Last updated: June 2026

Windows 11 tips and tricks: 15 hidden features + complete B2B guide

Windows 11 is far more than a new user interface. For businesses it is a complete security platform with built-in encryption, centralised device management, and advanced threat detection. Microsoft's Digital Defense Report 2024 shows that over 99 percent of compromised accounts lacked multi-factor authentication — a feature built into Windows 11 and Microsoft 365. For SMBs, correct configuration of Windows 11 is not optional: it is the foundation of IT security.

This guide covers two audiences. IT managers and decision-makers in businesses will find a complete B2B section on access control, BitLocker, Intune, Defender, and group policy. Individuals and employees who want to use Windows 11 more efficiently will find the 15 most useful hidden features further down.

Windows 11 for businesses in 2026: what does it mean in practice?

Windows 11 was designed with the zero-trust model as its foundation — a principled approach where no device, user, or application is automatically trusted, even if it is inside the network. This differs from Windows 10, where perimeter security (a firewall around the network) was the dominant thinking.

NSM Basic Principles for ICT Security 2.1 (updated 2024) identifies four fundamental categories: identity and access management, endpoint security, application control, and maintenance. Windows 11 addresses all four with built-in tools — but they must be enabled and configured. The NorSIS Threat Landscape 2025 shows that Norwegian SMBs are among the most frequently hit by cyber incidents, precisely because basic available measures have not been implemented.

A technical requirement that distinguishes Windows 11 from its predecessor: TPM 2.0 (Trusted Platform Module). This is a dedicated security chip that stores encryption keys and verifies system integrity at startup. TPM 2.0 is a prerequisite for BitLocker, Credential Guard, and Secure Boot. Most PCs manufactured after 2018 have TPM 2.0, but it may be disabled in BIOS/UEFI and must then be enabled manually.

Access control and multi-factor authentication (MFA)

The Verizon Data Breach Investigations Report 2025 shows that compromised credentials are involved in over 50 percent of all data breaches. Multi-factor authentication (MFA) is the single most effective measure for stopping these attacks — and it is built into Windows 11 with Microsoft 365.

In Windows 11 with Microsoft 365 Business or Enterprise, Microsoft Entra ID (formerly Azure Active Directory) is the central identity service. The most important configuration points:

• MFA for all users — Microsoft Authenticator app, SMS, or hardware key (FIDO2). Microsoft recommends the Authenticator app over SMS, as SMS-based MFA is vulnerable to SIM-swapping attacks.
• Conditional access — policies that define what conditions are required for access. Example: require MFA from all locations, but block access from countries where the business does not operate.
• Privileged Identity Management (PIM) — administrator rights are granted only when needed, with time limits and approval requirements. Prevents a compromised admin account from causing unlimited damage.
• Windows Hello for Business — passwordless authentication with PIN, facial recognition, or fingerprint, cryptographically bound to the device. More secure than passwords and more convenient for daily use.

Datatilsynet (the Norwegian Data Protection Authority) emphasises in its information security guidance that GDPR Article 32 requires "adequate technical and organisational measures" to protect personal data. MFA and access control are mentioned explicitly as examples. A business that loses portable devices without MFA-protected accounts and without encryption may face a notifiable breach with potentially significant fines.

BitLocker: Encrypting your business data

A lost or stolen laptop without disk encryption is a notifiable personal data breach — Datatilsynet requires notification within 72 hours. BitLocker solves this problem: all data on the drive is encrypted with AES 256-bit, and without the correct key (stored in the TPM or Entra ID) the data is completely unreadable to whoever finds the device.

NSM Basic Principles for ICT Security 2.1 classifies encryption of mobile devices and portable workstations as a fundamental security measure. For businesses subject to GDPR that handle personal data, BitLocker is not optional.

How to enable BitLocker manually:

1. Open Settings → Privacy & security → Device encryption. If simple encryption is supported, it can be enabled directly here.
2. For full control: search for "BitLocker" in the Start menu and select Manage BitLocker. Click "Turn on BitLocker" for the desired drive.
3. Choose how to store the recovery key: save to Microsoft account (individual users) or save to Entra ID (businesses with Microsoft 365 — recommended).
4. Encryption runs in the background and takes from 15 minutes to several hours depending on disk size and amount of data.

With Intune you can enforce BitLocker encryption via compliance policies — devices without encryption are automatically blocked from company resources. Recovery keys are stored centrally and are available to the IT administrator in the Intune portal when needed. This is the gold standard for businesses with more than five devices.

Microsoft Intune: Centralised device management

Intune is Microsoft's Mobile Device Management (MDM) and Mobile Application Management (MAM) solution, included in Microsoft 365 Business Premium. With Intune, IT administrators manage all Windows, iOS, and Android devices from a single web-based console — without physically visiting individual machines.

What Intune can enforce automatically:

• Compliance policies — define requirements such as BitLocker enabled, screen lock after a maximum of X minutes, and minimum OS version. Devices that do not meet the requirements are marked as "non-compliant" and can be blocked from company systems via conditional access in Entra ID.
• App deployment — deploy required applications to all devices without visiting them. Install mandatory apps and block unapproved applications from business systems.
• Configuration profiles — set Wi-Fi settings, email configuration, VPN profiles, and certificates on all devices automatically upon enrollment.
• Remote wipe — delete company data from a lost or stolen device, or perform a full factory reset. Critical for fulfilling the obligation to limit the consequences of a personal data breach under GDPR.
• Windows Autopilot — new PCs configure themselves automatically the first time they connect to the internet, without the IT administrator needing to touch the device. Standardises configuration and saves significant time when onboarding new employees.

For a business with ten or more PCs, Intune is the standard tool. It is already included in the Microsoft 365 Business Premium licence most Norwegian SMBs use. Without Intune, IT administrators cannot guarantee a consistent security level across devices, and manual configuration of individual machines does not scale.

Windows Defender and Microsoft Defender for Business

Windows Defender Antivirus is built into Windows 11 and provides solid baseline protection. For businesses, Microsoft Defender for Business (included in Microsoft 365 Business Premium) is a significant step up: it adds endpoint detection and response (EDR), vulnerability assessment, and centralised management.

Key features in Microsoft Defender for Business:

• Behaviour-based detection — detects not only known threats (signature-based), but also suspicious behaviour that may indicate a new or unknown attack. Crucial for stopping zero-day attacks that have no known signatures.
• Automated incident response — Defender can automatically isolate a compromised device from the network, stop malicious processes, and roll back changes made by malware. Significantly limits the scope of damage.
• Vulnerability assessment (Threat & Vulnerability Management) — continuous mapping of outdated software, misconfigurations, and missing updates across all devices. Gives IT administrators a prioritised action list.
• Attack Surface Reduction (ASR) rules — blocks behaviour common in attacks, such as Office macros launching processes or JavaScript files downloading executables from the internet.
• Microsoft Secure Score — a combined score for the organisation's security level with concrete recommendations for improvement. An easy way to track progress and communicate security status to management.

The NorSIS Threat Landscape 2025 points out that Norwegian SMBs are increasingly targeted by sophisticated attacks that previously only hit large organisations. EDR functionality that was once considered enterprise technology is now available to SMBs through Microsoft 365 Business Premium — at a fraction of former costs. If you need help setting up and managing Defender for Business, see our IT security service.

Group policy and AppLocker: Centralised control

Group policy is Microsoft's mechanism for enforcing settings on all Windows machines in a domain (Active Directory) or via Intune for cloud-based environments. It is a powerful tool, but requires structure: too many overlapping policies make troubleshooting difficult and slow down startup.

Critical policies recommended by NSM Basic Principles 2.1:

• Password policy — minimum 12 characters, complexity requirements, maximum 90-day lifetime for privileged accounts. Remember that long passphrases are more secure than complex short passwords.
• Account lockout — lock the account after a maximum of 10 failed login attempts. Counters brute-force attacks and automated password-guessing.
• Disable unnecessary protocols — SMBv1, Telnet, and Remote Registry should be disabled where not in use. These are frequently exploited in network attacks and lateral movement.
• Firewall rules — enforce Windows Defender Firewall rules centrally. Block incoming connections on all profiles except explicitly allowed services.
• UAC (User Account Control) — keep UAC at the highest level. Prevents programs from gaining administrator rights without explicit user consent, and breaks many attack scenarios that rely on silent privilege escalation.

AppLocker (available in Windows 11 Pro and Enterprise) enables you to allowlist which applications can run on company machines. Only approved programs run — all other code is automatically blocked. This is one of the most effective measures against ransomware and other malware that infects through unknown executables. NSM Basic Principles categorises application control as a "high priority" measure in the endpoint security category.

Windows Update for Business: Update smarter

Patch management is one of the most underrated security tasks. A large proportion of successful attacks exploit known vulnerabilities for which an update has been available for weeks or months. The Verizon DBIR documents this year after year, and NSM points out in its 2025 risk report that outdated software is a recurring factor in Norwegian security incidents.

Windows Update for Business lets IT administrators:

• Configure update rings — test on a small pilot group for 7–14 days, then roll out to all other devices. Reduces the risk of an unstable update taking out the entire organisation's PC fleet.
• Set a maintenance window — updates are installed and machines restarted only in defined time slots outside working hours, e.g. between 02:00 and 05:00. Eliminates disruptive restarts in the middle of the working day.
• Enforce critical updates — NSM recommends that critical security updates be installed within 48 hours of publication. With Windows Update for Business this can be enforced as a mandatory policy.
• Reporting — overview of which devices are up to date, which are behind schedule, and which have failed — without visiting individual machines.

Configured via Intune under Devices → Windows → Update rings, or via Group Policy under Computer Configuration → Administrative Templates → Windows Components → Windows Update.

Windows 11 security checklist for businesses

Based on NSM Basic Principles for ICT Security 2.1 and Microsoft's Security Best Practices. Use the list as a practical starting point for assessing your organisation's current level:

Windows 11 for everyone: 15 hidden features you should know

Are you an individual user, or do you simply want to use Windows 11 more efficiently in your daily life? Here are 15 built-in features most people are not aware of. Everything is free and available without any extra installation.

1. Snap Layouts: Organise windows quickly

Hover over the maximise button in a window (or press Windows + Z) to bring up Snap Layouts. Choose where you want to place the window: half screen, third, or quarter. Windows then suggests what should fill the other positions.

You can also drag a window to the top of the screen to bring up the layout options. This is much faster than manually dragging and resizing windows.

2. Virtual desktops

Press Windows + Tab to see all open windows and virtual desktops. Click "New desktop" to add one. You can have one desktop for work, one for personal use, and one for a specific project.

Switch between desktops with Ctrl + Windows + left/right arrow. It is like having multiple monitors without multiple monitors. Gives you a better overview and reduces clutter.

3. Keyboard shortcuts that save time

Everyone should know these:

• Windows + E: Open File Explorer.
• Windows + I: Open Settings.
• Windows + L: Lock the PC.
• Windows + D: Show the desktop.
• Alt + Tab: Switch between open programs.
• Windows + Shift + S: Take a screenshot of a selected area.
• Ctrl + Shift + Esc: Open Task Manager directly.

Learn just three of these and you will save hundreds of clicks per week. Microsoft's official list of keyboard shortcuts has a complete overview.

4. Focus Assist: Avoid distractions

Focus Assist silences notifications so you can concentrate. Go to Settings, System, Focus. You can set up rules for when focus sessions activate automatically, for example during presentations or between specific times of day.

You can also start a focus session manually from the clock in the taskbar. Set a timer and work undisturbed. Notifications wait patiently until you are done.

5. Clipboard history

Press Windows + V to see the last items you have copied. Not just the most recent, but the last 25. Text, images, and links. You can also pin items you use often, such as an email address or standard text.

The feature must be enabled the first time you use it. Windows will ask automatically. Say yes. You will wonder how you managed without it.

6. Dynamic Lock: Automatic locking

Connect your phone to your PC via Bluetooth, and enable Dynamic Lock under Settings, Accounts, Sign-in options. The PC locks itself automatically when you walk away with your phone. Perfect in an office environment.

It takes approximately 30 seconds after the Bluetooth connection is lost. Not a replacement for locking manually in sensitive environments, but a good safety net.

7. Widgets: Quick overview

Press Windows + W to open the widgets panel. Here you can see weather, calendar, stocks, news, and more. Customise which widgets are shown by clicking the gear icon.

Widgets are most useful for quick information without opening an app. If you do not use them, you can hide the widgets button from the taskbar by right-clicking.

8. Night light: Protect your eyes

Night light reduces blue light from the screen in the evening. Go to Settings, System, Display, and enable Night light. Set it to turn on automatically at sunset. Your eyes will thank you.

9. Quick access to emoji and special characters

Press Windows + period (.) to open the emoji panel. Here you also find special characters, GIFs, and kaomoji. Useful when writing email or messages and you need a special character without having to look it up.

10. Power settings for performance

Go to Settings, System, Power & battery. Change the power mode to "Best performance" when plugged in. The default setting is Balanced, which throttles the CPU to save energy. On a desktop PC there is no reason not to choose full performance.

11. Customise the taskbar

Right-click the taskbar and select "Taskbar settings". Here you can remove the search bar (use the Windows key instead), hide the Copilot button, Task View, and anything else you do not use. A clean taskbar gives you a better overview.

12. Storage Sense: Automatic cleanup

Under Settings, System, Storage you find Storage Sense. Enable it and Windows automatically deletes temporary files, recycle bin contents, and old downloads. You choose how often and what should be cleaned up.

13. Dictation: Speak instead of type

Press Windows + H to start dictation. Windows types what you say. It works surprisingly well. Useful for long emails or when you want to give your fingers a rest.

14. Move windows between displays

If you have two monitors, you can drag windows between them. But did you know you can hold Windows + Shift + arrow to move the active window to another display without dragging? Much faster.

15. Use search for everything

Press the Windows key and start typing. Search finds programs, settings, files, and web results. You never need to hunt through folders or menus. Want to open Bluetooth settings? Press Windows, type "bluetooth", and press Enter. Done.

Windows Central has updated guides and news about Windows 11 for those who want to learn more.

Summary

Windows 11 is a robust platform for both personal and professional use. For businesses, the key is to enable and configure the security tools already in the platform — BitLocker, Intune, Defender, and MFA — rather than investing in overlapping third-party solutions. For individuals, the 15 tips above give the best return on effort. If you need help setting up Windows 11 securely in your business, Datafolka can help.