, this setting lets you decide whether Windows should create a customized dictionary for you.

Speech controls whether you want to use Microsoft’s more advanced online speech recognition, which of course sends what you say to Microsoft’s servers. If you switch it off, you’ll have to make do with the less advanced speech recognition directly on your computer.


Diagnostics & Feedback: Here are settings for how your use of the computer can be used for analytical purposes. The data is anonymized and is intended to help Microsoft improve Windows and other products. The system always sends “required data” but you can choose to send additional data, which is a requirement if you want to connect your computer to the Windows Insider program. An important feature here is Delete Diagnostic Data. If you have had diagnostic data sharing switched on and have now turned it off, it may be a good idea to delete all data already collected.

Activity history is a feature of your Microsoft account that allows you to continue what you have done on one device while sitting at another that is logged in to the same account. Switch it off if you only have one computer, as it is completely unnecessary if so.

Search permissions: There are two important settings here: Whether you want filtering for adult content in the Windows search function, and whether you want to save your search history so you can find things you’ve previously searched for more quickly.

Search in Windows has other settings for the search function that we don’t really think belong in the privacy settings, such as which folders should not be searched. If you’re wondering why it’s not under System in Settings, we don’t have an answer, but this is where you can set Windows Search to look for files outside your home folder.


There are a number of sub-sections for everything on your computer that relates to privacy matters. The most important ones are conveniently located at the top of the app permissions section: Location, which deals with whether Windows and applications can find out where you are, Camera and Microphone which are pretty obvious, and features like voice activation, messages (notifications) and account information.

Under Camera and Microphone, you can easily turn off or on access to individual applications. We recommend being sparing in granting access and switching off both for the applications you no longer use. The fewer programs that have access, the better.

Location data is not nearly as useful on a computer as it is on a mobile phone. For many users, the only benefit of having Windows read your location is that online stores can more easily display your nearest physical store, and web searches for shops, restaurants, and the like can instantly display results from your neighborhood. If that’s not something that appeals to you, we recommend switching off location tracking altogether.

In addition to the settings in Privacy and Security, there are a bunch of other things related to what Microsoft knows about you that you may also want to change.


Microsoft wants to know how you use Windows. The feature is called Device Usage and Microsoft uses it to customize the system — and give you advertising. You can turn it off, however.

Open Settings, Personalization and go to Device usage. Put everything in Off if you don’t want to supply this info to Microsoft.

If you want to have full control of your Microsoft account, you can visit your Privacy Panel via your browser.

Go to account.microsoft.com/privacy and sign in with your Microsoft account. At the top you can select Get started to launch a wizard that controls your settings. You can also select Manage your activity data to make the changes manually.

You can also make similar settings in other Microsoft products, such as Xbox or Microsoft Teams.

Open your Microsoft account’s privacy panel (as above) and select Privacy settings in our products.

Nowadays, Windows has a powerful cloud clipboard manager that saves the clipboards of all your devices and allows you to synchronize them in a common clipboard list. It’s incredibly handy, but if this feels like a privacy issue, you can turn it off.


Open Settings, System and select Clipboard. Switch off the Clipboard history or choose not to synchronize clips between devices. You can also select Clear to delete the history in the cloud.

To be more anonymous while browsing, you can use a virtual private network (VPN) service. It makes it harder to track you and allows you to ‘switch countries’ on your connection, which can open up locked streaming services.

A VPN is a paid service that you subscribe to, however. Once you subscribe, you can install a special Windows program (or mobile app) to switch the service on or off and choose which country you want to surf in. Our guide to the best VPNs can point you in the right direction.

Windows can show which documents and other items you’ve recently opened. This list can be hidden, which is useful if other people use your computer.

Open Settings and select Personalization, Start. Here you can switch off the feature Show recently opened items… As you can see, there are other items on this page you can switch off as well.

A new feature in Windows deals with synchronizing software settings and other data between different computers where you are signed into the same Microsoft account. If you have a desktop and a laptop, for example, this can be very handy, but if you only have one computer, sending data to the cloud may seem unnecessary.

Open Settings and select Apps, Advanced app settings. Tap on Share across devices and switch off the feature or choose how to use it.
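To review several of the privacy toggles covered in the sections above (Advertising ID, diagnostic data policy, camera and microphone app access, clipboard history and sync, recent items in Start) in one place, here is an added PowerShell audit script; it is not from the article. The registry locations and value meanings are my assumptions based on where Windows stores these settings, so confirm any surprising result against the corresponding Settings page.

```powershell
# Added example: read back the privacy settings the article walks through.
# Runs as the current user; no elevation needed for the HKCU values.

function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Apps granted a capability (webcam, microphone, location). Per-app subkeys
# under ConsentStore carry Value = Allow | Deny; the capability key itself
# holds the global switch. Assumed layout, see lead-in.
function Get-AppsAllowed([string]$Capability) {
    $store = "HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\$Capability"
    if (-not (Test-Path $store)) { return @() }
    Get-ChildItem -Path $store -Recurse |
        Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Value -eq 'Allow' } |
        ForEach-Object { $_.PSChildName }
}

function Get-PrivacyAudit {
    $consent = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'
    [pscustomobject]@{
        # General > Advertising ID: 1 = apps may use it, 0 = off
        AdvertisingId      = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo' 'Enabled'
        # Diagnostics cap set by policy, if any ($null = none): 1 = required, 3 = optional
        TelemetryPolicy    = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry'
        # App permissions > Camera / Microphone: global switch plus allowed apps
        CameraGlobal       = Get-RegValue "$consent\webcam" 'Value'
        CameraApps         = @(Get-AppsAllowed 'webcam')
        MicrophoneGlobal   = Get-RegValue "$consent\microphone" 'Value'
        MicrophoneApps     = @(Get-AppsAllowed 'microphone')
        # System > Clipboard: history (1 = on) and cross-device sync (1 = on)
        ClipboardHistory   = Get-RegValue 'HKCU:\Software\Microsoft\Clipboard' 'EnableClipboardHistory'
        ClipboardCloudSync = Get-RegValue 'HKCU:\Software\Microsoft\Clipboard' 'CloudClipboardAutomaticUpload'
        # Personalization > Start > Show recently opened items: 1 = shown
        StartRecentItems   = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'Start_TrackDocs'
    }
}

Get-PrivacyAudit | Format-List
```

A missing value ($null) means the toggle has never been changed and Windows is using its default, so treat it as "check in Settings" rather than "off".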

This article was translated from Swedish to English, and originally appeared on pcforalla.se.
