{
"title": "ZDNET’s Windows Security Wake-Up Call: 5 Optional Protections You Should Turn On Now",
"content": "ZDNET recently published a stark reminder: the most hardened Windows PC isn't the one with third-party antivirus stacked to the rafters but the one that has Microsoft's own built-in shields correctly configured. Ed Bott's latest piece, \"Windows Defender Optional Protections: 5 Switches Worth Rechecking,\" cuts through the noise and zeroes in on five settings inside Windows Security that are far too often left disabled—sometimes by the user, sometimes by a careless update, sometimes by an old driver conflict. If you haven't looked at these toggles in months, it's time.

Windows Security has evolved from a basic antivirus into a full-fledged endpoint protection platform, yet many of its most potent features remain opt-in. The default configuration stops known malware, but it won't necessarily stop a ransomware strain that silently encrypts your documents, an untrusted driver that loads into the kernel, or a sneaky adware bundle that piggybacked on a free utility. The five protections Bott highlights—Controlled folder access, Memory integrity, Potentially unwanted app blocking, Smart App Control, and Tamper Protection—each plug a specific gap. Individually they're valuable; together they form a layered defense that dramatically raises the bar for attackers.

Let's walk through each, what it actually does, how to check its status, and what trade-offs you might encounter.

| Protection | Location in Windows Security | Default State | Key Benefit |
| --- | --- | --- | --- |
| Controlled folder access | Virus & threat protection > Ransomware protection | Off | Blocks unauthorized changes to documents |
| Memory integrity | Device security > Core isolation | Off on many systems | Prevents kernel-mode exploits |
| Potentially unwanted app blocking | App & browser control > Reputation-based protection | Off | Stops adware, cryptominers, etc. |
| Smart App Control | App & browser control > Smart App Control | Evaluation (or Off) | AI-driven app blocking |
| Tamper Protection | Virus & threat protection > Virus & threat protection settings | On (but verify) | Prevents malware from disabling Defender |

Controlled Folder Access

Buried under Virus & threat protection > Ransomware protection, Controlled folder access is a behavioral shield that prevents untrusted applications from modifying files in protected folders—think Documents, Pictures, Desktop, and any additional folder you specify. It's one of the most effective anti-ransomware mechanisms available because it doesn't rely on signatures; even a zero-day ransomware will be blocked if it's not on the trusted list.

When an app attempts to write a change, Windows checks its reputation. Apps that are digitally signed by Microsoft or have a known good rating in Microsoft Defender's cloud intelligence slip through silently. Everything else gets a block notification. The first few weeks can be noisy: legitimate apps like QuickBooks, legacy photo editors, or custom business software will trigger alerts. Rather than turn the feature off, use the \"Allow an app through Controlled folder access\" link to whitelist the offenders. Over time the alerts dwindle, and you're left with a powerful moat around your critical data.

To verify it's on: Open Windows Security, click Virus & threat protection, scroll to Ransomware protection, and ensure the toggle is set to On. Also check protected folders; add any network shares or secondary drives that hold important files.

Trade-offs: Older software that lacks digital signatures can be a hassle. But the alternative—losing every document to a ransomware attack—is far worse. After enabling, monitor Security Center for block notifications and respond quickly.

Memory Integrity

Memory integrity, part of Core isolation in Windows Security > Device security, leverages virtualization-based security (VBS) to isolate a secure region of memory where crucial kernel-mode processes run. This prevents the most insidious malware from injecting malicious code into the Windows kernel. When an untrusted driver tries to access this secure space, the request is denied. It's a hardware-enforced barrier that makes classic rootkits and many exploit kits obsolete.

However, memory integrity is famously incompatible with older, poorly written drivers—especially those for fingerprint readers, display adapters, and virtualization software. If you've ever turned it on only to find your system booting to a black screen or certain hardware no longer working, you likely have a driver conflict. The good news is that driver compatibility has improved markedly, and Windows Update now proactively flags problematic drivers via the \"Incompatible drivers\" list right in the Core isolation page.

To check: Go to Device security > Core isolation details. If the Memory integrity switch is off, expand the \"Incompatible drivers\" section to see which ones are causing the block. You may need to update or remove those drivers. On modern hardware (8th-gen Intel or Ryzen 2000 and newer), you should absolutely have this on. The performance impact is negligible for everyday tasks.

Trade-offs: The main hurdle is driver compatibility. Some gaming anti-cheat systems have also clashed, but the situation is improving. If you see a performance drop in certain workloads, test first—but for most users, the security gain far outweighs the risk.

Potentially Unwanted App Blocking

Under App & browser control > Reputation-based protection, the \"Potentially unwanted app blocking\" toggle instructs Windows to be more aggressive about blocking adware, browser hijackers, cryptominers, and other low-reputation software that doesn't quite meet the malware bar. These PUPs (or PUAs, for Potentially Unwanted Applications) are often bundled with free software and can degrade system performance or invade privacy.

By default, this setting is off. When you turn it on, you get two checkboxes: Block apps and Block downloads. The first stops PUPs from executing; the second prevents them from being downloaded in Microsoft Edge. Together they eliminate a huge class of nuisance software.

Activating PUP blocking is almost painless; false positives are rare because it relies on Microsoft's cloud-based reputation service, which has excellent accuracy. Occasionally a niche utility might get flagged, but you can override via the protection history.
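
The three settings covered so far can also be confirmed from PowerShell rather than by clicking through Windows Security. This is an added example, not code from the ZDNET article; it assumes Microsoft Defender Antivirus is the active antivirus, that the Win32_DeviceGuard CIM class is available, and that it is run from an elevated session. It only reads state and changes nothing.

```powershell
# Added example: read-only status check for three Windows Security settings.
# Assumes Microsoft Defender Antivirus is the active AV (Defender module present).

function Get-ModeName([int]$Value) {
    # Defender reports these settings as numbers: 0 = off, 1 = on, 2 = audit only
    switch ($Value) {
        0 { 'Off' }
        1 { 'On' }
        2 { 'Audit only (logs, does not block)' }
        default { 'Other mode ({0})' -f $Value }
    }
}

$pref = Get-MpPreference

# Memory integrity (HVCI): SecurityServicesRunning contains 2 when it is active.
$dg = Get-CimInstance -Namespace 'root/Microsoft/Windows/DeviceGuard' -ClassName Win32_DeviceGuard
$memoryIntegrity = if ($dg.SecurityServicesRunning -contains 2) { 'Running' } else { 'Not running' }

[pscustomobject]@{
    ControlledFolderAccess = Get-ModeName $pref.EnableControlledFolderAccess
    # Folders and apps added by the user on top of the built-in defaults
    ExtraProtectedFolders  = $pref.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps            = $pref.ControlledFolderAccessAllowedApplications -join '; '
    MemoryIntegrity        = $memoryIntegrity
    # PUAProtection is Defender's app-blocking setting; the Edge download
    # toggle is stored separately by the browser.
    PuaAppBlocking         = Get-ModeName $pref.PUAProtection
} | Format-List
```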

To