Windows is the most targeted operating system on the planet — and the default settings prioritize ease-of-use over security. The good news: with about an hour of work, you can dramatically reduce your exposure. This guide covers the most impactful Windows security settings any user or administrator can configure.
1. Windows Update: Enable and Stay Current
# Via Settings:
Settings > Windows Update > Advanced options
- "Receive updates for other Microsoft products" → ON
- "Download updates over metered connections" → ON
- Configure Active Hours to prevent disruptive restarts
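# Via PowerShell (run as Administrator):
# Install the PSWindowsUpdate module first (a community module from the PowerShell Gallery that provides the cmdlets below):
Install-Module PSWindowsUpdate -Force
# Check update status:
Get-WindowsUpdate
# Install all pending updates (reboots automatically if an update requires it):
Install-WindowsUpdate -AcceptAll -AutoReboot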
2. Microsoft Defender: Full Configuration
# PowerShell (Administrator) — Enable all protections:
# Enable real-time protection:
Set-MpPreference -DisableRealtimeMonitoring $false
# Enable cloud-delivered protection (faster detection):
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
# Enable exploit protection:
Set-ProcessMitigation -System -Enable DEP,SEHOP
# Enable controlled folder access (ransomware protection):
Set-MpPreference -EnableControlledFolderAccess Enabled
# Run a full scan:
Start-MpScan -ScanType FullScan
# Check Defender status:
Get-MpComputerStatus | Select-Object AMRunningMode,RealTimeProtectionEnabled
3. User Account Control (UAC)
# UAC prompts when programs try to make system changes
# Default is fine for most users, but verify it's enabled:
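# Check UAC state and level via registry:
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" | Select-Object EnableLUA,ConsentPromptBehaviorAdmin
# EnableLUA: 1 = UAC on, 0 = UAC off
# ConsentPromptBehaviorAdmin values: 0=no prompt, 1=prompt for credentials (secure desktop), 2=prompt for consent (secure desktop), 5=default (prompt for consent for non-Windows binaries)
# Should be 5 (default) or a stricter level such as 2 ("Always notify"); never 0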
# Via Control Panel:
# Control Panel > User Accounts > Change User Account Control settings
# Set to: "Notify me only when apps try to make changes"
4. Disable Unnecessary Services and Features
# PowerShell — disable services that increase attack surface:
# Remote Registry (allows remote registry access):
Stop-Service RemoteRegistry
Set-Service RemoteRegistry -StartupType Disabled
# Remote Desktop (if you don't use it):
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
# Print Spooler on non-print machines (PrintNightmare vector):
Stop-Service Spooler
Set-Service Spooler -StartupType Disabled
# NetBIOS over TCP/IP (older protocol, rarely needed):
# Network adapter > Properties > IPv4 > Advanced > WINS tab
# Select "Disable NetBIOS over TCP/IP"
5. Enable BitLocker Disk Encryption
# BitLocker encrypts your drive — protects data if laptop is stolen
# Requirements: Windows 10/11 Pro/Enterprise + TPM chip
# Enable via PowerShell:
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
# Save recovery key to Microsoft account AND print a copy:
# Control Panel > BitLocker Drive Encryption > Back up recovery key
# Check status:
Get-BitLockerVolume | Select-Object MountPoint,EncryptionPercentage,VolumeStatus
# Windows Home doesn't have BitLocker but has Device Encryption:
# Settings > Privacy & security > Device encryption > Enable
6. Configure Windows Firewall
# Enable all profiles:
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
# View current rules:
Get-NetFirewallRule | Where-Object {$_.Enabled -eq "True"} | Format-Table
# Block inbound connections by default (they already are, verify):
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block
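# Disable specific risky inbound rules:
# File and Printer Sharing (disable if not needed on public networks):
# -Profile on Set-NetFirewallRule reassigns a rule's profiles instead of filtering by them,
# so select the rules that apply to Public first, then disable them.
# A rule shared between Public and another profile is disabled for both.
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" | Where-Object { $_.Profile -match "Public|Any" } | Disable-NetFirewallRule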
7. Secure Your Browser
# Microsoft Edge security settings:
# edge://settings/privacy
# - Set to "Strict" tracking prevention
# - Enable "SmartScreen" for phishing protection
# - Enable "Block potentially unwanted apps"
# Chrome security:
# chrome://settings/security
# - Enable "Enhanced protection"
# - Enable "Always use secure connections"
# Essential browser extensions (all browsers):
# uBlock Origin — blocks malicious ads/scripts (install from official store only!)
# Privacy Badger (EFF) — blocks trackers
8. Audit Local User Accounts
# List all local user accounts:
Get-LocalUser | Format-Table Name,Enabled,LastLogon,PasswordRequired
# Disable the built-in Administrator account (when not needed):
Disable-LocalUser -Name "Administrator"
# Disable built-in Guest account:
Disable-LocalUser -Name "Guest"
# Ensure your daily-use account is NOT an administrator:
# Use a standard user account for daily work
# Only elevate with UAC when installing software
# Check who has admin rights:
Get-LocalGroupMember -Group "Administrators"
9. Enable Audit Logging
# PowerShell — enable detailed audit policies:
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Privilege Use" /success:enable /failure:enable
auditpol /set /category:"Object Access" /failure:enable
# Increase Security event log size (default is too small):
wevtutil sl Security /ms:1073741824 # 1 GB
# View failed login attempts:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | Select-Object TimeCreated,Message -First 20
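Once failure auditing is on, the 4625 events are more useful grouped than read one by one. The following is an added example, not part of the original guide: it summarizes failed logons by source address and account. The 24-hour window and the threshold of 10 are illustrative assumptions.

```powershell
# Added example: summarize recent failed logons (event 4625) by source and account.
# Run as Administrator. $since and $threshold are illustrative values, tune them to your environment.
$since     = (Get-Date).AddHours(-24)
$threshold = 10

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Named EventData fields are stable across display languages, unlike the Message text.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        SourceIp  = $data['IpAddress']
        LogonType = $data['LogonType']   # 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP)
        SubStatus = $data['SubStatus']   # 0xC000006A = wrong password, 0xC0000064 = unknown user
    }
}

# Many failures from one source across several accounts suggests password spraying;
# many failures against a single account suggests brute forcing.
$failures | Group-Object SourceIp | Where-Object Count -ge $threshold | ForEach-Object {
    [pscustomobject]@{
        SourceIp = $_.Name
        Failures = $_.Count
        Accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
        First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
        Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Sort-Object Failures -Descending | Format-Table -AutoSize
```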
Security Checklist
- ☑ Windows Update current, auto-updates enabled
- ☑ Windows Defender fully enabled with cloud protection
- ☑ UAC enabled (default level or higher)
- ☑ Unnecessary services disabled (Remote Registry, Print Spooler if unused)
- ☑ BitLocker/Device Encryption enabled
- ☑ Windows Firewall enabled on all profiles
- ☑ Browser hardened with uBlock Origin
- ☑ Only necessary admin accounts exist
- ☑ Daily work done from standard (non-admin) account
- ☑ Security audit logging enabled
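The checklist can be verified without changing anything. The following read-only audit is an added example, not part of the original guide; the helper name Add-Check is hypothetical, and the script assumes C: is the OS volume, an English-language system for the auditpol match, and an elevated session.

```powershell
# Added example: read-only audit of this guide's checklist. Run as Administrator.
# Expected values mirror the settings recommended above; nothing is changed.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Item, [scriptblock]$Test) {
    $ErrorActionPreference = 'Stop'   # cmdlet errors become ERROR rows instead of a silent FAIL
    try   { $state = if (& $Test) { 'PASS' } else { 'FAIL' } }
    catch { $state = 'ERROR: ' + $_.Exception.Message }
    $results.Add([pscustomobject]@{ Item = $Item; Result = $state })
}
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$rdpKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'

Add-Check 'Defender real-time protection' { (Get-MpComputerStatus).RealTimeProtectionEnabled }
Add-Check 'Defender cloud protection (MAPS Advanced = 2)' { (Get-MpPreference).MAPSReporting -eq 2 }
Add-Check 'Controlled folder access (Enabled = 1)' { (Get-MpPreference).EnableControlledFolderAccess -eq 1 }
Add-Check 'UAC on and prompting' {
    $p = Get-ItemProperty -Path $uacKey
    $p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -ne 0
}
Add-Check 'Remote Registry disabled' { (Get-Service RemoteRegistry).StartType -eq 'Disabled' }
Add-Check 'Print Spooler disabled (skip on print hosts)' { (Get-Service Spooler).StartType -eq 'Disabled' }
Add-Check 'Remote Desktop denied' { (Get-ItemProperty -Path $rdpKey).fDenyTSConnections -eq 1 }
Add-Check 'BitLocker protection on for C:' { (Get-BitLockerVolume -MountPoint 'C:').ProtectionStatus -eq 'On' }
Add-Check 'BitLocker recovery password exists' {
    (Get-BitLockerVolume -MountPoint 'C:').KeyProtector.KeyProtectorType -contains 'RecoveryPassword'
}
Add-Check 'Firewall enabled on all profiles' {
    @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
}
# Match built-in accounts by well-known RID (500 = Administrator, 501 = Guest),
# so renamed or localized account names are still found.
Add-Check 'Built-in Administrator disabled' { -not (Get-LocalUser | Where-Object { $_.SID -like '*-500' }).Enabled }
Add-Check 'Built-in Guest disabled' { -not (Get-LocalUser | Where-Object { $_.SID -like '*-501' }).Enabled }
# auditpol output is localized; this match assumes an English system.
Add-Check 'Logon auditing: success and failure' {
    [bool]((auditpol /get /subcategory:"Logon") -match 'Success and Failure')
}
Add-Check 'Security log at least 1 GB' { (Get-WinEvent -ListLog Security).MaximumSizeInBytes -ge 1GB }

$results | Format-Table -AutoSize
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, ObjectClass, PrincipalSource
```

The final line lists the Administrators group for manual review, since whether each member is necessary is a judgment the script cannot make.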
Wrap Up
These changes harden Windows significantly without affecting normal day-to-day use. The most impactful single change: use a standard user account for daily work and only elevate for installations. Combined with the full checklist, you’ll be running a genuinely secure Windows environment.