Your Microsoft Windows device often holds your most sensitive data. This makes it an attractive target for cybercriminals.
If you fall victim to a cyber attack, someone could get access to your:
- financial details
- photos, videos and documents
- email and social media accounts
- web history and usage data.
Follow these easy steps to secure your device and protect it from cyber attacks. For other devices, find out how to secure your mobile phone or your Apple macOS device.
Visit Microsoft’s website to learn more about Windows.
Essential tips
Follow these tips for securing your Windows device. For more tips covering all device types, learn how to secure your devices.
To prevent unwanted access to your device, it is important to secure your user account. A user account is what you use to log in to access your device. Make sure to create separate user accounts for each person in your household. Find out how to secure your user account.
To log in securely to your device, consider using the following login methods.
Biometrics
This identifies someone by physical characteristics, such as their face or fingerprint.
With Windows Hello, you can set up facial recognition or fingerprint login for your device. Biometrics are unique to you and are difficult to copy. Combine this with a strong password.
A strong password
Use a strong and unique password, such as a passphrase.
A passphrase has 4 or more random words like ‘crystal onion clay pretzel’. They are easy for you to remember but hard for someone to guess. The longer, more random and unique the passphrase is, the more secure it is. Learn more about passphrases.
You can use a reputable password manager to help you create and store your passphrases. This acts as a virtual safe for all your account login details. Learn more about password managers.
Visit Microsoft’s website for more information on Windows sign-in options.
A standard user account only has partial control of a computer. An administrator (admin) account has complete control. Cybercriminals can do a lot more damage if they get access to your admin account.
Set up a standard user account for everyday tasks such as web browsing, emailing or online shopping. Only use an admin account to perform admin tasks such as installing software.
Find out how to secure your user account. Visit Microsoft’s website for help on how to create a local user or administrator account in Windows.
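The following is an added example (not code from this page or from Microsoft) of how to check which local accounts hold admin rights and create a separate standard account for everyday use, using the local-accounts cmdlets built into Windows 10 and 11. It assumes an elevated PowerShell session; the account name 'daily-user' is a placeholder.

```powershell
# Added example (not code from the cyber.gov.au page or from Microsoft): audit which
# local accounts hold admin rights, then create a separate standard account for
# everyday use. Run from an elevated (admin) PowerShell session on Windows 10/11.
# The account name 'daily-user' below is a placeholder; choose your own.

function Get-LocalAdminAccounts {
    # Every member of the built-in Administrators group has complete control of the device.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function New-StandardUserAccount {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $FullName = $Name
    )
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Account '$Name' already exists; leaving it unchanged."
        return
    }
    # Prompt for the passphrase so it is never stored in the command history.
    $passphrase = Read-Host -Prompt "Passphrase for $Name" -AsSecureString
    New-LocalUser -Name $Name -FullName $FullName -Password $passphrase | Out-Null

    # Membership of 'Users' (and not 'Administrators') is what makes this a standard account.
    if (-not (Get-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }
    Write-Host "Created standard account '$Name' for browsing, email and shopping."
}

# 1. See who currently has admin rights (ideally one account you rarely log in to).
Get-LocalAdminAccounts | Format-Table -AutoSize

# 2. Create the everyday account.
New-StandardUserAccount -Name 'daily-user' -FullName 'Daily use'

# 3. Confirm the new account is NOT among the administrators (this should print nothing).
Get-LocalAdminAccounts | Where-Object { $_.Name -like '*\daily-user' }
```

The membership check before Add-LocalGroupMember avoids the error that cmdlet raises when the account is already in the group. Once the standard account exists, log in with it day to day and use the admin account only when Windows asks for elevation.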
You need a Microsoft account to access services offered by Microsoft. This could include Microsoft 365, Outlook, Office, Skype, Xbox and the Microsoft Store. Your Microsoft account is separate from the user account you use to log in to your device. Visit Microsoft’s guide on how to help keep your Microsoft account safe and secure.
For secure sign-in options for your Microsoft account, we recommend using the following.
Two-step verification
Two-step verification (2SV) adds an extra layer of security to your accounts. It means you need 2 steps to verify your identity before you can log in. 2SV is a common form of multi-factor authentication (MFA).
You can verify your sign-in using a code from an authenticator app. Visit Microsoft’s website for advice on how to use two-step verification with your Microsoft account.
Security key
Using a security key is an optional security measure. It uses a small hardware device along with your password to log in. A physical security key provides stronger protection against targeted attacks. Visit Microsoft’s advice for how to sign in to your account with a security key.
Passwordless account
You have the option of going passwordless with your Microsoft account. This is an easier and more secure option than logging in with a password.
To go passwordless, you’ll need to use a method like an authenticator app or biometrics. Visit Microsoft’s website for how to go passwordless with your Microsoft account.
A strong password
Use a different password than the one for your user account. Follow our advice about strong passwords under Secure your user account.
Make sure to keep your device up to date. Software updates give your device the most recent security features. Delaying an update could leave your device at risk.
Check that automatic updates are on for your device. In Windows Update settings, you can set your device to automatically download and install updates. Visit Microsoft’s guide on how to get the latest Windows update.
Also, keep your installed apps and programs up to date. The easiest way is to turn on automatic updates. Visit Microsoft’s guide for how to turn on automatic app updates.
If your version of Windows has reached end of support, you will not get regular updates for your device. In this case, upgrade to a newer product. Also, review your installed apps and remove them if they are no longer supported. Check Microsoft’s list of supported versions of Windows.
Find out how to update your device and software.
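As an added example (not from this page or from Microsoft), the script below checks the three things that most often stop a Windows device from updating itself: the Windows Update service being disabled, a policy that turns automatic updates off, and a long gap since the last installed update. The 45-day threshold is the example's own assumption, chosen to be longer than Microsoft's monthly update cadence.

```powershell
# Added example (not from the page): check that Windows Update can run, that no policy
# has switched automatic updates off, and when an update was last installed.
function Test-AutomaticUpdates {
    $result = [ordered]@{}

    # The Windows Update service must be able to start; 'Disabled' means no updates at all.
    $svc = Get-Service -Name wuauserv
    $result['UpdateServiceStartType'] = $svc.StartType
    $result['UpdateServiceStatus']    = $svc.Status

    # A policy value NoAutoUpdate = 1 under this key turns automatic updating off.
    $auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAuto = (Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue).NoAutoUpdate
    $result['AutomaticUpdatesDisabledByPolicy'] = ($noAuto -eq 1)

    # Current OS build, to compare against Microsoft's list of supported versions.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result['OSVersion']  = $os.Version
    $result['LastBootUp'] = $os.LastBootUpTime

    # Most recently installed update; a long gap suggests updates are stalled.
    $latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $result['LatestUpdate']    = $latest.HotFixID
    $result['LatestUpdateOn']  = $latest.InstalledOn
    $result['DaysSinceUpdate'] = if ($latest.InstalledOn) {
        [int]((Get-Date) - $latest.InstalledOn).TotalDays
    } else { $null }

    [pscustomobject]$result
}

$status = Test-AutomaticUpdates
$status | Format-List

if ($status.UpdateServiceStartType -eq 'Disabled' -or $status.AutomaticUpdatesDisabledByPolicy) {
    Write-Warning 'Automatic updates are turned off. Re-enable them under Settings > Windows Update.'
}
# 45 days is an assumed threshold: roughly one missed monthly update cycle.
if ($status.DaysSinceUpdate -gt 45) {
    Write-Warning "No update installed for $($status.DaysSinceUpdate) days; check Windows Update for pending installs."
}
```

Get-HotFix only lists updates that register as hotfixes, so an empty LatestUpdate on a freshly installed system is not by itself a problem; the service and policy checks are the ones that indicate updating has been switched off.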
Microsoft Windows includes a built-in program called Windows Security. This provides protection from malware and scans for security threats. Turn on all protection settings in Windows Security and make sure they have a green tick. Visit Microsoft’s website for how to stay protected with Windows Security.
Microsoft Defender is a security app that offers extra protections for your device. This includes web protection, identity theft monitoring and real-time alerts. This app is included with a personal or family Microsoft 365 plan. Visit Microsoft’s website to learn more about getting started with Microsoft Defender.
You can also download third-party antivirus software to your device. It may offer better features than your built-in antivirus software. Make sure to research available products and choose a reputable provider. Check out our guide on antivirus software.
Make sure to download trusted software only. Follow our advice under Download software from legitimate sources.
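The Windows Security app shows its protection settings as green ticks; the same information is available from the built-in Defender PowerShell cmdlets. The script below is an added example (not from this page or from Microsoft) that reads the antivirus status and a few preference values and flags anything that would not show a green tick. The mapping of settings to checks, and the 7-day signature-age limit, are the example's own choices.

```powershell
# Added example (not from the page): read Microsoft Defender Antivirus status and the
# settings the Windows Security app reports, and flag anything that is not healthy.
# Uses the Defender module that ships with Windows 10/11.
function Test-WindowsSecurityStatus {
    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference

    # Each row: a friendly name, whether the setting is healthy, and the raw value.
    @(
        [pscustomobject]@{ Setting = 'Antivirus engine enabled';       OK = $status.AntivirusEnabled;              Value = $status.AntivirusEnabled }
        [pscustomobject]@{ Setting = 'Real-time protection';           OK = $status.RealTimeProtectionEnabled;     Value = $status.RealTimeProtectionEnabled }
        [pscustomobject]@{ Setting = 'Behaviour monitoring';           OK = $status.BehaviorMonitorEnabled;        Value = $status.BehaviorMonitorEnabled }
        [pscustomobject]@{ Setting = 'On-access (file) scanning';      OK = $status.OnAccessProtectionEnabled;     Value = $status.OnAccessProtectionEnabled }
        [pscustomobject]@{ Setting = 'Tamper protection';              OK = $status.IsTamperProtected;             Value = $status.IsTamperProtected }
        # MAPSReporting: 0 = cloud-delivered protection off, 1 = basic, 2 = advanced
        [pscustomobject]@{ Setting = 'Cloud-delivered protection';     OK = ($prefs.MAPSReporting -ne 0);          Value = $prefs.MAPSReporting }
        # PUAProtection: 0 = off, 1 = block potentially unwanted apps, 2 = audit only
        [pscustomobject]@{ Setting = 'Potentially unwanted app block'; OK = ($prefs.PUAProtection -eq 1);          Value = $prefs.PUAProtection }
        # Assumed limit: definitions older than a week usually mean updates are failing.
        [pscustomobject]@{ Setting = 'Signature age (days, max 7)';    OK = ($status.AntivirusSignatureAge -le 7); Value = $status.AntivirusSignatureAge }
    )
}

Test-WindowsSecurityStatus | Format-Table -AutoSize

# Anything not OK corresponds to a setting that will not show a green tick in Windows Security.
$failing = Test-WindowsSecurityStatus | Where-Object { -not $_.OK }
if ($failing) {
    Write-Warning "Turn on in Windows Security: $($failing.Setting -join ', ')"
}

# Optional follow-ups (both take a few minutes):
#   Update-MpSignature                  # fetch the latest definitions
#   Start-MpScan -ScanType QuickScan    # run the same quick scan the app offers
```

If a third-party antivirus product is installed and registered with Windows, Defender Antivirus goes into passive mode and several of these values will read as off by design; check the third-party product's own console in that case.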
With regular backups, you will always have access to a recent version of your files. Decide what data is important to you and include it in your backups, such as photos, email and documents.
Store a separate copy of your important files on an external storage device. Consider using reputable third-party software to help make regular backups.
You can also back up your data to OneDrive. Not all cloud backup services work the same. Choose one that can restore deleted or older versions of files. This will help you recover your data after a cyber attack such as ransomware.
Consider making system restore points. A restore point lets you return your device to a state before a software issue occurred, such as a failed app update or corrupted data. Visit Microsoft's website for how to use system restore.
Find out how to back up your files and devices.
Lock your device whenever you leave it unattended, even if it is only for a short period. To lock your screen, press the Windows key + L.
Make sure your devices are set to automatically lock after a short time (less than 5 minutes). You should also be careful about who has access to your device.
Dynamic Lock is a feature that can automatically lock your device whenever you move out of range. It does this by pairing your Windows device to your phone over Bluetooth. Visit Microsoft’s website to learn how to lock your Windows PC automatically when you step away from it.
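Windows has two separate settings that lock the screen after inactivity: a machine-wide inactivity limit (a policy value under HKLM that applies to every user) and the per-user screen saver with "On resume, display logon screen". As an added example (not from this page or from Microsoft), the script below reads both, reports whether the device will lock within the page's 5-minute limit, and includes a helper that applies the machine-wide limit. The 300-second value is simply 5 minutes expressed in seconds.

```powershell
# Added example (not from the page): check that the screen locks after a short period of
# inactivity, and apply a machine-wide limit if it does not. Reading works from any prompt;
# Set-IdleLock writes under HKLM and needs an elevated (admin) prompt.
$MaxIdleSeconds = 300   # the page's "less than 5 minutes"

$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$DesktopKey = 'HKCU:\Control Panel\Desktop'

function Get-IdleLockSettings {
    $policy = Get-ItemProperty -Path $PolicyKey  -ErrorAction SilentlyContinue
    $ss     = Get-ItemProperty -Path $DesktopKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        InactivityTimeoutSecs    = $policy.InactivityTimeoutSecs        # $null when no limit is set
        ScreenSaverActive        = ($ss.ScreenSaveActive -eq '1')
        ScreenSaverTimeoutSec    = [int]$ss.ScreenSaveTimeOut            # 0 when not set
        ScreenSaverRequiresLogon = ($ss.ScreenSaverIsSecure -eq '1')    # "On resume, display logon screen"
    }
}

function Test-IdleLock {
    $s = Get-IdleLockSettings
    # Either mechanism is enough, as long as it fires within the limit.
    $machineOk = ($null -ne $s.InactivityTimeoutSecs) -and ($s.InactivityTimeoutSecs -le $MaxIdleSeconds)
    $userOk    = ($s.ScreenSaverActive -and $s.ScreenSaverRequiresLogon -and
                  ($s.ScreenSaverTimeoutSec -gt 0) -and ($s.ScreenSaverTimeoutSec -le $MaxIdleSeconds))
    [pscustomobject]@{ Settings = $s; LocksWithinLimit = [bool]($machineOk -or $userOk) }
}

function Set-IdleLock {
    # Applies the machine-wide inactivity limit (same setting as the
    # "Interactive logon: Machine inactivity limit" security policy).
    param([int] $Seconds = $MaxIdleSeconds)
    New-ItemProperty -Path $PolicyKey -Name 'InactivityTimeoutSecs' -PropertyType DWord `
        -Value $Seconds -Force | Out-Null
}

$r = Test-IdleLock
$r.Settings | Format-List
if (-not $r.LocksWithinLimit) {
    Write-Warning "Device does not lock within $MaxIdleSeconds seconds of inactivity."
    # Set-IdleLock    # uncomment to apply the machine-wide limit from an elevated prompt
}
```

Prefer the machine-wide limit on a shared device: it covers every account, including ones created later, whereas the screen saver setting has to be configured for each user.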
To help mitigate the risk of malware, download software only from trusted sources. Use the Microsoft Store for a large range of apps that Microsoft reviews and verifies as safe.
Check user reviews before downloading software from other sources on the internet. Go to the App & browser control settings in Windows Security for more safeguards. Also follow our advice under Check Smart App Control is turned on.
For more tips, refer to Microsoft’s advice on how to keep your computer secure at home.
Advanced tips
Check that hard drive encryption is turned on for your device. This security feature protects the data stored on your hard drive. It means if your device is lost or stolen, only authorised users can access your data.
Visit Microsoft’s website for how to turn on device encryption.
Controlled folder access protects your system from ransomware. It controls which apps can access and make changes to your important data.
When an app wants access to your data, you can choose to allow or deny it. You can manage which apps can access your important data at any time.
Visit Microsoft’s guide for how to allow an app to access controlled folders.
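Controlled folder access can also be inspected and managed from PowerShell, which is useful for seeing what has been blocked or audited. The script below is an added example (not from this page or from Microsoft) built on the Defender cmdlets; the extra folder and the allowed application path are placeholders. Audit mode is a good first step: it logs what would have been blocked without stopping any app, so you can see which legitimate programs need to be allowed before turning on blocking.

```powershell
# Added example (not from the page): inspect, enable and audit Controlled folder access
# with the built-in Defender cmdlets. Run from an elevated (admin) prompt.
# The folder and application paths used below are placeholders.
function Get-ControlledFolderAccessState {
    $p = Get-MpPreference
    # EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (log only)
    $mode = switch ([int]$p.EnableControlledFolderAccess) {
        0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } default { "Other($_)" }
    }
    [pscustomobject]@{
        Mode             = $mode
        ProtectedFolders = $p.ControlledFolderAccessProtectedFolders     # extra folders beyond the defaults
        AllowedApps      = $p.ControlledFolderAccessAllowedApplications  # apps allowed to change protected folders
    }
}

function Enable-ControlledFolderAccess {
    param([switch] $AuditOnly)
    $mode = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    Set-MpPreference -EnableControlledFolderAccess $mode
}

function Get-ControlledFolderAccessEvents {
    param([int] $Hours = 24)
    # Defender logs event 1123 for a blocked change and 1124 for one recorded in audit mode.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-ControlledFolderAccessState | Format-List

# Protect an additional folder, then allow one trusted program to write into protected folders.
Add-MpPreference -ControlledFolderAccessProtectedFolders "$env:USERPROFILE\Projects"
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleBackup\backup.exe'

# Trial in audit mode first; switch to Enable-ControlledFolderAccess (no switch) once the
# event list shows only apps you expect.
Enable-ControlledFolderAccess -AuditOnly
Get-ControlledFolderAccessEvents -Hours 24 | Format-Table -AutoSize
```

A steady stream of 1123 events from a program you do not recognise, particularly one writing to Documents or Pictures, is exactly the ransomware behaviour this feature exists to stop and is worth investigating with a full scan.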
Smart App Control helps to protect your device from malicious and untrusted apps. It also checks for apps that do things you don't expect, such as making your device run slowly.
This security feature checks if the apps you are trying to run are safe. If it believes an app is malicious or untrusted, Smart App Control will block it from running.
Note: only devices with new installs of Windows 11 22H2 or later have access to this feature. To turn on Smart App Control, you may need to reset your device. Visit Microsoft’s website to learn more about Smart App Control.
Secure Boot is a security feature for Windows that prevents malware from loading when your device powers on. Otherwise, malware could stay hidden on your device.
Check Secure Boot is enabled to allow only trusted software to run when you start up your device.
Visit Microsoft’s website for more information on how to enable secure boot on Windows.
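Secure Boot, the TPM and hard drive encryption work as one chain: Secure Boot keeps untrusted code out of the boot process, the TPM measures that process, and BitLocker (the engine behind device encryption) only releases the disk key when those measurements are as expected. As an added example covering both the encryption tip above and this one (not code from this page or from Microsoft), the script below reports the state of each link. It assumes an elevated prompt and the TrustedPlatformModule and BitLocker PowerShell modules, which ship with the Pro, Enterprise and Education editions.

```powershell
# Added example (not from the page): verify the chain that protects data at rest:
# UEFI firmware with Secure Boot on, a ready TPM, and BitLocker protecting the Windows
# volume. Run elevated; Get-Tpm and Get-BitLockerVolume come with the
# TrustedPlatformModule and BitLocker modules (Pro/Enterprise/Education editions).
function Test-BootAndDiskProtection {
    $r = [ordered]@{}

    # $env:firmware_type is 'UEFI' or 'Legacy'; Secure Boot only exists under UEFI.
    $r['FirmwareType'] = $env:firmware_type
    try {
        $r['SecureBootEnabled'] = Confirm-SecureBootUEFI
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS systems, where Secure Boot is unavailable.
        $r['SecureBootEnabled'] = $false
    }

    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $r['TpmPresent'] = [bool]$tpm.TpmPresent
    $r['TpmReady']   = [bool]$tpm.TpmReady

    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $r['OsVolumeProtection']       = $os.ProtectionStatus      # 'On' means the key is protected
    $r['OsVolumeStatus']           = $os.VolumeStatus          # e.g. FullyEncrypted
    $r['OsVolumeEncryptedPercent'] = $os.EncryptionPercentage
    # Expect a Tpm protector (unlocks at boot) plus a RecoveryPassword protector (your backup key).
    $r['KeyProtectors'] = ($os.KeyProtector.KeyProtectorType -join ', ')

    [pscustomobject]$r
}

$p = Test-BootAndDiskProtection
$p | Format-List

if (-not $p.SecureBootEnabled) {
    Write-Warning 'Secure Boot is off; enable it in the UEFI firmware settings.'
}
if ("$($p.OsVolumeProtection)" -ne 'On') {
    Write-Warning "Drive $env:SystemDrive is not protected by BitLocker; turn on device encryption."
}
if ($p.KeyProtectors -notmatch 'RecoveryPassword') {
    Write-Warning 'No recovery password protector found; back up a recovery key before relying on encryption.'
}
```

Home edition exposes the same information through the Device encryption page in Settings; the recovery key warning matters on every edition, because a firmware update or a Secure Boot change can cause BitLocker to ask for that key at the next boot.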
Consider using privacy protections to help hide your activity and data from others, especially in apps you use often such as your web browser or email.
Businesses often track your online activity using cookies, tracking pixels and social media icons. This includes how you interact with a website or email. Some apps may even collect your device details and location. They may use this data to target you with ads or sell it to a third party.
Review your app’s Privacy Settings for ways to help minimise tracking of your data.
More information
How to secure your devices
Protect your sensitive data and accounts. Learn how to secure your devices such as your computer, mobile phone and Internet of Things devices.
Protect yourself
Advice and information about how to protect yourself online.
Personal security guides
This page includes a series of guides that you can use to protect yourself and be cyber secure.
Have you been hacked?
Find out what to do if you think you’re the victim of a cybercrime.
Hardening Microsoft Windows 10 and Windows 11 Workstations
This publication provides recommendations on hardening workstations using Enterprise and Education editions of Microsoft Windows 10 and Windows 11. While this publication refers to workstations, most recommendations are equally applicable to servers (with the exception of Domain Controllers) using Microsoft Windows Server. Security features discussed in this publication, along with the names and locations of Group Policy settings, are taken from Microsoft Windows 10 version 22H2 and Windows 11 version 23H2.