How to set up new Windows 11 computer securely?

What do you want advice about?
I will be buying a new computer for college and it is a requirement to use Windows 11 Pro on the computer. I would like to have the computer set up in a secure way as it will be a “fresh start” from the current one I have been using for 8 years. I already use lots of open-source software like Firefox, Filezilla, ShareX, and Bitwarden among others I forgot the name of. I have heard about how uBlock Origin can also be used like NoScript and load different websites (like twitter.com/* to nitter.net/*). I have also heard of people using standard accounts with an admin account made so the password has to be entered every time something changes to the system.

What have you considered or looked at already?
I have tried searching for resources about setting up Windows securely but all that shows up is how to set up windows with secure boot. I also found a tool from ChrisTitusTech but I am unsure if it is good to use.

In brief, tell us about your privacy threat model?
My threat model is to keep as much information and data as I don’t want to share as far away from individuals and companies while sectioning off areas on the internet (EX: internet social, real-life social, work social). If it is possible to host the information myself, I would generally do it unless it is a core target like Email hosting.

Here’s what I do, on pretty much every personal Windows install.

I want to install Windows without an internet connection, and MS Account (even Pro requires it now). With a little effort this can still be done.

  1. Completely unplug your device from the internet. No Ethernet or WiFi.
  2. Go through the setup until it wants to connect to the internet.
  3. Press “Shift + F10”
  4. In the command prompt type “OOBE\BYPASSNRO”. This will make the installer go to the legacy OOBE (Out Of Box Experience).
  5. Finish setup, before finally connecting to the internet.

Once setup is done, I install:

  1. Run a privacy.sexy script. Though, I do find o&oShutup10++ to be better, for some things… it is proprietary, though.
  2. Portmaster = This is your FOSS firewall, and DNS resolver. It does have issues with some VPNs, check that here.
  3. VPN of choice.
  4. Configure and run HardenTools. This is pretty much one of the best FOSS security tools I’ve found. Be careful, it can make the system a pain to use if it’s a personal PC. Think before you click.
  5. ThisIsWin11 = A FOSS Windows tweaker.

Then install whatever else is needed. You should have pretty darn good privacy and security on Windows. It’s not the best setup, but as far as I’m aware, it’s the best you’ll get on Windows.


With privacy.sexy, should I use the “strict” mode? Also, even with the suggested fixes I cannot seem to get Mullvad VPN working when using Portmaster.

Some settings to tweak:

Source: The new oil - desktop settings
PS: these settings were intended for W10 however I believe you may still find some useful info.

  • System: Notifications & actions: Show notifications on the lock screen: Off
  • System: Shared experiences: Share across devices: Off
  • Devices: Typing: Everything off
  • Devices: AutoPlay: Off
  • Phone: Do not link
  • Network & Internet: Wi-Fi: Use random hardware addresses: On
  • Apps: Apps & features: Uninstall anything you don’t use
  • Apps: Apps & features: Default apps: Email: Thunderbird; Music player: VLC; Photo viewer: ImageGlass; Video player: VLC; Web browser: Brave/Firefox
  • Accounts: Sign-in options: Require sign-in: When PC wakes up from sleep
  • Accounts: Sign-in options: Password: Use a passphrase
  • Accounts: Sign-in options: Privacy: Show account details on sign-in screen: Off
  • Privacy: General: All off
  • Privacy: Speech: Online speech recognition: Off
  • Privacy: Inking & typing personalization: Getting to know you: Off
  • Privacy: Diagnostics & feedback: Diagnostic data: Required diagnostic data
  • Privacy: Diagnostics & feedback: Improve inking & typing recognition: Off
  • Privacy: Diagnostics & feedback: Tailored experiences: Off
  • Privacy: Activity history: Send my activity history to Microsoft: Off
  • Privacy: App permissions: Review each setting and disable accordingly
  • Update & Security: Windows Security: Open Windows Security: Virus & Threat Protection: All protections on
  • Update & Security: Windows Security: Open Windows Security: Firewall & Network Protection: All firewalls on
  • Update & Security: Backup:
  • Download WindowsSpyBlocker and run it. Select option 1 “Telemetry,” then option 1 “Firewall,” and finally options 1 and 2, “Add extra rules,” and “Add spy rules.” After that’s done, type “back” to go back to the previous menu, then select option 2 “NCSI,” then select either option 2 or option 3, “Apply Debian NCSI” or “Apply Firefox NCSI.”
  • If you don’t plan to use a VPN, then I encourage you to use an Encrypted DNS Resolver. Follow these instructions to change your DNS. Select “Encrypted preferred, unencrypted allowed” if the option is available. If the option is not available, the rest of the steps should still apply.
  • Advanced users who want more granular control and feel comfortable making extreme changes may want to look into W10Privacy and Bulk Crap Uninstaller to remove additional, pre-installed bloatware and Portmaster or Simplewall for additional firewall controls to block outgoing connections and further reduce data collection by Microsoft and other third parties.
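An added example (not from the thread or from The New Oil): a read-only PowerShell audit that checks whether a subset of the toggles in the list above are actually set, by reading the registry values behind them. The key paths, value names and expected values are my assumptions about where Windows 10/11 stores each setting; confirm them on your build before trusting the report.

```powershell
# Added example, not part of the original post. Audits some of the privacy toggles
# listed above by reading their backing registry values. Read-only: it reports
# drift and never writes. Paths/values are assumptions; verify on your build.
# Run from an elevated PowerShell so the HKLM policy entries are readable.

$checks = @(
  @{ Name='Show notifications on lock screen: Off'
     Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings'
     Value='NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK'; Want=0 }
  @{ Name='Share across devices: Off'
     Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP'
     Value='RomeSdkChannelUserAuthzPolicy'; Want=0 }
  @{ Name='AutoPlay: Off'
     Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
     Value='DisableAutoplay'; Want=1 }
  @{ Name='Online speech recognition: Off'
     Path='HKCU:\SOFTWARE\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy'
     Value='HasAccepted'; Want=0 }
  @{ Name='Inking & typing personalization: Off'
     Path='HKCU:\SOFTWARE\Microsoft\InputPersonalization'
     Value='RestrictImplicitTextCollection'; Want=1 }
  @{ Name='Tailored experiences: Off'
     Path='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy'
     Value='TailoredExperiencesWithDiagnosticDataEnabled'; Want=0 }
  @{ Name='Diagnostic data: Required only (policy key)'
     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
     Value='AllowTelemetry'; Want=1 }
  @{ Name='Send activity history to Microsoft: Off (policy key)'
     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
     Value='UploadUserActivities'; Want=0 }
)

$checks | ForEach-Object {
    # A missing value means the Windows default applies, which is usually the
    # data-sharing setting, so report it separately rather than as OK.
    $actual = Get-ItemPropertyValue -Path $_.Path -Name $_.Value -ErrorAction SilentlyContinue
    $state = if ($null -eq $actual) { 'NOT SET' }
             elseif ($actual -eq $_.Want) { 'OK' }
             else { 'DRIFT' }
    [pscustomobject]@{ Setting = $_.Name; Expected = $_.Want; Actual = $actual; State = $state }
} | Format-Table -AutoSize
```

Re-run it after a feature update; these toggles are known to get reset, and a row flipping from OK to DRIFT is the quickest way to notice.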

If you’re using privacy.sexy, I’d advise not using the Presets. At the very least go through the options, and see what you’re doing. Each option is categorised, and they have notes/links for more information. Yes, it can take a while, but once you’re done, you’re done. You can copy/paste the file on any machine, and the script will just run. You only need to create the file the one time.