
These 5 critical Windows Defender settings are off by default - turn them on ASAP

ZDNet, 10 min read

Windows Defender has several security settings, including some you need to switch on to get the utmost protection. Here's why.

Written by Lance Whitney, Contributor. May 5, 2026 at 9:03 a.m. PT

ZDNET's key takeaways

  • Windows Defender offers several optional protections.
  • Some security settings are disabled by default.
  • Enable extra settings one at a time to avoid conflicts.

Protecting your Windows PC against security threats is critical. You want to make sure your personal files aren't vulnerable to viruses, malware, and other threats. But how do you best defend yourself, your computer, and your data?

Third-party security tools are always an option. Some are free; others are paid. Some offer basic protection; others provide additional features to tackle more advanced threats. Alternatively, Microsoft's own built-in Windows Defender can track down viruses and other dangers.

In a recent Learning Center post, Microsoft argued that Defender is usually sufficient as long as you keep the default protections turned on, regularly install the latest security updates, and you're careful about where and how you download software. Extra security software might be in order if you want other services, such as identity monitoring or parental controls.

Yes, Windows Defender does include most of the features you'd expect in a security tool. And the key ones are all enabled by default. But that doesn't mean you should simply forget about the program as it runs in the background. To get the best protection, you should also activate a few additional options.

I run third-party security on my main Windows systems. But I use Defender on my test PCs and my virtual machines. And that's where I try to set up each instance of Windows with the maximum security available. With that in mind, here are five ways to make sure Windows Defender is fully defending you.

Windows Defender is available in both Windows 10 and 11, with many of the settings the same across both versions but with some differences. I'm going to cover the steps in Windows 11.

How to make sure Windows Defender is protecting you

To get started, go to Settings, select Privacy & security, choose Windows Security, and then click the button for Open Windows Security. The resulting screen shows eight different areas to explore. Now, let's dive in.

1. Protect your files against ransomware

Enable Controlled folder access

Windows Defender includes a form of ransomware protection known as Controlled folder access. The purpose is to prevent malicious or suspicious programs from changing sensitive files in certain folders. These are files that an attacker could potentially compromise through unauthorized access. Sounds useful. Yes, but this option is disabled by default. That's because it can block legitimate apps from accessing files in the protected folders.

Still, if you're concerned about the threat of ransomware, this one is worth trying. If any legitimate programs can't access your protected files, you can always disable it.

At the Security at a glance page, select the category for Virus & threat protection. Scroll down the page to the section for Ransomware protection and click the link for Manage ransomware protection. At the next screen, turn on the switch for Controlled folder access. Click the link for Protected folders to see a list of all the covered folders. These include the key folders under your user profile, as well as your local OneDrive storage. Here, you can also manually add a folder that you want to protect.

2. Prevent malware from hijacking your PC

Enable Memory integrity

A malicious program could potentially load unsafe drivers and infect the Windows kernel with harmful code. To prevent this type of compromise, Windows Defender includes a feature called Memory integrity. Here, Windows uses virtualization to ensure that such drivers and code are safe before they're run. This is another feature turned off by default, mainly because of possible conflicts with older drivers.

However, this is another option worth turning on, especially if you're using relatively new hardware. If you want to try it with an older PC and hardware, you can always turn it off if you run into conflicts.

To set this up, select the category for Device security. In the section for Core isolation, click the link for Core isolation details. At the next screen, turn on the switch for Memory integrity. You'll then be prompted to reboot your PC for the change to take effect.

3. Combat adware and other unwanted apps

Enable Potentially unwanted app blocking

Ever install software that tries to sneak in certain add-ons? Sometimes those add-ons can be harmless. Other times, they could contain malware, adware, crypto miners, or other risky content. Another Windows Defender setting called Reputation-based protection guards Windows against PUAs (potentially unwanted applications). If you attempt to install a PUA, Defender will alert you so that you can decide whether or not to proceed.

For this one, select the category for App & browser control. In the section for Reputation-based protection, click the link for Reputation-based protection settings. Scroll down the next screen to the section for Potentially unwanted app blocking. You can choose to block apps, downloads, or both. Just turn on the switch to block both of them.

4. Block suspicious or malicious apps

Enable Smart app control

Windows Defender offers another setting that aims to block untrusted or suspicious apps. Known as Smart app control, this one works a bit differently than Reputation-based protection. Smart app control is stricter and more granular, as it blocks potentially malicious or unsigned files on a binary or code level. Microsoft describes this as a form of protection against new and emerging threats. This one is also different in the way it may be activated.

Select the category for App & browser control. Under Smart app control, click the link for Smart app control settings. The setting can be in one of three states -- Off, On, or Evaluation. In Evaluation mode, Smart app control attempts to determine if it can be of assistance and then automatically turns itself on. If not, then it's supposed to automatically turn itself off.

This is a tricky one, as I'd like to let Defender figure out whether to automatically turn this setting on or off. I tend to take the initiative and turn it on. However, this one can get in your way if you download or install a lot of files from unfamiliar sources. As always, if you find Smart app control too intrusive, turn it off.

5. Prevent your security settings from being disabled or modified

Enable Tamper protection

Some sophisticated and advanced malware could tamper with your security settings to skirt past them. To guard against this type of exploit, Windows Defender provides a setting called Tamper protection. This one prevents malicious apps from compromising key security settings and features, ensuring that they can't be disabled or modified.

This one may already be turned on, but you should still check. Select the category for Virus & threat protection. Under Virus & threat protection settings, click the link for Manage settings. Scroll toward the bottom of the page and turn on the switch for Tamper protection if it's off.

Tip: Enable one at a time

If these settings are important, then why does Microsoft disable them by default? That's a good question. And it's because some of them could trigger false positives or prevent you from easily opening legitimate apps or files. For that reason, I recommend turning on one setting at a time. 

Live with the setting enabled for a week or longer. If all goes smoothly and you're able to work without any interference or other hiccups, then try one of the other settings. If you find that any one setting is interfering with your regular Windows activities, you can easily disable it.
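
To see which of the five settings are on before and after you change them one at a time, a read-only PowerShell check such as the following can help. It is an added example, not part of the original article: the function name Get-DefenderHardeningState is hypothetical, and it assumes an elevated session on Windows 11 with the built-in Defender cmdlets and the Win32_DeviceGuard CIM class available.

```powershell
# Added example: read-only audit of the five settings covered in this article.
# It queries state only and changes nothing.
function Get-DefenderHardeningState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Get-MpPreference reports these settings numerically: 0 = off, 1 = on, 2 = audit only.
    # Any other value is shown as-is rather than guessed at.
    $mode = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Audit' }
    $name = { param($v) if ($mode.ContainsKey([int]$v)) { $mode[[int]$v] } else { "Other ($v)" } }

    # Memory integrity (HVCI) is running when SecurityServicesRunning contains 2.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = if ($dg -and ($dg.SecurityServicesRunning -contains 2)) { 'On' } else { 'Off' }

    # SmartAppControlState is missing on older builds; report that instead of failing.
    $sac = if ($status.PSObject.Properties['SmartAppControlState']) {
        [string]$status.SmartAppControlState
    } else {
        'Not reported'
    }

    $tamper = if ($status.IsTamperProtected) { 'On' } else { 'Off' }

    # One row per setting, in the order the article covers them.
    # PUAProtection reflects Defender's app blocking.
    @(
        [pscustomobject]@{ Setting = 'Controlled folder access';          State = (& $name $pref.EnableControlledFolderAccess) }
        [pscustomobject]@{ Setting = 'Memory integrity';                  State = $hvci }
        [pscustomobject]@{ Setting = 'Potentially unwanted app blocking'; State = (& $name $pref.PUAProtection) }
        [pscustomobject]@{ Setting = 'Smart app control';                 State = $sac }
        [pscustomobject]@{ Setting = 'Tamper protection';                 State = $tamper }
    ) | Select-Object Setting, State, @{ n = 'NeedsReview'; e = { $_.State -ne 'On' } }
}

Get-DefenderHardeningState | Format-Table -AutoSize
```

Running it again after each change confirms that the switch you flipped in Windows Security actually took effect, including Memory integrity after the required reboot.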
