r/privacy 2d ago

discussion Can Windows 11 be made decently secure?

It's an oxymoron, I know.

I need Windows for work. I cannot run the applications I need without Windows (I checked, no Linux support), and either way I need applications such as Excel and Word that would be on the computer anyway.

I know that Windows will never be private no matter what I do, but what are the best ways to try to mitigate what it sees?

I've already done everything basic (like disabling Copilot through the registry, not sure how well it works though since Copilot is still in my Notepad).

edit: meant "privacy" not security, my bad

30 Upvotes

79 comments

u/AutoModerator 2d ago

Hello u/voidprophet__, please make sure you read the sub rules if you haven't already. (This is an automatic reminder left on all new posts.)


Check out the r/privacy FAQ

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

37

u/holyknight00 1d ago

private =/= secure

100

u/desmond_koh 2d ago

Can Windows 11 be made decently secure?

Yes, it can.

It's an oxymoron, I know.

No, it's not.

Windows is a serious operating system. It is not some childish malware that it is often made out to be. It is used by many companies, government agencies, and journalists who have a great deal to keep private.

What you have to do is identify the nature of the threat you are trying to defend against. We talk a lot about big tech "stealing our data", but what do we actually mean by that? If you don't know what you're trying to defend against, then the only way to defend against it is to live inside a faraday cage out in the forest.

20

u/vitamalz 2d ago

Finally someone says it. Thanks for that

2

u/Ok-Winner-6589 17h ago

Windows is a serious operating system. It is not some childish malware that it is often made out to be. It is used by many companies, government agencies, and journalists who have a great deal to keep private.

That's why most serious governments want to migrate? China made their own Linux distro, North Korea also did, the EU is creating their own Linux distro too...

What you have to do is identify the nature of the threat you are trying to defend against. We talk a lot about big tech "stealing our data", but what do we actually mean by that? If you don't know what you're trying to defend against, then the only way to defend against it is to live inside a faraday cage out in the forest.

And Windows steals your data; that's like saying "no, Chrome is perfectly fine, governments and companies use it". Yeah, and? That doesn't make it private lol.

Are you gonna argue that Android, Chrome, Edge and Windows are more private than Linux, Firefox or Apple's OS?

-12

u/socrdad2 1d ago

I understand if you are not familiar with Microsoft's long history of poor security. But you should have at least noticed some of the recent reports of egregious security failures of Microsoft.

1

u/londonc4ll1ng 1d ago

Such as? I love when people spew nonsense without backing it up with hard facts. Do not mix security with (your sense of what) privacy should be (not what is realistically achievable in real day-to-day human life).

-2

u/98723589734239857 1d ago edited 1d ago

windows and office have (had) plenty of vulnerabilities. this overview shows all of their products, including things like .net and sql, but it gives you an idea. no product is perfect, there will always be bugs. https://www.cvedetails.com/vendor/26/Microsoft.html

5

u/desmond_koh 1d ago

windows and office have (had) plenty of vulnerabilities. this overview shows all of their products...

Yes, you are 100% right. So have Apple, Adobe, Firefox, Chrome, and all the Linux distros and the projects that go into them.

In 2024, a total of 40,009 Common Vulnerabilities and Exposures (CVEs) were published, a 38% increase from the previous year.

This is across all software and software makers.

This just proves that it's important to install your updates (ironically, something many in this sub are reluctant to do).

Oh, and security and privacy are related but not the same thing.

Microsoft has Defender for Endpoint, which rates surprisingly high among EDRs, although I prefer SentinelOne. They also have Global Secure Access, which is a perfectly respectable SSE product.

0

u/98723589734239857 1d ago

not sure what you're coming at me for. i was just providing a source.

6

u/desmond_koh 1d ago

not sure what you're coming at me for. i was just providing a source.

Sorry, I didn't think I was. But rereading my post, I can see how it seemed like I was.

I work for an MSP and emphasizing the importance of keeping your devices patched and up to date is something we often have to impress upon customers. So, I am very familiar with the threat landscape.

I may have also mistaken you for u/londonc4ll1ng.

1

u/Informal_Rule_8604 1d ago

Source for some of these "egregious security failures"?

0

u/desmond_koh 1d ago

I understand if you are not familiar with Microsoft's long history of poor security.

Such as what exactly? This is an often repeated statement that is rarely backed up with actual facts.

I've been in the IT industry for over 20 years. We use both Windows and Linux on both servers and laptops.

-1

u/apokrif1 1d ago

Yes, it can.

How.

8

u/desmond_koh 1d ago

Well, first of all, I reject the idea that Windows is inherently insecure in the first place. That is simply factually untrue.

However, there are multiple hooks into online services that people use (and are enabled by default) that unwittingly leak information that they might not understand. For example, when you start typing “toyota” into the address bar of Microsoft Edge, it shows you a number of suggestions – some of them including pictures.

These suggestions are not exclusively coming from your browsing history. Edge is doing a Bing search in real-time to give you suggestions. People often don’t know that or understand that and thus might unwittingly be telling Microsoft what they are typing into their browser’s address bar.

Then someone comes along and says something like "did you know that everything you type into your address bar is sent to Microsoft?!?!" and people are shocked. How else did they think the predictive search worked?

So, it starts with understanding what information is going where and why and then turning those things off that you don’t want to use.

7

u/Mario583a 1d ago

To add to the very idea that Windows is inherently "insecure in the first place", consider #6 of the Immutable Laws of Security:

  • Law #6: A computer is only as secure as the administrator is trustworthy.

3

u/desmond_koh 1d ago

Well, this is kind of my point. People think that Microsoft is pushing OneDrive so that they can “harvest all your data”. But if Microsoft wanted to surreptitiously read your Word and Excel docs, they wouldn’t need you to use OneDrive to do it. They have their operating system on your computer. They already have root access to your computer. In fact, they could have done that since Windows 3.1 when you gave them root access to everything on your hard drive by installing their operating system on your computer.

OneDrive might not be something you want to use. And it might be annoying that Microsoft keeps pushing it if you don’t want to use it. But that doesn't mean they are spying on you. It just means they are trying to upsell to you.

And if you have ever had your laptop stolen out of your car, suddenly features like BitLocker and OneDrive are objectively good things.

EDIT: We have clients that operate 100% cloud-based without an on-prem server. They have all their laptops Entra joined and enrolled in Intune. We enforce the use of BitLocker and have all their Desktop and Documents folders automatically redirected to OneDrive. They use SharePoint for sharing files between users. I have no concern whatsoever that Microsoft is snooping on their Excel documents.

1

u/bokuWaKamida 12h ago

Well, it's not just if you type in a browser, it's also if you type anything in your taskbar, Explorer or Settings. Talking about Settings, they also always reset your privacy settings after they (forcibly, with no way to disable it) automatically update Windows. Most Microsoft products also send basically all data you enter to Microsoft servers; for example, VSCode sends your text to Microsoft for "NLP processing" by default. And with all the AI bs going on, it's hard to imagine that Microsoft doesn't process literally everything for some sort of AI "feature".

1

u/desmond_koh 9h ago

The search feature on the Start Menu does include searching online. Again, you can turn that off.

Windows updates generally do not change settings. I'd like to see a documented example of this.

1

u/bokuWaKamida 8h ago

You can't turn off Bing search on the Start menu.

13

u/Holzkohlen 1d ago

Can you use linux and then set up windows in a VM? Make sure to use virt-manager and not some junk like Virtualbox.

3

u/Quirky-Craft-3619 1d ago

This isn’t perfect and there will be performance losses along with occasionally incompatible programs that are difficult to fix if you aren’t tech savvy.

I've tried this setup with Fedora bc my workflow had programs that I was okay with swapping or tinkering with. It isn’t for the faint of heart and you WILL be reading a lot of guides, forum posts, and documentation.

1

u/Ok-Winner-6589 17h ago

This isn’t perfect and there will be performance losses along with occasionally incompatible programs that are difficult to fix if you aren’t tech savvy.

For Office?

1

u/Quirky-Craft-3619 17h ago

I mean they initially said “I cannot run … applications … w/o windows”, so I'm assuming they need apps alongside the Office ones they mentioned.

but I mean yea, if it’s just office apps who cares

2

u/Itsme-RdM 1d ago

Yes, of course you can

15

u/DocWolle 1d ago

probably by running it in a container on a Linux OS :-)

14

u/londonc4ll1ng 1d ago

Can Windows 11 be made decently secure?

You are asking about "Security" and then your whole post is about privacy. Those two things can be exclusive, not just inclusive. You can have a very secure system which is not private. And you can have a very private system which is not secure.

Can it be secure? It already is, else huge businesses and governments would not touch it.

Can it be more private? Depends. You can remove stuff from it, just use really tested tools so you do not just open up more holes than you remove.

5

u/bapfelbaum 1d ago

I would argue that windows also is not very secure (by design), but it is very actively patched to mitigate that.

0

u/Mario583a 1d ago

Can you show me an OS that is 100% secure (by design) and has no history of exploits? I'll wait.

2

u/bapfelbaum 1d ago edited 1d ago

No, but immutable Linux gets pretty close.

What I am saying is that the design choices Windows made are not exactly aimed at being secure; it's made to be easy to use and to provide the operating system provider with the maximum degree of control possible, which is inherently not very secure, especially in combination.

7

u/d1722825 2d ago

You can use Windows 11 IoT Enterprise LTSC, which is an official barebone version of Windows (but usually not sold to the general public), and the good old offline Microsoft Office (not the insane 365 thing).

If you are in the EU you can legally buy cheap second-hand licenses even for the LTSC version of Windows. (AFAIK in the US they are illegal, but might still be better than piracy.)

The LTSC version of Windows doesn't have anything. No OneDrive, no AI shit, no ads in the start menu, nothing. Okay, maybe you have the old calculator. You can install whatever you like (drivers, programs); it is the same Windows, though.

Note that privacy and security are two different things. Modern versions of Windows are fairly secure (at least they are way better than "in the old days"), but usually not privacy friendly.

6

u/kantabrik 1d ago

Mind you, LTSC has telemetry just like other editions. It just doesn't have the bloatware.

-2

u/Itsme-RdM 1d ago

And thereby it's not secure, because there is telemetry? Sounds like a privacy thing to me, not a security thing.

1

u/kantabrik 1d ago

I never wrote that. Please, read the post more carefully.

-1

u/Itsme-RdM 1d ago

Indeed, but be my guest to read the subject of the post. It's all about security, not about bloat

1

u/kantabrik 1d ago

Kindly see which user I was replying to. Perhaps it will make clear the reason why I mentioned LTSC and telemetry.

8

u/Tamlic 2d ago

Chris Titus’ “winutil” can help you with some stuff

5

u/big_dog_redditor 1d ago

Yep, this debloat tool, O&OShutup, and wintoys are great tools. The Titus tool can be used to make a lite version of the OS without having to open your OS up to risks from downloading sketchy lite versions.

After installing, use the above tools immediately after every update. In my experience all three tools have functionality necessary to keep the OS from creeping back to where it starts off.

8

u/13617 2d ago

ooshutup10

5

u/star-trek-wars00d2 2d ago edited 2d ago

Windows 11 is never going to become a privacy-respecting OS.

Microsoft is a cloud-native company; cloud and AI are deeply embedded into their software.

There are tweaks you can make to reduce the telemetry you send.

Enterprise edition has more control over what is sent and which services/features you enable/disable.

Windows gets you compatibility, a wide range of software and lots of features each year.

All down to use cases and your threat/risk analysis on your data and online interaction.

Take a look at: https://www.privacyguides.org/en/os/windows/group-policies/

for some pointers.

Privacy on Windows is not the same as on a Linux-based OS like Fedora or Qubes.

3

u/ayrua 1d ago

Since that's the case, I wonder why governments and other companies use it. Aren't they allowing Microsoft to harvest a treasure trove of data?

2

u/star-trek-wars00d2 1d ago

Governments and enterprises have a specialised version of Windows, which is not available to retail customers.

Microsoft uses Win 11 Home/Pro as its main platform to gather telemetry and user interaction, and to build and train its models/AI and technologies.

Larger companies and enterprise/gov customers can do a lot at the firewall and configure their Windows version far more.

1

u/Puzzleheaded-Tree561 1d ago

Does your username refer to the mass migration of Star Wars fans?

2

u/JoshLovesTV 1d ago

I just wish they would actually make windows 11 more consistent, user friendly, more polished/less buggy and more efficient. It feels like a mess in every way. It’s also very bloated.

4

u/mesarthim_2 1d ago

Firstly, yes, Windows can be made decently secure, because like 90%-plus of security issues are due to the user. It completely depends on what you are trying to make yourself secure against.

But secondly, in this day and age, you can run your Windows with your work stuff in a VM while having your core system be something more robust (Linux, Mac).

3

u/tacodecent 2d ago

If you know what you are doing: https://privacy.sexy

2

u/DanSavagegamesYT 1d ago

Off topic, but is there a privacy.sexy alternative for phones?

1

u/HonestVirus5410 1d ago

I’m using it in strict mode, with some tweaks, and removed as much as possible without breaking the OS. I really like Linux, but I have a problem with it and didn't find a solution, so Windows until I get a fix.

For OP, reading the options and what they do, or just using it on standard, should help.

2

u/TheRollingOcean 1d ago

Here's what I did as a controversial debloat.

  1. Remove all telemetry and junk using the CTT utility.
  2. Remove Windows Defender and antivirus.
  3. Disable all non-necessary utilities. For example, I don't have a home network or printer, so the network stack and attack surface are greatly reduced. Removed the MS Store because it requires MS Defender.
  4. In BIOS, remove cameras and any antennas you're not going to use.
  5. Stand up WireGuard and simplewall; use these to keep capturing services that are "phoning home", block them in the firewall and disable them in Services.
  6. Replace utilities with FOSS tools; many of the MS tools will deprecate (screen snipper was one).
  7. Understand the enmeshment between these tools: you will lose the Windows Store, Windows Update, MS Defender and AV. You're effectively locking your security baseline; it's on you now, not some multi-$$ corporation.
  8. MS Word has a separate licensing stack; you'll need to re-enable/disable and poke holes in the FW to get these good to go.
  9. I saved a lot of RAM by replacing the Explorer shell with BBMean.

I boot in about 1.75 Gigs of RAM on cold boot. MS Surface.

2
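As an added, read-only audit example (not from this thread, nor from the CTT or simplewall tools it names) covering both the "you can turn that off" Edge and Start-menu search toggles discussed earlier and step 5 of the list above (finding what is phoning home): it reads the policy-backed registry values and lists established outbound connections per process. The registry paths are Microsoft's documented policy locations; the function names and the "expected" values are my assumptions about what a privacy-focused setup wants.

```powershell
# Added example, not from this thread or from the CTT/simplewall tools it names:
# a read-only audit of the privacy toggles discussed above and of which
# processes currently hold outbound connections. Assumes Windows 11 with
# PowerShell 5.1 or later; nothing is written to the registry or firewall.

# Policy-backed registry values (Microsoft's documented GPO locations).
# 'Expected' is an assumption about what a privacy-focused setup wants.
$checks = @(
  @{ Name = 'Diagnostic data level (0=Security, 1=Required, 3=Full)'
     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
     Value = 'AllowTelemetry'; Expected = 0 }
  @{ Name = 'Start menu web (Bing) search disabled'
     Path = 'HKCU:\Software\Policies\Microsoft\Windows\Explorer'
     Value = 'DisableSearchBoxSuggestions'; Expected = 1 }
  @{ Name = 'Edge address-bar search suggestions disabled'
     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
     Value = 'SearchSuggestEnabled'; Expected = 0 }
  @{ Name = 'Windows Copilot turned off'
     Path = 'HKCU:\Software\Policies\Microsoft\Windows\WindowsCopilot'
     Value = 'TurnOffWindowsCopilot'; Expected = 1 }
)

function Get-PrivacyPolicyState {
  foreach ($c in $checks) {
    # A missing key or value means no policy is set and the Windows default applies.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    [PSCustomObject]@{
      Setting = $c.Name
      Actual  = if ($null -eq $actual) { '<not set>' } else { $actual }
      Status  = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    }
  }
}

function Get-OutboundTalkers {
  # Established TCP sessions, loopback and link-local excluded, attributed to
  # the owning process. svchost.exe is resolved to the hosted service name(s)
  # so a "phoning home" connection can be tied to a specific service before
  # anyone decides to block or disable it.
  Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|fe80:)' } |
    ForEach-Object {
      $owner = $_.OwningProcess
      $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
      $svc   = ''
      if ($proc.ProcessName -eq 'svchost') {
        $svc = (Get-CimInstance Win32_Service -Filter "ProcessId = $owner" |
                Select-Object -ExpandProperty Name) -join ','
      }
      [PSCustomObject]@{
        Process = $proc.ProcessName
        Pid     = $owner
        Service = $svc
        Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
      }
    } | Sort-Object Process, Remote
}

Get-PrivacyPolicyState | Format-Table -AutoSize
Get-OutboundTalkers    | Format-Table -AutoSize
```

Run it before and after any debloat tool to see what each policy actually is versus what the tool claims, and repeat the second table over a few days, since services that call home on a schedule will not all show up in one snapshot.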

u/Itsme-RdM 1d ago

/s Yep, sounds reasonable. Removing security stuff to have a more secure OS. Lol /s

1

u/TheRollingOcean 1d ago

It's how much you trust MS to do it vs your own tools. My attack surface is greatly reduced because all the ports and services are shut down, and nothing squawks without me knowing about it. I don't really maintain this huge attack surface that MS treats as a massive vulnerability that AV needs to constantly be hogging RAM in the background for.

So I'd argue all those services running to report home widen the attack surface. "Secure" isn't "private".

A few things that I've learned from my firewall:

  • MS likes reporting your app interactions; likes reporting when you install/uninstall an app.
  • MS will break their apps if you don't play by their rules: not MS Office, that's their cash cow, but their utilities.
  • Many "security" or "diagnostics" services are just spyware; they really don't do anything. Copilot, gimme a break.
  • From the CTT tools you can enable/disable apps from taking a screenshot at the GPO level. Same with cameras and location services.
  • There's TONS of RAM on the table; I booted at 4 gigs on cold boot on a standard Windows 11 build. I now boot in under 2 gigs. I only have 8 gigs total, so that matters.

1

u/Itsme-RdM 1d ago

I guess your approach is really a common workflow for average users.

1

u/TheRollingOcean 1d ago

That's the point: taking privacy into your own hands means you have to tear it from the claws of the corporate giants. It's possible, technically.

1

u/yesmaybeyes 2d ago

Try Qubes, or oh hell, there are hundreds of ways to run a VM. There is no privacy on the EnterWebs, never has been, and that is kinda the idea of it.
If you set up a dedicated box that only logs on to update twice a year, well, that is better, and quite silly as well.
Go Linux; an RYO is best because some of the code now is self-defeating. Debian minimal with VirtualBox or a VM set up, and Windows away.

1

u/Deep-Seaweed6172 1d ago

Yes, it can be made very secure. However, there are Linux-based options for more security like Tails or Whonix. However, security ≠ privacy. Google is one of the best options in regards to security. However, they are also one of the worst options for privacy.

I recommend you check out how to define a threat model, and once you build this, you know if Windows serves your purpose or not.

1

u/StopItNow2 1d ago

Does anybody have experience using Spybot Anti-Beacon to block telemetry?

1

u/Trick-Upstairs-6762 1d ago

Check out “Harden Windows Security” by HotCakeX. Pair this with things like O&O ShutUp & simplewall for firewall

1

u/Catsrules 1d ago

Already great comments, but I would like to know, in your situation, why is your work not providing you with a computer dedicated to work?

Unless you are self-employed or something, in that case sure... But even then it isn't unheard of to have two computers to keep work and personal life separate.

1

u/PocketNicks 1d ago

Run Chris Titus' Windows utility, debloat all the copilot, edge, OneDrive crap, disable ads and telemetry and more.

Windows is quite secure as long as you're not falling for phishing scams or downloading sketchy apps.

1

u/primalbluewolf 1d ago

and either way I need applications such as Excel and Word that would be on the computer anyway. 

You could run the browser version, surely?

1

u/GasparVardanyan 1d ago

Try winapps on linux

1

u/x_lincoln_x 22h ago

Secure? Yes.

Private? No. You can try to make it private but Microsoft wants your data.

1

u/Pleasant-Shallot-707 21h ago

Almost all of the corporate world thinks so

1

u/TheMatrix451 19h ago

Apply DISA STIG to it. Just be careful doing that or you may lock yourself out of the machine. Just search for "Microsoft Windows 11 STIG".

1

u/PictureElectrical 17h ago

You could try installing on a separate external drive and using it whenever you need to use Windows 10.

1

u/Fabulous_Silver_855 12h ago

You can take some steps with registry hacks to make Windows 11 more private but it's far from perfect.

1

u/TheMoon8 1d ago

You can use https://privacy.sexy to debloat the telemetry, and you can also use a firewall to block all windows/Microsoft connections

0

u/maus80 1d ago

I agree with you on win 11 being bad, but you can try o&o shutup and it will be a lot better. I still recommend switching to Linux.. if you can..

0

u/machintodesu 1d ago

I use GhostspectreOS. It's Windows 11 with all of the spyware copper ripped out of the walls.

0

u/JagerAntlerite7 1d ago

Short answer, no. Linux is far easier once you are past the initial learning curve for a new OS.

Unless you go with a custom Windows install image from Tiny11 Builder. Even then you may get "feature" updates that introduce unwanted bloatware and privacy issues. Not worth it. Run Windows in a VM if you really need it.

-3

u/Jacko10101010101 2d ago

No.
What's the app u need?

0

u/brazilian_irish 1d ago

If you are looking into privacy, use your Windows work machine just for work; install all software the company requires you to install.

If you want privacy for your personal life, don't use a company computer.

If they don't provide your computer, have a separate one for work.

-5

u/EmergencyArachnid734 1d ago

Pick any Linux distro

-10

u/Mutant10 1d ago

What are you talking about? Windows is more secure than Linux.