A fresh Windows install is the best chance you’ll ever have to build a secure, private, and durable workstation. Before you install apps or sync data, spend an hour hardening the OS. The payoff: dramatically lower malware risk, fewer privacy leaks, and fewer troubleshooting headaches later.
This guide takes you from a clean ISO to a locked-down daily driver. It’s structured in layers—start with the essentials, then add advanced hardening if you want “defense in depth.” Where relevant, you’ll see precise Settings paths, Group Policy paths, command-line snippets, and recommended software.
Enter firmware setup (usually Del, F2, or F10 on boot) and:
Choose Custom install, delete existing partitions on the target disk, and let Windows recreate them. This prevents lingering bootkits or misconfigured boot records.
Windows 11 pushes Microsoft accounts. For privacy-driven builds, create a local account during installation (you can add a Microsoft account later for Store/OneDrive).
Immediately after first boot:
Tip: Keep OEM utilities minimal. If you need vendor drivers (chipset, GPU, audio, LAN), fetch them from the hardware vendor directly, not from random driver packs.
Command-line alternative (Pro/Enterprise):
manage-bde -status<br>manage-bde -on C: -rp<br>
Windows Defender is a solid baseline if you enable the right modules and pair it with good hygiene.
Windows Security → Virus & threat protection → Manage settings
Windows Security → App & browser control
Windows Security → Virus & threat protection → Ransomware protection
Windows Security → Device security → Core isolation
Windows Security → App & browser control → Exploit protection → Program settings
On Business/Enterprise SKUs or with Defender for Business/Endpoint, enable ASR rules (block Office child processes, block credential theft, etc.). For home users, you can approximate with Controlled Folder Access and strict SmartScreen.
Settings → Privacy & security
These are safer than random “debloat” scripts and let you roll back changes if necessary.
Settings → Apps → Installed apps
Run PowerShell as Administrator:
Get-AppxPackage *xbox* | Remove-AppxPackage<br>Get-AppxPackage *skype* | Remove-AppxPackage<br>Get-AppxPackage *bing* | Remove-AppxPackage<br>
Be conservative; don’t remove components you don’t recognize.
Run services.msc and set to Manual if unused:
Do not indiscriminately disable core networking, Windows Update, or Defender services.
Attackers routinely abuse double extensions (e.g., “invoice.pdf.exe”).
These simple toggles prevent a common social-engineering trick.
Pick one secure browser and harden it thoroughly. Edge, Firefox, and Brave are excellent choices.
Avoid stacking many “security” extensions—they can slow browsing and increase attack surface.
Create separate profiles for:
Windows 11: Settings → Network & Internet → (Wi-Fi/Ethernet) → Hardware properties → DNS server assignment → Edit → Manual
Windows 10: Use per-browser DoH or configure at the adapter level and rely on browser-level DoH.
Windows Security → Firewall & network protection
Power users can enforce outbound rules so only approved apps reach the internet:
Outbound control is powerful but can be noisy—deploy gradually.
Application allowlisting stops most malware cold.
Settings → Privacy & security → Windows Security → App & browser control → Smart App Control
Pro/Enterprise feature for enforcing code integrity policies. This is the gold standard for allowlisting but requires careful planning and testing.
On Pro/Enterprise:
If you use Microsoft Office or other suites:
Unpatched third-party apps are a common entry point.
Options:
Keep your footprint small. Every app you install is a potential vulnerability and background process.
Follow the 3-2-1 rule:
Recommended tools:
Also consider enabling Previous Versions/Shadow Copies for quick rollbacks of changed files, and keep Controlled Folder Access on to blunt encryption attempts.
Good logs make investigations and cleanups faster.
gpedit.msc → Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration
Then enable command-line logging:
Disable Remote Assistance:
Security is not a “set and forget” project. Build routines:
Keep your stack lean and reputable. The following are widely used, well-maintained, and appropriate for a hardened setup:
Note: Windows Home lacks the Group Policy Editor. For Home, set equivalent registry values only if you’re confident, or use the recommended tools that safely toggle these settings.
If you perform only the basics—full disk encryption, Windows Security tuned correctly, SmartScreen and Controlled Folder Access turned on, strong passwords with a password manager, a hardened browser, and reliable backups—you’ve already outpaced the vast majority of Windows users for both security and resilience.
Layer in allowlisting (SRP/WDAC/SAC), exploit mitigations, system-wide encrypted DNS, and routine maintenance, and you’ve built a workstation that is genuinely hard to compromise. Most attacks today rely on misconfiguration, weak passwords, macros, outdated software, and users running as admin. This guide removes those easy wins for attackers.
Lock it down now, while the system is clean—and keep it that way with steady, predictable maintenance. Your future self will thank you the day something goes wrong and you restore a clean image in minutes, instead of rebuilding from scratch again.
This guide takes you from a clean ISO to a locked-down daily driver. It’s structured in layers—start with the essentials, then add advanced hardening if you want “defense in depth.” Where relevant, you’ll see precise Settings paths, Group Policy paths, command-line snippets, and recommended software.
1) Start Right: Clean Media, UEFI Settings, and First Boot
1.1 Use official, verified installation media
- Download the Windows ISO directly from Microsoft.
- Create media using the Media Creation Tool or Rufus.
- Optionally verify the ISO’s SHA-256 hash before use.
1.2 Configure UEFI/BIOS security before installing Windows
Enter firmware setup (usually Del, F2, or F10 on boot) and:
- Enable UEFI boot (not Legacy/CSM).
- Enable Secure Boot.
- Enable TPM 2.0 (often called PTT on Intel, fTPM on AMD).
- If available: enable Virtualization (Intel VT-x/AMD-V) and IOMMU; required by some security features (VBS/HVCI).
- Set a strong UEFI/BIOS admin password to prevent offline tampering.
1.3 Wipe old partitions during setup
Choose Custom install, delete existing partitions on the target disk, and let Windows recreate them. This prevents lingering bootkits or misconfigured boot records.
1.4 Consider a local account for setup
Windows 11 pushes Microsoft accounts. For privacy-driven builds, create a local account during installation (you can add a Microsoft account later for Store/OneDrive).
2) Patch Completely Before Anything Else
Immediately after first boot:
- Go to Settings → Windows Update → Check for updates until there are no more updates (including optional/driver updates you actually need).
- Reboot as many times as required.
- Set Active hours so reboots don’t hit in the middle of your work.
Tip: Keep OEM utilities minimal. If you need vendor drivers (chipset, GPU, audio, LAN), fetch them from the hardware vendor directly, not from random driver packs.
3) Storage Encryption, Accounts, and Sign-In Security
3.1 Turn on full-disk encryption
- Windows 11/10 Pro: Control Panel → BitLocker Drive Encryption → Turn on BitLocker for the system drive (and for data drives).
- Windows 11 Home: Settings → Privacy & security → Device encryption (if hardware supports it).
- Store your BitLocker recovery key in a safe location (offline or password manager).
Command-line alternative (Pro/Enterprise):
manage-bde -status<br>manage-bde -on C: -rp<br>
3.2 Use a strong passphrase, not a short password
- 16+ characters, unique, not reused anywhere.
- Consider a passphrase (four or five unrelated words plus symbols).
3.3 Add Windows Hello where possible
- Settings → Accounts → Sign-in options: Enable PIN, fingerprint, or face recognition. Credentials are stored in the TPM for added protection.
3.4 Run daily as Standard User
- Create a secondary local Administrator account for maintenance only.
- Use your main account as Standard User. This single step eliminates an entire class of drive-by installs and privilege-abuse malware.
4) Turn Windows Security Into a Real Shield
Windows Defender is a solid baseline if you enable the right modules and pair it with good hygiene.
4.1 Core protection
Windows Security → Virus & threat protection → Manage settings
- Real-time protection: On
- Cloud-delivered protection: On
- Automatic sample submission: On
- Tamper protection: On
4.2 SmartScreen and reputation-based controls
Windows Security → App & browser control
- Reputation-based protection settings: On (including Potentially Unwanted App blocking)
- SmartScreen for Microsoft Edge: On
- SmartScreen for Microsoft Store apps: On
- Check apps and files: On
4.3 Ransomware mitigation (Controlled Folder Access)
Windows Security → Virus & threat protection → Ransomware protection
- Controlled folder access: On
- Add trusted apps that must write to protected folders (for example, backup tools, creative apps).
4.4 Core isolation / Memory integrity (HVCI)
Windows Security → Device security → Core isolation
- Memory integrity: On (may require updated drivers).
This defeats a class of kernel-level exploits and unsigned driver tricks.
4.5 Exploit protection (fine-grained)
Windows Security → App & browser control → Exploit protection → Program settings
- System settings: keep DEP, CFG, ASLR, and SEHOP enabled.
- For high-risk apps (office suites, PDF readers, media players), ensure mitigations are on. Test line-of-business apps for compatibility.
4.6 Advanced: Attack Surface Reduction (ASR) rules
On Business/Enterprise SKUs or with Defender for Business/Endpoint, enable ASR rules (block Office child processes, block credential theft, etc.). For home users, you can approximate with Controlled Folder Access and strict SmartScreen.
5) System Privacy and Telemetry
5.1 Built-in settings
Settings → Privacy & security
- Diagnostics & feedback: Required data only; disable tailored experiences; clear diagnostic data.
- Activity history: Disable storing on this device if you don’t need it.
- Location: Off globally unless needed; otherwise per-app.
- Camera/Microphone: Off by default; allow per-app.
- Background apps: Restrict to essentials.
5.2 Trusted privacy tuning tools (optional)
- O&O ShutUp10++: One-click privacy hardening with reversible changes.
- O&O AppBuster: Remove unwanted inbox apps cleanly.
These are safer than random “debloat” scripts and let you roll back changes if necessary.
6) Remove Bloat and Reduce Attack Surface
6.1 Uninstall what you don’t use
Settings → Apps → Installed apps
- Remove trial antivirus, OEM updaters you won’t use, game preinstalls, and communications apps you don’t need.
6.2 PowerShell removal of specific inbox apps (optional)
Run PowerShell as Administrator:
Get-AppxPackage *xbox* | Remove-AppxPackage<br>Get-AppxPackage *skype* | Remove-AppxPackage<br>Get-AppxPackage *bing* | Remove-AppxPackage<br>
Be conservative; don’t remove components you don’t recognize.
6.3 Disable risky or unused services
Run services.msc and set to Manual if unused:
- Remote Registry
- Remote Desktop Services (if you don’t use RDP)
- Xbox services
- Bluetooth Support (if you don’t use Bluetooth)
Do not indiscriminately disable core networking, Windows Update, or Defender services.
7) Show File Extensions and Other Explorer Tweaks
Attackers routinely abuse double extensions (e.g., “invoice.pdf.exe”).
- File Explorer → View → Show → File name extensions: On
- View → Show → Hidden items: Optional (helps during forensics)
- Folder Options → View: Disable “Hide extensions for known file types”
These simple toggles prevent a common social-engineering trick.
8) Browser Hardening: Where Most Attacks Start
Pick one secure browser and harden it thoroughly. Edge, Firefox, and Brave are excellent choices.
8.1 Baseline browser settings
- Block third-party cookies (or “Strict” tracking protection).
- Send “Do Not Track” (privacy preference; not always honored).
- Disable background sync and autoplay.
- Review site permissions (location, camera, mic, notifications) and set them to Ask or Block by default.
8.2 Must-have extensions
- uBlock Origin: Ad/tracker/script blocking with sane defaults.
- Password manager extension (Bitwarden or 1Password).
- Malwarebytes Browser Guard (optional extra phishing/malvertising filter).
Avoid stacking many “security” extensions—they can slow browsing and increase attack surface.
8.3 Separate profiles by task
Create separate profiles for:
- Banking/finance (no extensions except the password manager).
- Work.
- General browsing.
This isolates cookies, tokens, and extensions per context.
8.4 Edge/Chrome “Enhanced protection”
- In Chromium browsers, enable the strictest safe-browsing mode you can tolerate.
- In Edge, enable Enhanced security mode for unfamiliar sites.
9) Network and DNS Security
9.1 Router hygiene
- Change the router’s admin password from defaults.
- Disable remote administration from the WAN.
- Use WPA3 (or WPA2-AES if older clients require it). Never WEP.
- Update firmware quarterly.
9.2 System-wide DNS with encryption
Windows 11: Settings → Network & Internet → (Wi-Fi/Ethernet) → Hardware properties → DNS server assignment → Edit → Manual
- Set IPv4 DNS (e.g., 9.9.9.9/149.112.112.112 for Quad9, or 1.1.1.1/1.0.0.1 for Cloudflare)
- Turn on DNS over HTTPS (DoH) for each entry.
Windows 10: Use per-browser DoH or configure at the adapter level and rely on browser-level DoH.
9.3 Public Wi-Fi
- Prefer mobile hotspot or a trusted VPN provider (ProtonVPN, Mullvad).
- Never accept unknown certificate prompts.
10) Windows Firewall: Inbound Quiet, Outbound Sensible
10.1 Baseline
Windows Security → Firewall & network protection
- Ensure firewall is On for Domain, Private, and Public profiles.
- Inbound connections: Block by default.
10.2 Optional outbound controls
Power users can enforce outbound rules so only approved apps reach the internet:
- Windows’ Advanced Security firewall snap-in (wf.msc).
- Or a helper like TinyWall or GlassWire for easier app-based control.
Outbound control is powerful but can be noisy—deploy gradually.
11) Software Whitelisting and Application Control (Advanced)
Application allowlisting stops most malware cold.
11.1 Smart App Control (Windows 11)
Settings → Privacy & security → Windows Security → App & browser control → Smart App Control
- Set to On if available (requires clean install). It allows only trusted/signed apps to run. Evaluate compatibility with your workflows.
11.2 WDAC (Windows Defender Application Control)
Pro/Enterprise feature for enforcing code integrity policies. This is the gold standard for allowlisting but requires careful planning and testing.
11.3 Software Restriction Policies (SRP) via Group Policy
On Pro/Enterprise:
- gpedit.msc → Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies
- Create new policies. Set Default Security Level = Disallowed.
- Add Path Rules to Allow:
- %ProgramFiles%
- %ProgramFiles(x86)%
- %SystemRoot%
- Add Disallowed Path Rules:
- %USERPROFILE%\AppData\Local\*
- %USERPROFILE%\AppData\Roaming\*
- %TEMP%\*
This prevents executables from running out of user-writable locations where most droppers land. Test thoroughly before rolling this into daily use.
12) Office and Document Macro Defenses
If you use Microsoft Office or other suites:
- In Office, set Disable all macros with notification. Newer Office builds block internet-originated macros by default; don’t lower this.
- Use Protected View for files opened from the internet.
- Prefer PDF over Office formats when you only need to read a document.
- Consider a dedicated, unprivileged profile for opening unsolicited documents.
13) External Devices and Removable Media
- Disable AutoPlay:
- gpedit.msc → Computer Configuration → Administrative Templates → Windows Components → AutoPlay Policies → Turn off AutoPlay = Enabled (All drives)
- Scan all USB storage with Defender or Malwarebytes before opening.
- For shared USB sticks, consider models with write-protect switches.
14) Keep Third-Party Software Patched
Unpatched third-party apps are a common entry point.
Options:
- Patch My PC Home Updater (recommended) for automated updates of dozens of popular apps.
- winget (built-in Windows package manager):
- List upgrades: winget upgrade
- Upgrade all: winget upgrade --all
- Ninite for safe bulk install/update without bundled extras.
Keep your footprint small. Every app you install is a potential vulnerability and background process.
15) Backups: Your Ransomware and Disaster Insurance
Follow the 3-2-1 rule:
- 3 copies of your data (1 primary, 2 backups)
- 2 different media (e.g., internal disk + external HDD or NAS)
- 1 offsite (cloud or a drive stored elsewhere)
Recommended tools:
- Macrium Reflect (Home; Free edition was discontinued but still widely used) for full system images.
- Veeam Agent for Microsoft Windows (Free) or AOMEI Backupper for scheduled backups.
- Test restores quarterly. A backup you can’t restore is not a backup.
Also consider enabling Previous Versions/Shadow Copies for quick rollbacks of changed files, and keep Controlled Folder Access on to blunt encryption attempts.
16) Logging, Auditing, and Visibility (Advanced)
Good logs make investigations and cleanups faster.
16.1 Enable key audit policies (Pro/Enterprise)
gpedit.msc → Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration
- Audit Process Creation: Success
- Audit Logon/Logoff: Success/Failure
- Audit Object Access (selective as needed)
- Audit Policy Change: Success/Failure
Then enable command-line logging:
- gpedit.msc → Computer Configuration → Administrative Templates → System → Audit Process Creation → Include command line in process creation events = Enabled
16.2 PowerShell logging (Advanced)
- Module logging and Script block logging (Group Policy under Administrative Templates → Windows Components → Windows PowerShell). This adds visibility into script-based attacks.
16.3 Sysinternals tools
- Autoruns: inventory and prune startup entries.
- Process Explorer: detailed process tree for investigations.
- TCPView: watch network connections.
- Sigcheck: verify file signatures and hashes.
17) RDP and Remote Access Hardening
- Disable Remote Desktop if you don’t use it:
- Settings → System → Remote Desktop → Off
- If you must use RDP:
- Require Network Level Authentication (NLA).
- Restrict RDP to a VPN; don’t expose 3389 to the internet.
- Use a non-default port only as obscurity; it is not a security control.
- Enforce strong passwords and account lockout policies.
Disable Remote Assistance:
- Control Panel → System → Remote settings → Allow Remote Assistance unchecked.
18) SMB and Legacy Protocol Hygiene
- Disable SMBv1 (obsolete and dangerous):
dism /online /norestart /Disable-Feature /FeatureName:SMB1Protocol<br> - Use modern SMB with signing where possible.
- Avoid anonymous/guest shares.
19) Daily Security Hygiene and Maintenance
Security is not a “set and forget” project. Build routines:
Weekly
- Run Windows Update.
- Perform an on-demand scan with Malwarebytes Free or Emsisoft Emergency Kit.
- Verify backups completed successfully.
Monthly
- Update all third-party apps via Patch My PC or winget upgrade --all.
- Review browser extensions and startup apps; remove anything unused.
Quarterly
- Test restore from your backup image.
- Change router admin password if shared with others or if any unusual activity was noticed.
- Export your password manager vault (encrypted) to an offline archive.
Annually
- Audit installed software; remove cruft.
- Re-evaluate your allowlisting/SRP rules and firewall exceptions.
20) Minimal, High-Trust Software Recommendations
Keep your stack lean and reputable. The following are widely used, well-maintained, and appropriate for a hardened setup:
- Core AV: Windows Defender (built-in)
- On-demand malware cleanup: Malwarebytes Free; Emsisoft Emergency Kit; AdwCleaner
- Privacy & debloat: O&O ShutUp10++; O&O AppBuster
- Password manager: Bitwarden (open-source, cloud sync) or 1Password; KeePassXC for local-only
- Backup: Macrium Reflect (Home), Veeam Agent for Windows (Free), AOMEI Backupper
- Update automation: Patch My PC; winget; Ninite
- Firewall helpers (optional): TinyWall; GlassWire
- Sysinternals: Autoruns, Process Explorer, TCPView, Sigcheck
- DNS: Quad9 or Cloudflare with DoH
- Browser: Edge, Firefox, or Brave with uBlock Origin and your password manager extension
- Document viewer: SumatraPDF (lightweight) instead of heavy, feature-ridden readers
21) Appendix: Useful Group Policy Paths (Pro/Enterprise)
- Block removable storage execution (SRP)
Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies - Audit process creation + include command lines
Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies → Detailed Tracking
and
Computer Configuration → Administrative Templates → System → Audit Process Creation - Disable AutoPlay
Computer Configuration → Administrative Templates → Windows Components → AutoPlay Policies → Turn off AutoPlay = Enabled (All drives) - Windows Update without drivers (if you prefer vendor drivers)
Computer Configuration → Administrative Templates → Windows Components → Windows Update → Do not include drivers with Windows Updates = Enabled - SmartScreen/Exploit Protection visibility (varies by build)
Computer Configuration → Administrative Templates → Windows Components → Windows Security → App & Browser protection
Note: Windows Home lacks the Group Policy Editor. For Home, set equivalent registry values only if you’re confident, or use the recommended tools that safely toggle these settings.
22) Appendix: Practical Command Snippets
- Check Defender status:
Get-MpComputerStatus
- Quick Defender scan:
Start-MpScan -ScanType QuickScan
- Update Defender signatures:
Update-MpSignature
- Disable SMBv1:
dism /online /norestart /Disable-Feature /FeatureName:SMB1Protocol
- Show all startup items (use Autoruns for GUI):
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location
23) Troubleshooting Notes and Compatibility Tips
- Memory Integrity (HVCI) won’t enable: Update or replace problematic drivers (old audio, storage, or GPU drivers are frequent culprits).
- Controlled Folder Access blocks a trusted app: Add the app as an allowed app within Ransomware Protection. Avoid turning CFA off globally.
- SRP breaks line-of-business apps: Loosen path rules in a targeted way (e.g., allow %LOCALAPPDATA%\Programs\YourApp\*). Test changes on a non-admin account before trusting them.
- Allowlisting (WDAC/SAC) too restrictive: Start in audit/evaluation mode, study logs, then enforce policies gradually.
24) Executive Checklist (Copy/Paste for Your Runbook)
- UEFI: Secure Boot, TPM, firmware password; virtualization on.
- Clean install from official ISO; wipe old partitions.
- Patch everything via Windows Update (repeat until clean).
- BitLocker/device encryption on; store recovery key.
- Create Standard User for daily use; keep a separate local Admin.
- Defender: real-time, cloud, sample submission, tamper protection on.
- SmartScreen + reputation-based protection fully enabled.
- Core isolation (Memory integrity) on; test drivers.
- Controlled Folder Access on; allow trusted apps.
- Exploit protection on systemwide; review program settings.
- File extensions visible; hidden items optional.
- Browser hardened; uBlock Origin + password manager; separate profiles.
- Router: new admin password; WPA3/WPA2-AES; remote admin off; firmware updated.
- System DoH and secure DNS configured.
- Remove bloat; disable unneeded services.
- Optional: SRP/WDAC/SAC allowlisting after testing.
- Office macros disabled; Protected View on.
- AutoPlay off; scan USBs; SMBv1 disabled.
- Patch third-party software with Patch My PC or winget.
- Backups on a schedule (3-2-1); test restores quarterly.
- Enable key audit policies (Pro/Enterprise); consider Sysinternals tools.
Conclusion
If you perform only the basics—full disk encryption, Windows Security tuned correctly, SmartScreen and Controlled Folder Access turned on, strong passwords with a password manager, a hardened browser, and reliable backups—you’ve already outpaced the vast majority of Windows users for both security and resilience.
Layer in allowlisting (SRP/WDAC/SAC), exploit mitigations, system-wide encrypted DNS, and routine maintenance, and you’ve built a workstation that is genuinely hard to compromise. Most attacks today rely on misconfiguration, weak passwords, macros, outdated software, and users running as admin. This guide removes those easy wins for attackers.
Lock it down now, while the system is clean—and keep it that way with steady, predictable maintenance. Your future self will thank you the day something goes wrong and you restore a clean image in minutes, instead of rebuilding from scratch again.
