(These settings are pre-configured in the case of managed HSLU/PHLU devices.)
1) Updates
Activate the automated Windows updates to always remain at the latest security level. These monthly Windows updates fix many known vulnerabilities. Once the updates have been installed, your computer is protected from these security gaps.
Also make sure to activate automated updates of any installed applications. Application software is just as vulnerable and therefore also requires regular updates to protect the system from current threats.
2) Antivirus Software
Antivirus software protects your computer from known viruses and therefore must be active on every device. In the case of Windows 10, an antivirus software is pre-installed by default in the shape of Windows Defender. However, you may choose to rely on antivirus software by third party providers.
3) Windows Firewall
Activate your Windows Firewall to protect your device from unauthorised access. The Windows Firewall automatically blocks incoming network connection attempts and offers the possibility to filter incoming and outgoing connections. The default activated Windows Firewall increases the security of any Windows system.
4) Backups
Make regular backups of your local data and system preferences. In case of an emergency, a backup may be used to restore a previous system status or to restore individual files. Regular backups are an elementary data security measure. Always store your backups on an external drive and keep it in a secure location.
5) User Account Control (UAC)
Activate the Windows UAC feature. UAC is part of the Windows Security System, which prevents applications from making changes to the system. UAC prevents malware from damaging it. UAC ensures that applications and tasks always run in the security context of a non-administrator account (unless an administrator explicitly enables administrative systems access). UAC can block automated installations of non-authorised applications and prevent inadvertent changes to the system preferences. If a software attempts to make changes to system-relevant parts of the registry or file system, windows displays a UAC confirmation box for the user to confirm or reject the changes.
6) User Management
Work with a standard user account exclusively and avoid working with admin rights. Given administrators’ extended rights, admin user accounts are more vulnerable than standard user accounts. Malicious code is mostly executed with standard user rights - in a standard user account it has fewer opportunities to inflict damage than within an admin user account.
In addition, always make sure to choose adequately complex and secure passwords.
7) Cortana
Cortana is a digital assistant with voice recognition. It is generally active in the background. In order to produce adequate (i.e. personalised) results for search requests, Cortana accesses data such as recent Bing searches, browser history, diary entries, phone book contacts, emails and locations or routes taken. All this data is sent to Bing, which constitutes a threat to user privacy. In addition, Cortana can be linked to a specific Microsoft account to facilitate personalisation. Fully deactivate Cortana if possible.
8) Data Protection & Privacy
Many Windows features are activated by default and therefore continually send data to Microsoft. This is a threat to user privacy. Deactivate all types of access (data protection options) found in the data protection settings in order to minimise the data volume sent to Microsoft.
9) Hidden File Extensions
If file extensions such as txt, doc, docx, exe, cmd are not displayed by default, certain files will be able to camouflage themselves. A file without file extension may be a malicious (executable) file, which might go unnoticed if file extensions are not displayed. This is why you should enable the display of known file extensions.
10) Use Secure Network Connections
Only use known and secure networks to connect with your computer. Hackers may use public hotspots and similar networks to access your data. The Windows 10 Wi-Fi optimization function simplifies connecting with public Wi-Fi networks, which are generally deemed unsafe. It is therefore crucial you deactivate Wi-Fi optimization.
For detailed information about the settings discussed above and about complementary settings, refer to the document "Sicherheitseinstellungen Windows 10".