Back when Microsoft announced Windows 11, it proclaimed the new operating system to be the most secure version of Windows yet. The company’srequirements certainly imply that Windows 11 outdoes its predecessor, given the need for a trusted platform module (TPM) 2.0 and Secure Boot in order to achieve full compatibility—as well as a guarantee of future security updates.
But Microsoft touting Windows 11 as more secure is having an unintended effect. Some people now believe they don’t need to do anything beyond meeting those hardware and security requirements. And that’s not true.
TPM and Secure Boot only protect against two types of threats. A TPM stores information related to encryption or authentication (like Windows Hello biometric data). To keep it safe, it monitors your hardware configuration—if it notices a change, it’ll lock you out until you provide a recovery key or use an alternative method for login. For its part, Secure Boot makes sure that the signature of the BIOS (technically, UEFI) drivers and operating system are valid and trusted before control is given over the OS.
These defenses stand against newer kinds of attacks, but older, more commonly known threats still exist, like malware targeting your activity within the operating system. You probably already know how to protect yourself against these dangers, and in Windows 11, you should still be vigilant. Once you’ve got these locked down, you can then move on to more fun things, like Windows 11’s best hidden features or the six new features you should try in Windows 11.
What you choose to do on your PC directly affects your level of risk. Clicking on links, downloading files, installing programs, or plugging in external USB drives without first thinking about where they originally came from—and what they might gain access to—can create the problems that security hardware and software try to shield you from. Just because the person who passed it to you is a trusted source doesn’t mean the link, program, or drive itself is trustworthy.
The same goes for giving out personal information that can be used to get into your accounts, like your birth date, location, phone number, social security number, and the like. This is less to do with Windows security specifically, but it can create headaches with access to your linked Microsoft account and other services. In a similar vein, don’t store this kind of sensitive information in a non-encrypted file (e.g., Word doc) or share it over non-encrypted forms of communication like email or text message.
Viruses and malware
Elchinator / Pixabay
Those bad links you might accidentally click on, or those programs you downloaded thinking they were legit? Yeah, you still need to watch out for those. The best defense against those threats is to be careful in your daily routine, but you can’t ward off everything. Sometimes you have an oops—or sometimes you do nothing at all, and there’s a discovered vulnerability in hardware or software. (Remember that time when CCleaner, a well-regarded program, pushed a compromised update?)
So yes, you still need antivirus software in Windows 11. That said, Microsoft provides a solution as part of the operating system: Windows Security. It’s a good basic option that should work fine for people who navigate the internet with security in mind. Just make sure it’s turned on; it should be by default.
You can choose to instead install third-party software, but it’s not strictly necessary. Some PCWorld staff members pair Windows Security with a more malware-specific program for a little more coverage. But two programs is the most any of us do—you don’t want to go overboard on layering them, as they can end up fighting with each other and canceling out the overall effectiveness.
Side note: For anyone wondering if virtualization-based security eliminates the need for antivirus software, it doesn’t. VBS is a different kind of protection than antivirus. Antivirus scans for user-level malicious programs, while VBS screens for operating-system (kernel-level) threats. You might be thinking of virtual machines, which you can create in Windows 10 and 11 to run programs that seem suspicious but you want to try out anyway.
Open incoming ports
Viktor Forgacs / Unsplash
Having no firewall software on your PC is similar to leaving all of a house’s external doors wide open. Incoming ports are left completely exposed, which means anyone on the internet can then attempt to exploit services on your computer available through those ports. As you would guess, if such probing is successful, problems can result.
A firewall blocks access to those ports—it’s the equivalent of placing something around your house so that no one can get in. Someone can ping your PC on those ports (the equivalent of knocking on the door), but they’ll never get an answer. They can’t make mischief as a result.
Many home routers have a built-in hardware firewall, but you can’t rely on that as the sole means of protection for your PC. You still want individual devices to be guarded, not just the network as a whole. Your home network could still become compromised. More commonly, though, if you’re a laptop user, it’s the other networks you connect to when you’re not at home that could be vulnerable.
The good news is that, just like its predecessors, Windows 11 provides sufficient built-in firewall protection. Just make sure it’s turned on in the Windows Security app.
Pete Linforth / Pixabay
Breaches and leaks are an unfortunate part of regular life nowadays. Windows 11 might be secure enough, but if the password you use for your linked Microsoft account is the same as for other services, the operating system’s protections aren’t going to save you from unauthorized account access.
First and foremost, don’t reuse passwords. You should use a strong, random, and unique password for every service and website, and you should also change your password for anywhere that’s reported a breach or leak. A password manager can keep track of all of those random character strings in a way that’s safe and doesn’t require you to remember them individually. And since free password managers exist, there’s no excuse not to do it.
Enabling two-factor authentication also helps shore up your defenses against data leaks. Even if your password or recovery information becomes public, adding a second step to the login process can thwart attempts at accessing your account. The most secure method is a hardware dongle, but most people will find using a mobile app that generates a code the best balance between security and convenience. Even 2FA over text message is better than nothing.
People spying on your internet traffic
Gerd Altmann / Pixabay
On any network, it’s possible to see what data is being requested and sent to individual devices. (This is known as packet sniffing.) The more open the network, the easier it is for this to happen.
As you might guess, public Wi-Fi has the greatest potential for this kind of activity. Any stranger can hop on and see what device and applications you’re using, sites you’re visiting, and your overall behavior during that session. And if the data is unencrypted, they can also see the exact information you’re transmitting as well, which doesn’t bode well if any of it is sensitive.
Since you can be compromised with any of that information—you’re not anonymous even when on encrypted sites—you need to route that traffic in a way that won’t reveal too much about you. Enter a Virtual Private Network, or VPN.
A VPN creates a secure tunnel through which all your traffic is funneled. Only you and the VPN provider know what you’re up to, rather than any number of people on the same network as you. Use a VPN on your devices (PC, mobile, tablet) whenever you’re on public Wi-Fi, or when it’s otherwise important to keep your activity private.
When choosing a VPN service, keep a few things in mind. First of all, a free VPN costs nothing for a reason—you’re the product. If privacy is what you want, you’re not going to get it with a free provider. Second, choose a paid service that’s well-regarded. Policies on logging and data retention should be clearly spelled out, for example. (Need a quick set of suggestions? Check out our list of the best paid VPNs.) And finally, a VPN doesn’t make you completely anonymous. At minimum, the service knows the device you connected with and where your traffic requests originated.