Let me tell you what happens to most people’s Windows 11 computers.
They buy it. They set it up. Windows Defender is running — green checkmark, everything looks fine. They assume they’re protected.
They are. A little. The baseline protection is real. But it’s like locking your front door and leaving every window wide open. Windows 11 ships with some seriously powerful security features that Microsoft, for reasons that continue to baffle me, leaves turned off by default.
I’m not talking about buying expensive antivirus software. I’m talking about features already sitting on your computer right now, waiting to be switched on. Features that block ransomware from encrypting your files. Features that stop untrusted apps from ever running. Features that prevent malware from tampering with critical system processes.
Five settings. All free. All built in. Let’s turn them on.
The Threat Landscape Has Changed
Before we get into the settings, you need to understand why this matters more now than it did two years ago.
Ransomware attacks increased by more than 40% across all data breaches in the past year. That’s not just big corporations getting hit. Regular people are losing family photos, tax documents, and years of work because ransomware encrypted everything on their hard drive and demanded payment to unlock it.
The attacks are smarter now too. Phishing emails generated by AI are nearly impossible to distinguish from real ones. Voice cloning scams can mimic a family member’s voice over the phone. And infostealers — a category of malware designed specifically to harvest saved passwords and browser cookies — compromised over a billion credentials in the first half of 2025 alone.
Your front door is locked. Let’s close the windows.
Setting 1: Controlled Folder Access — Your Ransomware Shield
This is the single most important setting on this list, and almost nobody knows it exists.
Controlled Folder Access does exactly what the name says: it controls which apps can access and modify files in your important folders. Documents, Pictures, Desktop, Videos, Music — all protected. If an unauthorized app tries to write to these folders, Windows blocks it.
That includes ransomware. When ransomware runs, the first thing it does is encrypt your files one by one. With Controlled Folder Access enabled, the ransomware literally cannot touch your protected folders. It gets blocked at the door.
Turn it on:
Windows Security → Virus & threat protection → Ransomware protection → Manage ransomware protection → Turn ON Controlled folder access
The first time you enable this, some of your regular apps might get blocked. Your image editor might not be able to save to Documents. A game might fail to save progress. Don’t panic — this is the system working correctly. It’s blocking anything that isn’t explicitly trusted.
Allow specific apps:
Windows Security → Ransomware protection → Allow an app through Controlled folder access → Add an allowed app
Browse to the application’s .exe file and add it. You only need to do this once per app. After that, it works normally while everything else stays blocked.
Add extra folders to protect:
The default list covers your main user folders. But if you keep important files elsewhere — maybe a separate partition or a project folder on your desktop — you can add those too:
Windows Security → Ransomware protection → Protected folders → Add a protected folder
This is real, tested ransomware protection. Not a marketing claim from an antivirus company. It’s built into Windows and it’s free. The only cost is spending two minutes allowing your regular apps when they first get blocked.
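The same setup can be done from PowerShell with the Defender cmdlets, as an added example that is not part of the original article. It goes one step beyond the text by starting in audit mode, so the apps that would be blocked show up in the event log before enforcement is switched on. The script name, app path and folder path in the comments are constructed placeholders.

```powershell
# Added example. Save as cfa-rollout.ps1 (hypothetical name) and run from an
# elevated PowerShell prompt, with Microsoft Defender as the active antivirus:
#   .\cfa-rollout.ps1 -Stage Audit      # log only, block nothing
#   .\cfa-rollout.ps1 -Stage Review     # after a few days of normal use
#   .\cfa-rollout.ps1 -Stage Enforce -AllowApp 'C:\Program Files\ExampleEditor\editor.exe' -ProtectFolder 'D:\Projects'
param(
    [ValidateSet('Audit', 'Review', 'Enforce')]
    [string]$Stage = 'Review',
    [string[]]$AllowApp = @(),        # trusted .exe paths (placeholders above)
    [string[]]$ProtectFolder = @()    # extra folders to protect (placeholder above)
)

$log = 'Microsoft-Windows-Windows Defender/Operational'

switch ($Stage) {
    'Audit' {
        # Record writes to protected folders without blocking them.
        Set-MpPreference -EnableControlledFolderAccess AuditMode
    }
    'Review' {
        # Event 1124 = write that audit mode would have blocked; 1123 = write that was blocked.
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1123, 1124 } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, Message |
            Format-List | Out-Host
    }
    'Enforce' {
        foreach ($app in $AllowApp) {
            if (-not (Test-Path -LiteralPath $app -PathType Leaf)) { throw "Not found: $app" }
            Add-MpPreference -ControlledFolderAccessAllowedApplications $app
        }
        foreach ($dir in $ProtectFolder) {
            if (-not (Test-Path -LiteralPath $dir -PathType Container)) { throw "Not found: $dir" }
            Add-MpPreference -ControlledFolderAccessProtectedFolders $dir
        }
        Set-MpPreference -EnableControlledFolderAccess Enabled
    }
}

# Show the resulting state after every stage (0 = Disabled, 1 = Enabled, 2 = AuditMode).
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessAllowedApplications,
                  ControlledFolderAccessProtectedFolders |
    Format-List | Out-Host
```

Only allow apps you recognize from the Review output; an unfamiliar process writing to Documents or Pictures is worth investigating before it goes on the allow list.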
Setting 2: Core Isolation and Memory Integrity
This one sounds technical, and it is — but you don’t need to understand the technical details to use it.
Here’s the simple version: some advanced malware doesn’t just run as a regular program. It injects itself into Windows’ own processes — the core system services that manage everything. Once it’s inside those processes, traditional antivirus can’t see it because it looks like Windows itself.
Memory Integrity prevents this. It uses your computer’s hardware virtualization (the same technology that runs virtual machines) to create an isolated space where critical Windows processes run. Nothing else can touch them. If malware tries to inject code into these processes, the hardware itself blocks the attempt.
Turn it on:
Windows Security → Device security → Core isolation details → Turn ON Memory integrity
You’ll need to restart your PC.
The catch: Memory Integrity requires all your drivers to be compatible with hardware-based virtualization security. Most modern drivers are fine. But if you have an old printer, a legacy scanner, or an outdated audio interface, Windows might warn you about incompatible drivers.
If you see a warning, you have two options. Either update the flagged driver from the manufacturer’s website, or check whether you actually still use that device. In my experience, the incompatible driver is almost always for something the user forgot was even installed — a printer they sold two years ago, a scanner that’s been in a closet since last summer.
Update or remove the incompatible driver, restart, and Memory Integrity stays on. The protection is worth the five minutes it takes to resolve driver issues.
Setting 3: Smart App Control and SmartScreen
Windows 11 has a feature called Smart App Control that’s genuinely impressive — when it’s available. It uses Microsoft’s cloud intelligence to check every app before it runs. If the app is known and trusted, it runs. If it’s unknown or flagged as malicious, it’s blocked. If it’s somewhere in between, you get a warning.
Check if Smart App Control is available:
Windows Security → App & browser control → Smart App Control settings
Here’s the thing — Smart App Control is only available on a fresh Windows 11 installation. If you upgraded from Windows 10 or have been running your current installation for a while, you might see it set to “Off” with no option to turn it on. That’s because once it’s turned off, it requires a clean install of Windows to re-enable.
If Smart App Control isn’t available, you still have SmartScreen — and it’s nearly as good for everyday protection.
Enable SmartScreen protections:
Windows Security → App & browser control → Reputation-based protection → Reputation-based protection settings
Turn on all of these:
- Check apps and files — Blocks known malicious downloads
- SmartScreen for Microsoft Edge — Warns about dangerous websites
- Phishing protection — Warns when you type passwords on suspicious sites
- Potentially unwanted app blocking — Blocks bundleware and junkware that comes packaged with legitimate-looking downloads
That last one deserves special attention. “Potentially unwanted apps” are the reason your aunt’s computer has three browser toolbars and a search engine she’s never heard of. These apps aren’t technically viruses, but they slow down your computer, inject ads, and collect data. Blocking them before they install is far easier than removing them afterward.
Setting 4: DNS over HTTPS — Invisible but Important
Every time you visit a website, your computer first asks a DNS server to translate the domain name (like quickfixlab.online) into an IP address. By default, this request is sent completely unencrypted. Anyone monitoring your network — a hacker on public WiFi, your ISP, even a compromised router — can see every website you visit.
Worse, attackers can intercept DNS requests and redirect you to fake websites. You type your bank’s URL, but your DNS request gets hijacked and you end up on a phishing page that looks identical to the real thing. Your browser might even show the correct URL because the attack happened at the DNS level.
DNS over HTTPS encrypts these requests. Nobody on the network between you and your DNS provider can see them or tamper with them.
Set it up:
Settings → Network & Internet → WiFi (or Ethernet) → [your network name] → Hardware properties → DNS server assignment → Edit
Switch from Automatic to Manual. Enable IPv4 and enter:
For Cloudflare (recommended — fastest):
- Preferred DNS: 1.1.1.1
- Alternate DNS: 1.0.0.1
For Google:
- Preferred DNS: 8.8.8.8
- Alternate DNS: 8.8.4.4
Under each DNS entry, find the DNS over HTTPS dropdown and select “On (automatic template)” or “On (manual template)”.
Click Save. That’s it. Your DNS queries are now encrypted.
You won’t notice any difference in speed. The encryption overhead is negligible. But your privacy improves significantly, and DNS hijacking attacks become impossible against your connection.
Setting 5: The Standard Account Trick Nobody Uses
This is the oldest security trick in the book, and almost nobody does it because it feels inconvenient. But the protection it provides is enormous.
When you set up Windows 11, the account you create is an Administrator account. This account can install software, change system settings, modify the registry, disable security features — basically anything. When you’re logged in as Administrator and you accidentally run malware, that malware inherits your permissions. It can do anything you can do.
The fix: create a separate Standard user account for daily use.
Settings → Accounts → Other users → Add account
Create a local account. Don’t give it Administrator privileges. Use this account for browsing, email, social media, watching videos — everything that doesn’t require installing software.
When you need to install something or change a system setting, Windows will prompt you for Administrator credentials. Enter them, do what you need to do, then go back to your Standard account.
What this prevents:
If you accidentally click a malicious link or download an infected file while logged into a Standard account, the malware runs with limited permissions. It can’t install itself as a system service. It can’t disable Windows Defender. It can’t modify protected system files. It can’t add itself to startup. Its damage is contained to your user profile — which is bad, but recoverable. Compared to malware running with full Administrator access, which can compromise your entire system beyond easy repair, this is a massive difference.
Is it slightly less convenient? Yes. You’ll occasionally need to type your admin password when installing updates or software. But that ten-second interruption is the price of making your system dramatically harder to compromise.
Bonus: The Quick Security Audit
After enabling the five settings above, do a quick health check:
Run a full scan:
Windows Security → Virus & threat protection → Scan options → Full scan → Scan now
A Quick Scan checks common locations. A Full Scan checks every file on your system. Run one now, then schedule it monthly.
Check Windows Update:
Settings → Windows Update → Check for updates
Security patches fix known vulnerabilities. Most major cyberattacks exploit vulnerabilities that were already patched — the victims just hadn’t installed the update. Keep automatic updates enabled and restart when prompted.
Review installed apps:
Settings → Apps → Installed apps
Scroll through the list. Anything you don’t recognize? Anything you haven’t used in months? Uninstall it. Every installed app is a potential attack surface. The fewer apps on your system, the fewer ways malware can get in.
Check browser extensions:
Open your browser’s extension page. Remove any extension you don’t actively use. Browser extensions have access to everything you do in your browser — every page you visit, every form you fill in, every password you type. A malicious extension is essentially a keylogger with full access to your browsing session.
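A read-only PowerShell report that checks the five settings from this guide in one pass, as an added example that is not part of the original article. For Setting 4 it only shows whether Windows has a DNS over HTTPS template registered for each configured DNS server; the Settings page remains the place to confirm that encryption is switched on for the connection. For Setting 5 it lists the local Administrators so you can confirm your daily account is not among them.

```powershell
# Added example: reports state only, changes nothing.
$mp = Get-MpPreference

# Setting 2: SecurityServicesRunning lists active virtualization-based
# security services; the value 2 means memory integrity (HVCI) is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Setting 4: IPv4 DNS servers on connected adapters, compared with the
# servers Windows holds a DNS over HTTPS template for.
$upIdx    = (Get-NetAdapter | Where-Object Status -eq 'Up').ifIndex
$dns      = Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.InterfaceIndex -in $upIdx } |
                ForEach-Object { $_.ServerAddresses } |
                Sort-Object -Unique
$dohKnown = (Get-DnsClientDohServerAddress).ServerAddress

# Setting 5: members of the local Administrators group (well-known SID).
$admins = (Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue).Name

[pscustomobject]@{
    ControlledFolderAccessOn = $mp.EnableControlledFolderAccess -eq 1   # 2 would be audit only
    MemoryIntegrityRunning   = $dg.SecurityServicesRunning -contains 2
    PuaBlockingOn            = $mp.PUAProtection -eq 1                  # Setting 3, unwanted app blocking
    DnsServers               = ($dns | ForEach-Object { "$_ (DoH template: $($_ -in $dohKnown))" }) -join ', '
    LocalAdministrators      = $admins -join ', '
    CurrentUser              = [Security.Principal.WindowsIdentity]::GetCurrent().Name
} | Format-List
```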
What About Third-Party Antivirus?
Here’s my honest take: for most people, Microsoft Defender with the settings in this guide enabled is better than most paid antivirus products.
Independent testing labs consistently rate Defender in the top tier for malware detection. It doesn’t slow down your system like many third-party solutions. It doesn’t nag you with pop-ups trying to upsell premium features. It doesn’t install a browser extension that tracks your activity. And it updates automatically through Windows Update — you never have to think about it.
Third-party antivirus has its place. If you’re a business handling sensitive data, an endpoint security solution with centralized management makes sense. If you need specific features like VPN, dark web monitoring, or identity theft protection, some suites bundle those.
But if you’re a regular person who wants their PC protected from viruses, malware, and ransomware? Turn on the five settings above and keep Windows updated. That’s genuinely all you need.
The Habits That Keep You Safe
No security setting can protect you from yourself. These habits matter more than any software:
Think before you click. If an email creates urgency — “Your account will be closed in 24 hours!” — that’s almost certainly a scam. Real companies don’t threaten you into clicking links. Hover over any link to preview the actual URL before clicking.
Download from official sources only. Get your software from the developer’s website or the Microsoft Store. Never from random download sites. “Free” versions of paid software are the number one malware delivery method.
Use unique passwords. If you use the same password everywhere and one service gets breached, attackers will try that password on every other service you use. A password manager solves this. Windows 11 has a basic password manager built into Microsoft Edge, or you can use a dedicated one like Bitwarden, which is free.
Keep everything updated. Not just Windows — your browser, your apps, your drivers. Updates fix security vulnerabilities. Delaying updates is leaving known holes open for attackers to walk through.
Back up your data. If everything fails — if ransomware gets through, if your hard drive dies, if you accidentally delete something critical — a backup saves you. The 3-2-1 rule: 3 copies of your data, on 2 different types of storage, with 1 copy stored offsite or in the cloud.