We don’t mean to be scaremongers, but they are out to get you. Computer attacks continue to increase in number and severity each year. And while the big data breaches—the loss of millions of credit card numbers from a major retailer or the loss of millions of personnel records from the U.S. government—command the most media attention, don’t think that the bad guys wouldn’t like to get into your computer, too. Whether it’s to steal your valuable personal data or hold it for ransom, appropriate your computing resources and bandwidth, or use your PC as a pathway into a bigger target with whom you do business, there are plenty of actors with bad intent.
In this chapter, we examine the types of threats you’re likely to face at home and at your office and then introduce the security tools and technologies in Windows 11—many of which are in layers you can’t see, such as hardware-based protection that operates before Windows loads.
All currently supported retail and OEM versions of Windows 11 include the Windows Security app, which functions as a dashboard for common security functions. It also offers access to other visible security features, including Windows Defender Firewall, Microsoft Defender Antivirus, and Microsoft Defender SmartScreen. This chapter covers all of these tools as well as other, related security features, including Windows Update, User Account Control, and BitLocker Drive Encryption.
Understanding security threats
A decade ago, the threat landscape for Windows users was dominated by viruses and worms. Ah, for the good old days! The modern threat landscape is much more complex and, unfortunately, more insidious. Today, an attacker is likely to be part of an organized crime ring or even acting on behalf of a state-sponsored organization, and attacks are typically designed to go unnoticed for as long as possible.
A rogue program, installed without your knowledge and running without your awareness, can perform malicious tasks and transfer data without your consent. This category of software is often referred to as malware.
The goal of the bad guys is to get you to run their software. They might, for example, convince you to install a Trojan—a program that appears legitimate but actually performs malicious actions when it’s installed. This category of malware doesn’t spread on its own but instead uses social engineering (often using popular social networking sites such as Facebook and Twitter) to convince its victims to cooperate in the installation process. As part of its payload, a Trojan can include a downloader that installs additional malicious and unwanted programs. Some Trojans install a “back door” that allows an outside attacker to remotely control the infected computer.
What’s in it for the bad guys? Money, mostly, gathered in various ways, depending on how the attackers got through your defenses. Here are just a few examples:
A password stealer runs in the background, gathers usernames and passwords, and forwards them to an outside attacker. The stolen credentials can then be used to make purchases, clean out bank accounts, or commit identity theft.
Bad guys prey on fear with rogue security software (also known as scareware), which mimics the actions and appearance of legitimate antivirus software. If you install their program, it inevitably reports the presence of a (nonexistent) virus and offers to remove the alleged malware—for a fee, of course. A related category includes tech-support scams, in which a Windows user receives a phone call from a scammer masquerading as a Microsoft support professional.
The fastest rising star in the malware hall of shame continues to be ransomware, a form of digital extortion in which a program encrypts all your data files and offers to unlock them only upon payment of a ransom.
Phishing attacks, which use social engineering to convince visitors to give away their sign-in credentials, are a separate but potentially devastating avenue to identity theft that can strike in any browser using any operating system.
You can review lists of current malware threats, along with links to details about each one, at the Microsoft Security Intelligence site, https://bit.ly/malware-encyclopedia. For a more comprehensive view of the changing threat landscape, Microsoft Security issues occasional reports, using data from hundreds of millions of Windows users and other sources. The most recent Microsoft Digital Defense Report (November 2022) is available at https://bit.ly/digital-defense-report.
Monitoring your computer’s security
You can open Windows Security directly from its place on the Start menu’s app list, or use the slightly unconventional navigation options in Settings > Privacy & Security > Windows Security. That Settings page includes a prominent Open Windows Security button and seven headings, each of which opens or switches to the corresponding page in the Windows Security app. Figure 12-1 shows the Windows Security home page, displaying the status of those seven groups of security-related settings, plus an additional Protection History option.
Figure 12-1 The Windows Security dashboard offers a consolidated view of security status. Clicking any item provides access to settings for that group of features.
Windows Security provides status information even when it’s not open. A badge over the app’s icon in the system tray shows the current security status with a green check mark, a yellow exclamation point, or a red X and, if necessary, options for resolving problems. Additional notifications of activity (results of recent virus scans, for example) appear in the notification center. Click the gear icon in the lower-left corner of the Windows Security app window to configure these options, as shown in Figure 12-2. (Note that making changes here requires that you provide an administrator’s credentials.)
Figure 12-2 If you don’t want to be bothered with noncritical notifications from Microsoft Defender Antivirus, such as successful scans that detect no threats, clear the Recent Activity And Scan Results check box.
We cover individual settings available via Windows Security later in this chapter. But first, we discuss the most important security feature of all—Windows Update.
Keeping Windows up to date
Windows Update runs as a service that is set to start as needed; its associated services, including the Background Intelligent Transfer Service (BITS), also run automatically, with little or no attention required from you other than an occasional restart. We strongly suggest checking in at regular intervals to confirm that updates are being delivered as expected and that the various Windows Update services are working properly. To do this, go to Settings > Windows Update. Figure 12-3 shows what you see if Windows has pending updates available.
Figure 12-3 When updates are available, you can view their installation status on this page. If a restart is required, you see an option to restart immediately or schedule a more convenient time.
The text below the Windows Update heading tells you whether your system was up to date as of the most recent check. If updates are ready to install, you can do so immediately. For updates that require a restart, you can take advantage of the scheduling options we describe later in this chapter. (See “Choosing when and how updates are installed.”)
Windows Update checks daily to see whether new updates are available, so you don’t ordinarily need to use the Check For Updates button. If you’re preparing for travel, you might want to make a manual check before your departure to avoid having to deal with pending updates while on the road.
What you get from Windows Update
When you check for new updates in Windows 11, even on a device that hasn’t been updated in many months, you are likely to see, at most, only a handful of updates. These updates fall into the following categories.
Quality updates
Windows 11 receives so-called quality updates, which fix security and reliability issues, in cumulative packages targeted at each supported version. (This category includes the fixes delivered like clockwork on the second Tuesday of each month, also known colloquially as Patch Tuesday or, more formally, Update Tuesday.) Each newly released cumulative update supersedes all previous updates for that version. When you install the latest cumulative update, it applies the most recent revision of all quality updates that apply to your Windows version.
Feature updates
Feature updates are the equivalent of major version upgrades. For Windows 11, they are released annually in the second half of the calendar year. Because these updates are much larger than quality updates and take significantly longer to install, they have their own set of management options, which we describe later in this chapter.
Servicing stack updates
The servicing stack is the code that installs operating system updates to Windows. It also includes the component-based servicing stack (CBS), which powers several Windows-based deployment and management features, including the Deployment Image Servicing and Management command-line tool (DISM.exe); the System Integrity Check and Repair tool (Sfc.exe), a direct descendant of the Windows XP-era System File Checker tool; and the Windows Features tool (OptionalFeatures.exe).
Servicing stack updates are delivered on an as-needed basis (typically not every month) and include reliability and security fixes. They are version-specific, with separate servicing stack updates available depending on the currently installed Windows version. They are typically delivered along with, but separate from, the cumulative quality updates in a given month.
If you are manually installing updates from the Microsoft Update Catalog as part of setting up a new Windows installation, Microsoft recommends installing the most recent servicing stack update before downloading the latest cumulative update. Manually installing the most recent servicing stack update is also a recommended step for troubleshooting Windows Update problems.
Driver updates
Microsoft delivers some device drivers and firmware updates through Windows Update. All Microsoft Surface devices, for example, receive hardware-related updates through this channel. Windows Update provides some third-party drivers to complete setup for devices that are not available in the Windows installation package, as well as occasional replacements for installed device drivers that have been deemed to be the source of significant reliability issues.
Microsoft Defender Antivirus security intelligence updates
Microsoft Defender Antivirus has its own update mechanism that regularly downloads security intelligence updates—typically several times each day. If you manually check Windows Update, it downloads and installs any available security intelligence updates that have been released since the most recent check by Microsoft Defender Antivirus.
Malicious Software Removal Tool
The Malicious Software Removal Tool (MSRT) is typically delivered monthly, on Update Tuesday. Its purpose is to detect and remove prevalent malware from Windows computers; it is not a substitute for the comprehensive antimalware code included as part of Microsoft Defender Antivirus. MSRT runs automatically in the background; it generates a log file automatically and saves it as %windir%\debug\mrt.log.
All editions of Windows 11 include a group of settings that give you control over how Windows Update works. Click Advanced Options to see these settings, as shown in Figure 12-4.
Figure 12-4 The options shown here are available in all editions of Windows 11.
If you turn the Receive Updates For Other Microsoft Products switch to On, Windows Update expands its scope to include other products developed by Microsoft, such as perpetual-license versions of Microsoft Office. (Microsoft 365 installations use a separate update mechanism.)
The Get Me Up To Date switch bypasses some of the normal precautions against unexpected restarts when updates are ready to install. It’s an appropriate option when you’re working with a PC that hasn’t been used in several months and is well behind on updates.
The third option, Download Updates Over Metered Connections, applies only if you have configured a metered data network connection, such as an embedded LTE modem or a mobile phone configured as a Wi-Fi hotspot. In those circumstances, Windows normally refrains from downloading updates to avoid racking up unexpected charges for what is often a pay-as-you-go data plan. Turn this switch to On if you’re comfortable that updates won’t overrun your data budget. (For details, see “Mobile hotspots and other metered connections” in Chapter 11, “Configuring Windows networks.”)
The final switch, Notify Me When A Restart Is Required To Finish Updating, provides one extra confirmation before Windows automatically restarts to install updates. Use this option to minimize the possibility of losing any work when a restart is required.
If Windows needs to restart your system to complete the installation of an update, you have the option to restart immediately or specify a time when you want the system to restart. If you do neither of these things, Windows Update restarts at a time outside your active hours. By default, Windows automatically adjusts the allowable update times based on its observations of your activity. If you prefer to set these times yourself, change the Adjust Active Hours setting to Manually; then set start and end times that are no more than 18 hours apart.
When installing an update entails a restart of your system, Windows normally requires you to sign in before the installation finishes. If you’re away from your PC while an upgrade is in progress, you might find the system waiting at the sign-in screen when you return, with additional setup tasks (and additional wait time) after you sign in. You can streamline the process by clicking Restart Apps (under the Additional Options heading); that action takes you to Settings > Accounts > Sign-in Options. Make sure the Use My Sign-In Info To Automatically Finish Setting Up After An Update option is turned on.
If Windows requires a restart to install one or more updates, you see a banner in the notification center and on the main Windows Update page.
Restarting immediately, by clicking Restart Now, might be the ideal option if you know you’re going to be away from the PC for a meeting or lunch break that will last longer than the few minutes it takes to install a batch of updates. (But watch out for feature updates, which are equivalent to full upgrades and might take as much as an hour or even longer, depending on your hardware.) Save your existing work, close any open files, and then click Restart Now. Be sure to wait for all open apps to close before you head out the door. It’s annoying (and a big drag on productivity) to come back from a meeting and discover that the restart hasn’t taken place because a dialog was open, waiting for your approval.
If instead you want to specify a restart time, click Schedule The Restart. Pick the exact date and time (up to one week from the current day) when you want your PC to restart and begin installing the updates.
Deferring and delaying updates
The level of control that administrators have over how and when updates are installed on a device depends on which edition of Windows is installed on that device. Note that the following rules apply to public releases of Windows 11 and are not applicable to Insider Preview builds.
On devices running Windows 11 Home, all updates are delivered automatically on a schedule defined by Microsoft’s update servers. No options to defer updates are available on this edition, although you can pause updates for up to five weeks, one week at a time, as described in the previous section. You don’t need to take any additional action aside from observing the occasional reminders to restart your computer and, if you choose, to schedule a restart.
On devices running Windows 11 Pro, Enterprise, and Education, the default settings are the same as those in Windows 11 Home. As an administrator, however, you can take advantage of additional options, available as part of Group Policy; these settings allow you to delay installation of quality updates by up to 30 days after they are initially available from Microsoft and to defer installation of feature updates by up to 365 additional days.
To apply these Windows Update settings, you must use Group Policy, either as part of a Windows domain using Active Directory or using the Local Group Policy Editor, Gpedit.msc. These policy settings are available in Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage Updates Offered From Windows Update. Figure 12-5 shows an example of these policies.
Figure 12-5 Using Group Policy, you can adjust Windows Update settings to defer quality and feature updates. The options shown here defer a quality update until 14 days after Microsoft releases it to Windows Update.
The policies available for configuration are as follows:
Select When Preview Builds And Feature Updates Are Received Configure this policy to defer feature updates and, for devices enrolled in the Windows Insider Program, preview builds. You can then specify an amount of time to defer the update after it’s released. This value is entered in days, with deferral periods up to 365 days allowed for feature updates in the General Availability channel and 14 days for all prerelease channels.
Select When Quality Updates Are Received With this policy, you can defer the regular cumulative updates (which include security, reliability, and driver updates) for up to 30 days. Deferring quality updates requires a balancing act: Configuring this policy gives you an opportunity to test the latest update on a subset of PCs in your organization before deploying the update widely; that delay can also put your other machines at risk because they haven’t received potentially important security fixes.
Disable Safeguards For Feature Updates Normally, Microsoft blocks installation of a feature update on devices that are known to have compatibility issues. This policy is for administrators and developers who want to evaluate a feature update on such a device, perhaps because they’ve deployed a workaround or other form of mitigation for the issue.
Do Not Include Drivers With Windows Updates Turn this policy on to ensure that Windows Update doesn’t deliver any driver updates to the device.
Manage Preview Builds This policy includes the options to choose one of the three Windows Insider Program prerelease channels. A fourth option allows you to specify that you want to receive only quality updates from the Release Preview channel.
Select The Target Feature Update Version Use this policy to define a specific feature update that you want Windows Update to offer to a device or a group of devices; use the version information as it appears under the Windows 11 Release Information heading at https://aka.ms/WindowsTargetVersionInfo. Note that Windows Update overrides this policy if the specified version has reached its end-of-service date.
An additional group of policies under the Manage End User Experience heading are roughly equivalent to those in Settings > Windows Update. In addition, administrators who want to keep a fleet of machines up to date can remove user access to the Pause Updates feature.
Finding technical information about updates
The information that appears in the list of available updates and in your update history is brief and often less than informative. Why, exactly, are you being offered a particular update? Which reliability and security issues, exactly, are addressed in the latest quality update?
For the answers, prepare to do some clicking. Start with Settings > Windows Update > Update History. That opens a categorized list of all updates installed on the current system, similar to the one shown in Figure 12-6.
Figure 12-6 Click the Learn More link alongside any entry in the Update History list to see additional details about a quality update.
Each cumulative update listed under the Quality Updates heading includes a descriptive title and the number associated with a related Knowledge Base (KB) article. For releases in the General Availability channel, clicking the Learn More link opens that KB article, which in turn typically contains a list of key changes—security updates and quality improvements that are new in that cumulative update, along with a listing of any known issues for the update. It also includes a link to the Microsoft Update Catalog, where you can download a standalone package that allows you to install the updates manually. A File Information section provides a link to a list of files and version information associated with the update (in CSV format). (Note that much of this information is unavailable if you’re running a Windows Insider Program preview release.)
For cumulative updates that include security content, the associated KB article typically does not include detailed information about those fixes. Instead, the KB article includes a link to release notes that are part of the Microsoft Security Update Guide, which includes listings for all Microsoft products. These release notes are not associated with a KB number.
Every cumulative update, complete with KB number and minor build number, is also listed on the Windows 11 Update History page. That index is categorized by version; the most recent updates are listed at https://aka.ms/Windows11UpdateHistory, with specific versions (21H2 and 22H2) available for selection in the navigation pane on the left of the page.
Security updates include a rating of the threat’s severity. These are the four ratings that are used, listed in order of severity (with the most severe first):
Critical A critical vulnerability can lead to code execution with no user interaction.
Important An important vulnerability is one that can be exploited to compromise the confidentiality or integrity of your data or to cause a denial-of-service attack.
Moderate A moderate vulnerability is one that’s usually mitigated by default settings and authentication requirements. In other words, you’d have to go a bit out of your way for one of these to damage your system or your data.
Low A vulnerability identified as low usually requires extensive interaction or an unusual configuration to cause damage.
For vulnerabilities with a rating of Critical or Important, Microsoft provides an Exploitability Index that estimates the likelihood that a vulnerability addressed in a security update will be exploited. This information is intended to help Windows administrators prioritize their deployment of updates.
The Exploitability Index includes four values:
0 – Exploitation Detected The vulnerability is actively being exploited.
1 – Exploitation More Likely There is a strong likelihood that attackers could consistently exploit this vulnerability, making it an attractive target.
2 – Exploitation Less Likely Attackers would have difficulty creating exploit code, making it a less attractive target.
3 – Exploitation Unlikely Successfully functioning exploit code is unlikely to be utilized in real attacks, and the full impact of exploitation is likely to be limited.
In our experience, Windows Update is generally reliable, but problems can and do occur. These problems fall into a handful of categories: updates that cause stability problems; updates that fail to install properly; and general problems with Windows Update.
For updates that cause problems, the first step is to remove the offending update. (For particularly nettlesome problems, this might require booting into Safe Mode.) Go to Settings > Windows Update > Update History to display the list of installed updates (as described in the previous section) and then click the unobtrusive Uninstall Updates link at the bottom of that page.
Doing so takes you to an Uninstall Updates page that lists recent updates that can safely be uninstalled. Click the Uninstall link to the right of the update you want to remove.
That action (after a restart) removes the immediate problem. But because of the way Windows Update works, the unwanted item will reappear the next time Windows checks for updates. You can interrupt this cycle by pausing updates (as described earlier in this chapter) while you troubleshoot the issue. For serious problems, you might need to contact Microsoft Support.
Configuring privacy options
You don’t need to be a conspiracy theorist to be concerned about privacy. Some companies abuse your trust by taking your information—often without your knowledge or consent—and sharing it with others who hope to profit from that information. Even a trustworthy third party can slip up and allow your private information to be stolen from its servers in a security breach. In the European Union, the General Data Protection Regulation (GDPR) requires organizations (including Microsoft) to follow strict privacy controls when collecting, processing, and storing personal data within the EU. In the United States, the State of California recently passed a similarly comprehensive privacy law. Some privacy advocates have argued that these protections should be extended worldwide.
Because Windows 11 is tightly integrated with cloud services, some of your information is stored, with your permission, on Microsoft-owned servers. Likewise, Microsoft requests permission when you first set up a user account to use some of your information to provide personalized suggestions. In addition, Windows 11 shares what Microsoft calls diagnostic data (sometimes called telemetry data) for the purpose of improving the reliability of the operating system.
Diagnostic data, which is collected by the Connected User Experiences And Telemetry service, includes information about the device and how it’s configured, including hardware attributes such as CPU, installed memory, and storage. This data also includes details about quality-related events and metrics, such as uptime and sleep details and the number of crashes or hangs. Additional required information includes a list of installed apps and drivers. For systems that are set to send optional diagnostic data in addition to required data, the information collected includes events that analyze the interaction between the user and the operating system and apps.
Microsoft insists that its diagnostic-data system is designed to prevent any privacy issues. “We collect a limited amount of information to help us provide a secure and reliable experience,” the company says. “This includes data like an anonymous device ID and device type.… This doesn’t include any of your content or files, and we take several steps to avoid collecting any information that directly identifies you, such as your name, email address or account ID.”
Note
For a full discussion of how Windows diagnostic data works, with an emphasis on how to manage settings for collecting diagnostic data in an organization, see https://bit.ly/configure-telemetry.
Some of your personal information is used to provide more relevant advertising in apps. If you opt to turn off that personalization, you’ll still see ads, but those ads will not be based on your browsing history or other information about you. Regardless of your privacy settings, Microsoft does not use the contents of your email, chat, files, or other personal content to target ads.
A single privacy statement covers most of Microsoft’s consumer products and services, including Windows 11 and related services. For information about the privacy policy and to make choices about how Microsoft uses your data, visit https://privacy.microsoft.com. (A direct link to the Windows section of the Microsoft privacy statement is also available at Settings > Privacy & Security > General page.)
More important still, Windows includes a raft of options for controlling your privacy. You’ll find them under the Privacy & Security heading in Settings, where you can specify which apps are allowed to use each of your computer’s many devices, whether to disclose your location, whether to allow Windows to use cloud-based speech recognition, and so on.
For each privacy option, you’ll find a link to the Microsoft privacy statement and links to additional information as well as the controls for viewing and changing settings. The privacy statement is detailed yet clearly written, and it’s an important aid for deciding which options to enable. You should examine each of these options carefully and decide for yourself where the proper balance is between your personal privacy and convenience.
To minimize the collection of diagnostic data, for example, go to Settings > Privacy & Security > Diagnostics & Feedback. Under the Diagnostic Data heading, shown in Figure 12-7, set the Send Optional Diagnostic Data switch to Off. (Note that on PCs that are configured as part of the Windows Insider Program, turning this setting off prevents the PC from receiving Insider preview builds; a message at the top of the section appears if you choose this configuration.)
Figure 12-7 If you’d prefer to share the minimum amount of diagnostic data with Microsoft’s telemetry servers, set the Send Optional Diagnostic Data switch to the Off position.
Using Group Policy and device management software, it’s possible to disable diagnostic data collection. Note that this setting applies only to devices running Windows Enterprise and Education editions; if you select it on a device running Windows 11 Pro, Windows ignores the policy and uses the Send Required Diagnostic Data setting. Because this policy setting also disables Windows Update, it is not recommended and should be used only when an alternative update mechanism such as Windows Server Update Services is available.
To view and configure these settings, open the Local Group Policy Editor, Gpedit.exe, and navigate to Computer Configuration > Administrative Templates > Windows Components > Data Collection And Preview Builds. Double-click Allow Diagnostic Data and set its value to Enabled to see all three levels under Options.
Two advanced tools allow you to inspect and manage diagnostic data on your computer. These tools are available on all currently supported Windows 11 editions.
The first is Diagnostic Data Viewer, an app that displays the collected data so you can see for yourself exactly what is going to Microsoft. To use Diagnostic Data Viewer, go to Settings > Privacy & Security > Diagnostics & Feedback, expand the View Diagnostic Data section, and set the associated switch to On. Then click the Open Diagnostic Data Viewer button. The Diagnostic Data Viewer app includes search and filtering capabilities to help you narrow the display of diagnostic information.
From that same Settings page, you can also request that Microsoft erase diagnostic data that has been collected from the current device. To do so, expand the Delete Diagnostic Data section and then click Delete. After you make this request, Windows displays the Last Delete Request date to the right of the Delete button.
Preventing unsafe actions with User Account Control
User Account Control (UAC) intercedes whenever a user or an app attempts to perform a system administrative task, requiring the consent of a computer administrator before commencing what could be risky business. UAC was widely scorned when it was introduced as part of Windows Vista in 2006, but the feature has since been tuned to become an effective security aid—without the annoyance factor that plagued the original implementation.
UAC works in conjunction with a feature called Mandatory Integrity Control, which assigns a measure of trust called an integrity level to every system object, including processes and registry keys. Processes that run at the System integrity level cannot be directly accessed by any user account. A process with a High integrity level is one that is capable of modifying system data and requires an administrator access token. Most normal processes run with a Medium integrity level and require a standard user access token. (Store apps run with the AppContainer integrity level, and web browsers run at Low or Untrusted integrity levels. A standard user account can run either type of app, but the lower integrity level effectively creates a “sandbox” that prevents those apps from modifying objects with higher integrity levels.)
In Windows 11, standard user accounts can carry out all the usual daily computing tasks but are prevented from running any process with a High integrity level. These restrictions apply not just to the user; more importantly, they also apply to any programs launched by the user.
At sign-in, Windows creates a token that’s used to identify the privilege levels of your account. Standard users get a standard token, but administrators get two: a standard token and an administrator token. (This dual-token configuration is called Admin Approval Mode.) The standard token is used to open Explorer.exe (the Windows shell), from which all subsequent programs are launched. Child processes inherit the token of the process that launches them, so by default, all applications run as a standard user—even when you’re signed in with an administrator account. Any activity that runs a process with a High integrity level requires an administrator token; if your account provides that token, the program runs. This process is called elevation. Note that an elevated process can, in turn, run additional processes as an administrator.
For information about user accounts, see Chapter 11. For a detailed technical discussion of UAC, see “How User Account Control Works,” at https://bit.ly/how-UAC-works.
Most modern Windows desktop programs and all Store apps are written so that they don’t require administrator privileges for performing everyday tasks. Programs that truly need administrative access (such as utility programs that change computer settings) request elevation—and that’s where UAC comes in.
What triggers UAC prompts
The types of actions that require elevation to administrator status (and therefore display a UAC elevation prompt) include those that make changes to systemwide settings or to files in %SystemRoot% or %ProgramFiles%. (On a default Windows installation, these environment variables represent C:\Windows and C:\Program Files, respectively.) Among the actions that require elevation are the following:
Installing and uninstalling most desktop applications (except those converted into app packages and delivered through the Microsoft Store, or those that install completely into the user profile)
Installing device drivers that are not included in Windows or provided through Windows Update
Installing ActiveX controls (which are still supported in Windows 11 in Microsoft Edge Internet Explorer mode)
Changing settings for Windows Defender Firewall
Changing UAC settings
Configuring Windows Update
Adding or removing user accounts
Changing a user’s account type
Running Task Scheduler
Editing the registry
Restoring backed-up system files
Viewing or changing another user’s folders and files
Within the classic Windows desktop interface (including the remnants of Control Panel that have yet to migrate to Settings), you can identify in advance many actions that require elevation. A shield icon next to a button or link indicates that a UAC prompt will appear if you’re using a standard account.
If you sign in with an administrator account (and if you don’t change the default UAC settings), you’ll see fewer consent prompts than if you use a standard account. That’s because the default setting uses Admin Approval Mode, which prompts only when a program tries to install software or make other changes to the computer, but not when you make changes to Windows settings—even those that would trigger a prompt for a standard user with default UAC settings. Windows uses this automatic elevation, without the expected UAC prompt, for certain programs that are part of Windows. Programs that are elevated automatically are from a predefined list; they must be digitally signed by the Windows publisher, and they must be stored in certain secure folders.
Dealing with UAC prompts
When you attempt to run a process that requires elevation, UAC evaluates the request and then displays an appropriate prompt. If you signed in to the current session with an administrator account, the most common prompt you’re likely to see is the consent prompt, which is shown in Figure 12-8. Check the name of the program and the publisher, and click Yes if you’re confident that it’s safe to proceed. (Note that the default action is No; if you absentmindedly press Enter, Windows cancels the elevation request.)
Figure 12-8 For a program that’s digitally signed, clicking Show More Details displays a link to the associated certificate.
If, on the other hand, you signed in to the current session with a standard account, any attempt to run a program that requires elevation displays the credentials prompt, which is shown in Figure 12-9. The user must provide the credentials of an administrator (that is, username and password, smart card, or biometric authentication, depending on how sign-in options are configured on the computer); after entering those credentials, the application opens using the administrator’s access token.
Figure 12-9 To perform an administrative task when signed in with a standard user account, you must enter the full credentials for an administrator account.
By default, the UAC dialog sits atop the secure desktop, which runs in a separate session that requires a trusted process running with System privileges. (If the UAC prompt were to run in the same session as other processes, a malicious program could disguise the UAC dialog, perhaps with a message encouraging you to let the program proceed. Or a malicious program could grab your keystrokes, thereby learning your administrator sign-in password.) When the secure desktop is displayed, you can’t switch tasks or click any open window on the desktop. (In fact, in Windows 11, you can’t even see the taskbar or any other open windows. When UAC invokes the secure desktop, it displays only a dimmed copy of the current desktop background behind the UAC dialog.)
Note
If an application other than the foreground application requests elevation, instead of interrupting your work (the foreground task) with a prompt, UAC signals its request with a flashing taskbar button. Click the taskbar button to see the prompt.
It becomes natural to click through dialogs without reading them or giving them a second thought. But it’s important to recognize that security risks to your computer are real and that actions that trigger a UAC prompt are potentially dangerous. Clearly, if you know what you’re doing, and you click a button to open Registry Editor or run a desktop program you just downloaded from a trusted location, you can blow past that security dialog with no more than a quick glance to be sure it was raised by the expected application. But if a UAC prompt appears when you’re not expecting it—stop, read it carefully, and think before you click.
Modifying UAC settings
To review your User Account Control options and make changes to the way it works, type uac in the search box in Start or in Settings, and then click Change User Account Control Settings. A window similar to the one shown in Figure 12-10 appears.
Figure 12-10 We don’t recommend changing the default UAC settings unless you fully understand the consequences.
Your choices in this window vary slightly depending on whether you started the current session using an administrator account or a standard user account. For standard user accounts, the top setting is the default; for administrator accounts, the second setting from the top is the default. Table 12-1 summarizes the available options.
Table 12-1 User Account Control settings
Slider position
Prompts when a program tries to install software or make changes to the computer
Prompts when you make changes to Windows settings
Displays prompts on a secure desktop
Standard user account
Top (default)
✓
✓
✓
Second
✓
✓
Third
✓
Bottom (off)
Administrator account
Top
✓
✓
✓
Second (default)
✓
✓
Third
✓
Bottom (off)
To make changes, move the slider to the position you want. Be sure to take note of the advisory message at the bottom of the box as you move the slider. Click OK when you’re done—and then respond to the UAC prompt that appears. Note that when you’re signed in with a standard user account, you can’t select one of the bottom two options, even if you have the password for an administrator account. To select one of those options, you must sign in as an administrator and then make the change.
Regardless of your UAC setting, the shield icons still appear throughout Control Panel, but you don’t see UAC prompts if you’ve lowered the UAC protection level. Clicking a button or link identified with a shield immediately begins the action. Administrators run with full administrator privileges; standard users, of course, still have only standard privileges.
Caution
Don’t forget that UAC is more than annoying prompts. Only when UAC is enabled does an administrator run with a standard token. Only when UAC is enabled do web browsers run at Low or Untrusted integrity levels to thwart web-based attacks. Only when UAC is enabled does Windows warn you when a rogue application attempts to perform a task with system-wide impact. And, crucially, disabling UAC also disables file and registry virtualization, which can cause compatibility problems with applications that use fixes provided by the UAC feature. For all these reasons, we urge you not to select the bottom option in User Account Control Settings, which turns off UAC completely.
Blocking malware
The best way to fight unwanted and malicious software is to keep it from being installed on any PC that’s part of your network. You can install third-party software for this task, or you can use Microsoft Defender Antivirus, which is included with every edition of Windows 11.
Microsoft Defender Antivirus runs as a system service (two services, to be precise: Microsoft Defender Antivirus Service and Microsoft Defender Antivirus Network Inspection Service); it uses a scanning engine to compare files against a database of virus and spyware definitions. It also uses heuristic analysis of the behavior of programs to flag suspicious activity from a file that isn’t included in the list of known threats. It scans each file you access in any way, including downloads from the internet and email attachments you receive. (This feature is called real-time protection—not to be confused with scheduled scans, which periodically inspect all files stored on your computer to root out malware.)
Using Microsoft Defender Antivirus
In general, you don’t need to “use” Microsoft Defender Antivirus at all. As a system service, it works quietly in the background. The only time you’ll know it’s there is if it finds what it believes to be an infected file; one or more notifications will pop up to alert you to the fact.
Nonetheless, there are a few settings you can tweak and a few tasks you can perform manually. In the Windows Security app, open the Virus & Threat Protection page to see details about the most recent scan (manual or automatic). Under normal circumstances, this number should be zero; if Microsoft Defender Antivirus detected a threat, it displays the details and offers options for dealing with the threat.
Click Manage Settings, under the Virus & Threat Protection Settings heading, to open a page containing a group of switches for adjusting the behavior of Microsoft Defender Antivirus.
Slide the Real-Time Protection switch to Off to temporarily disable protection (an option you should use only for short periods and only if you’re absolutely certain you’re not allowing malware to sneak onto your PC as a result of actions that would otherwise be blocked). The Cloud-Delivered Protection and Automatic Sample Submission options work together to help block threats that have not yet been identified in the latest security intelligence update. Most people should keep these options turned on. Tamper Protection prevents malicious apps from changing Microsoft Defender Antivirus settings.
Finally, in the Exclusions section, you can specify files, folders, file types (by extension), or processes you want Microsoft Defender Antivirus to ignore. This option is especially useful for developers working with files that might otherwise trigger alarms.
Manually scanning for malware
The combination of real-time protection and periodic scheduled scanning is normally sufficient for identifying and resolving problems with malware and spyware. However, if you suspect that a PC you manage has been compromised by malware, you can initiate a scan on demand. To immediately scan for problems, open the Virus & Threat Protection tab in Windows Security and click Quick Scan. This option kicks off a scan that checks only the places on your computer that malware and spyware are most likely to infect, and it’s the recommended setting for frequent regular scans.
For a more intensive (or more focused) inspection, click Scan Options, which leads to a page containing three additional options. Choose Full Scan if you suspect infection (or you just want reassurance that your system is clean) and want to inspect all running programs and the complete contents of all local volumes. Click Custom Scan if you want to restrict the scan to any combination of drives, folders, and files. The Microsoft Defender Offline Scan option is useful for removing persistent infections that are able to successfully block normal operation of Microsoft Defender Antivirus. It requires a restart and can take a significant amount of time.
Dealing with detected threats
If Microsoft Defender Antivirus detects the presence of malware or spyware as part of its real-time protection, it displays a banner and a notification and, in most cases, resolves the problem without requiring you to lift a finger.
To learn more about its findings, open Windows Security and, on the Virus & Threat Protection tab, click Protection History. Windows Security shows the name, severity level, and detection date of each blocked or quarantined item. Click an entry for additional information about detected threats and a list of actions you can take.
Blocking ransomware with controlled folder access
One of the pernicious threats in recent times is ransomware. Typically, this type of malware works in the background to encrypt all your documents and other files. Upon completion, the program displays a digital ransom note that says, in effect: If you ever want to see your files again, send us money. Supposedly, after you pay up (usually via untraceable digital currency), the hijacker sends you a decryption key and instructions for recovering your files.
The Controlled Folder Access feature is designed to stop ransomware attacks by preventing malicious and suspicious apps from making changes to any files stored in designated folders—typically, all your document folders. To enable this feature, open the Virus & Threat Protection page in Windows Security and then click or tap Manage Ransomware Protection. Turn on Controlled Folder Access to enable this feature and its two configurable settings. The Protected Folders link allows you to view and modify the list of folders monitored by this feature. A second link, Allow An App Through Controlled Folder Access, leads to a page where you can allow an app that you know to be safe. You need to do this only if Controlled Folder Access blocks an app you trust; most legitimate apps are on a known-good list and need no further clearance to go about their work.
On this same page are details about file recovery options for OneDrive and OneDrive for Business accounts.
Protecting Windows from exploits
One group of settings in Windows Security deserves special mention here, primarily so that we can encourage you to leave them alone.
If you go to the App & Browser Control page and click Exploit Protection Settings (under the Exploit Protection heading), there is a group of advanced settings. Here, you can adjust features that control how program code is allowed to execute in memory. Data Execution Prevention (DEP), for example, is a hardware feature that marks blocks of memory so that they can store data but not execute program instructions. Address Space Layout Randomization (ASLR) randomizes the location of program code and other data in memory, making it difficult for malware to carry out attacks that write directly to system memory because the malware can’t find the memory location it needs.
These settings were previously available only as part of a separate download called the Enhanced Mitigation Experience Toolkit, intended for use by administrators in enterprise deployments. Although it’s possible to change each of these settings on a systemwide basis or on a per-application basis, we suggest that you avoid experimenting with these settings unless you understand exactly what the effects are likely to be. For full documentation, see https://bit.ly/win10-exploit-protection. (Be sure to use the navigation pane on the left to view more detailed pages in this topic.)
Stopping unknown or malicious programs with Microsoft Defender SmartScreen
Microsoft Defender SmartScreen, which has been a part of Windows for more than a decade, puts up a roadblock whenever you try to run a program that is unknown or has a questionable reputation based on the experience of other users. It does so by comparing a hash of a downloaded program with Microsoft’s application-reputation database. (It also checks web content used by Microsoft Store apps.)
This reputation check occurs when you download a program using Microsoft Edge. SmartScreen also kicks in when you attempt to run a program you downloaded from the internet—regardless of what browser you use.
Programs with a positive reputation run without fuss. Programs that are known to be bad or that have not yet developed a reputation are blocked. In Microsoft Edge, the notice that a potentially dangerous program has been blocked might appear in the details for the download that appear at the bottom of the screen. If you download a file using another browser and then try to run it, you might see a message that tells you “Windows protected your PC.”
Ironically, you might see this sort of block even when running code written and distributed by Microsoft, if the code is too new to have earned a positive reputation. If you’re certain that a program is safe, you can override the block by clicking the Run Anyway button. With default settings in place, you then need the approval of someone with an administrator account before the program runs. Don’t say you weren’t warned.
To configure Microsoft Defender SmartScreen settings, including those for Microsoft Edge and for app content in Microsoft Store apps, open Windows Security, click App & Browser Control, and then click Reputation-Based Protection Settings.
A related feature called Smart App Control is new in Windows 11 version 22H2. It uses a similar cloud-based reputation feature to predict whether an app is safe to run. This feature can only be enabled on a clean install of Windows 11. For more details, see https://bit.ly/smart-app-control.
Encrypting information
The increased mobility of PCs also increases the risk of theft. Losing a computer is bad enough, but handing over all the data you’ve stored on the computer is potentially a much greater loss. Windows 11 includes a variety of data protection features to ensure that a thief can’t access your data:
Device encryption On devices that support InstantGo, data on the operating system volume is encrypted by default. (Formerly called Connected Standby, InstantGo is a Microsoft hardware specification that enables advanced power-management capabilities. Among other requirements, InstantGo devices must boot from a solid-state drive.) The encryption initially uses a clear key, but when a local administrator first signs in with a Microsoft account, the volume is automatically encrypted. A recovery key is available when you sign in using that Microsoft account at https://onedrive.com/recoverykey; you need the key if you reinstall the operating system or move the drive to a new PC.
BitLocker Drive Encryption This feature protects data by encrypting the entire contents of any hard-disk volume, not just the system drive, and on corporate networks, it allows centralized management. By linking this encryption to a key stored in a Trusted Platform Module (TPM), BitLocker reduces the risk of data being lost when a computer is stolen or when a hard disk is stolen and placed in another computer. A thief’s standard approach in these situations is to boot into an alternate operating system and then try to retrieve data from the stolen computer or drive. With BitLocker, that type of offline attack is effectively neutered.
BitLocker To Go This feature extends BitLocker encryption to removable media, such as USB flash drives.
Encrypting File System (EFS) This technology, which predates BitLocker, encrypts the contents of files and folders rather than entire volumes. The files are readable only when you sign in to the computer or network with a user account that has access to the certificate used to encrypt them. If you lose that certificate, the data cannot be recovered.
Note
The BitLocker Drive Encryption and Encrypting File System features are not available in Windows Home edition. Using BitLocker To Go to encrypt a removable drive requires Windows Pro, Enterprise, or Education; the resulting encrypted drive can be unlocked and used to read and write files on a device running any edition of Windows 7 or later.
Encrypting with BitLocker and BitLocker To Go
BitLocker Drive Encryption can encrypt entire NTFS volumes, which provides excellent protection against data theft. BitLocker can secure a drive against attacks that involve circumventing the operating system or removing the drive and placing it in another computer. Because Windows 11 requires a Trusted Platform Module (TPM), BitLocker can use the TPM to store the encryption key and ensure that a computer has not been tampered with while offline.
To apply BitLocker Drive Encryption to the system drive, right-click the drive in File Explorer and then click Turn On BitLocker. (If you see the menu option Manage BitLocker instead, the drive is already encrypted.) Before proceeding, the software prompts you to back up your recovery key, as shown in Figure 12-11. (Note that the PC in this example is connected to an Azure AD account; if you’ve signed in using a Microsoft account, the first option offers to save the encryption key to that account.)
Figure 12-11 The option of saving the recovery key to an Azure AD or Microsoft account makes it much easier to find this key when you need it.
Your recovery key is a system-generated, 48-character, numeric backup password. You need that recovery key if you lose the ability to log in to your PC and need to reinstall Windows or access the drive’s encrypted data from another PC. BitLocker offers to save that key in a plain text file or cloud storage; you should accept the offer and store the file in a secure location. We recommend also printing the recovery key, labeling it with a descriptive name, and storing it in a secure location (such as a locked file cabinet) alongside the recovery keys for secure websites that are protected with multifactor authentication.
With all preliminaries out of the way, BitLocker begins encrypting your media. This process takes a few minutes, even if the disk is freshly formatted. However, if you’re in a hurry, you can opt to encrypt only the used space on the drive. This choice can save you a considerable amount of time if your disk contains only a small number of files. The security risk, of course, is that any old data in the erased portion of the drive might still be recoverable by an attacker with physical access to the device.
To remove BitLocker encryption from a disk, use the Manage BitLocker option, select the encrypted drive, and click Turn Off BitLocker. The software decrypts the disk; allow some time for this process.
With BitLocker To Go, you can encrypt the entire contents of a USB flash drive, SD card, or other removable storage device, assigning a strong password to unlock its contents. If the drive is lost or stolen, the thief will be unable to access the data without the password.
To encrypt a removable drive using BitLocker To Go, hold down the Shift key as you right-click the drive in File Explorer, click Turn On BitLocker, and then follow the prompts. The procedure is similar to the one you follow when encrypting the system drive on a Windows 11 PC, with one noteworthy exception: Instead of unlocking the drive’s contents by signing in with your Windows credentials, you assign a password that’s used as the decryption key. (There’s also an option to use a smart card, but that technology is used primarily in enterprise deployments.)
After encryption is complete, make sure to back up the recovery key to a safe place; then use the drive as you normally would.
To read a BitLocker-encrypted removable disk, you need to unlock it by entering your password. The drive icon in File Explorer has a padlock to indicate it’s encrypted. Double-click that icon to display the dialog shown in Figure 12-12. Enter your password and click Unlock to decrypt the drive and work with it as normal.
Figure 12-12 When you insert an encrypted removable drive into a Windows PC, you must supply a password to unlock it.
On a trusted PC, you can avoid the hassle of entering your password every time you want to use that removable drive by clicking Automatically Unlock On This PC before clicking the Unlock button. With that option set, you no longer have to enter your password on that PC. If you change your mind and want to turn this feature off, right-click the removable drive’s icon in File Explorer, choose Manage BitLocker, and then click Turn Off Auto-Unlock for that drive.
If you plug in an encrypted drive and discover that you have lost or forgotten the password, click More Options and then click Enter Recovery Key. Find your recovery key backup and enter the 48-digit key here. In case you have several recovery-key text files, BitLocker To Go gives you an eight-character Key ID that can help you locate the right one.
If you signed in to Windows with a Microsoft account, your recovery key might be available online. Look for the entry on OneDrive (https://onedrive.com/recoverykey); if you saved the recovery key as a text file or printout, look for that key ID, and then enter the recovery key in the BitLocker dialog. You’re granted temporary access to the files, which is good until you remove the disk or restart the computer. Before going any further, change the password; right-click the drive in File Explorer and click Manage BitLocker. Select the encrypted removable drive and then click Change Password.
Using the Encrypting File System
As we mention at the beginning of this section, EFS is a legacy technology that provides a secure way to store sensitive data in files, folders, or entire drives on PCs running Windows 11 Pro, Enterprise, or Education. Windows creates a randomly generated file encryption key (FEK) and then uses the FEK to encrypt the data transparently, as the data is being written to disk. Windows then encrypts the FEK using your public key. (Windows creates a personal encryption certificate with a public/private key pair for you the first time you use EFS.) The FEK, and therefore the data it encrypts, can be decrypted only with your certificate and its associated private key, which are available only when you sign in with your user account. (Designated data-recovery agents can also decrypt your data.) Other users who attempt to use your encrypted files receive an “access denied” message. Even administrators and others who have permission to take ownership of files are unable to open your encrypted files.
You can encrypt individual files, folders, or entire drives. (You cannot, however, use EFS to encrypt the boot volume—the one with the Windows operating system files. For that, you must use BitLocker.) We recommend you encrypt folders or drives instead of individual files. When you encrypt a folder or drive, you can choose to encrypt the files it already contains, and new files you create in or copy to that folder or drive are encrypted automatically.
To encrypt a folder, follow these steps:
In File Explorer, right-click the folder, choose Properties, click the General tab, and then click Advanced, which displays the dialog shown in Figure 12-13. (If the properties dialog doesn’t have an Advanced button, the folder is not on an NTFS-formatted volume, and you can’t use EFS.)
Figure 12-13 Click the Encrypt Contents To Secure Data check box to encrypt a folder using EFS.
Select Encrypt Contents To Secure Data. (Note that you can’t encrypt compressed files. If the files are already compressed, Windows clears the compressed attribute.)
Click OK twice. If the folder contains any files or subfolders, Windows then displays the confirmation message shown in Figure 12-14.
Figure 12-14 Choose the bottom option here to ensure that files already in the folder will be encrypted properly.
Note
If you select Apply Changes To This Folder Only, Windows doesn’t encrypt any of the files currently in the folder. Any new files you create in the folder, however, including files you copy or move to the folder, will be encrypted. We don’t recommend this option, which is needlessly confusing.
Click OK to finish encrypting the folder and its files. A Windows notification urges you to back up your FEK. Click the notification to launch a wizard that helps you create a copy of the certificate and save it in a safe place (in cloud storage or on removable media).
After a file or folder has been encrypted, File Explorer displays its name in green. This minor cosmetic detail is the only change you’re likely to notice. Windows decrypts your files on the fly as you use them and reencrypts them when you save.
Caution
Before you encrypt anything important, you should back up your file-recovery certificate and your personal encryption certificate (with their associated private keys), as well as the data-recovery-agent certificate, to a USB flash drive or to your OneDrive. Store the flash drive in a secure location. To do this, open User Accounts in Control Panel, click User Accounts to make changes to your own account, and then click Manage Your File Encryption Certificates.
If you ever lose the certificate stored on your hard drive (because of a disk failure, for example), you can restore the backup copy and regain access to your files. If you lose all copies of your certificate (and no data-recovery-agent certificates exist), you won’t be able to use your encrypted files. To the best of our knowledge, there’s no practical way for anyone to access these encrypted files without the certificate. (If there were, it wouldn’t be very good encryption.)
To encrypt one or more files, follow the same procedure as for folders. You see a different confirmation message to remind you that the file’s folder is not encrypted and to give you an opportunity to encrypt it. You generally don’t want to encrypt individual files because the information you intend to protect can too easily become decrypted without your knowledge. For example, with some applications, when you open a document for editing, the application creates a copy of the original document. When you save the document after editing, the application saves the copy—which is not encrypted—and deletes the original encrypted document. Static files that you use for reference only—but never for editing—can safely be encrypted without encrypting the parent folder. Even in that situation, however, you’ll probably find it simpler to encrypt the whole folder.
Blocking intruders with Windows Defender Firewall
Typically, the first line of defense in securing your computer is to protect it from attacks by outsiders. Once your computer is connected to the internet, it becomes just another node on a huge global network. A firewall provides a barrier between your computer and the network to which it’s connected by preventing the entry of unwanted traffic while allowing transparent passage to authorized connections.
Using a firewall is simple, essential, and often overlooked. You want to be sure that all network connections are protected by a firewall. You might be comforted by the knowledge that your portable computer is protected by a corporate firewall when you’re at work and that you use a firewalled broadband connection at home. But what about the public hotspots you use when you travel?
And it makes sense to run a software-based firewall on your computer even when you’re behind a residential router or corporate firewall. Other people on your network might not be as vigilant as you are about defending against viruses, so if someone brings in a portable computer infected with a worm and connects it to the network, you’re toast—unless your network connection has its own firewall protection.
Windows includes a two-way, stateful-inspection, packet-filtering firewall called, cleverly enough, Windows Defender Firewall. (This product is labeled Microsoft Defender Firewall if you dig deep enough in the Windows Security app, but Microsoft has not extended that rebranding consistently.) This protection is enabled by default for all connections, and it begins protecting your computer as it boots. The following actions take place by default:
The firewall blocks all inbound traffic, with the exception of traffic sent in response to a request by your computer and unsolicited traffic that has been explicitly allowed by creating a rule.
All outgoing traffic is allowed unless it matches a configured rule.
You notice nothing if a packet is dropped, but you can (at your option) create a log of all such events.
Using Windows Defender Firewall with different network types
Windows Defender Firewall maintains a separate profile (that is, a complete collection of settings, including rules for various programs, services, and ports) for each of three network types:
Domain Used when your computer is joined to an Active Directory domain. In this environment, firewall settings are typically (but not necessarily) controlled by a network administrator.
Private Used when your computer is connected to a home or work network in a workgroup configuration.
Public Used when your computer is connected to a network in a public location, such as an airport or a library. It’s common—indeed, recommended—to have fewer allowed programs and more restrictions when you use a public network.
If you’re simultaneously connected to more than one network (for example, if you have a Wi-Fi connection to your home network while you’re connected to your work domain through a virtual private network, or VPN, connection), Windows uses the appropriate profile for each connection with a feature called multiple active firewall profiles (MAFP).
You make settings in Windows Defender Firewall independently for each network profile. The settings in a profile apply to all networks of the particular type to which you connect. (For example, if you allow a program through the firewall while connected to a public network, that program rule is then enabled whenever you connect to any other public network. It’s not enabled when you’re connected to a domain or private network unless you allow the program in those profiles.)
Earlier in this chapter, we describe the Windows Security app, which includes Firewall & Network Protection as one of the categories it monitors. The icon on that app’s home page displays the current status of Windows Defender Firewall; a green check mark means that Windows Defender Firewall is on and protecting the current network connection.
Clicking the Firewall & Network Protection icon offers access to additional status information as well as links to advanced configuration options. Click any of the three network entries to see a status page for that connection, with a simple on/off switch for the firewall for that network type, as shown in Figure 12-15.
Figure 12-15 Each network profile—Public, Private, and Domain—has its own control page.
In general, the only reason to turn off Windows Defender Firewall is for brief (and extremely cautious) troubleshooting purposes, or if you have installed a third-party firewall that you plan to use instead of Windows Defender Firewall. Most compatible third-party programs perform this task as part of their installation.
The Blocks All Incoming Connections check box provides additional protection from would-be intruders. When it’s selected, the firewall rejects all unsolicited incoming traffic—even traffic from allowed programs that would ordinarily be permitted by a rule. Invoke this mode when extra security against outside attack is needed. For example, you might block all connections when you’re using a suspicious public wireless hotspot or when you know that your computer is actively under attack by others.
Note
Selecting Blocks All Incoming Connections does not disconnect your computer from the internet. Even in this mode, you can still use your browser to connect to the internet. Similarly, other outbound connections—whether they’re legitimate services or some sort of spyware—continue unabated. If you really want to sever your ties to the outside world, open Settings > Network & Internet and disable each network connection. Alternatively, use brute force: physically disconnect wired network connections and turn off wireless adapters or access points.
As you’ll discover throughout Windows Defender Firewall, domain network settings are available only on computers that are joined to a domain. You can make settings for all network types—even those to which you’re not currently connected. Settings for the domain profile, however, are often locked down by the network administrator using Group Policy.
The traditional alternative for monitoring the status of Windows Defender Firewall is the Control Panel application of the same name. That dashboard is still available, but its primary tasks—allowing a program through the firewall or blocking all incoming connections—are now accessible directly from links at the bottom of the Firewall & Network Protection page in Windows Security. Click Allow An App Through Firewall, for example, to display a list of allowed apps and features like the one shown in Figure 12-16.
Figure 12-16 Click Change Settings, and then select or clear a check box to control connections over each network type by a specific app or feature.
The Allowed Apps And Features list includes programs and services that are installed on your computer; you can add others, as described in the following section. In addition, program rules are created (but not enabled) when a program tries to set up an incoming connection. To allow connections for a program or service that has already been defined, simply select its check box for each network type on which you want to allow the program. (You need to click Change Settings and approve a UAC consent request before you can make changes.)
In each of these cases, you enable a rule in Windows Defender Firewall that opens a pathway in the firewall and allows a certain type of traffic to pass through it. Each rule of this type increases your security risk to some degree, so you should clear the check box for all programs you don’t need. If you’re confident you won’t ever need a particular program, you can select it and then click Remove. (Many items on this list represent apps or services included with Windows and don’t allow deletion, but as long as their check boxes are not selected, these apps present no danger.)
The first time you run a program that tries to set up an incoming connection, Windows Defender Firewall asks for your permission by displaying a dialog. You can add the program to the allowed programs list by clicking Allow Access.
When such a dialog appears, read it carefully:
Is the program one that you knowingly installed and ran?
Is it reasonable for the program to require acceptance of incoming connections?
Are you currently using a network type where it’s okay for this program to accept incoming connections?
If the answer to any of these questions is no—or if you’re unsure—click Cancel. If you later find that a needed program isn’t working properly, you can open the allowed apps list in Windows Defender Firewall and enable the rule.
Restoring default settings
If you’ve played around a bit with Windows Defender Firewall and perhaps allowed connections that you should not have, you can get back to a known secure state by opening the Firewall & Network Protection page in Windows Security and clicking Restore Firewalls To Default. Be aware that doing so removes all rules you’ve added for all programs. Although this gives you a secure setup, you might find that some of your network-connected programs no longer work properly. As that occurs, you can re-create the Allow rules for each legitimate program, as described on the previous pages.
For information about uninstalling a problematic device driver, see “
