Podcast Summary: Hands-On Windows 159 – Microsoft's Silent Security Updates
Host: Paul Thurrott
Release Date: September 25, 2025
Podcast Network: TWiT.tv
Theme: Mid-year Windows 11 Security Checkup—Hidden Security Features & Practical Tips
Episode Overview
In this episode, Paul Thurrott provides a follow-up security checkup for Windows 11 users, spotlighting important security features that aren't enabled by default. He details what these options do, how to activate them, and why users should take the extra steps for improved protection. Paul also shares personal experiences, practical tips, and highlights subtle but useful security tweaks that often go unnoticed.
Key Discussion Points & Insights
1. Why Revisit Windows 11 Security?
- Security is an evolving area, with new features and updates rolling out throughout the year.
- Many built-in Windows 11 security protections aren't enabled by default but can make a significant difference in safety.
2. Three Important Windows 11 Security Features Most Users Never Turn On
A. Smart App Control
- Location: Windows Security > App & browser control > Smart App Control settings
- What It Does: Blocks apps that are unsigned or that Microsoft's cloud reputation service predicts to be unsafe. On a clean install it starts in an evaluation mode, watches which apps you run, and then switches itself on (if it would rarely get in your way) or off (if it would).
- Quirk: Once it is off, the toggle is greyed out and the supported way back is a clean install of Windows; Paul points to a registry key as the workaround.
- Tip: Most users benefit from leaving Smart App Control on for extra protection against malicious or unsigned apps.
- Paul's Note:
"The weird thing about this particular feature is that, as you can see, this is all grayed out. So I can't actually go back and re-enable this. You can Google this. There's actually a registry key you can change." (05:32)
- Developer Impact: Hits Visual Studio users particularly hard, since freshly built, unsigned binaries are exactly what it blocks; apps can fail to launch or shut down part-way.
- Recommendation: Keep it on unless you routinely run unsigned, self-built, or test software.
B. Ransomware Protection
- Location: Windows Security > Virus & threat protection > Ransomware protection
- Default State: Off (Controlled folder access is not enabled)
- How It Works:
- For consumers, Microsoft's main built-in answer is OneDrive backup, which lets you restore files after an attack.
- Controlled folder access adds local protection: only apps Microsoft rates as trusted, or that you allow explicitly, can write to the protected folders (Documents, Pictures, Videos, Music, Desktop and Favorites by default, plus any you add), and untrusted apps are also kept from writing to disk sectors and protected memory areas.
- Paul's Insight:
"In my experience, this has never been problematic. ...This one to me should be enabled and you can do that easily." (09:13)
- Speculation: Paul suspects Microsoft's privacy posture is part of why it isn't on by default.
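Paul says Controlled folder access has never been a problem for him, but a practitioner rolling it out on a machine with unusual software will want the staged version: audit first, read the Defender event log, then enforce. The script below is an added example, not code from the episode or from Microsoft. It uses the built-in Defender cmdlets (Set-MpPreference, Add-MpPreference, Get-MpPreference) and must run in an elevated PowerShell; the folder and application paths are placeholders to replace with your own.

```powershell
# Added example: staged rollout of Controlled Folder Access (CFA).
# Run elevated. Paths passed to Start-CfaAudit below are placeholders.
#Requires -RunAsAdministrator

function Start-CfaAudit {
    param(
        [string[]]$ExtraFolders = @(),   # folders to protect beyond the defaults (Documents, Pictures, ...)
        [string[]]$AllowedApps  = @()    # full paths of apps that legitimately write into protected folders
    )
    # AuditMode: nothing is blocked, but each write an untrusted app would have been denied is logged.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
    if ($ExtraFolders.Count -gt 0) { Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraFolders }
    if ($AllowedApps.Count -gt 0)  { Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps }
}

function Get-CfaEvents {
    param([int]$MaxEvents = 50)
    # Defender operational log: 1124 = write that audit mode would have blocked,
    # 1123 = write actually blocked once enforcement is on.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Enable-CfaEnforcement {
    # Switch from audit to block once the log shows only writers you expect (or nothing at all).
    Set-MpPreference -EnableControlledFolderAccess Enabled
}

function Get-CfaState {
    $p = Get-MpPreference
    $mode = switch ([int]$p.EnableControlledFolderAccess) {
        0 { 'Disabled' }
        1 { 'Enabled' }
        2 { 'AuditMode' }
        3 { 'BlockDiskModificationOnly' }
        4 { 'AuditDiskModificationOnly' }
        default { "Unrecognized ($_)" }
    }
    [pscustomobject]@{
        Mode             = $mode
        ProtectedFolders = $p.ControlledFolderAccessProtectedFolders
        AllowedApps      = $p.ControlledFolderAccessAllowedApplications
    }
}

# Day 1: audit, protecting one extra folder and pre-allowing a backup tool (placeholder paths).
Start-CfaAudit -ExtraFolders 'D:\Projects' -AllowedApps 'C:\Tools\backup\backup.exe'
Get-CfaState | Format-List

# After a few days of normal use: review what audit mode saw, then enforce.
Get-CfaEvents | Format-List
# Enable-CfaEnforcement
```

A 1124 event naming an app you trust means it needs an entry in the allowed-applications list before you enforce, or it will start failing silently once CFA blocks it. Keep in mind that CFA guards only the listed folders; OneDrive backup (the episode's other half of "ransomware protection") is what gives you recovery for everything else.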
C. Administrator Protection
- Location: Windows Security > Account protection (appearing with the Windows 11 24H2/25H2 updates; Microsoft's name for it is "administrator protection")
- Default State: Off
- Function:
- Your account runs with a standard-user token at all times. When something needs admin rights, Windows asks you to authenticate with Windows Hello and runs that one task under a separate, system-managed admin account, then drops the rights again. In practice this replaces UAC's click-through consent pop-ups with more frequent and heavier Hello prompts.
- Addresses the reality that most home users run as administrators, so anything they launch can gain admin rights after a single consent click.
- Warning for Developers:
"If you're doing anything with Visual Studio or writing apps or whatever you're doing software development wise, do not enable this. This will be horrible." (12:42)
- Long-Term Outlook: Paul expects it to become the default eventually, as Microsoft moves gradually toward stricter controls.
3. Biometric Security Enrollment Improvements
- Location: Settings > Accounts > Sign-in options
- Options: Windows Hello facial recognition (needs an infrared-capable camera) and fingerprint recognition.
- Accuracy Tip:
- Use "Improve recognition" to re-enroll your face with and without glasses.
- For fingerprints, enroll the same finger more than once to improve recognition.
- Paul's Practical Advice:
"If you do that twice or more often, that will actually, in my experience anyway, improve that reliability as well." (17:25)
4. Seamless Two-Factor Codes with Phone Link
- Feature: Phone Link mirrors your phone's notifications to the PC, so SMS verification codes appear on screen as they arrive.
- How It Helps:
- No retyping: click the code to copy it, then paste it into the website or app.
- Caveat: this is a convenience, not a security upgrade. SMS remains the weakest second factor (SIM swapping, phishing relays), so prefer an authenticator app or a passkey wherever a site offers one.
- Demo Moment:
"The nice thing about getting it on your computer is that you get this little box down here, we can click it to copy it to the clipboard." (20:05)
- Setup Note: Generally on by default once the phone is linked and notification sync is allowed; the behaviour can be adjusted in Phone Link's notification settings.
5. General Security Tips & Reminders
- Sign in with a Microsoft account: several of the built-in protections (BitLocker recovery-key escrow, OneDrive file recovery, Phone Link) depend on it.
- Keep the default app-source restriction (Settings > Apps > Advanced app settings > Choose where to get apps) and Edge's SmartScreen protections turned on.
- Device encryption (BitLocker) is on by default on new Windows 11 installs when you sign in with a Microsoft account, and the recovery key is saved to that account; confirm it under Settings > Privacy & security > Device encryption and keep a copy of the recovery key somewhere safe.
- Many other protections already kick in automatically, but a few worthwhile extras need manual activation.
Notable Quotes & Memorable Moments
- On odd feature defaults: "It's just things that I don't know why it's not like this by default, but you can make that fix yourself and then have a more secure version of Windows." (25:17)
- On Microsoft's privacy contradiction: "Microsoft always violates your privacy without telling you. But then when you can see that they're using something that might be private, they tend to have a control up and or they don't enable that feature by default for some reason." (09:52)
- On developer impact: "This is an even bigger problem than Smart App Control, especially if you're doing software development... do not enable this. This will be horrible." (13:04)
Timestamps for Important Segments
- [01:20] – Start of security feature walkthrough
- [03:35] – Smart App Control overview & re-enabling tips
- [09:00] – Ransomware Protection explained
- [12:40] – Administrator Protection: Who should (and should not) use it
- [16:00] – Face & fingerprint recognition enrollment tips
- [19:35] – Phone Link 2FA code copy feature demonstration
- [23:50] – Recap and summary of recommendations
Conclusion
Paul Thurrott highlights three Windows 11 security features that most users overlook (Smart App Control, Ransomware Protection, and Administrator Protection), explains how to turn them on, and adds tips for getting the most out of Windows Hello and Phone Link. The result: practical ways to quietly improve your Windows security with a few tweaks.
Action Steps:
- Audit these security features on your machine
- Enable as suits your workflow and privacy preferences
- Regularly revisit security settings for new options in Windows updates
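The first action step, auditing these features on your own machine, is quicker from a shell than by clicking through Windows Security. The function below is an added example, not code from the episode or from Microsoft. It is read-only and reports the four settings the episode covers. The registry locations for Smart App Control (VerifiedAndReputablePolicyState under HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy) and Administrator Protection (TypeOfAdminApprovalMode under the UAC policy key) are the values commonly documented for those features; treat them as assumptions and cross-check the Windows Security app on your build. Run it elevated so the BitLocker query works.

```powershell
# Added example: read-only posture check for the features discussed in this episode.
# Registry value names and their meanings are assumptions based on common documentation;
# verify against the Windows Security app on your build.

function Get-Win11SecurityPosture {
    # Smart App Control. Assumed mapping: 0 = Off (cannot be re-enabled from the UI), 1 = On, 2 = Evaluation.
    $sac = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' `
                -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
    $sacText = if ($null -eq $sac) { 'Unknown (value absent)' } else {
        switch ([int]$sac) { 0 { 'Off' } 1 { 'On' } 2 { 'Evaluation' } default { "Unrecognized ($_)" } }
    }

    # Controlled Folder Access, via the Defender module.
    $mp = $null
    try { $mp = Get-MpPreference -ErrorAction Stop } catch { }
    $cfaText = if ($null -eq $mp) { 'Unknown (Defender cmdlets unavailable)' } else {
        switch ([int]$mp.EnableControlledFolderAccess) {
            0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' }
            3 { 'BlockDiskModificationOnly' } 4 { 'AuditDiskModificationOnly' }
            default { "Unrecognized ($_)" }
        }
    }

    # Administrator Protection. Assumed mapping for the UAC policy
    # "Configure type of Admin Approval Mode": 1 = legacy UAC, 2 = with Administrator protection.
    $apm = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                -Name TypeOfAdminApprovalMode -ErrorAction SilentlyContinue).TypeOfAdminApprovalMode
    $apText = if ($null -eq $apm) { 'Off (value absent)' } else {
        switch ([int]$apm) { 2 { 'On' } 1 { 'Off (legacy UAC)' } default { "Unrecognized ($_)" } }
    }

    # BitLocker / device encryption on the system drive. Needs elevation and the BitLocker module.
    $bl = $null
    try { $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop } catch { }
    $blText = if ($null -eq $bl) { 'Unknown (run elevated; BitLocker module required)' } else {
        "$($bl.ProtectionStatus) ($($bl.VolumeStatus), $($bl.EncryptionPercentage)% encrypted)"
    }

    [pscustomobject]@{
        SmartAppControl         = $sacText
        ControlledFolderAccess  = $cfaText
        AdministratorProtection = $apText
        SystemDriveEncryption   = $blText
    }
}

Get-Win11SecurityPosture | Format-List
```

Anything reporting Off or Disabled here is a candidate for the checkup above; anything reporting Unknown means the query could not read the setting (usually a non-elevated shell or a build that stores the value elsewhere), not that the feature is off. Note that Smart App Control showing Off is the one result you cannot fix from this list, per the quirk described under section A.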
Find more from Hands-On Windows and the TWiT network at TWiT.tv.