description: Windows is a traditional operating system developed by Microsoft that provides a platform for running software applications and managing computer hardware.
Installing updates is crucial. Windows Update delivers updates to Windows automatically. You can also manually check for updates in Start → Settings → Windows Update → Check for Updates. You should [update](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-update-to-winre?view=windows-11#apply-the-update-to-a-running-pc) Windows Recovery Environment (Windows RE) by yourself. If you have other Windows installation media, such as Windows Preinstallation Environment (Windows PE) or Windows RE that is not recognized by the current Windows operating system, you should [update](https://learn.microsoft.com/en-us/windows/deployment/update/media-dynamic-update) them manually.
You can track update packages for Windows operating system, Windows RE and Windows PE using [this](https://support.microsoft.com/en-us/feed/rss/4ec863cc-2ecd-e187-6cb3-b50c6545db92) RSS feed. *Compatibility update for installing and recovering Windows* denotes updates for Windows RE. *Setup Dynamic Update for Windows* denotes updates for Windows PE. You can download update packages from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx).
You should also enable automatic updates in Microsoft Store in Start → Microsoft Store → Personal Profile → Settings → App Updates. You can also obtain drivers and firmware updates from original equipment manufacturers (OEMs).
**Feature updates** are released annually to add new features and functionality to Windows.
**Quality updates**, which encompass security and non-security fixes such as security updates, critical updates, servicing stack updates, and driver updates, are typically released on the second Tuesday of each month but can be released at any time.
- [Download](https://www.microsoft.com/en-us/download/details.aspx?id=55319) the following files: `Windows 11 v23H2 Security Baseline.zip` and `LGPO.zip`.
- Unzip both files. In `LGPO\LGPO_30`, copy `LGPO.exe` to `Windows 11 v23H2 Security Baseline\Scripts\Tools`.
- In `Windows 11 v23H2 Security Baseline\Scripts`, execute the following command from an elevated command prompt:
You can track security baseline updates using [this](https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Microsoft-Security-Baselines) RSS feed.
Most applications on Windows are not sandboxed. In Microsoft Store, only the apps without the permission "This app can access all your files, peripheral devices, apps, programs, and registry" are sandboxed. If you sideload apps, only those with the file extensions `.msix`, `.msixbundle`, `.appx`, `.appxbundle`, and without the permission "This app can access all your files, peripheral devices, apps, programs, and registry" are sandboxed.
Smart App Control can check the security of apps while they are running. You should enable Smart App Control in Start → Windows Security → App & Browser Control → Smart App Control.
You can also use Windows Sandbox to run untrusted apps. Enable Windows Sandbox in Start → Settings → System → Optional Features → More Windows Features. Open Windows Sandbox in Start → Windows Sandbox. You can transfer files and apps into Windows Sandbox by copying them.
BitLocker is a disk encryption feature. Before enabling BitLocker, you should configure it to use stronger encryption methods and to allow more secure unlocking methods:
- Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)` and set the options to `XTS-AES 256-bit`, `XTS-AES 256-bit`, `AES-CBC 256-bit` respectively.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup` and set the options to unchecked, `Allow TPM`, `Allow startup PIN with TPM`, `Allow startup key with TPM` and `Allow startup key and PIN with TPM` respectively.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup`.
You should enable BitLocker in Start → Windows Security → Device Security → Data Encryption. You should set a strong PIN for BitLocker and encrypt the entire disk space.
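An added example (not from the original page) that sets the three BitLocker Group Policies above through their policy registry values and then audits both the policy and the OS volume. It assumes the value names under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` are the registry equivalents of the listed policies; verify them against the ADMX on your machine before relying on them.

```powershell
# Added example, not the page's own code. Registry equivalents of the BitLocker
# Group Policies described above (assumed; check against your local ADMX).
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Wanted = [ordered]@{
    # "Choose drive encryption method and cipher strength":
    # 7 = XTS-AES 256-bit (OS and fixed drives), 4 = AES-CBC 256-bit (removable drives)
    EncryptionMethodWithXtsOs  = 7
    EncryptionMethodWithXtsFdv = 7
    EncryptionMethodWithXtsRdv = 4
    # "Require additional authentication at startup":
    # checkbox unchecked, then 2 = Allow for TPM, TPM+PIN, TPM+key, TPM+key+PIN
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 0
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
    # "Allow enhanced PINs for startup"
    UseEnhancedPin     = 1
}

function Set-BitLockerHardeningPolicy {
    # Writes the policy values; run from an elevated PowerShell session.
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    foreach ($name in $Wanted.Keys) {
        New-ItemProperty -Path $FvePolicy -Name $name -PropertyType DWord `
            -Value $Wanted[$name] -Force | Out-Null
    }
}

function Test-BitLockerHardeningPolicy {
    # Returns one line per value that does not match the recommended setting.
    $drift = @()
    foreach ($name in $Wanted.Keys) {
        $actual = (Get-ItemProperty -Path $FvePolicy -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -ne $Wanted[$name]) {
            $drift += "$name expected $($Wanted[$name]), found '$actual'"
        }
    }
    return $drift
}

function Test-OsVolumeProtection {
    # Checks the running system drive with the BitLocker module that ships with Windows.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $findings = @()
    if ($os.EncryptionMethod -ne 'XtsAes256') {
        $findings += "OS volume uses $($os.EncryptionMethod); expected XtsAes256"
    }
    if ($os.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "OS volume status is $($os.VolumeStatus); expected FullyEncrypted"
    }
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if (-not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
        $findings += "No TPM+PIN protector; a plain TPM protector unlocks without a PIN"
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += "No recovery password protector; keep one stored offline"
    }
    return $findings
}

Set-BitLockerHardeningPolicy
Test-BitLockerHardeningPolicy
Test-OsVolumeProtection
```

The cipher policy only applies when a volume is first encrypted, so apply it before turning BitLocker on; an already encrypted volume keeps its old method until it is decrypted and re-encrypted.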
- Enable `Block all inbound connections` options in Start → Windows Security → Firewall and Network Protection → Public Network/Private Network/Domain Network.
- Check if `Memory access protection` is displayed in Start → Windows Security → Device Security → Core Isolation. If not, enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Disable new DMA devices when this computer is locked`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan\Turn on e-mail scanning`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan\Scan removable drives`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan\Scan network files`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan\Run full scan on mapped network drives`.
You should use a local user account for daily tasks. Use complex passwords for your accounts. You can create a local user account in Start → Settings → Accounts → Other users → Add account → I don't have this person's sign-in information → Add a user without a Microsoft account. You should add security questions to your local account in case you forget your password in Start → Settings → Accounts → Sign-in options → Update your security questions. You can also create a password reset disk for your local account. In the search box on the taskbar, type `Control Panel`, and then choose it from the list of results. In the Control Panel search box, type `create password reset`. Select `Create a password reset disk`, and follow the remaining instructions.
You can hide your account info when logging in by enabling the Group Policy `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don’t display last signed-in` and `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don’t display username at sign-in`. You can also find the related option in Start → Settings → Accounts → Sign-in Options → Show account details such as my email address on the sign-in screen.
- Disable all options in Start → Settings → Network & Internet → Advanced Network Settings → Advanced Sharing Settings → Private Networks/Public Networks. Set options in Start → Settings → Network & Internet → Advanced Network Settings → Advanced Sharing Settings → All Networks to disable public folder sharing, use 128-bit encryption and enable password protected sharing.
- Enable MAC Address Randomization in Start → Settings → Network & Internet → Wi-Fi → Random Hardware Addresses and set the option in Start → Settings → Network & Internet → Wi-Fi → (Your Network Display Name) → Random Hardware Addresses to `Change every day`.
- Turn off Bluetooth when not in use. Disable device discovery in Start → Settings → Devices → Devices → More Bluetooth Settings.
- Set your encrypted DNS in Start → Settings → Network & Internet → Wi-Fi → (Your Network Properties) → DNS Server Assignment → Edit → Manual.
- Disable Remote Assistance. In the search box on the taskbar, type `remote assistance`, and then select `Allow Remote Assistance invitations to be sent from this computer` from the list of results. Then, on the `Remote` tab, unselect the Allow Remote Assistance connections to this computer check box, and then select OK.
- Uninstall features you won't use, such as Internet Explorer mode, in Start → Settings → System → Optional Features and Start → Settings → System → Optional Features → More Windows Features.
- Enable the Group Policy `Computer Configuration\Administrative Templates\MS Security Guide\Enable Certificate Padding`.
- Add additional attack surface reduction rules and set them to warn mode. Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack surface reduction\Configure Attack Surface Reduction rules`. Select `Show...` and add the following [rule IDs](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#asr-rule-to-guid-matrix) in the Value Name column. Then change the status of all rules to 6 in the Value column.
```
56a863a9-875e-4185-98a7-b882c64b5ce5
d1e49aac-8f56-4280-b9ba-993a6d77406c
01443614-cd74-433a-b99e-2ecdc07bfc25
```
- Execute the following command from an elevated command prompt:
- Enable [additional mitigations](https://support.microsoft.com/en-us/topic/kb4073119-windows-client-guidance-for-it-pros-to-protect-against-silicon-based-microarchitectural-and-speculative-execution-side-channel-vulnerabilities-35820a8a-ae13-1299-88cc-357f104f5b11) against silicon-based microarchitectural and speculative execution side-channel vulnerabilities without disabling Hyper-Threading (also known as Simultaneous Multi Threading (SMT)) in Intel processors by executing the following command from an elevated command prompt.
Enable additional mitigations against silicon-based microarchitectural and speculative execution side-channel vulnerabilities with Hyper-Threading disabled in Intel processors by executing the following command from an elevated command prompt.
Enable additional mitigations against silicon-based microarchitectural and speculative execution side-channel vulnerabilities in AMD processors by executing the following command from an elevated command prompt. To be fully protected, you might also need to disable Hyper-Threading (also known as Simultaneous Multi Threading (SMT)).
Enable additional mitigations against silicon-based microarchitectural and speculative execution side-channel vulnerabilities in ARM processors by executing the following command from an elevated command prompt. To be fully protected, you might also need to disable Hyper-Threading (also known as Simultaneous Multi Threading (SMT)).
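An added example (not from the original page) that applies the four Microsoft Defender scan policies and the three attack surface reduction rules listed above through the Defender PowerShell module instead of the Group Policy editor, and then reads the local preference back to confirm the rules are in warn mode. It assumes the Defender module is present, as it is on Windows 11; the GUIDs are the ones on the page.

```powershell
# Added example, not the page's own code. Requires an elevated PowerShell session.
# The three rule IDs from the page, to be set to warn mode (Group Policy value 6).
$AsrRules = @(
    '56a863a9-875e-4185-98a7-b882c64b5ce5',
    'd1e49aac-8f56-4280-b9ba-993a6d77406c',
    '01443614-cd74-433a-b99e-2ecdc07bfc25'
)
$WarnAction = 6   # numeric value Get-MpPreference reports for Warn

function Set-DefenderScanCoverage {
    # Same effect as the four "Scan" Group Policies above. The parameters are
    # negations, so $false turns each kind of scanning on.
    Set-MpPreference -DisableEmailScanning $false `
                     -DisableRemovableDriveScanning $false `
                     -DisableScanningNetworkFiles $false `
                     -DisableScanningMappedNetworkDrivesForFullScan $false
}

function Set-AsrRulesToWarn {
    # Add-MpPreference merges into the existing rule list instead of replacing it,
    # so rules configured elsewhere are left alone.
    foreach ($id in $AsrRules) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions Warn
    }
}

function Test-AsrRulesWarn {
    # Returns the rule IDs that are missing or not in warn mode in the local preference.
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $drift = @()
    foreach ($id in $AsrRules) {
        $index = [array]::IndexOf($ids, $id)
        if ($index -lt 0) {
            $drift += "$id is not configured"
        } elseif ([int]$actions[$index] -ne $WarnAction) {
            $drift += "$id has action $($actions[$index]); expected $WarnAction (Warn)"
        }
    }
    return $drift
}

function Test-DefenderScanCoverage {
    # Returns the names of scan settings that are still disabled.
    $pref = Get-MpPreference
    $checks = @{
        DisableEmailScanning                           = $pref.DisableEmailScanning
        DisableRemovableDriveScanning                  = $pref.DisableRemovableDriveScanning
        DisableScanningNetworkFiles                    = $pref.DisableScanningNetworkFiles
        DisableScanningMappedNetworkDrivesForFullScan  = $pref.DisableScanningMappedNetworkDrivesForFullScan
    }
    return @($checks.GetEnumerator() | Where-Object { $_.Value -eq $true } | ForEach-Object { $_.Key })
}

Set-DefenderScanCoverage
Set-AsrRulesToWarn
Test-DefenderScanCoverage
Test-AsrRulesWarn
```

If the corresponding Group Policies from the page are also configured, the policy values take precedence over these local preferences, so an audit that disagrees with the Group Policy editor usually means the policy has not been refreshed yet.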
Windows collects [three categories](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1iLkl) of personal data to send to Microsoft: Windows Diagnostic Data, Account Data, and Windows Required Service Data.
Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Data Collection And Preview Builds\Allow Diagnostic Data` and set it to `Diagnostic data off (not recommended)`.
Use local accounts instead of online accounts like Microsoft accounts to sign in to your devices and enable the Group Policy `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts` and set it to `Users can’t add Microsoft accounts`. You can still sign in to apps like Microsoft Store with Microsoft accounts. If you have signed in to apps using a Microsoft account, you can limit its use in Start → Settings → Accounts → Email & accounts → (Your Microsoft Account) → Sign-in Options and select the option `Apps need to ask me to use this account`.
If the Group Policy `Accounts: Block Microsoft accounts` is set to `Users can’t add or log on with Microsoft accounts`, attempting to restore the System in Windows Recovery Environment (Windows RE) will [fail](https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference?view=windows-11#known-issue) with the error message "You need to sign in as an administrator to continue, but there aren't any administrator accounts on this PC."
</details>
### Windows Required Service Data
Some Required Service Data is necessary for Windows security and should be retained.
- Uninstall pre-installed apps you won't use in Start → Settings → Apps → Installed Apps and Start → Settings → System → System Components.
- Disable all options in Start → Settings → Privacy & Security → Windows Permissions.
- Disable suggestions and recommendations in Start → Settings → Personalization → Start.
- Disable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana`.
- Disable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cloud Search`.
- Disable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Search\Do not allow web search`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results in Search`.
- Enable all Group Policy objects under `Computer Configuration\Administrative Templates\Windows Components\Cloud Content`.
- Enable the Group Policy `User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not use diagnostic data for tailored experiences`.
- Enable the Group Policy `User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight`.
- Enable the Group Policy `User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off cloud optimized content`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Windows Error Reporting`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Software Protection Platform\Turn off KMS Client Online AVS Validation`.
- Disable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Messaging\Allow Message Service Cloud Sync`.
- Execute `reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Messaging" /v CloudServiceSyncEnabled /t REG_DWORD /d 0 /f` from an elevated command prompt.
- Execute `reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MRT" /v DontReportInfectionInformation /t REG_DWORD /d 1 /f` from an elevated command prompt.
- Disable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Windows Defender Antivirus\Reporting\Configure Watson events`.
- In Start → Settings → Apps → Advanced app settings, set `Choose where to get apps` to `Anywhere`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization\Download Mode` and set it to `Simple (99)`.
- Execute `reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v "EnableFeeds" /t REG_DWORD /d 0 /f` from an elevated command prompt.
- Execute `setx /M DOTNET_CLI_TELEMETRY_OPTOUT 1` from an elevated command prompt.
- Execute `setx /M POWERSHELL_TELEMETRY_OPTOUT 1` from an elevated command prompt.
- Execute `setx /M MSEDGEDRIVER_TELEMETRY_OPTOUT 1` from an elevated command prompt.
- Disable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\Widgets\Allow Widgets`.
- If you are using an Input Method Editor (IME), disable the option in Start → Settings → Time & Language → Language & Region → (Your Language) → Language Options → (Your IME) → Keyboard Options → Lexicon and Self-Learning → Try text suggestions from Bing.
- You can manage Copilot in Windows by configuring the Group Policy `User Configuration\Administrative Templates\Windows Components\Windows Copilot\Turn off Windows Copilot`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Windows Components\OneDrive\Prevent OneDrive from generating network traffic until the user signs in to OneDrive`.
- You can track security baseline updates using [this](https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Microsoft-Security-Baselines) RSS feed.
- [Download](https://www.microsoft.com/en-us/download/details.aspx?id=55319) the following files: `Microsoft Edge v117 Security Baseline.zip` and `LGPO.zip`. Unzip both files. In `LGPO\LGPO_30`, copy `LGPO.exe` to `Microsoft Edge v117 Security Baseline\Scripts\Tools`. In `Microsoft Edge v117 Security Baseline\Scripts`, execute the following command from an elevated command prompt:
- Enable the option(s) `Allow extensions from other stores` in `edge://extensions/`. Prioritize installing extensions from Chrome Web Store, as Chrome Web Store more aggressively uses Manifest V3.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Configure browser process code integrity guard setting` and set it to `Enable code integrity guard enforcement in the browser process`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Enable online OCSP/CRL checks`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Enable the network service sandbox`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Restrict exposure of local IP address by WebRTC` and set it to `Use TCP unless proxy server supports UDP`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Configure Automatic HTTPS` and set it to `All navigations delivered over HTTP are switched to HTTPS`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Control the mode of DNS-over-HTTPS` and set it to `Enable DNS-over-HTTPS without insecure fallback`. Configure the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Specify URI template of desired DNS-over-HTTPS resolver` according to your needs.
For diagnostic data, enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Send required and optional diagnostic data about browser usage` and set the option to `off`.
For account data, use local profiles instead of online accounts like Microsoft accounts to sign in to Microsoft Edge. Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Browser sign-in settings` and set the option to `Disable browser sign-in`. Then disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Configure whether a user always has a default profile automatically signed in with their work or school account`.
For required service data:
- Disable the option(s) in `edge://settings/profiles/rewards`.
- Disable the option(s) in `edge://settings/profiles/multiProfileSettings`.
- Disable the option(s) in `edge://settings/profiles/localBrowserDataShare`.
- Disable the option(s) in `edge://wallet/settings`.
- Enable the option(s) `Tracking Prevention` in `edge://settings/privacy` and set the option to `Strict`.
- Enable the option(s) in `edge://settings/clearBrowsingDataOnClose`.
- Enable the option(s) `Send "Do Not Track" requests` in `edge://settings/privacy`.
- Disable the option(s) `Allow sites to check if you have payment methods saved` in `edge://settings/privacy`.
- Disable the option(s) `Help improve Microsoft products by sending the results from searches on the web` in `edge://settings/privacy`.
- Disable the option(s) `Allow Microsoft to save your browsing activity including history, usage, favorites, web content, and other browsing data to personalize Microsoft Edge and Microsoft services like ads, search, shopping and news.` in `edge://settings/privacy`.
- Disable all option(s) under the `Services` section in `edge://settings/privacy`.
- Disable the option(s) `Show me search and site suggestions using my typed characters` in `edge://settings/searchFilters`.
- Disable the option(s) `Show me suggestions from history, favorites and other data on this device using my typed characters` in `edge://settings/searchFilters`.
- Disable the option(s) `Personalize my top sites in customize sidebar` in `edge://settings/sidebar`.
- Disable the option(s) `Allow Microsoft to access page content` and `Show shopping notifications` in `edge://settings/sidebar/appSettings?hubApp=cd4688a9-e888-48ea-ad81-76193d56b1be`.
- Disable the option(s) `Allow access to page URLs` in `edge://settings/sidebar/appSettings?hubApp=96defd79-4015-4a32-bd09-794ff72183ef`.
- Disable the option(s) `Preload your new tab page for a faster experience` in `edge://settings/startHomeNTP`.
- Configure the option(s) `Customize your new tab page layout and content` in `edge://settings/startHomeNTP` according to your needs.
- Enable the option(s) `Block third-party cookies` in `edge://settings/content/cookies`.
- Disable the option(s) `Preload pages for faster browsing and searching` in `edge://settings/content/cookies`.
- Disable the option(s) `Use text prediction` in `edge://settings/languages`.
- Disable the option(s) `Enable grammar and spellcheck assistance` or enable it with `Basic` in `edge://settings/languages`.
- Configure the option(s) `Share additional operating system region` to `Never` in `edge://settings/languages`.
- Disable the option(s) `Get image descriptions from Microsoft for screen readers` in `edge://settings/accessibility`.
- Disable the option(s) `Allow identifiers for protected content (computer restart may be required)` in `edge://settings/content/protectedContent`.
- Configure `edge://flags/#edge-widevine-drm` according to your needs.
- Disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Enables default browser settings campaigns`.
- Disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Edge 3P SERP Telemetry Enabled`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Enable network prediction` and set it to `Don’t predict network actions on any network connection`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Secure mode and Certificate-based Digital Signature validation in native PDF reader`.
- Disable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Content settings\Choose whether users can receive customized background images and text, suggestions, notifications, and tips for Microsoft services`.
- Enable the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Configure InPrivate mode availability` and set it to `Forced`.
- You can manage Copilot in Windows by configuring the Group Policy `Computer Configuration\Administrative Templates\Microsoft Edge\Show Hubs Sidebar`.
- Copy `(Extracted Files)\admx\(Your Office Apps).admx` to `C:\Windows\PolicyDefinitions`. Copy `(Extracted Files)\admx\(Your locale ID)\(Your Office Apps).adml` to `C:\Windows\PolicyDefinitions\(Your locale ID)`.
- You can track security baseline updates using [this](https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Microsoft-Security-Baselines) RSS feed.
<summary>Install and Activate Office 2021</summary>
You can buy and download [Office Home & Student 2021](https://go.microsoft.com/fwlink/?linkid=2022066), [Office Home & Business 2021](https://go.microsoft.com/fwlink/?linkid=2022187) or [Office Professional 2021](https://go.microsoft.com/fwlink/?linkid=2022071) online.
To install Office LTSC 2021, download the [Office Deployment Tool](https://www.microsoft.com/en-us/download/details.aspx?id=49117) and execute it to extract the files. Create and download a configuration file using the [Office Customization Tool](https://config.office.com/deploymentsettings). Copy `your-created-config-file.xml` to `(Extracted Files Folder)`. In `(Extracted Files Folder)`, execute the following command from an elevated command prompt:
```
setup /download your-created-config-file.xml
```
For Key Management Service (KMS) activation, execute the following command from an elevated command prompt:
```
cd "c:\Program Files\Microsoft Office\Office16"
cscript ospp.vbs /sethst:your.kms.server.here
cscript ospp.vbs /act
```
For Multiple Activation Key (MAK) activation, execute the following command from an elevated command prompt:
- [Download](https://www.microsoft.com/en-us/download/details.aspx?id=55319) the following files: `Microsoft 365 Apps for Enterprise 2306.zip` and `LGPO.zip`. Unzip both files. In `LGPO\LGPO_30`, copy `LGPO.exe` to `Microsoft 365 Apps for Enterprise 2306\Scripts\Tools`. In `Microsoft 365 Apps for Enterprise 2306\Scripts`, execute the following command from an elevated command prompt:
For diagnostic data, enable the Group Policy `User Configuration\Administrative Templates\Microsoft Office 2016\Privacy\Trust Center\Configure the level of client software diagnostic data sent by Office to Microsoft` and set the option to `Neither`.
For required service data, disable the Group Policy `User Configuration\Administrative Templates\Microsoft Office 2016\Privacy\Trust Center\Allow the use of connected experiences in Office` and `User Configuration\Administrative Templates\Microsoft Office 2016\Privacy\Trust Center\Enable Customer Experience Improvement Program`.