# Basic Windows 11 Hardening

By Drew Breunig

Securing a personal PC running Windows 11, compiled from multiple best practice guides. These steps are not exhaustive and aim to strike a balance suitable for most users.

- [ ] <strong><mark>Run a malware scan.</mark> </strong>Navigate to <strong>Settings &gt; Privacy &amp; Security &gt; Windows Security &gt; Virus &amp; Threat Protection</strong>. Click on <strong>Scan Options</strong> to run one of the scans. Usually, just run <strong>Quick Scan</strong>.
- [ ] <strong><mark>Turn on Real-Time Protection.</mark></strong> In the <strong>Virus &amp; Threat Protection</strong> settings menu ensure <strong>Real-Time Protection</strong> is on.
- [ ] <strong><mark>Enable Ransomware Protection.</mark></strong> In the <strong>Virus &amp; Protection Settings &gt; Ransomware Protection </strong>menu, toggle on to allow controlled folder access.
- [ ] <strong><mark>Turn on auto-locking.</mark></strong> Under <strong>Settings &gt; Accounts &gt; Sign-In Options</strong>, set your computer to dynamically lock automatically.
- [ ] <strong><mark>Ensure only authorized devices can locate your device.</mark></strong> Go to <strong>Settings &gt; Privacy &amp; Security &gt; Find My Device</strong> and select the option to see all devices. Ensure only the devices you want are linked to your account.
- [ ] <strong><mark>Determine what activity history you want saved</mark></strong>. Go to <strong>Settings &gt; Privacy &amp; Security &gt; Activity History</strong>. Windows stores activity history, such as visited websites and the applications you use. Tune this setting to your preference.
- [ ] <strong><mark>Turn off advertising IDs.</mark></strong> In <strong>Settings &gt; Privacy &amp; Security &gt; General</strong> toggle this switch to prevent your machine from being addressable to advertisers.
- [ ] <strong><mark>Update your machine.</mark></strong> In <strong>Settings &gt; Windows Update </strong>check for any pending updates to download and install.
- [ ] <strong><mark>Encrypt your device.</mark></strong> If you have Pro or Enterprise versions of Windows 11, you can enable BitLocker to encrypt your device. Activate this in <strong>Settings &gt; Privacy &amp; Security &gt; Device Encryption &gt; BitLocker Drive Encryption</strong>.
- [ ] <strong><mark>Remove applications you don’t use or need.</mark></strong> Proceed to <strong>Settings &gt; Apps &gt; Apps &amp; Features </strong>and select the apps you want to remove, then select <strong>Uninstall</strong>.
- [ ] <strong><mark>Turn User Account Controls to maximum.</mark></strong> Open the Start menu and search for “UAC.” Open <strong>User Account Control Settings </strong>and drag the slider to the top.
- [ ] <strong><mark>Set up remote backup.</mark></strong> Set up a remote backup service like Backblaze, Acronis, or IDrive.