- CREATE A RECOVERY DRIVE
Sure, your Windows 10 installation is working fine now, but if it ever fails to start properly, you’ll be grateful you have a recovery drive handy. Booting from this specially formatted USB flash drive gives you access to the Windows Recovery Environment (WinRE), which you can use to fix most common startup problems.
You need a USB flash drive. It should be at least 512 MB in size for a bare recovery drive and at least 8 GB if you also want to include Windows installation files.
You’ll find a shortcut to the Recovery Drive desktop app on Start, under the Windows Administrative Tools heading, or you can search for it. In either case, you’ll need to provide an administrator’s credentials to run the tool.
- SECURE YOUR USER ACCOUNT
If you use a local account, your sign-in credentials are stored locally, and there’s no way to provide a second factor for authentication.
By contrast, signing in with a Microsoft account or an Azure Active Directory account (such as the account you use for an Office 365 Business or Enterprise subscription) means you can set up two-factor authentication (2FA) that requires external confirmation from an app on your trusted mobile device.
Both types of accounts are free. If you’re worried about privacy, set up a new Microsoft account for use exclusively for this purpose, and don’t associate the @outlook.com address with any other service.
To set up 2FA for a Microsoft account, sign in at https://account.live.com/proofs. That page displays the options shown here: You can turn on two-step verification, configure a mobile authenticator app, and manage trusted devices, among other tasks.
(That’s just one of several handy shortcuts for managing a Microsoft account. For more, see Windows 10 tip: Take control of Microsoft account security and privacy settings.)
To manage security settings for an Azure AD account, go to https://portal.office.com/account, select Manage Security and Privacy, and follow the links under the Additional Security Verification heading. (To bookmark that page, use this link: https://account.activedirectory.windowsazure.com/Proofup.aspx.)
Finally, if you have the hardware to support it, turn on Windows Hello. The options for facial recognition and fingerprint identification are available under Settings > Accounts > Sign-in Options.
- TURN ON BITLOCKER DRIVE ENCRYPTION
Encrypting every drive that contains personal data is a crucial security step. Without encryption, anyone who steals that device can mount the drive in an operating system of their choosing and siphon the data away with ease. With encryption, getting to your data requires an encryption key that is effectively uncrackable.
Full-strength BitLocker encryption requires a Trusted Platform Module (TPM) chip and a business edition of Windows. On modern portable PCs running Windows 10 Home, you can enable device encryption if you’re signed in with a Microsoft account. This option protects the contents of the system drive but does not allow encryption of any secondary drives.
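One way to confirm what is actually encrypted, run from an elevated PowerShell prompt. This is an added example, not part of the original article: it uses the built-in Get-Tpm and Get-BitLockerVolume cmdlets, assumes the BitLocker PowerShell module is installed, and the function name Get-EncryptionAudit is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: report TPM readiness and BitLocker coverage for every volume.
# Get-EncryptionAudit is a hypothetical helper name; Get-Tpm and
# Get-BitLockerVolume are built-in cmdlets (assumes the BitLocker module is installed).

function Get-EncryptionAudit {
    $tpm = Get-Tpm
    [pscustomobject]@{
        Target = 'TPM'
        Pass   = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        Detail = "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
    }

    foreach ($vol in Get-BitLockerVolume) {
        $status     = "$($vol.VolumeStatus)"      # e.g. FullyEncrypted, FullyDecrypted
        $protection = "$($vol.ProtectionStatus)"  # On, Off or Unknown
        $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        $problems = @()
        if ($status -ne 'FullyEncrypted') { $problems += "volume is $status" }
        # Encrypted but protection Off means BitLocker is suspended: the volume
        # key is readable from disk until protection is resumed.
        if ($protection -ne 'On') { $problems += "protection is $protection" }
        # Without a recovery password, a TPM or firmware change can lock you out.
        if ($protectors -notcontains 'RecoveryPassword') {
            $problems += 'no recovery password protector'
        }

        $detail = "encrypted; protectors: $($protectors -join ', ')"
        if ($problems.Count -gt 0) { $detail = $problems -join '; ' }

        [pscustomobject]@{
            Target = "$($vol.MountPoint) ($($vol.VolumeType))"
            Pass   = ($problems.Count -eq 0)
            Detail = $detail
        }
    }
}

$report = Get-EncryptionAudit
$report | Format-Table -AutoSize -Wrap
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'At least one check failed; see the Detail column.'
}
```

Secondary data drives appear as separate rows, so a system drive that passes alongside a data volume reported as FullyDecrypted is easy to spot.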
- CONFIGURE WINDOWS UPDATE
The good news is Windows 10 includes automatic, cumulative updates that ensure you’re always running the most recent security patches. The bad news is those updates can arrive when you’re not expecting them, with a small but non-zero chance that an update will break an app or feature you rely on for daily productivity.
On Windows 10 Pro, you can defer both types of updates.
If you’d rather let the rest of the world test each month’s security and reliability updates before you OK the install, you should be running Windows 10 Pro or Enterprise, not Home. With those business editions, you can defer updates by up to 30 days.
After you complete a Windows 10 upgrade, the first thing you should do is go to Settings > Update & Security > Windows Update and click Check for updates. Install any available updates, including updated drivers.
Next, on the Windows Update page in Settings, click Change active hours to specify your normal work hours (a window of up to 18 hours), when you don’t want to be interrupted by updates. Then click Advanced options and set your deferral periods for monthly quality updates. Note that you must be signed in as an administrator to see the options shown here, and these options are not available if you are running a Windows 10 Insider preview build.
I recommend setting a reminder in your calendar program for the second Tuesday of each month, the day on which Microsoft releases security updates for Windows. When you receive that reminder, you can choose to manually install the updates, or snooze the reminder and perform the task a few days later. Automatic updates won’t download and install until the deferral period you specify has passed.
(I also recommend that you open the Store app and click the three dots in the upper right corner, then click Downloads and updates to install any available app updates. Windows 10 will update those apps automatically, but you can speed up the process by checking manually.)
- REVIEW PRIVACY SETTINGS
By default, Microsoft collects a substantial amount of diagnostics information as you use Windows 10. That information is, according to Microsoft’s privacy policies, used exclusively for personalizing your experience with Windows and “to help [Microsoft] provide a secure and reliable experience.”
You can’t turn off the telemetry feature completely, but you can choose to send only a limited amount of data on your Windows 10 usage. To do so, go to Settings > Privacy > Diagnostics & Feedback and change the setting under the Diagnostic Data heading from Full to Basic. (Here, too, you must be running as an administrator, and this option is set to Full and can’t be changed if you’re running an Insider preview release.)
- CONNECT OTHER ACCOUNTS
The Microsoft account or Azure AD credentials that you use to sign in to Windows allow you to connect to apps using the same credentials. That makes it especially easy to get your email and schedule using the built-in Mail & Calendar app.
Adding these accounts to Windows 10 makes it easier to sign in when needed.
If you have additional accounts (especially Office 365 and Gmail accounts), now is a good time to add them to Windows so that they’re available for use within apps as well. If you need to use two-factor authentication for those accounts, you can do it once here and avoid hassles later. Connecting your Office 365 account, for example, allows you to add that account to Microsoft Outlook and configure OneDrive for Business without having to enter a password or supply a 2FA prompt.
To add accounts, go to Settings > Accounts > Email & Accounts and click Add an account. Note that your options here include specific choices for Office 365, Google, Yahoo, and iCloud accounts.
- FINE-TUNE ACTION CENTER SETTINGS
One of the signature features in Windows 10 is the Action Center, a pane that appears on the right side of the display when you swipe in from the right on a touchscreen or click the notifications icon at the far right of the taskbar.
For a portable PC, I recommend customizing the Quick Action buttons at the bottom of the Action Center pane. Hide any buttons you don’t use, and make sure the four buttons you use most often are available in the top row so that you can get to them when the full set of buttons is collapsed to a single row.