A guide to Windows 10 security settings

Tweak settings for passwords, Wi-Fi, Cortana, system updates, and more.

By default, Windows 10 lets your PC do some things that you might not want it to do. We've walked you through its long list of privacy settings, and now we'll take a look at your system options for security issues like updates, Wi-Fi, antivirus protection, and data backup.

Accessing security settings in Windows 10

The easiest way to reach security settings is to press the Windows key and then click or tap Settings. If you've been to this section before, you'll return to where you left off. To get back to the home window, click the gear icon in the upper left-hand corner. Then click Update and Security.

Windows Update

This is the first subsection under Update and Security. Windows 10 checks for and installs updates automatically, giving you little control, which is unfortunate, because sometimes updates cause instability or even create security holes. The most you can do is manually uninstall an update and then use this tool from Microsoft to tell your computer to ignore that update going forward.

You can also tell Windows to never automatically download and install a driver update from Microsoft. Drivers are the code that Windows uses to recognize the physical components (aka the hardware) of your PC. If a Microsoft-supplied driver appears to be causing you trouble, shut down Windows 10's automatic process by pressing the Windows key, typing "device installation" (without the quotes) and clicking the top search result. Then click the second radio button to get a list of options. Select the second option to tell Windows to never install drivers provided through Windows Update. All things being equal, leaving these settings alone will be safer for your PC. But if you're having trouble with a piece of hardware, this is one troubleshooting option. Unfortunately, you can't tell Windows to ignore a specific hardware component -- it's all or nothing.

Back in the Windows Update settings, click Advanced Options to refine how Windows delivers system updates. You can specify a time of day to install system updates or let Windows install when your PC is not in use. If you click "View your update history," there's a link at the top to manually remove a specific update, and a list of error messages below that, if any updates failed to install.

windowsupdate.png

There's also an option to receive Insider builds of Windows 10. This feature allows you to become a beta tester of Windows, but it requires you to log in with a Microsoft account and increases the amount of info that your computer gives Microsoft when you get a system error. From a security perspective, we recommend staying away from beta testing, at least on your main device.

Last but not least, there's "Choose how updates are delivered." By default, Windows 10 enables a peer-to-peer (P2P) network to distribute system updates. This takes strain off the company's data centers. It works by using other Windows 10 PCs on your local network, as well as other PCs detected over the Internet and owned by other people. If you turn this feature off, you will always get your updates directly from Microsoft.

While we'd like to help Microsoft conserve bandwidth, it's not ideal from a security perspective to pass a system update through a third party before it gets installed on your PC. There's always the possibility that these files could be tampered with. Microsoft has developed methods for verifying system file authenticity, but we're not inclined to leave P2P updating enabled. Microsoft doesn't give any information about how much of your own bandwidth is consumed by P2P updates, nor does it give you tools to adjust the size of the pipe.

Windows Defender

The second section in Update and Security (in the left-hand pane of the Settings window) manages Windows Defender, an integrated antimalware program designed and maintained by Microsoft. In the days of Windows 7, this was a standalone program known as Microsoft Security Essentials (MSE). MSE started off strong, but these days it doesn't detect and block malware as reliably as apps like Kaspersky or Bitdefender do. You can buy licenses for those at Amazon for a fraction of the retail cost and run them alongside Windows Defender.

The options in this subsection are fine to leave on by default. In fact, you can't fully disable Windows Defender here -- the real-time protection can only be temporarily toggled off, even if you have another antimalware program installed. Windows 10 doesn't specify how long it will wait before its real-time protection is re-enabled.

Backup

The Backup section controls Windows 10's built-in data-backup tools. While it's nice to have this kind of utility integrated, backups you create here are not password-protected by default, so you may be better off sticking to the backup software that comes with an external hard drive. Without passwords, your backups might be vulnerable to unauthorized access if your external drive is stolen or lost.

However, there's a tool in this section for creating a full system image, which is useful when trying to recover from serious errors. To access the tool, click More Options, scroll down to the bottom of the screen and select Advanced Settings, and click System Image Backup in the lower left-hand corner. Click "Create a system image" on the left to begin the process. You can create a system image on another drive, a USB thumb drive, or a recordable DVD.

backup.png

Password-protecting backups

Like File History data backup, the file created by the system-image backup tool is not password protected by default. But if you have Windows 10 Professional, you can do this manually. Right-click a file, select Properties, click the Advanced button, and check the box next to "Encrypt contents to secure data." To decrypt the file, you'll enter your Windows password. In Windows 10 Home, the encryption option will be grayed out, and you'll need a third-party tool like WinRAR or WinZip.

None of these options has a password-recovery feature, so your best solution is arguably a password manager that offers password recovery, such as LastPass, Blur (Chrome, Firefox, Internet Explorer), or Dashlane. Store your file passwords in one of these managers, and you'll reduce the possibility of forgetting the password and not being able to access the file. Since these three managers operate in the cloud, you can also access your password database from another device, in case your main one gets hosed.

Activation

The Activation section is pretty small and doesn't have stuff that's directly related to security. But since we're in the neighborhood, we might as well mention that people using the free upgrade to Windows 10 do not need to activate anything. In fact, once you've used the free upgrade on this device, you can do a clean install of Windows 10 using the ISO downloadable from Microsoft.

Ordinarily, a clean install wipes everything, so you may wonder how Microsoft lets you use a full ISO of Windows 10 to do a fresh install on a device that had a free upgrade to Windows 10. Well, when you install the free upgrade, Microsoft makes a record of the device that used the upgrade. This record is permanently linked to that device. So if you decide to wipe your drive later and use the full ISO to re-install Windows 10, instead of installing an older version and applying your free upgrade, the ISO installer will communicate over the Internet to Microsoft, which now has a record of that device installing Windows 10, and Microsoft will let the installation go through and activate.

The For Developers section

For home users, this section allows you to manually install something that would usually only be obtainable from the Windows Store app, such as the Windows 10 version of Minecraft. However, sideloading disables a security check that verifies the installer's authenticity. Since this method could be used to get malware onto your PC, we don't recommend sideloading unless you're prepared to handle the risks.

Managing Wi-Fi Sense

Windows 10 does some unusual things with Wi-Fi that you should familiarize yourself with. Go back to the home window of Settings, click Network & Internet, scroll the right-hand side of the window to the bottom, and click Manage Wi-Fi Settings.

There are two important choices to make here. First is the decision to connect to suggested open hotspots. Since public Wi-Fi is a popular avenue for hackers to tamper with connected devices, we recommend leaving that off. The other setting enables network sharing. Users of Skype, Outlook.com, and Facebook can share access to their Wi-Fi network with people on their friends lists. In turn, you can share this access privilege with your friends on Facebook, Skype, and Outlook.com, depending on what boxes you check when you enable network sharing.

Note that we say "access privilege" instead of "password." Your Wi-Fi password remains unknown to others using this system. However, making access to your home Wi-Fi as shareable as a tweet is pretty inadvisable from a security perspective, so we'd recommend that you never check any of those three boxes.

wifisense.png

If you've given a friend your actual Wi-Fi password, you'll need to take an additional step to prevent them from using Wi-Fi Sense to share access with other people. That requires changing the name of your Wi-Fi network. This setting is controlled by your wireless router's software, not Windows 10, so the exact method of accessing your network name, known as an SSID (Service Set Identifier), varies from one brand to another. But it usually starts with opening a Web browser, navigating to 192.168.0.1, and entering an administrator name and password. When you locate the function to change your SSID, add "_optout" at the end of it (without the quotes). So MySSID becomes MySSID_optout.

Letting other people access your Windows 10 device

Let's say you want to let a friend or family member use your Windows 10 device, but you don't want them to mess up your settings or personal files. You can create a guest account that gives them limited privileges. To do that, go to the home Settings window and click Accounts. In the left-hand pane, click "Family & other users."

You can create two types of guest account. Adding a family member and identifying them as a child allows you to filter which websites and Windows Store apps they can use. It also provides an activity log to let you monitor your child's activity. A family member added as an adult can change settings on the child's account, but that adult does not have full administrator privileges on this device. Adding a family member requires them to log in with or create a Microsoft account.

adduser.png

The "other user" type of guest account doesn't require a Microsoft account, but Windows 10 doesn't look eager to disclose this distinction. You have to insist that this user does not have an email address, and then you get the option to click a link that says "Add a user without a Microsoft account." Then you create the username and password.

Cortana and Microsoft's cloud data

Cortana is Microsoft's Siri-like helper that finds information for you based on voice and text input. It's disabled by default, and security-focused users will probably want to leave it that way. Otherwise, it will collect a lot of usage information and store it in Microsoft's cloud, where we don't know how that information will be used. However, accessing Siri's settings does give you a window into what else Microsoft knows about you, and it gives you an option to manage that info. So let's walk through that.

Press the Windows key, type "Cortana" (without the quotes), and click Cortana & Search Settings. Click "Manage what Cortana knows about me in the cloud" to open a webpage on Bing. Log in to your Microsoft account to continue. This opens up the Personalization menu on Bing. Here, you can clear your "interests," which is a record of the types of things you click when visiting Bing.com and MSN.com and when using Cortana in Windows 10.

bingsettings.png

You can also clear everything you've ever search for on Bing itself, and clear the data recorded by Cortana in Windows 10 (such as your contacts, calendar entries, browsing history, and location history). Note that the page where you clear Bing's search history also allows you to disable the search history function altogether. You can also clear data recorded in Bing Maps. At the bottom, you'll see options to manage the collected user data that's specific to Xbox, OneDrive, Outlook, and Microsoft's advertising platform.

More resources

About Tom McNamara

Tom is the senior editor covering Windows at Download.com.