Security Settings in Windows You’re Not Using (and Hackers Hope You Don’t Find)

I’ve always been paranoid about PC security. But over the years, Windows has genuinely stepped up its game with some powerful protection features that most people overlook.

These security settings are sitting right there, unused. More importantly, cybercriminals are counting on you not to find them.

4

Windows Sandbox

Keeps Suspicious Files Away From Your System

Windows Sandbox creates a completely isolated virtual environment where you can test suspicious files without risking your main system.

When you download something sketchy, you can run it in the sandbox first. If it’s malware, the damage stays contained and everything gets wiped clean when you’re done.

This feature only works on Windows 10 Pro or Windows 11 Pro, though. If you’re running the Home edition, you’ll need to rely on free online sandboxing tools instead. Here’s how to enable Windows Sandbox:

  1. Press Windows + R to open the Run dialog box, then type appwiz.cpl and hit Enter.
  2. Click Turn Windows features on or off on the left.
  3. Check the box next to Windows Sandbox.
  4. Restart your computer when prompted.

Besides that, there are other ways to enable and set up Windows Sandbox in Windows 11. Once enabled, you can launch Sandbox from the Start menu.

It boots up a clean version of Windows in seconds each time you open it. You can then download that email attachment, test a piece of software, or click a suspicious link—if something goes wrong, just close the Sandbox and the threat disappears.
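The same steps can be scripted. The following is an added example, not part of the original article: it enables the feature from PowerShell and then launches a sandbox from a `.wsb` configuration file with networking and clipboard sharing turned off and a single read-only folder mapped in for the file under test. The folder name `SandboxQuarantine` and the file name `Quarantine.wsb` are assumptions chosen for illustration; leave networking on instead if you need to test a link.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session.
$featureName = 'Containers-DisposableClientVM'   # optional-feature name for Windows Sandbox
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction SilentlyContinue

if (-not $feature) {
    Write-Warning 'Windows Sandbox is not offered on this edition of Windows.'
}
elseif ($feature.State -ne 'Enabled') {
    # Same effect as ticking the box in "Turn Windows features on or off".
    Enable-WindowsOptionalFeature -Online -FeatureName $featureName -All -NoRestart | Out-Null
    Write-Warning 'Windows Sandbox enabled. Restart, then run this script again.'
}
else {
    # Hypothetical host folder: copy the file you want to test into it first.
    $quarantine = Join-Path $env:USERPROFILE 'SandboxQuarantine'
    New-Item -ItemType Directory -Path $quarantine -Force | Out-Null

    # Networking and clipboard are disabled so nothing inside the sandbox can
    # reach the LAN or exchange data with the host. The host folder is mapped
    # read-only, so the sandbox can read the sample but cannot write back.
    $wsb = @"
<Configuration>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$quarantine</HostFolder>
      <SandboxFolder>C:\Quarantine</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
"@

    $wsbPath = Join-Path $env:USERPROFILE 'Quarantine.wsb'   # hypothetical file name
    Set-Content -Path $wsbPath -Value $wsb -Encoding UTF8

    # Opening a .wsb file starts Windows Sandbox with that configuration.
    Start-Process -FilePath $wsbPath
}
```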

3

Core Isolation

Stops Advanced Malware in Its Tracks

Core Isolation uses your computer’s hardware to create a secure barrier around Windows’ most critical processes. The main component, Memory Integrity, prevents hackers from injecting malicious code into system memory, which is a favorite trick of advanced malware.

This feature utilizes virtualization-based security (VBS) to isolate sensitive operations from the rest of your system. Even if malware manages to infiltrate your computer, it can’t tamper with protected kernel processes. Here’s how to enable Memory Integrity:

  1. Press Windows + I to open Settings, then navigate to Privacy & Security from the left sidebar.
  2. Click Windows Security in the main panel and select Device Security.
  3. Look for Core Isolation and then toggle on Memory Integrity.
  4. Click Restart now when Windows prompts you to reboot your system.

The biggest advantage of Core Isolation is its ability to block kernel-level attacks that traditional antivirus software might miss. It works alongside your existing security software as part of Windows’ built-in defense system.

However, there are some downsides to consider. Older drivers might cause compatibility issues, and you could see slight performance drops in gaming or CPU-intensive applications. The feature also requires modern hardware with virtualization support, so older computers won’t be able to use it.

If the Memory Integrity toggle appears grayed out, your system might need driver updates or BIOS changes. With Windows security getting better with such features, you don’t need to install an antivirus on Windows 11, though that’s debatable depending on your browsing habits.
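Turning the toggle on does not guarantee the protection is active: an incompatible driver or missing virtualization support can leave it configured but not running. The following added example (not part of the original article) reads the Device Guard status that Windows exposes through WMI and compares it with the registry value behind the toggle.

```powershell
# Added example (not from the article). Read-only; run in an elevated PowerShell session.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
# In SecurityServicesConfigured / SecurityServicesRunning, the value 2 stands for
# hypervisor-enforced code integrity, which the Settings app calls Memory Integrity.
$vbsRunning     = $dg.VirtualizationBasedSecurityStatus -eq 2
$hvciConfigured = $dg.SecurityServicesConfigured -contains 2
$hvciRunning    = $dg.SecurityServicesRunning -contains 2

# Registry value written when Memory Integrity is switched on (1 = on, 0 = off).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$regEnabled = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled

$state = if ($hvciRunning) {
    'Running'
}
elseif ($hvciConfigured -or $regEnabled -eq 1) {
    'Turned on but NOT running (reboot pending, incompatible driver, or virtualization disabled in firmware)'
}
else {
    'Off'
}

[pscustomobject]@{
    VbsRunning            = $vbsRunning
    MemoryIntegrityInReg  = $regEnabled
    MemoryIntegrityState  = $state
    HypervisorPresent     = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent
}
```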

The performance impact is usually minimal on modern systems, but you might notice slight slowdowns in CPU-intensive tasks.

2

App and Browser Control

Prevents Dangerous Downloads

App and Browser Control is Windows’ built-in web protection system that stops malicious downloads before they reach your PC. SmartScreen analyzes files, websites, and apps against Microsoft’s threat database in real time.

This feature works across multiple layers—your browser, file downloads, and even Microsoft Store apps. When you try to download something suspicious, SmartScreen throws up a warning or blocks it entirely.

Most people encounter SmartScreen when it blocks legitimate software with that “Windows protected your PC” message. The temptation is to disable it, but that’s exactly what hackers hope you’ll do. Here’s how to configure App and Browser Control properly:

  1. Open Windows Security through Settings > Privacy & Security > Windows Security.
  2. Click App & browser control from the main dashboard.
  3. Under Reputation-based protection, click Reputation-based protection settings.
  4. Ensure that Check apps and files is turned on for download protection.
  5. Enable SmartScreen for Microsoft Edge if you use the Edge browser.
  6. Turn on Potentially unwanted app blocking to stop bundled software.

The “Potentially unwanted app blocking” setting is handy as it catches those sneaky toolbar installations and system optimizers that piggyback on legitimate downloads.

SmartScreen isn’t perfect, but it catches a surprising amount of malware that traditional antivirus programs miss. The cloud-based approach means protection updates happen instantly, not during scheduled definition updates.

You can temporarily bypass SmartScreen warnings for trusted software, but avoid making it a habit.
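To confirm these settings have not been switched off, by you or by something else, you can read them back. The following is an added example, not part of the original article; the registry locations are the ones used by Group Policy and by recent Windows builds, so treat the local `SmartScreenEnabled` location as an assumption and confirm it on your version.

```powershell
# Added example (not from the article). Read-only; run in an elevated PowerShell session.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist (setting not configured there).
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$checks = @(
    @{ Setting = 'Check apps and files (policy)'
       Value   = (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'EnableSmartScreen')
       Off     = 0 }
    @{ Setting = 'Check apps and files (local)'   # assumed location, see lead-in
       Value   = (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'SmartScreenEnabled')
       Off     = 'Off' }
    @{ Setting = 'SmartScreen for Microsoft Edge (policy)'
       Value   = (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' 'SmartScreenEnabled')
       Off     = 0 }
    @{ Setting = 'Potentially unwanted app blocking'
       Value   = (Get-MpPreference).PUAProtection   # 0 = off, 1 = block, 2 = audit only
       Off     = 0
       Audit   = 2 }
)

$report = foreach ($c in $checks) {
    $status = if ($null -eq $c.Value) {
        'Not set here (the Windows Security or browser toggle applies)'
    }
    elseif ($c.Value -eq $c.Off) {
        'OFF'
    }
    elseif ($c.ContainsKey('Audit') -and $c.Value -eq $c.Audit) {
        'Audit only (logs, does not block)'
    }
    else {
        'On'
    }
    [pscustomobject]@{ Setting = $c.Setting; RawValue = $c.Value; Status = $status }
}

$report | Format-Table -AutoSize -Wrap
```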

1

Controlled Folder Access

Blocks Ransomware

This security feature is Windows’ answer to ransomware attacks. Controlled folder access creates a protective shield around your most important folders, such as documents, pictures, desktop, and others, preventing unauthorized apps from making changes.

This feature works on a whitelist principle. Only trusted applications can modify protected folders, while everything else gets blocked. When ransomware tries to encrypt your files, it hits a wall.

Ransomware typically targets user folders first because that’s where your valuable data lives, but Controlled Folder Access stops this behavior cold. Here’s how to enable it in Windows settings:

  1. Open Windows Security through Settings > Privacy & Security > Windows Security.
  2. Navigate to Virus & Threat Protection from the main menu.
  3. Scroll down and click Manage ransomware protection.
  4. Toggle Controlled folder access to On.
  5. Then click Protected folders to see which directories are secured by default.
  6. Use Allow an app through Controlled folder access to allowlist trusted programs.

You’ll need to manually approve legitimate applications that want to access protected folders. This might seem annoying at first, but always enable ransomware protection on Windows as it’s one of the most effective defenses against file-encrypting malware.

The feature monitors file system activity in real time, so it doesn’t rely on malware signatures. Some productivity apps might trigger false positives initially, but you can easily add them to the allowed list.
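One way to avoid being surprised by those false positives is to run Controlled folder access in audit mode first, see which programs would have been blocked, and only then enforce it. The following is an added example, not part of the original article; the function names and the allowlisted path are hypothetical, and the event field names are assumed from the Defender event XML.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session.
$log = 'Microsoft-Windows-Windows Defender/Operational'

function Start-CfaAudit {
    # Audit mode records what would have been blocked without blocking anything.
    Set-MpPreference -EnableControlledFolderAccess AuditMode
}

function Get-CfaHits {
    # Event 1124 = audited write to a protected folder; 1123 = the same, but blocked.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1123, 1124 } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Field names assumed from the event XML; confirm with $events[0].ToXml().
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Mode    = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Process = ($data | Where-Object { $_.Name -eq 'Process Name' }).'#text'
            Target  = ($data | Where-Object { $_.Name -eq 'Path' }).'#text'
        }
    }
}

function Enable-CfaEnforced([string[]]$AllowedApps) {
    foreach ($app in $AllowedApps) {
        if (-not (Test-Path -LiteralPath $app)) {
            Write-Warning "Skipping missing path: $app"
            continue
        }
        # Same as "Allow an app through Controlled folder access" in the UI.
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    }
    Set-MpPreference -EnableControlledFolderAccess Enabled
    (Get-MpPreference).EnableControlledFolderAccess   # 0 = off, 1 = enforced, 2 = audit
}

# Typical rollout:
# Start-CfaAudit
# ... use the PC normally for a few days ...
# Get-CfaHits | Group-Object Process | Sort-Object Count -Descending | Select-Object Count, Name
# Enable-CfaEnforced -AllowedApps 'C:\Program Files\ExampleEditor\editor.exe'   # hypothetical path
```

Only allowlist a program after you recognize it and its path; an unfamiliar process in the audit results is something to investigate, not approve.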

These security features have been sitting in Windows all along. Taking just ten minutes to enable these protections could save you from a costly ransomware attack or malware infection. Your future self will definitely thank you later.
