The 20-minute Windows 11 security check (2026), turn on ransomware protection, block risky sign-ins, and clean up app permissions

If your Windows 11 PC feels “fine,” that’s usually when it’s most exposed. Ransomware doesn’t wait for you to notice anything. Account takeovers often start with one odd sign-in you dismiss. Apps keep permissions long after you stop using them.

This Windows 11 security check is a quick tune-up you can do in about 20 minutes on common builds like 23H2 and 24H2 (and newer 2026 updates). It sticks to built-in tools, no risky registry edits, no mystery “cleaners,” and no guesswork.

Minutes 0 to 7: Verify Microsoft Defender is on, updated, and scanning

Microsoft Defender is your baseline. If it’s off, outdated, or easy to tamper with, everything else is harder.

1) Confirm real-time protection, cloud protection, and Tamper Protection

1. Open Windows Security (Start, type “Windows Security”).
2. Go to Virus & threat protection.
3. Select Manage settings under “Virus & threat protection settings.”
4. Turn on (or verify it’s on):
   • Real-time protection
   • Cloud-delivered protection
   • Automatic sample submission
   • Tamper Protection

On some PCs you’ll see an admin prompt (UAC). If your device is managed by work or school, some switches may be locked. If you use a third-party antivirus, Defender’s real-time protection may show as disabled by design.

For deeper detail on what always-on scanning covers, see Microsoft’s documentation on Defender real-time protection. For the setting that stops malware from quietly changing your security configuration, Microsoft also explains Tamper Protection.

2) Run a Quick scan (and don’t skip it)

1. In Windows Security go to Virus & threat protection.
2. Select Quick scan.

A quick scan is like checking the doors and windows, it won’t inspect every attic box, but it catches the common stuff fast. If you’ve had pop-ups, browser redirects, or a new “helper” extension you don’t remember installing, run Scan options → Full scan later when you’re not using the PC.

3) Optional, check Smart App Control (2026-friendly toggle)

On many Windows 11 systems, Smart App Control can block untrusted apps before they run.

1. Windows Security → App & browser control
2. Look for Smart App Control settings

In early 2026 updates, Microsoft made this easier to switch without a full reinstall on supported systems. If you rely on niche tools, set aside time to test, since blocking can surprise you.

Minutes 7 to 14: Turn on ransomware protection (Controlled folder access) and set a recovery path

Ransomware doesn’t “steal” your files first. It often locks them in place. Your goal is to block file tampering and make recovery boring.

1) Enable Controlled folder access (CFA)

1. Open Windows Security.
2. Go to Virus & threat protection.
3. Under “Ransomware protection,” select Manage ransomware protection.
4. Turn on Controlled folder access.

What it blocks: untrusted apps from changing files in protected folders. That includes many ransomware behaviors, but it can also block legitimate apps that write to Documents or Pictures in unusual ways.

If you want the technical background and management options, Microsoft documents CFA in Enable controlled folder access. For a plain-English walkthrough with extra screenshots, this guide on Controlled Folder Access in Windows 11 is helpful.

2) Add folders that actually matter to you

In Windows Security → Virus & threat protection → Manage ransomware protection:

1. Select Protected folders
2. Choose Add a protected folder
3. Add folders you use for work or finance (for example, a tax folder, invoicing, client docs)

Don’t protect your whole drive. CFA is meant to guard high-value folders, not everything.

3) Allow a blocked app (when you trust it)

If CFA blocks something you need (common with older accounting tools, some game launchers, and custom editors):

1. Go to Windows Security → Virus & threat protection → Manage ransomware protection
2. Select Allow an app through Controlled folder access
3. Choose Add an allowed app, then pick the exact app (.exe)

Safety note: don’t “allow” an app just because a pop-up annoyed you. If you’re unsure, cancel and update the app first.

4) Make sure you have a backup you can reach

CFA helps prevent damage, but backups are what save you when something slips through.

1. Go to Settings → Accounts → Windows backup
2. Turn on what fits your setup (folders, settings, credentials where available)
3. If you use OneDrive, confirm folder backup inside OneDrive settings (Desktop, Documents, Pictures)

If you’re running a small business, add one offline copy too (an external drive you disconnect when done). Cloud plus unplugged storage is harder for ransomware to ruin in one pass.

Minutes 14 to 20: Block risky sign-ins, harden your PC login, and clean up app permissions

Most “hacks” start as logins, not Hollywood malware. You can cut off a lot of trouble by tightening sign-in and trimming what apps can do.

1) Check your Microsoft account for risky sign-ins and unknown devices

If you sign into Windows with a Microsoft account:

1. Go to account.microsoft.com in your browser
2. Open Security
3. Review Recent activity (look for countries, devices, or times you don’t recognize)
4. If anything looks wrong:
   • Change your password to a long passphrase you haven’t used elsewhere
   • Turn on Microsoft Authenticator or another MFA method
   • Remove devices you don’t recognize in your account’s device list
   • Use “sign out everywhere” if offered, then sign back in on your own devices

Small-business note: If you use Microsoft 365 with Entra ID, your admin may also review risk signals and unblock accounts. Microsoft describes this workflow in Remediate risks and unblock users.

2) Harden Windows sign-in (Hello, timeout, Dynamic Lock)

1. Go to Settings → Accounts → Sign-in options
2. Set up Windows Hello (Face, Fingerprint, or PIN). Use a PIN you don’t reuse anywhere else.
3. Under “Additional settings,” set If you’ve been away, when should Windows require you to sign in again? to Every time
4. Turn on Dynamic lock (pairs with your phone’s Bluetooth) if it fits your routine

On some 2026 builds, Enhanced sign-in security appears here too, including support for some external fingerprint readers. If you see it, enable it and re-check Hello.

3) Clean up app permissions and background access

Over time, apps collect “forever permissions.” Trim them.

1. Go to Settings → Privacy & security
2. Review, then switch off anything you don’t use:
   • Location
   • Camera
   • Microphone
   • Contacts and Call history (if present)
3. For per-app detail, Microsoft’s guide to Windows app permissions is a solid reference, and this page on Windows privacy settings that apps use helps you spot common toggles.

Then reduce what runs when you’re not looking:

1. Settings → Apps → Startup, turn off apps you don’t need at boot
2. Settings → Apps → Installed apps, uninstall anything you don’t recognize or never use
3. For individual apps, open Installed apps → (three dots) → Advanced options, then limit background activity where Windows offers the control

Quick final verification checklist (30 seconds)

• Windows Security shows no active threats
• Defender Real-time, Cloud-delivered, and Tamper Protection are on
• Controlled folder access is on, and your key folders are protected
• You can name your backup location (OneDrive and or offline drive)
• Microsoft account Recent activity looks normal, MFA is enabled
• Windows requires sign-in immediately after sleep, Hello is set
• Startup list is trimmed, and sensitive permissions (camera, mic, location) are limited

Conclusion

This 20-minute tune-up doesn’t make you bulletproof, but it does make you harder to hit and easier to recover. The biggest wins are simple: keep Defender locked on, protect the folders that matter, and shut down sketchy sign-ins before they turn into a week-long mess. If you only do one thing after this, keep Controlled folder access and MFA enabled, then schedule a monthly check so security stays a habit, not a panic.