Hidden Security Features Most Windows Users Never Touch
Windows 10 and 11 ship with a surprisingly robust set of security features — many of which are either disabled by default or buried deep in settings menus. Enabling the right ones can make a significant difference in your protection without spending a penny on third-party software.
Here are 10 settings worth enabling today.
1. Core Isolation / Memory Integrity
Memory Integrity (part of Core Isolation) uses hardware virtualization to protect core Windows processes from being tampered with by malware. It's one of the most powerful defenses against sophisticated attacks.
How to enable: Windows Security → Device Security → Core Isolation Details → toggle Memory Integrity to On.
Note: Some older drivers may be incompatible. Windows will warn you if this is the case.
2. Tamper Protection
Tamper Protection prevents malicious software from disabling Windows Defender settings from outside the Windows Security app. Without it, malware can silently turn off your antivirus.
How to enable: Windows Security → Virus & threat protection → Manage settings → toggle Tamper Protection to On.
3. Controlled Folder Access (Ransomware Protection)
Blocks unauthorized apps from modifying files in protected folders — a direct defense against ransomware.
How to enable: Windows Security → Virus & threat protection → Manage ransomware protection → toggle Controlled folder access to On.
4. SmartScreen for Apps and Files
SmartScreen checks downloaded files and apps against Microsoft's database of known malicious software before they run.
How to enable: Windows Security → App & browser control → Reputation-based protection → turn on all SmartScreen options.
5. Exploit Protection
Applies memory exploit mitigation techniques (like DEP and ASLR) to system processes and individual apps, making it harder for exploits to succeed.
How to access: Windows Security → App & browser control → Exploit protection settings. Review the defaults and apply as needed.
6. Automatic Lock Screen Timeout
If you step away from your PC without locking it, anyone nearby can access your data. Set a short auto-lock timeout.
How to set: Settings → Personalization → Lock screen → Screen timeout settings. Set to 5 minutes or less.
7. Dynamic Lock
Windows can automatically lock your PC when your paired Bluetooth device (e.g., your smartphone) moves out of range — great for office environments.
How to enable: Settings → Accounts → Sign-in options → Dynamic lock → check "Allow Windows to automatically lock your device when you're away."
8. Two-Factor Authentication on Your Microsoft Account
If your Microsoft account is compromised, attackers can access OneDrive, Outlook, and potentially unlock your PC. Enable 2FA immediately.
How to set up: Visit account.microsoft.com → Security → Advanced security options → enable Two-step verification.
9. DNS over HTTPS (DoH)
By default, DNS queries are sent in plain text — meaning your ISP (and anyone on the same network) can see every website you visit. DNS over HTTPS encrypts these requests.
How to enable: Settings → Network & internet → Wi-Fi (or Ethernet) → your network → DNS server assignment → set to Manual, enter a DoH-compatible DNS (e.g., Cloudflare: 1.1.1.1, Google: 8.8.8.8) and select "Encrypted only."
10. File History (Automatic Backups)
File History automatically backs up files in your Documents, Pictures, Music, and Videos folders to an external drive. It's not a full system backup, but it's a fast safety net for your most important files.
How to enable: Settings → Update & Security → Backup → Add a drive → select your external drive → toggle Automatically back up my files to On.
Quick Reference Table
| Setting | What It Protects Against | Location |
|---|---|---|
| Memory Integrity | Kernel attacks | Windows Security → Device Security |
| Tamper Protection | Malware disabling Defender | Windows Security → Virus protection |
| Controlled Folder Access | Ransomware | Windows Security → Ransomware protection |
| SmartScreen | Malicious downloads | Windows Security → App & browser control |
| 2FA (Microsoft Account) | Account takeover | account.microsoft.com |
| DNS over HTTPS | ISP snooping | Network settings |
Each of these settings takes just a minute or two to enable. Together, they build a much stronger defense than the out-of-the-box Windows configuration provides.