Follow ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
- Windows Defender offers several optional protections.
- Some security settings are disabled by default.
- Enable extra settings one at a time to avoid conflicts.
Protecting your Windows PC against security threats is critical. You want to make sure your personal files aren’t vulnerable to viruses, malware, and other threats. But how do you best defend yourself, your computer, and your data?
Third-party security tools are always an option. Some are free; others are paid. Some offer basic protection; others provide additional features to tackle more advanced threats. Alternatively, Microsoft’s own built-in Windows Defender can track down viruses and other dangers.
Also: Is turning off Windows Security a bad idea in 2026? A PC expert’s bottom line
In a recent Learning Center post, Microsoft argued that Defender is usually sufficient as long as you keep the default protections turned on, regularly install the latest security updates, and you’re careful about where and how you download software. Extra security software might be in order if you want other services, such as identity monitoring or parental controls.
Yes, Windows Defender does include most of the features you’d expect in a security tool. And the key ones are all enabled by default. But that doesn’t mean you should simply forget about the program as it runs in the background. To get the best protection, you should also activate a few additional options.
I run third-party security on my main Windows systems. But I use Defender on my test PCs and my virtual machines. And that’s where I try to set up each instance of Windows with the maximum security available. With that in mind, here are five ways to make sure Windows Defender is fully defending you.
Windows Defender is available in both Windows 10 and 11, with many of the settings the same across both versions but with some differences. I’m going to cover the steps in Windows 11.
How to make sure Windows Defender is protecting you
To get started, go to Settings, select Privacy & security, choose Windows Security, and then click the button for Open Windows Security. The resulting screen shows eight different areas to explore. Now, let’s dive in.
Windows Defender includes a form of ransomware protection known as Controlled folder access. The purpose is to prevent malicious or suspicious programs from changing sensitive files in certain folders. These are files that an attacker could potentially compromise through unauthorized access. Sounds useful. Yes, but this option is disabled by default. That’s because it can block legitimate apps from accessing files in the protected folders.
Still, if you’re concerned about the threat of ransomware, this one is worth trying. If any legitimate programs can’t access your protected files, you can always disable it.
Also: Still on Windows 10? Here’s what Microsoft Defender can and can’t do for you
At the Security at a glance page, select the category for Virus & threat protection. Scroll down the page to the section for Ransomware protection and click the link for Manage ransomware protection. At the next screen, turn on the switch for Controlled folder access. Click the link for Protected folders to see a list of all the covered folders. These include the key folders under your user profile, as well as your local OneDrive storage. Here, you can also manually add a folder that you want to protect.
A malicious program could potentially load unsafe drivers and infect the Windows kernel with harmful code. To prevent this type of compromise, Windows Defender includes a feature called Memory integrity. Here, Windows uses virtualization to ensure that such drivers and code are safe before they’re run. This is another feature turned off by default, mainly because of possible conflicts with older drivers.
However, this is another option worth turning on, especially if you’re using relatively new hardware. If you want to try it with an older PC and hardware, you can always turn it off if you run into conflicts.
Also: The best antivirus software for Windows 11 in 2026: Expert tested and reviewed
To set this up, select the category for Device security. In the section for Core isolation, click the link for Core isolation details. At the next screen, turn on the switch for Memory integrity. You’ll then be prompted to reboot your PC for the change to take effect.
Ever install software that tries to sneak in certain add-ons? Sometimes those add-ons can be harmless. Other times, they could contain malware, adware, crypto miners, or other risky content. Another Windows Defender setting called Reputation-based protection guards Windows against PUAs (potentially unwanted applications). If you attempt to install a PUA, Defender will alert you so that you can decide whether or not to proceed.
Also: My 5-step security checklist for every new Windows PC
For this one, select the category for App & browser control. In the section for Reputation-based protection, click the link for Reputation-based protection settings. Scroll down the next screen to the section for Potentially unwanted app blocking. You can choose to block apps, downloads, or both. Just turn on the switch to block both of them.
Windows Defender offers another setting that aims to block untrusted or suspicious apps. Known as Smart app control, this one works a bit differently than Reputation-based protection. Smart app control is stricter and more granular, as it blocks potentially malicious or unsigned files on a binary or code level. Microsoft describes this as a form of protection against new and emerging threats. This one is also different in the way it may be activated.
Select the category for App & browser control. Under Smart app control, click the link for Smart app control settings. The setting can be in one of three states — Off, On, or Evaluation. In Evaluation mode, Smart app control attempts to determine if it can be of assistance and then automatically turns itself on. If not, then it’s supposed to automatically turn itself off.
Also: How to check your Windows PC for expiring security certificates – a big one is ending soon
This is a tricky one, as I’d like to let Defender figure out whether to automatically turn this setting on or off. I tend to take the initiative and turn it on. However, this one can get in your way if you download or install a lot of files from unfamiliar sources. As always, if you find Smart app control too intrusive, turn it off.
Some sophisticated and advanced malware could tamper with your security settings to skirt past them. To guard against this type of exploit, Windows Defender provides a setting called Tamper protection. This one prevents malicious apps from compromising key security settings and features, ensuring that they can’t be disabled or modified.
Also: Protect your PC as you turn it on – how to enable secure boot in Windows 11
This one may already be turned on, but you should still check. Select the category for Virus & threat protection. Under Virus & threat protection settings, click the link for Manage settings. Scroll toward the bottom of the page and turn on the switch for Tamper protection if it’s off.
If these settings are important, then why does Microsoft disable them by default? That’s a good question. And it’s because some of them could trigger false positives or prevent you from easily opening legitimate apps or files. For that reason, I recommend turning on one setting at a time.
Also: You can fix most Windows 11 issues by double checking these 4 settings first
Live with the setting enabled for a week or longer. If all goes smoothly and you’re able to work without any interference or other hiccups, then try one of the other settings. If you find that any one setting is interfering with your regular Windows activities, you can easily disable it.
