
Technerd108

macrumors 68030
Original poster
Oct 24, 2021
2,947
4,152
I wanted to post a fast guide to get your Windows PC set up and locked down for average users or maybe those new to Windows or who haven't used Windows in a while. There are several steps including editing the registry. Some people may feel intimidated but it is not difficult and can be fun to learn terminal commands. I am going to go through an average PC with McAfee pre-installed.

First step: do you want a local account or MS login? If local, then press Shift and F10 at the welcome screen. You will see a command prompt. Type in oobe\bypassnro and hit Enter. It will restart. Hit Shift and F10 again and type ipconfig /release and hit Enter. Then follow setup until the internet page. Once there, scroll down and hit continue with limited setup. Now you have a local account in Windows 11.

Next, remove McAfee. https://download.mcafee.com/molbin/iss-loc/SupportTools/MCPR/MCPR.exe

Use the tool above and then restart. McAfee is now completely removed.

Next, search regedit. Once there, navigate to HKEY_LOCAL_MACHINE, then SOFTWARE, then Microsoft, then to Data collection, right-click, New, DWORD 64-bit. Then type in AllowTelemetry. Then click again and set hexadecimal to zero. Boom, you have no telemetry in Windows.

Go to Settings, then Privacy. In General, toggle off everything but the last bottom toggle. Then Activity history: hit Clear, then turn it off. Turn Find my device off and all other device tracking.

You can go into Edge and limit tracking and activate secure browsing with Defender.

Make sure Windows Security is on and browser security is on. You can go into the ransomware settings and turn on file protection. You can turn off encryption unless you travel a lot, and then run a Defender offline scan every week or so.

Make sure Windows Firewall is active.

Go into Control Panel and remove any bloatware from the device; it will vary by manufacturer. Do not remove drivers or software that helps control the device. For example, something like MyHP is something you don't want to remove, but maybe you don't want OneDrive or something else.

Go into Settings and go to Apps and remove any apps you don't want, like LinkedIn etc.

Then reboot. Turn on your Wi-Fi if you set up a local account and start Windows updates. Windows updates should be set not to download updates from other PCs in advanced settings. Also you want to download any additional drivers. Do not turn on get latest updates until you have completed updating everything. Then once it says up to date, add get updates first and run updates again. It may take a few times and then it will update to 23H2, for example. Then, once all Windows updates have completed and rebooted, go to the Microsoft Store, in Library, and run updates. Let that go.

Then reboot.

Once in, search for change how power button works. Then change setting not available. Then turn off hybrid boot. Add hibernate to the list and reboot.

Now search defrag. Run optimize drive. Reboot.

If you have software from the OEM to update drivers now run that. Update drivers. Reboot.

Now you are set up and secure.
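
A read-only way to confirm the settings this guide walks through, added here as an example and not part of the original post. The function names `Get-RegValue`, `New-Check` and `Test-Baseline` are made up for illustration, and the telemetry check assumes the Group Policy location `HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection`, which the post does not spell out.

```powershell
# Added example: read-only audit of settings named in the guide above.
# Run from an elevated PowerShell prompt on Windows 10/11. It changes nothing.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Check {
    param([string]$Check, $Actual, [bool]$Pass)
    if ($null -eq $Actual) { $Actual = 'not set' }
    [pscustomobject]@{ Check = $Check; Actual = "$Actual"; Pass = $Pass }
}

function Test-Baseline {
    # Microsoft Defender state, from the Defender module that ships with Windows.
    $mp   = Get-MpComputerStatus
    $pref = Get-MpPreference
    New-Check 'Defender antivirus enabled' $mp.AntivirusEnabled $mp.AntivirusEnabled
    New-Check 'Defender real-time protection' $mp.RealTimeProtectionEnabled $mp.RealTimeProtectionEnabled
    # Ransomware "file protection" is controlled folder access: 0 = off, 1 = on, 2 = audit only.
    $cfa = $pref.EnableControlledFolderAccess
    New-Check 'Controlled folder access' $cfa ($cfa -eq 1)

    # Windows Firewall should be on for every profile (Domain, Private, Public).
    foreach ($p in Get-NetFirewallProfile) {
        New-Check "Firewall profile $($p.Name)" $p.Enabled ("$($p.Enabled)" -eq 'True')
    }

    # Telemetry policy value (assumed path, see lead-in). 0 is only honoured on
    # Enterprise/Education/Server; Home and Pro treat 0 as 1 (required data).
    $tel = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' 'AllowTelemetry'
    New-Check 'AllowTelemetry policy is 0' $tel ($tel -eq 0)

    # Hybrid boot (fast startup): 0 means it is turned off.
    $hb = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' 'HiberbootEnabled'
    New-Check 'Hybrid boot disabled' $hb ($hb -eq 0)
}

Test-Baseline | Format-Table -AutoSize
```

Any row with `Pass` set to `False` or `Actual` showing `not set` is a step that did not take effect or was stored somewhere other than the path checked here.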
 

maflynn

macrumors Haswell
May 3, 2009
73,575
43,562
Next remove McAfee.
I usually avoid computer makers that put bloatware on their machines, but I would recommend using Revo Uninstaller, it's highly regarded. It does a much better job of cleaning up the crap that is left behind than using the simple uninstall that Windows provides.

Now search defrag. Run optimize drive. Reboot.
I would forcibly recommend that you NEVER run defrag. That's a holdover from the old spinning disk days, where having your data organized contiguously on the spinning platter was key to good performance. The SSDs can easily read/write data randomly without waiting for the sector to come under the read/write head. Also you're needlessly incurring a lot of write cycles on your SSD for no good reason.

Next search regedit.
For most people, I think it's safer to avoid touching the registry and not use regedit. Instead it's much better and safer to use O&O Shutup 10. That app gives you complete control of how much or how little telemetry you want enabled in Windows.

I also recommend Stardock's Start11 utility to manage and control the start menu.

For antivirus, there are better, more robust solutions than Defender. It does a pretty good job, but I think (personal opinion) that Malwarebytes does a better job. It's funny that most people recommend downloading the Malwarebytes scanner if they think they're infected, so why not just buy/install it, so as to avoid infection?

New users should consider using a password manager, many are good. I use 1Password, which is subscription based. Bitwarden is very good, open source, and there's a full-featured free version. Password managers allow the user to protect their credentials, avoid re-using passwords, and create complex passwords that are extremely hard to brute-force crack.
 

Technerd108

macrumors 68030
Original poster
Oct 24, 2021
2,947
4,152
You are right about the SSD. I just figure during initial setup a trim of the SSD would just be good, but I am old school and old habits die hard.

regedit is so easy and that command would be pretty hard to mess up but I understand what you are saying.

I was trying to write up a guide where people wouldn't need any 3rd party software and could simply use Windows tools. I think everything but the password manager can be done with Windows for free. You can do a lot to edit and customize the start menu just within Windows.

Malwarebytes free edition is great and I recommend it. BUT again Windows Defender is good enough. Most AV software just doesn't work well against current threats. Back when signature-based AV was effective it was worth the trade-offs of AV, but now even heuristic AV can't stop all the threats. Windows Defender is top rated by AV-TEST:

"18 points
Microsoft Defender scored a maximum of 18 points in AV-TEST's assessment, making it one of the best antivirus products on the market. AV-TEST granted it with the “AV-TEST TOP PRODUCT” award. Besides the Defender app, free and paid versions of Avira, AVAST, AVG, Bitdefender, ESET and some other products also reached the maximum score in testing." From Windows Co-Pilot AI

I agree layers of security are best and that is why Malwarebytes is a good recommendation (I stick to free and scan manually), but again I was trying to write up a guide with NO 3rd party software and also show how much you can do just using Windows. Speaking of old school, ditching AV for Defender was something I learned by trial and error.

I used to use Kaspersky, ESET, and a couple of others, but almost all 3rd party AV now seems to have pop-ups and ads for VPNs, upgrading to a higher tier service and other stuff. I really don't like that. I don't know what these programs are doing but they have access to all my files and firewall. I am a little paranoid and really don't trust these companies with this access. Back then you basically had to have commercial AV software or you would get a virus or other malware pretty quickly, and now that just isn't the case, thank the Gods! Now you can use an AV software built into Windows by Microsoft and I don't think you will find a lighter AV on resources and be as accurate.

Password manager is good advice and we all need them!! I forget my email/password with so many online accounts.
 

maflynn

macrumors Haswell
May 3, 2009
73,575
43,562
regedit is so easy and that command would be pretty hard to mess up but I understand what you are saying.
One aspect of my job is to provide support for PCs, and regedit is one of the areas where people can easily mess up their computer. Yes, telling them to do one single action is simple enough, but then they're in there, they opened up Pandora's box and they start poking around. Well, bad things can happen. Even for experienced people, it's better to use a tool, such as O&O Shutup, than mucking about in the registry.

As for Defender, I said it does a decent job. I've seen too many other reviews and sites that don't put it at the top. I like this channel, because the Yter shows you the methodology of the test, why some antivirus makers pass/fail, what's good or concerning.

In both videos, Defender did an OK job. At the 5:00 minute mark, the second opinion scan shows some things did sneak through, but nothing major. I'm not down on Defender, I just think there are better alternatives.


 

maflynn

macrumors Haswell
May 3, 2009
73,575
43,562
Here's an interesting video showing how a certain attack vector easily bypasses Defender. I've been reading/seeing more details about executables showing up with a PDF icon, fooling the victim into thinking that it is a PDF. What makes this even more insidious is that it's password protected (which the hacker provides). This extra step seems to prevent Defender from doing its job.

 
  • Like
Reactions: Technerd108

Technerd108

macrumors 68030
Original poster
Oct 24, 2021
2,947
4,152
Here's an interesting video showing how a certain attack vector easily bypasses Defender. I've been reading/seeing more details about executables showing up with a PDF icon, fooling the victim into thinking that it is a PDF. What makes this even more insidious is that it's password protected (which the hacker provides). This extra step seems to prevent Defender from doing its job.

Again, my point was using tools within Windows to show how much can be done without needing anything else. Commercial AV software doesn't really work. You can show how one does a bit better than another, but at the end of the day no AV system is perfect and all have a weak point.

However, it is easy to use a Defender offline scan and it will shut everything down but the scan. It may still not find everything but it does a very good job.

To be completely honest, since Windows 98 I have been using AV software and at first it was very effective but over the years I still got infections no matter what AV I had. So in my personal experience I am very skeptical of the value of modern commercial AV. Now something like Malwarebytes is different. It is very lightweight and you can use the free version to complement Defender. I find this combination to be the best.

Ultimately though if I have some type of infection then I will need to wipe and re-install Windows fresh. No AV will clean up everything and you can never be sure once infected that it is completely gone. This is my opinion though.

Also I consider AV test to be a pretty good objective source when concerned on how to evaluate AV software.

So my question to you is, even if all of what you say is true, does it make Defender any better or worse than any other high rated AV out there? If it is generally about the same then why should I pay? Why should I give a ton of file permissions and scanning to a company many times not even in the same country as I am in? A lot of AV software costs your OS 10-30% or more of processing power, lowering run time and leaving fewer resources available for what a laptop is supposed to do. For the Mac fans, would you buy a Mac if you knew you had to put software on it that will slow your laptop down by 10% or more? Do you see what I am getting at?

So I use free tools in regards to my OS security now. I get that they may not be as robust but there are tons of resources. You can use Bitdefender online scan and others without installing anything and it is free. So it is not like if you use Defender as primary AV you don't have access to other tools for free. I have not seen any major benefit to having a paid commercial AV over Defender and some other free 3rd party tools when needed.

If I see Defender start to slide in regards to performance then I may rethink my strategy, but for now I just don't see any real benefit for commercial AV and in my opinion there are more downsides than pluses. YMMV and obviously it seems it does.

I respect your opinion and appreciate the videos. The more we learn through these types of exchanges the better!!

The great thing about Windows is you have a lot of options, and the old days when YOU ABSOLUTELY needed 3rd party AV are, for now, over. So if you are super security concerned then the cost of AV doesn't really matter as the priority is safety and security, and by all means get what you like.
 

MacCheetah3

macrumors 68020
Nov 14, 2003
2,129
1,100
Central MN
Back in the day, AVG Free was a great, efficient antivirus software. However, I walked away not long after Grisoft also moved into the high pressure subscription and suite arena. Honestly, the single third-party protection software I still use is Spybot, only the immunization function. It’s not an active or frequent resource hog and additionally blocks known bad domains, IP addresses, etc. Feels like a sufficient prevention method.

On the topic of registry streamlining… My PC software maintenance toolbox formerly included RegCleaner, simple and lightweight. I left it behind after a couple of “cleanings” seemingly caused problems; I worried Tweaknow was lagging behind in developing updates as new Windows versions launched. I doubt the Windows Registry is vastly different from its origins but that’s simply a guess. Anyway, now, I’d probably go for something such as Revo Uninstaller — it just seems more modern.

I’ll finish by handing off to the entertainment version of the discussion:

 
  • Like
Reactions: Technerd108

diamond.g

macrumors G4
Mar 20, 2007
11,160
2,471
OBX
I would forcibly recommend that you NEVER run defrag. That's a holdover from the old spinning disk days, where having your data organized contiguously on the spinning platter was key to good performance. The SSDs can easily read/write data randomly without waiting for the sector to come under the read/write head. Also you're needlessly incurring a lot of write cycles on your SSD for no good reason.
Are we sure Defrag does anything on SSDs other than run garbage collection and trim?
 

maflynn

macrumors Haswell
May 3, 2009
73,575
43,562
Are we sure Defrag does anything on SSDs other than run garbage collection and trim?
Yes, it's destructive

From Crucial: What does defragmenting do for an SSD?
To summarize, do not defrag an SSD
Defragmenting is not recommended for solid state drives.

At best, it won't do anything to help get a faster SSD drive, at worst, it will use up write cycles.
If you have already defragged your SSD a few times, it won’t harm your SSD. However, it’s not a practice you should continue.

PC Gamer: Should I defrag my SSD?
Because of the way SSDs work, not only does data not become fragmented but running a defragmentation utility will actually burn through the program/erase cycles and potentially cause premature 'death' of your SSDs.
 

diamond.g

macrumors G4
Mar 20, 2007
11,160
2,471
OBX
Interesting, 'cause as far as I could tell the defrag GUI in Windows doesn't actually give the option to defragment an SSD (when it recognizes a drive is an SSD and not a HDD).

Now if you are running stuff via the command line instead of defrag.exe, I'd recommend (if you are going to run it at all) using PowerShell's Optimize-Volume, which is smart like the GUI.

The Optimize-Volume cmdlet optimizes a volume, performing defragmentation, trim, slab consolidation, and storage tier processing. If no parameter is specified, then the default operation will be performed per the drive type as follows.


  • HDD, Fixed VHD, Storage Space. -Analyze -Defrag.
  • Tiered Storage Space. -TierOptimize.
  • SSD with TRIM support. -Retrim.
  • Storage Space (Thinly provisioned), SAN Virtual Disk (Thinly provisioned), Dynamic VHD, Differencing VHD. -Analyze -SlabConsolidate -Retrim.
  • SSD without TRIM support, Removable FAT, Unknown. No operation.
 

maflynn

macrumors Haswell
May 3, 2009
73,575
43,562
Interesting, 'cause as far as I could tell the defrag GUI in Windows doesn't actually give the option to defragment an SSD (when it recognizes a drive is an SSD and not a HDD).
I was addressing very bad advice and I stand by that. I think it's safer for those who are not well versed in Windows to avoid such things. The article you linked ends with this:

Summary of Defrag, Disk Optimization, Trim & Retrim

For all these reasons it is important that:

  1. you do NOT run defrag on your SSDs, BUT
  2. you do NOT disable Windows Disk Optimization

So it's best not to defrag an SSD.
 

diamond.g

macrumors G4
Mar 20, 2007
11,160
2,471
OBX
I was addressing very bad advice and I stand by that. I think it's safer for those who are not well versed in Windows to avoid such things. The article you linked ends with this:

So it's best not to defrag an SSD.
Right, I was just trying to point out that the GUI for defrag doesn't actually defragment an SSD (it disables that functionality), it just runs Trim. Now the defrag.exe command line 100% would try to defrag an SSD and I wouldn't run that command. The proper command-line command would be PowerShell's Optimize-Volume, which on an SSD would just run Trim.
 