Windows 10 Security And Privacy Guide 2020

Microsoft Windows is the dominant desktop operating system (OS), running on over 65% of desktops and laptops in the US, and over 77% in the world. That’s a lot of Windows PCs! You store a lot of data on your PC, and use it to access your online data, so you must set your security and privacy settings.

Windows 10 collects much more data about its users than previous versions of Windows. Fortunately, there are changes you can make to increase your Windows 10 security and privacy.

For some settings, I don’t have a recommendation related to security or privacy, so I don’t describe them in this guide. For those, feel free to keep the default, or choose based on your preferences.

Each new version of Windows 10 (1903, 1909, 2004, etc.) includes new settings and may change your existing settings, so be sure to go through this guide each time you upgrade Windows to a new version.

This guide was last updated for Windows 10 version 1809. The settings and steps may differ based on the version of Windows and the device.

Note: This page contains affiliate links. As an Amazon Associate, I earn from qualifying purchases. Please see Affiliate Disclosure.

Improve Windows 10 Security and Privacy Using Windows Settings

To open Windows Settings, click the Start button (Windows icon) in the lower-left corner of the screen, then click the Settings (gear) icon above it. We’ll go through the settings it contains in order.

System

From Windows Settings, click System. On the left, click Notifications & actions. I recommend toggling Off Show notifications on the lock screen and Show reminders and incoming VoIP calls on the lock screen, because notifications can reveal sensitive data (messages, calendar reminders, etc.).

Personalization

On the left, click Home to return to Windows Settings. Then, click Personalization. On the left, click Lock screen. At the bottom of the screen, click Screen timeout settings.

Set the screen to turn off after a few minutes. This will lock the screen, preventing others from using your account.

Apps

On the left, click Home to return to Windows Settings. Then, click Apps.

Set Installing apps to Warn me before installing apps from outside the Store. Getting apps from outside the Microsoft Store, such as from a third-party website, is riskier.

Go through the Apps & features list and for any that you don’t truly need, click the app, then click Uninstall. Apps and features that are built in to Windows can’t be uninstalled, so the button will be grayed out.

Accounts

On the left, click Home to return to Windows Settings. Then, click Accounts.

To log into Windows, you can use a Microsoft account or a local account. A Microsoft account syncs many of your settings to Microsoft’s servers, which is convenient. However, it also allows Microsoft to collect a huge amount of data about you and how you use your PC. I highly recommend using a local account. Another option is to create a separate Microsoft account that you use just for Windows, and don’t use it for anything else (not for Outlook.com, Skype, etc.).

If your account is already a Microsoft account, you can switch it to a local account by clicking Sign in with a local account instead.

On the left, click Sign-in options. Set Require sign-in to When PC wakes up from sleep. That will require your password when the PC wakes up. For an easier way to sign in to your PC, set up Windows Hello or picture password. If you choose a picture password, choose a complex pattern with a mix of circles, lines, and taps. If you use a traditional password that you type in, set a long, strong password (20+ characters, with a mix of uppercase, lowercase, numbers, and special characters). You’ll need to memorize it, but I recommend saving it in a password manager, such as LastPass, in case you forget it.

Cortana

Cortana is Microsoft’s digital assistant, the equivalent of Amazon’s Alexa, Apple’s Siri, and Google’s Google Assistant. To work, Cortana sends a lot of data about what you say, type, and do to Microsoft.

Unfortunately, Windows 10 doesn’t have an option to disable Cortana. The easiest way to get close is to remove the search bar from the taskbar. Right-click the taskbar, click Cortana, then Hidden. Now, you’ll need to do more clicking to navigate around. You can also still search within File Explorer.

If you truly want to rid your PC of Cortana, you can do it by modifying the registry. Be extremely careful!

If you choose not to do that, then I highly recommend that you limit Cortana’s functionality.

On the left, click Home to return to Windows Settings. Then, click Cortana.

Let Cortana respond to “Hey Cortana”: toggle Off to prevent Cortana from constantly listening.

Let Cortana listen for my commands when I press the Windows logo key + C: toggle On if you want to use Cortana but control when it listens.

Use Cortana even when my device is locked: toggle Off to prevent others from using Cortana when your screen is locked.

On the left, click Permissions & History. Click Manage the information Cortana can access from this device. Toggle Off any items that you don’t want Cortana to have access to.

Click the back arrow in the top left of the screen to go back to Permissions & History. Toggle Off any items that you don’t want Cortana to have access to.

To provide you with personalized experiences, Cortana learns from certain data about you, such as your searches, calendar, contacts, and location. You’re in control of how much data you share with Cortana. …

When you use your voice to say something to Cortana or invoke skills, Microsoft uses your voice data to improve Cortana’s understanding of how you speak, as well as to improve other Microsoft products and services that use speech recognition and intent understanding. This may include transcription of audio recordings by Microsoft employees and vendors, subject to procedures designed to protect users’ privacy, including taking steps to de-identify data …

On occasion, when the “Hey Cortana” feature is on, Cortana may inadvertently be activated in response to misunderstanding words being spoken. …

Signing out of Cortana on your device stops Cortana’s data collection and use on that device and clears the interests and data on that device, but signing out won’t clear the data that’s already saved in the Notebook or the Privacy Dashboard. …

On Windows, even after you’ve signed out of Cortana, characters you type into the taskbar search box are automatically sent to Bing to help enable better search recommendations. … If you would prefer not to send any character data to Microsoft, you can choose not to use the search box. You can also hide Cortana in Windows

Microsoft
Windows Manage the information Cortana can access from this device

Windows 10 Privacy

On the left, click Home to return to Windows Settings. Then, click Privacy.

Let apps use advertising ID to make ads more interesting to you based on your app activity: toggle Off to reduce the amount of data Microsoft collects about you.

I recommend toggling Off the other items on the General screen, unless you truly need them.

On the left, click Speech. Toggle Off unless you want to speak to Cortana or dictate to Windows.

When you use Microsoft’s cloud-based speech recognition service, Microsoft collects and uses your voice recordings to create a text transcription of the spoken words in the voice data.

Microsoft

On the left, click Inking & typing personalization. Toggle Off to prevent Microsoft from collecting what you type and handwrite.

On the left, click Diagnostics & feedback. I generally like to share data that helps make software and services better, as long as my data is anonymized. However, I’m not comfortable with Microsoft’s privacy statement about this diagnostic data, so I recommend choosing Basic and toggling Off all options. You can scroll down and click Delete to delete the diagnostic data Microsoft has.

This data is transmitted to Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device’s service issues and use patterns.

Microsoft

On the left, click Activity history. I recommend unchecking all boxes, unless you truly need them. You can click Clear to delete activity history.

On the left, click Location. It will show if the location is on or off. Click Change if you want to change the setting. Note that location must be on for Find my device to work (which lets you remotely locate and lock your PC). Toggle Off Allow apps to access your location, unless you truly need it. Click Clear if you want to clear location history. In the list of apps, toggle Off all except those that truly need your location.

The steps for the next few screens are the same: in the list of apps, toggle Off all except those that truly need the access. Or, to completely disable the access, change access to Off. Follow these steps for the following (listed on the left):

  • Camera
  • Microphone
  • Account info
  • Contacts
  • Calendar
  • Call history
  • Email
  • Tasks
  • Messaging
  • Radios

On the left, click Other devices. If you won’t be pairing your PC to other devices, toggle Off. Otherwise, configure this screen as needed.

The steps for the next few screens are the same: in the list of apps, toggle Off all except those that truly need the access. Or, to completely disable the access, change access to Off. Follow these steps for the following (listed on the left):

  • Documents
  • Pictures
  • Videos
  • File system

Windows 10 Update And Security

On the left, click Home to return to Windows Settings. Then, click Update & Security.

Click Advanced options. Toggle On the following:

  • Give me updates for other Microsoft products when I update Windows.
  • Show a notification when your PC requires a restart to finish updating.

Click the back arrow in the top left of the screen to go back to Update & Security. Click Windows Security. If any of the icons shows a yellow warning icon, click it to see what needs to be done. Windows 10 has an optional feature called Controlled Folder Access that can be annoying, but increases protection against ransomware. To use it, see the Protect files from unauthorized access section on this page.

On the left, click Backup. If you have an external drive you can back up to, connect it, then click Add a drive and select it.

On the left, click Find my device. This allows you to remotely find or lock your PC, if it’s broken, lost, or stolen. I recommend setting this to On. Note that this requires location and that you sign in to Windows with a Microsoft account (not a local account).

Microsoft Privacy Dashboard

The Microsoft Privacy Dashboard lets you see and delete a lot of data that Microsoft collects about you.

Click the My activity tab. On the left, click Apps and services. On the right, you can click Clear to clear an individual item, or Clear activity to clear all activity on the screen. Repeat for each other data type (Voice, Search, Browse, Media, Locations).

Click the Cortana’s Notebook tab. Review the data. On the right, you can Clear Cortana data if you want. Repeat for each other category (Commute & traffic, Cortana tips, etc.).

Click the Ad settings tab. Toggle Off to reduce the amount of data Microsoft collects about you.

Back Up Your Windows 10 PC

Back up regularly. I recommend backing up to an external drive and the cloud. Why an external drive? If you need to restore a lot of data, it’s much faster to restore from an external drive than download from the cloud. Why cloud backup? If your PC is hit by fire, a flood, or other disasters, or it’s stolen, your external drive will likely suffer the same fate.

As I mentioned above, I recommend using Windows’ File History to back up to an external drive. I recommend doing this at least weekly.

There are many cloud backup providers. Choose one that lets you set your own private encryption key. I recommend IDrive, but you can also look at the following:

Windows 10 Anti-Malware

Windows Defender, built into Windows, has earned high ratings from independent test labs. It’s sufficient for most users.

It’s a good idea to run Windows Defender Offline (WDO) monthly, to check for rootkits. Click Start, Settings, Update & Security, Windows Security, Virus & threat protection, and Scan options. Then select Windows Defender Offline scan and click Scan now.

If you visit shady websites or install shady software, or your kids use your PC, you may want to use third-party anti-malware. Here’s the Windows anti-malware that has the best test results from the independent test labs AV-Comparatives, AV-TEST, Virus Bulletin, and SE Labs. These are in alphabetical order. These are all paid, except for Avast Free Antivirus and AVG Free Antivirus.

Bitdefender’s software has consistently earned high ratings from multiple organizations over the years, and I recommend it.

Disk Encryption

Encrypting your entire disk is one of the best things you can do to secure your PC, because it means that if someone steals your PC, they won’t be able to see or copy your data off the disk.

Windows 10 offers two forms of disk encryption: device encryption and BitLocker. Device encryption is a simpler version of BitLocker.

Your PC may come with device encryption or BitLocker enabled. If it doesn’t, you can try to enable device encryption by clicking Start, Settings, Update & Security, Device encryption. If you don’t see Device encryption, it isn’t available for your PC.

Next, if you have Windows 10 Pro (not Home), or upgrade to Windows 10 Pro, you can enable BitLocker. Type BitLocker into the search box, or press the Windows and X keys to open Control Panel, then click System and Security, then BitLocker Drive Encryption, then Turn on BitLocker.

I recommend that you don’t store your BitLocker recovery key in your Microsoft account, but that you instead save it in a password manager that you can access from a different device (such as LastPass), or save it to a USB drive or memory card you can securely store in a safe, or print it on paper that you put in a safe.

If none of the above options work for you, you can use the free VeraCrypt to encrypt your entire disk.

Microsoft Family Parental Controls

If your kids will use a Windows PC, you can use parental controls to set screen time limits and restrict access to content.

Using Windows 10 Safely

Install all software updates (for Windows and apps) as soon as they’re available. You should set your device to do this automatically (see settings above), but also watch for any update prompts.

Install software only from the Microsoft Store, and only install software from outside it if you truly trust it. Before installing any software, check its ratings and reviews, and search online for reviews from reputable tech sites.

Be careful what access you grant to apps. When an app asks for access to your camera, microphone, contacts, location, etc., think carefully about whether it truly needs that access. You can always grant access later if you change your mind.

Use a standard account, not an administrator account, for your regular use. This limits the damage that malware (or you, accidentally!) can do to your PC. You can create a standard account for yourself or others by clicking Settings, Accounts, Family & other users, Add someone else to this PC. To change the account type of an existing account, click Change account type below the user on that Family & other users screen.
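
The report below is an added example, not part of the original guide. It is a read-only PowerShell check of four recommendations made in this guide: disk encryption, Windows Defender, Controlled Folder Access, and keeping everyday accounts out of the Administrators group. It assumes the built-in BitLocker, Defender and LocalAccounts cmdlets are present on the PC, and the function name Get-SecurityPosture is made up for illustration.

```powershell
# Added example: read-only posture report. Run from an elevated PowerShell
# prompt; Get-BitLockerVolume returns nothing useful without elevation.
function Get-SecurityPosture {
    $r = [ordered]@{}

    # Disk encryption on the OS drive (BitLocker or device encryption)
    $r['OS drive encryption'] = 'unknown (cmdlet missing or not elevated)'
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        if ($vol) {
            $r['OS drive encryption'] = "$($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
            # Protector types (for example Tpm, RecoveryPassword) show whether
            # a recovery password exists that you should have saved somewhere safe
            $r['Key protectors'] = ($vol.KeyProtector.KeyProtectorType -join ', ')
        }
    }

    # Windows Defender health: real-time protection and how old the signatures are
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $r['Defender real-time protection'] = $mp.RealTimeProtectionEnabled
        $r['Signature age (days)']          = $mp.AntivirusSignatureAge
    } else {
        $r['Defender real-time protection'] = 'unavailable (third-party anti-malware installed?)'
    }

    # Controlled folder access: 0 = off, 1 = on, 2 = audit only
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    $cfaText = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Audit only' }
    $r['Controlled folder access'] = if ($pref) {
        $cfaText[[int]$pref.EnableControlledFolderAccess]
    } else { 'unknown' }

    # Accounts that can make system-wide changes; your daily account should not
    # be listed. PrincipalSource distinguishes Local from MicrosoftAccount sign-ins.
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    $admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    $r['Administrators'] = ($admins | ForEach-Object { "$($_.Name) [$($_.PrincipalSource)]" }) -join '; '

    [pscustomobject]$r
}

Get-SecurityPosture | Format-List
```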

Don’t use public Wi-Fi for anything sensitive, because you’re using an insecure, untrusted network. Instead, use your device’s mobile/cellular data, or use a VPN (virtual private network) to protect your traffic when using public Wi-Fi. I like ProtonVPN.

Regularly delete unnecessary apps. This decreases your “attack surface”; it limits the ways your PC could be compromised.

Be sure to also configure security and privacy settings for your Microsoft account. Set a strong password and enable two-factor authentication.

Erase your PC before you sell or donate it. Use Windows’ Reset this PC feature, with the Remove Everything option, and the Remove files and clean the drive option. Here are detailed instructions.
