Microsoft is adding the Enhanced Phishing Protection to the Windows 11 2022 Update (version 22H2) (opens in new tab). The feature is part of the SmartScreen technology, and when enabled, it can determine whether you typed your Windows password on an untrusted application or website. If the feature detects an insecure app or site, you will receive a warning about the risk.
The warning will include an option to change your Windows account password immediately to minimize the risks of an attacker gaining access to your account. The feature works whether you have a Microsoft Account, Active Directory, Azure Active Directory, or local password.
The Enhanced Phishing Protection can also alert you when trying to reuse the same password on other accounts since it could make it easier for attackers to gain unauthorized access to other profiles if the password gets stolen.
Furthermore, the feature can warn you not to save your passwords into a text editor like Notepad or Office apps since storing passwords in plain text without protection is unsafe.
How to enable phishing protection on Windows 11
To enable phishing protection on Windows 11 (version 22H2), use these steps:
- Open Start.
- Search for Windows Security and click the top result to open the app.
- Click on "App & browser control."
- Click the "Reputation-based protection settings" option.
- Turn on the Phishing protection toggle switch.
- Check the "Warm me about malicious apps and sites" option to allow Windows 11 to show a warning dialog when you may be on an untrusted application or website.
- Check the "Warm me about password reuse" option to prevent repeating the exact password when setting up a new account or updating credentials on an app or website.
- Check the "Warm me about unsafe password storage" option to receive a reminder that saving passwords in plain text on a text editor application is not safe.
- Sign out of your account.
- Quick note: The feature is currently available when you are signed in with a password, not Windows Hello. If you use Windows Hello (including a PIN), sign out and sign in with your password instead. It's important to note that at the time of this writing, Microsoft says that only the typed password used to log into Windows can be protected.
- Sign back in with your password.
Once you complete the steps, Windows 11 will be able to warn you about malicious sites (using Microsoft Edge or Google Chrome) and apps.
If you have also chosen the option to receive a warning of unsafe password storage, the system will show you a dialog warning when it detects that you are trying to save your Windows 11 account password in plain text on Notepad, OneNote, or in an Office app or any other text editor.
Disable Windows Hello
Since this feature only works when using a password, you would need to disable Windows Hello before the system can detect and warn you of the danger.
To disable Windows Hello on Windows 11, use these steps:
- Open Settings.
- Click on Accounts.
- Click the Sign-in options page on the right side.
- Under the "Additional settings" section, turn off the "For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device" toggle switch (if applicable).
- Click the Windows Hello setting that you use. For example, PIN (Windows Hello).
- Click the Remove button.
- Confirm your Microsoft account password.
- Click the OK button.
After you complete the steps, sign out and sign back into the account, and if you have already enabled the phishing protection feature, Windows 11 should be able to alert you when trying to use your account password on an insecure site or app.
Mauro Huculak is technical writer for WindowsCentral.com. His primary focus is to write comprehensive how-tos to help users get the most out of Windows 10 and its many related technologies. He has an IT background with professional certifications from Microsoft, Cisco, and CompTIA, and he's a recognized member of the Microsoft MVP community.
Thank you for signing up to Windows Central. You will receive a verification email shortly.
There was a problem. Please refresh the page and try again.