5 Windows 11 security settings I change on every new installation

Windows 11 arrives with respectable baseline defenses, yet several critical toggles remain off or set to defaults that prioritize convenience over hardened security. After installing the operating system on dozens of machines—from budget laptops to workstation towers—I've identified five configuration changes that consistently close gaps Microsoft leaves open. These tweaks require no third-party software and take less than ten minutes to implement.

Turn Off Unnecessary Telemetry Collection

Microsoft embeds diagnostic reporting throughout Windows 11, transmitting usage patterns, application crashes, and device metadata to Redmond servers. While the company frames this as quality improvement, the sheer volume of outbound traffic creates a potential attack surface and privacy exposure. Navigate to Settings > Privacy & Security > Diagnostics & feedback, then switch the diagnostic data slider to the minimum setting your edition permits. Windows 11 Home allows "Required" as the lowest tier; Pro and Enterprise users can select "Required diagnostic data" or disable optional telemetry entirely.

Next, type "advertising" into the Settings search bar and disable the advertising identifier that tracks behavior across apps. This identifier doesn't enhance security directly, but limiting data flows reduces the number of processes that could be hijacked by malware or exploit chains. For users willing to invest additional effort, scripts like Win11Debloat strip promotional components and telemetry hooks that standard Settings menus cannot touch, though such tools require administrator privileges and careful review of each change they apply.
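The two Settings changes above written as machine-wide policy values, as an added example that is not part of the original article; it assumes an elevated PowerShell session and uses the policy registry locations Windows documents for diagnostic data and the advertising ID.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): pin the diagnostic-data level and turn
# off the advertising ID by policy, then read both values back to confirm.
$dataCollection = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$advertising    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'

# AllowTelemetry scale: 0 = Security (Enterprise/Education/Server only),
# 1 = Required (Basic), 2 = Enhanced (legacy), 3 = Optional (Full).
# Home and Pro bottom out at 1, which is the "Required" tier described above.
$edition = (Get-CimInstance Win32_OperatingSystem).Caption
$level   = if ($edition -match 'Enterprise|Education') { 0 } else { 1 }

foreach ($path in $dataCollection, $advertising) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
}

# A policy value overrides the Settings slider, so it cannot be raised again from the UI.
Set-ItemProperty -Path $dataCollection -Name 'AllowTelemetry' -Value $level -Type DWord

# Disable the advertising ID for every account on the machine, not just the current user.
Set-ItemProperty -Path $advertising -Name 'DisabledByGroupPolicy' -Value 1 -Type DWord

# Verify: policy values plus the current user's own advertising-ID switch (0 = off).
$userAdId = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo'
[pscustomobject]@{
    Edition            = $edition
    AllowTelemetry     = (Get-ItemProperty $dataCollection).AllowTelemetry
    AdIdPolicyDisabled = (Get-ItemProperty $advertising).DisabledByGroupPolicy
    AdIdUserSetting    = (Get-ItemProperty $userAdId -ErrorAction SilentlyContinue).Enabled
}
```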

Enable Core Isolation and Memory Integrity

One of the most effective protections against rootkits and firmware-level exploits sits dormant on many systems: Core Isolation. This feature runs the Windows kernel inside a virtualized container, insulating it from code execution attacks that target low-level system processes. Open Windows Security > Device Security > Core isolation details, then toggle Memory Integrity to "On." Some machines will require a reboot; others may display a warning about incompatible drivers.

Core isolation leverages virtualization-based security to create a secure environment for sensitive processes, significantly raising the bar for attackers attempting to compromise the kernel layer.

Driver conflicts are the most common reason this feature remains disabled. If the toggle grays out or the system becomes unstable after activation, check Device Manager for outdated drivers—especially graphics, network adapters, and biometric sensors. Manufacturers have largely updated their driver packages for compatibility, so a quick visit to the vendor's support page usually resolves the issue. The security gain justifies the troubleshooting: memory integrity blocks unsigned or malicious code from executing in high-privilege spaces, thwarting a wide class of sophisticated attacks.
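Toggling Memory Integrity in Windows Security does not by itself prove it is running; the check below, an added example not taken from the article, reads the Win32_DeviceGuard class Windows exposes, reports what the hardware offers and what is actually running, and requests HVCI through the same registry value the toggle writes if it is off. It assumes an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): verify VBS/HVCI state and enable HVCI if needed.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Code tables from Microsoft's Win32_DeviceGuard documentation.
$vbsStatus  = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$services   = @{ 1 = 'Credential Guard'; 2 = 'Memory Integrity (HVCI)';
                 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$properties = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                 4 = 'Secure memory overwrite'; 5 = 'NX protections';
                 6 = 'SMM mitigations'; 7 = 'Mode-based execution control';
                 8 = 'APIC virtualization' }

function Describe($map, $codes) {
    # Translate numeric codes to names; unknown codes are shown as-is rather than dropped.
    @($codes | ForEach-Object { if ($map.ContainsKey([int]$_)) { $map[[int]$_] } else { "code $_" } }) -join ', '
}

"VBS status      : $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"
"Hardware offers : $(Describe $properties $dg.AvailableSecurityProperties)"
"Configured      : $(Describe $services $dg.SecurityServicesConfigured)"
"Running         : $(Describe $services $dg.SecurityServicesRunning)"

# Service code 2 under Running is the only proof that Memory Integrity is enforcing.
if ($dg.SecurityServicesRunning -notcontains 2) {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Enabled' -Value 1 -Type DWord
    'HVCI requested. Reboot, then rerun this script; if it still is not Running, an incompatible driver is the usual cause.'
}
```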

Require BitLocker or Device Encryption

Full-disk encryption transforms a stolen laptop from a data goldmine into an expensive paperweight. Windows 11 Home includes Device Encryption on compatible hardware; Pro, Enterprise, and Education editions offer the more granular BitLocker. Navigate to Settings > Privacy & Security > Device encryption (Home) or search for "BitLocker" in the Start menu (Pro and above). If your system supports it, enable encryption and store the recovery key in a safe location—preferably printed and locked in a drawer, not saved to the same machine.

Encryption does introduce a small performance overhead during disk read/write operations, but modern NVMe SSDs and CPUs with AES-NI acceleration render the impact negligible in daily use. The protection against physical theft or loss far outweighs any speed tradeoff. For organizations managing fleets of devices, BitLocker policies can be enforced via Group Policy or Intune, ensuring every endpoint encrypts data without requiring individual action.
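The BitLocker steps above scripted end to end, as an added example that is not part of the original article: it checks the TPM, skips volumes that are already protected, encrypts the OS drive with a TPM protector and produces the recovery password to print. It assumes Windows 11 Pro or above (the BitLocker cmdlets are not in Home), an elevated session and that C: is the OS volume.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): enable BitLocker on the OS volume.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; enable it in firmware before encrypting.'
}

$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.ProtectionStatus -eq 'On') {
    "Already protected: $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"
    return
}

# XTS-AES-256, used space only (fast on a fresh install). The TPM releases the
# volume key only when the measured boot chain is unchanged, which is what
# defeats offline access to a stolen disk.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                 -TpmProtector -SkipHardwareTest

# The recovery password is the copy you print and lock away, as the section advises.
$rp = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$recovery = ($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
"Recovery password (print it, then clear this console): $recovery"

# Domain-joined machines can escrow the same protector in Active Directory:
#   Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId <RecoveryPassword protector id>

Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
```

Encryption continues in the background after the script returns; rerun Get-BitLockerVolume to watch EncryptionPercentage reach 100.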

Disable Remote Desktop Protocol Unless Essential

Remote Desktop Protocol (RDP) is a powerful tool for accessing a machine from across a network, but it also represents a prime target for brute-force attacks and exploit attempts. Unless you actively use RDP for remote administration, disable it entirely. Open Settings > System > Remote Desktop and toggle the slider to "Off."

If you do require remote access, take three additional steps to harden the configuration:

  • Change the default RDP port from 3389 to a non-standard value via the Windows Registry, reducing automated scan effectiveness.
  • Enable Network Level Authentication (NLA), which demands credential validation before establishing a full session.
  • Restrict access to specific IP addresses using Windows Defender Firewall rules, blocking connection attempts from public internet ranges.

Even with these precautions, consider using a VPN or third-party remote access solution with multi-factor authentication for mission-critical systems. RDP vulnerabilities have historically been exploited in ransomware campaigns, making it a risk worth mitigating.
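An added example, not from the original article, covering both paths above: disable Remote Desktop outright, or keep it and apply the three hardening steps (NLA, non-default port, firewall scoped to a management subnet), then summarise failed logons from the Security log so brute-force attempts are visible. It assumes an elevated session; $keepRdp, the port 33890 and the subnet 192.168.10.0/24 are placeholder values.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): RDP off, or RDP hardened, plus a failed-logon summary.
$keepRdp    = $false
$newPort    = 33890               # assumed non-default port
$mgmtSubnet = '192.168.10.0/24'   # assumed management subnet

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

if (-not $keepRdp) {
    Set-ItemProperty -Path $ts -Name 'fDenyTSConnections' -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    'Remote Desktop disabled and its firewall rules turned off.'
} else {
    Set-ItemProperty -Path $ts  -Name 'fDenyTSConnections' -Value 0 -Type DWord
    Set-ItemProperty -Path $tcp -Name 'UserAuthentication' -Value 1 -Type DWord   # require NLA
    Set-ItemProperty -Path $tcp -Name 'PortNumber' -Value $newPort -Type DWord    # applies after TermService restarts
    # The built-in rules are fixed to 3389: scope them to the subnet and add a matching rule for the new port.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $mgmtSubnet -Enabled True
    New-NetFirewallRule -DisplayName "RDP $newPort (management subnet only)" -Direction Inbound `
        -Protocol TCP -LocalPort $newPort -RemoteAddress $mgmtSubnet -Action Allow | Out-Null
    "RDP kept: NLA on, port $newPort, inbound limited to $mgmtSubnet."
}

# Detection: failed logons (event 4625) over the last week, network (3) and
# RemoteInteractive (10) logon types only, grouped by source address.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}; foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Source = $d.IpAddress; User = $d.TargetUserName; LogonType = $d.LogonType }
    } |
    Where-Object { $_.LogonType -in '3', '10' } |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object Name, Count -First 10
```

A handful of failures from one source is normal; dozens against several user names from a single address is the pattern the firewall scoping above is meant to stop.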

Review and Restrict App Permissions

Windows 11 grants applications broad permissions by default, including access to location, camera, microphone, and file system. While legitimate software may need these capabilities, many apps request far more access than their function requires. Navigate to Settings > Privacy & Security, then methodically audit each category: Location, Camera, Microphone, Notifications, Account info, Contacts, Calendar, Phone calls, Call history, Email, Tasks, Messaging, Radios, and Other devices.

For each category, review the list of apps with permission and disable access for any that don't have a clear operational need. A weather app requesting microphone access or a PDF reader asking for location data should raise immediate red flags. Restricting permissions limits the damage if an application is compromised—a vulnerability in a sandboxed app with no microphone access can't eavesdrop, even if exploited.

Permission Type | Common Legitimate Uses               | Red Flag Requests
Camera          | Video conferencing, photography apps | Games, text editors, file managers
Microphone      | Voice calls, dictation software      | Image editors, calculators, browsers
Location        | Maps, weather, delivery tracking     | Office suites, media players, PDF readers

Windows also allows background apps to run continuously, consuming resources and maintaining network connections. Review Settings > Apps > Installed apps, click the three-dot menu next to each application, select "Advanced options," and set "Let this app run in background" to "Never" for non-essential software. This reduces both attack surface and system resource drain.
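The per-app audit described in this section done in one pass, as an added example that is not part of the original article: it enumerates the consent records Windows keeps under CapabilityAccessManager\ConsentStore for camera, microphone and location, lists what is currently allowed, and denies the entries you decide have no operational need. The key layout is Windows' own; the $denyList app names are assumed sample values.

```powershell
# Added example (not from the article): audit and restrict camera/microphone/location consent.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'
$capabilities = 'webcam', 'microphone', 'location'   # key names Windows uses for the three categories

function Get-AppConsent {
    foreach ($cap in $capabilities) {
        $capKey = Join-Path $base $cap
        if (-not (Test-Path $capKey)) { continue }
        # Packaged (Store) apps are direct subkeys; classic desktop apps live under
        # NonPackaged, with '#' standing in for the backslashes of the exe path.
        $apps = @(Get-ChildItem $capKey | Where-Object PSChildName -ne 'NonPackaged') +
                @(Get-ChildItem (Join-Path $capKey 'NonPackaged') -ErrorAction SilentlyContinue)
        foreach ($app in $apps) {
            [pscustomobject]@{
                Capability = $cap
                App        = $app.PSChildName -replace '#', '\'
                Value      = (Get-ItemProperty $app.PSPath).Value   # Allow, Deny or Prompt
                KeyPath    = $app.PSPath
            }
        }
    }
}

# Step 1: everything currently allowed, grouped by capability, for review.
Get-AppConsent | Where-Object Value -eq 'Allow' | Sort-Object Capability, App | Format-Table Capability, App

# Step 2: deny the apps that have no reason to hold the permission (assumed examples:
# a weather app with microphone access, a PDF reader with location access).
$denyList = @{
    microphone = 'C:\Program Files\ExampleWeather\weather.exe'
    location   = 'Contoso.PdfReader_8wekyb3d8bbwe'
}
foreach ($entry in Get-AppConsent) {
    $wanted = $denyList[$entry.Capability]
    if ($wanted -and $entry.App -like "*$wanted*" -and $entry.Value -ne 'Deny') {
        Set-ItemProperty -Path $entry.KeyPath -Name 'Value' -Value 'Deny'
        "Denied $($entry.Capability) for $($entry.App)"
    }
}
```

The change is per user (HKCU), so repeat it for each account on a shared machine; the Settings page reflects the new state immediately.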

Additional Considerations for Enterprise Environments

Organizations deploying Windows 11 across multiple endpoints should enforce these settings via Group Policy Objects (GPO) or Mobile Device Management (MDM) platforms like Microsoft Intune. Centralized policy deployment ensures consistency and prevents users from inadvertently weakening security postures. Regular audits using compliance scanning tools can identify machines that drift from baseline configurations, allowing IT teams to remediate before vulnerabilities are exploited.

This information does not replace advice from a qualified cybersecurity professional. Organizations with specific compliance requirements should consult with security specialists to tailor configurations to their threat models and regulatory obligations.

Frequently Asked Questions

Will enabling Memory Integrity slow down my computer?

Most modern CPUs with hardware virtualization support (Intel VT-x or AMD-V) experience negligible performance impact—typically less than two percent in everyday tasks. Older systems or those with incompatible drivers may see more noticeable slowdowns or stability issues, which usually resolve after updating drivers.

Can I use third-party encryption instead of BitLocker?

Yes, solutions like VeraCrypt offer cross-platform compatibility and open-source transparency. However, BitLocker integrates seamlessly with Windows recovery tools and enterprise management platforms, making it the simpler choice for most users. Third-party tools require separate management and may complicate system recovery.

How do I know if my device supports Core Isolation?

Navigate to Windows Security > Device Security. If you see Core Isolation listed, your hardware meets the requirements. Devices need a CPU with virtualization extensions enabled in BIOS, TPM 2.0, and UEFI firmware. Systems manufactured after 2018 generally support these features.

What happens if I disable telemetry completely?

Windows 11 Home and Pro require a baseline level of diagnostic data; you cannot turn telemetry off entirely without using third-party scripts or Enterprise editions with specific policies. Disabling optional telemetry reduces data transmission but does not eliminate it. Enterprise IT administrators can block telemetry at the network level using firewall rules.

Should I disable Remote Desktop on a home network?

If you never use it, disable RDP to eliminate an unnecessary attack vector. Home networks are less exposed than public-facing systems, but malware that infiltrates via phishing or drive-by downloads can exploit RDP internally to move laterally between devices. Disabling unused services follows the principle of least privilege.

Abigail Thompson

Written by Tech & Business Editor

Abigail Thompson earned her undergraduate degree in economics from a university in the Southwest and covered financial regulation for a Texas-based trade journal. She joined News Block in 2016, specializing in the regulatory landscape of emerging tech sectors. Her analysis often centers on antitrust developments and venture capital patterns.