ZDNET’s key takeaways
- Windows Defender provides multiple optional security features.
- Certain protective settings come turned off initially.
- Turn on additional settings gradually to prevent compatibility issues.
Keeping your Windows computer safe from online dangers is essential. You need to ensure your private documents stay protected from viruses, malware, and similar risks. But what’s the most effective way to shield yourself, your machine, and your information?
External security programs are always available. Some come at no cost, while others require payment. Some deliver basic defense, while others include advanced capabilities for handling sophisticated threats. On the other hand, Microsoft’s built-in Windows Defender can detect viruses and other hazards.
In a recent Learning Center article, Microsoft explained that Defender is typically adequate as long as you keep the default protections active, consistently apply the most recent security patches, and exercise caution regarding where and how you obtain software. Additional security software may be worthwhile if you need extra features like identity monitoring or parental controls.
Indeed, Windows Defender contains nearly all the capabilities you’d anticipate in a security application. And the essential ones are all active by default. However, that doesn’t mean you should simply ignore the program while it operates in the background. For optimal security, you should also enable several supplementary options.
I use third-party security solutions on my primary Windows machines. But I rely on Defender on my testing computers and virtual machines. That’s where I aim to configure each Windows installation with the highest level of security possible. With that approach in mind, here are five methods to ensure Windows Defender is thoroughly protecting you.
Windows Defender is included in both Windows 10 and 11, with many settings shared across both versions but with some variations. I’ll walk through the steps using Windows 11.
How to ensure Windows Defender is safeguarding your system
To begin, navigate to Settings, pick Privacy & security, select Windows Security, and then press the button to Open Windows Security. The screen that appears displays eight different sections to examine. Now, let’s get started.
Windows Defender features a type of ransomware defense called Controlled folder access. Its goal is to stop malicious or suspicious applications from modifying sensitive files within specific folders. These are files that a hacker could potentially exploit through unauthorized entry. Sounds beneficial? Absolutely, but this feature is turned off by default. The reason is that it can prevent legitimate applications from reaching files in the protected folders.
Nevertheless, if you’re worried about ransomware threats, this feature is worth testing. If any trusted programs are unable to access your protected files, you can always switch it off.
On the Security at a glance screen, choose the Virus & threat protection category. Scroll down to the Ransomware protection section and select the Manage ransomware protection link. On the following screen, toggle the switch to enable Controlled folder access. Select the Protected folders link to view all the folders currently covered. These include the main folders within your user profile, along with your local OneDrive storage. From here, you can also manually include any additional folder you wish to safeguard.
A harmful program could potentially load dangerous drivers and inject malicious code into the Windows kernel. To guard against this kind of attack, Windows Defender includes a feature known as Memory integrity. With this feature, Windows leverages virtualization to verify that such drivers and code are secure before they execute. This is another capability that’s disabled by default, primarily due to potential conflicts with outdated drivers.
Still, this is another setting worth enabling, particularly if you’re working with relatively modern hardware. If you’d like to test it on an older computer and encounter any conflicts, you can always disable it.
To configure this, choose the Device security category. Under the Core isolation section, select the Core isolation details link. On the following screen, toggle the switch to enable Memory integrity. You’ll then be asked to restart your computer for the change to apply.
Have you ever installed software that attempts to bundle in extra add-ons? Occasionally those add-ons are harmless. In other cases, they might carry malware, adware, crypto miners, or other dangerous content. Another Windows Defender feature called Reputation-based protection shields Windows against PUAs (potentially unwanted applications). If you try to install a PUA, Defender will notify you so you can choose whether to continue or not.
For this setting, choose the App & browser control category. Under the Reputation-based protection section, select the Reputation-based protection settings link. Scroll down to the Potentially unwanted app blocking section. You can opt to block apps, downloads, or both. Simply toggle the switch to block both categories.
Windows Defender includes a feature designed to stop untrusted or questionable applications. Called Smart App Control, this option operates differently from reputation-based protection. It’s more precise and restrictive, blocking potentially harmful or unsigned files at the binary or code level. Microsoft positions this as a defense against new and evolving threats. It also stands out in how it gets activated.
Navigate to the App & browser control section. Within Smart App Control, select the Smart App Control settings link. The feature can be in one of three modes: Off, On, or Evaluation. In Evaluation mode, Smart App Control assesses whether it can be helpful and, if so, enables itself automatically. If not, it's designed to disable itself automatically.
This is a nuanced setting, as I’d prefer to let Defender decide whether to enable or disable it automatically. I usually take the step to turn it on myself. However, this feature might interfere if you frequently download or install files from unknown sources. As always, if Smart App Control feels too restrictive, you can disable it.
Advanced malware might try to alter your security settings to bypass them. To counter this, Windows Defender offers a feature called Tamper Protection. This prevents malicious apps from changing or disabling critical security settings and features.
This setting might already be enabled, but it’s still worth verifying. Go to the Virus & threat protection section. Under Virus & threat protection settings, select Manage settings. Scroll down the page and toggle Tamper Protection on if it’s currently off.
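The five settings above can also be read back from PowerShell, which is handy for confirming what is actually in effect after each change. This is an added example, not code from the article or from Microsoft; the helper names `Get-RegValue` and `ConvertTo-Mode` are made up for illustration, and it assumes an elevated prompt with Microsoft Defender as the active antivirus.

```powershell
# Added example: read-only audit of the five settings covered in this article.
# Nothing here changes configuration; it only reports the current state.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or value is missing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function ConvertTo-Mode {
    param($Value, [hashtable]$Map)
    if ($null -eq $Value) { return 'Not present' }
    $key = [int]$Value    # Defender reports bytes; the map keys are ints
    if ($Map.ContainsKey($key)) { $Map[$key] } else { "Other ($key)" }
}

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Memory integrity: service id 2 in SecurityServicesRunning means it is running now.
# The toggle only takes effect after the restart, so check the running state.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$memoryIntegrity = if ($dg.SecurityServicesRunning -contains 2) { 'On' } else { 'Off' }

# Smart App Control state (Windows 11 only; the value is absent on Windows 10).
$sac = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' `
        'VerifiedAndReputablePolicyState'

$onOffAudit = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Audit' }
$sacModes   = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Evaluation' }

# PuaAppBlocking reflects the "Block apps" switch only; "Block downloads"
# is a Microsoft Edge setting and is not reported by Get-MpPreference.
[pscustomobject]@{
    ControlledFolderAccess = ConvertTo-Mode $pref.EnableControlledFolderAccess $onOffAudit
    MemoryIntegrity        = $memoryIntegrity
    PuaAppBlocking         = ConvertTo-Mode $pref.PUAProtection $onOffAudit
    SmartAppControl        = ConvertTo-Mode $sac $sacModes
    TamperProtection       = if ($status.IsTamperProtected) { 'On' } else { 'Off' }
} | Format-List
```

An `Audit` result for Controlled folder access or PUA blocking means the feature is logging what it would have blocked rather than blocking it, a mode that is set from PowerShell rather than from the Windows Security toggles.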
If these settings are so important, why does Microsoft turn them off by default? That’s a fair question. The reason is that some might cause false alarms or block you from opening legitimate apps or files. For this reason, I suggest enabling one setting at a time.
Use the setting for a week or more. If everything runs smoothly without disruptions or issues, then try enabling another setting. If any setting starts interfering with your normal Windows use, you can easily turn it off.