The Microsoft Defender Features Nobody Turns On

Somewhere around a decade ago, "Windows antivirus" stopped being a punchline and nobody updated the jokes. Modern Microsoft Defender scores at or near the top of independent AV testing year after year, ships with every Windows machine, and — here's the part this article exists for — contains a set of genuinely powerful protections that are switched off by default. Off because they occasionally inconvenience software, and Microsoft optimizes defaults for nothing-ever-breaks. You can make a better trade than that. Here's the tour: five features, what each one actually does, why it ships disabled, and how to turn it on.

Controlled Folder Access — the anti-ransomware tripwire

What it does: designates your important folders (Documents, Pictures, and anything you add) as protected — and then refuses to let any app modify files in them unless that app is known-good or explicitly allowed. Ransomware's entire business model is mass-modifying your files; this turns that into a blocked operation with a notification, instead of an encrypted home folder with a ransom note.

Why it's off: false positives. Legitimate-but-unknown programs — indie games writing saves, niche tools, your own scripts — get blocked too, and the resulting "why won't my app save" tickets made Microsoft leave it opt-in.

Turn it on: Windows Security → Virus & threat protection → Ransomware protection → Controlled folder access → On. Then live with it for a week: when something legitimate gets blocked, the same page's "Allow an app through" + Block history makes the exception a thirty-second fix. Add any folder that would hurt to lose via Protected folders. The first week has friction; after that it's silent until the day it matters.

Attack Surface Reduction rules — policy for the tricks malware loves

What they do: ASR rules block specific behaviors rather than specific malware — the techniques that real attack chains reuse endlessly. Office spawning child processes (the mechanism of a million malicious macros). Scripts launching downloaded executables. Apps reading credentials out of LSASS memory. Each rule kills a technique, and techniques age far slower than malware samples do.

Why they're off: they're shipped as enterprise tooling — Intune and Group Policy surface them; the home Windows Security app simply has no UI for them. The capability is in every Windows 11 Pro and Home install regardless; it's just PowerShell-distance away.

Turn them on: each rule has a GUID and three modes — Disabled, Audit (log what would be blocked), and Enabled. The professional habit applies at home too: audit first, then enforce. The single highest-value rule for anyone who opens email attachments is the Office child-process block:

# PowerShell (Administrator)
# Audit mode first — watch for a week. Add-MpPreference appends to the
# existing rule list, so other rules you have set stay untouched:
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Happy with the (probably empty) audit log? Enforce. Note that
# Set-MpPreference replaces the whole rule list with what you pass it;
# with more than one rule configured, use Add-MpPreference here as well:
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
                 -AttackSurfaceReductionRules_Actions Enabled

# Check what is actually configured:
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions

# See events under: Applications and Services Logs →
#   Microsoft → Windows → Windows Defender → Operational (IDs 1121/1122)

Microsoft's documentation lists the full rule set ("Attack surface reduction rules reference") — the credential-theft and script rules are sensible next additions, same audit-then-enforce rhythm. Reading those logs is a perfect use of the Event Viewer skills from my logs guide.
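Reading those logs in bulk is quicker from PowerShell. The script below is an added example, not the article's own code, and it covers the Controlled Folder Access audit events (IDs 1123 blocked, 1124 audited) from the earlier section as well as the ASR ones (1121/1122), so one report tells you what each protection would have stopped during the audit week. It assumes the event data field names 'ID', 'Path', 'Process Name' and 'User'; if a column comes back empty, check one event's XML view in Event Viewer and adjust the names.

```powershell
# Added example (not the article's code): summarise ASR and Controlled Folder
# Access events from the Defender Operational log. Save as a .ps1 and run
# from an elevated PowerShell. The field names 'ID', 'Path', 'Process Name'
# and 'User' are assumptions; compare against one event's XML view if needed.
$Days = 7
$log  = 'Microsoft-Windows-Windows Defender/Operational'

# 1121 ASR blocked, 1122 ASR audited, 1123 CFA blocked, 1124 CFA audited
$kinds = @{ 1121 = 'ASR block'; 1122 = 'ASR audit'; 1123 = 'CFA block'; 1124 = 'CFA audit' }

# Current ASR configuration, so each event can be read against its rule's mode.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
$ruleMode = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    $ruleMode[$id] = $actionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    Id        = @($kinds.Keys)
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue   # Get-WinEvent raises an error when nothing matches

if (-not $events) {
    "No ASR or Controlled Folder Access events in the last $Days days."
    return
}

$rows = foreach ($e in $events) {
    # Pull every <Data Name="..."> element into a hashtable, whatever the names are.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $rule = if ($d['ID']) { $d['ID'].ToUpper() } else { '' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Kind    = $kinds[$e.Id]
        Rule    = $rule
        Mode    = if ($rule -and $ruleMode.ContainsKey($rule)) { $ruleMode[$rule] } else { '' }
        Process = $d['Process Name']
        Path    = $d['Path']
        User    = $d['User']
    }
}

"Summary by event type and process (last $Days days):"
$rows | Group-Object Kind, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"Detail:"
$rows | Sort-Object Time | Format-Table Time, Kind, Rule, Mode, Process, Path -AutoSize
```

The summary table is the one to read first: a legitimate program that shows up dozens of times in "CFA audit" rows is an allow-list candidate, while an Office process appearing under "ASR audit" for the child-process rule is exactly the behaviour the rule exists to stop and should not be excused.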

Memory integrity (Core isolation) — hardware walls around the kernel

What it does: uses the CPU's virtualization features to put the code-integrity checks that protect the Windows kernel inside their own isolated micro-environment, where even kernel-level malware can't tamper with them. It's the difference between a guard you can bribe and a guard behind glass — and it specifically blunts the driver-abuse tricks that ransomware crews use to shut down security tooling.

Why it's sometimes off: it refuses to start if any incompatible (almost always old) driver is present, and upgraded-from-Windows-10 machines often carry one. Fresh Windows 11 installs ship with it on.

Turn it on: Windows Security → Device security → Core isolation details → Memory integrity → On, reboot. If it names incompatible drivers, that list is worth acting on anyway — update or remove them (they're commonly leftovers of long-uninstalled hardware) — then enable.
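"On" in the Windows Security toggle and "actually running" are two different states, and the gap between them is usually an incompatible driver. This added check (not from the article) reads the same Win32_DeviceGuard class that System Information uses, plus the registry value the toggle writes, and warns when memory integrity is configured but not running.

```powershell
# Added example (not the article's code): report whether memory integrity
# (HVCI) is switched on and whether it is actually running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# SecurityServicesConfigured / SecurityServicesRunning contain service codes:
# 1 = Credential Guard, 2 = HVCI (memory integrity)
$hvciConfigured = $dg.SecurityServicesConfigured -contains 2
$hvciRunning    = $dg.SecurityServicesRunning    -contains 2

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsNames  = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'running' }
$vbsStatus = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus]

# The registry value the "Memory integrity" toggle in Windows Security writes.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$toggle  = (Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue).Enabled

[pscustomobject]@{
    VirtualizationBasedSecurity = $vbsStatus
    MemoryIntegrityToggle       = if ($null -eq $toggle) { 'not set' } elseif ($toggle -eq 1) { 'on' } else { 'off' }
    HVCIConfigured              = $hvciConfigured
    HVCIRunning                 = $hvciRunning
}

if ($hvciConfigured -and -not $hvciRunning) {
    Write-Warning 'Memory integrity is configured but not running: reboot, or open Core isolation details and deal with the incompatible drivers it lists.'
}
```

If the toggle reads "on" but HVCIRunning is false after a reboot, the Core isolation page is where Windows names the driver that is blocking it; the script only tells you that the block exists.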

Reputation-based protection — the PUA filter

What it does: blocks "potentially unwanted applications" — the bundleware, browser-hijacking toolbars, fake optimizers, and adware-adjacent junk that lives one notch below malware and one notch above legitimate. The category I spend the most family-tech-support time removing, blocked at download time instead.

Why it's off-ish: the apps in question are commercially gray rather than criminal, so blocking them by default invites vendor disputes. Your home machine owes them no such courtesy.

Turn it on: Windows Security → App & browser control → Reputation-based protection settings → everything on, especially Potentially unwanted app blocking with both Block apps and Block downloads ticked.

Defender Offline scan — the one to remember for bad days

Not a setting but a capability, filed here so you know it exists before you need it: Virus & threat protection → Scan options → Microsoft Defender Antivirus (offline scan) reboots into a minimal trusted environment and scans the system while the installed Windows — and any rootkit hiding inside it — is dormant. It's the answer to "Defender says it removed something but the machine still acts wrong," and to suspicion generally. Free second opinion, fifteen minutes.

Order of operations

A sane rollout for one machine, total effort under an hour spread over two weeks: reputation-based protection today (zero friction) → memory integrity today (one reboot, maybe one driver cleanup) → Controlled Folder Access this week (expect a few allow-listings) → ASR's Office rule in audit mode now, enforced next week → and file the offline scan away for the day something feels off. None of it costs money; all of it was already sitting on your disk, waiting to be switched on. While you're in a hardening mood, the account-level equivalent — locking down the Microsoft account these settings sync through — is its own fifteen minutes.
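The same rollout, as a single PowerShell script rather than clicks through Windows Security. This is an added example, not the article's code, and it covers the Controlled Folder Access section (audit mode, protected folders, an allowed app), the PUA blocking section and the ASR audit step above; the extra protected folder and the allowed application path are illustrative placeholders to replace with your own. Run it from an elevated PowerShell.

```powershell
# Added example (not the article's code): the two-week rollout as one script.
# Folder and application paths below are illustrative placeholders.
$ErrorActionPreference = 'Stop'

# Today: reputation-based PUA blocking (Disabled / Enabled / AuditMode).
Set-MpPreference -PUAProtection Enabled

# This week: Controlled Folder Access. Start in audit mode (event ID 1124),
# switch the same setting to Enabled once the allow-list has settled.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Folders beyond the defaults that would hurt to lose (illustrative).
$extraFolders = @("$env:USERPROFILE\Projects")
foreach ($f in $extraFolders) {
    if (Test-Path $f) { Add-MpPreference -ControlledFolderAccessProtectedFolders $f }
}

# Programs that legitimately write into protected folders, e.g. a backup tool
# (illustrative path; use the Block history page to find the real ones).
$allowedApps = @('C:\Program Files\ExampleBackup\backup.exe')
foreach ($a in $allowedApps) {
    if (Test-Path $a) { Add-MpPreference -ControlledFolderAccessAllowedApplications $a }
}

# Now: the ASR Office child-process rule in audit mode; flip to Enabled next week.
$officeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $officeChildProcessRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Bad day: Start-MpWDOScan reboots straight into the offline scanner,
# so it stays commented out here.
# Start-MpWDOScan

# Read back what is actually set, using Defender's numeric codes.
$modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$p = Get-MpPreference
[pscustomobject]@{
    PUAProtection          = $modeNames[[int]$p.PUAProtection]
    ControlledFolderAccess = $modeNames[[int]$p.EnableControlledFolderAccess]
    ProtectedFolders       = ($p.ControlledFolderAccessProtectedFolders -join '; ')
    AllowedApps            = ($p.ControlledFolderAccessAllowedApplications -join '; ')
    ASRRuleIds             = ($p.AttackSurfaceReductionRules_Ids -join '; ')
    ASRRuleActions         = ($p.AttackSurfaceReductionRules_Actions -join '; ')
}
```

The read-back at the end is the part worth keeping: running just that block a week later, next to the audit-log report, is how you confirm the settings survived updates and that nothing silently reverted.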