Why Default Defender Isn't Enough
Out of the box, Microsoft Defender provides decent baseline protection. It catches known malware, runs scheduled scans, and integrates tightly with Windows. But Microsoft ships it in a deliberately conservative configuration — features are turned off to avoid false positives and support calls from less technical users.
The problem is that this leaves significant security gaps. Features like Attack Surface Reduction rules, network protection, and controlled folder access exist in every copy of Windows 10 and 11 — they're just sitting there, disabled. Enabling them transforms Defender from a basic antivirus into something that rivals paid security suites.
Here's what a default versus hardened Defender looks like:
| Feature | Default | Hardened |
|---|---|---|
| Tamper Protection | On | On |
| Cloud-Delivered Protection | On (Basic) | On (High+) |
| Block at First Sight | Off | On |
| Network Protection | Off | On |
| Controlled Folder Access | Off | On |
| ASR Rules (16 rules) | Off | On (Block/Warn) |
| PUA Blocking | Off | On |
| Script Scanning | Off | On |
| Email Scanning | Off | On |
That's a lot of red in the "Default" column. Let's fix it.
1. Enable Tamper Protection
Tamper protection prevents malware from disabling Defender itself — a common first move for any sophisticated threat. Thankfully, this is usually enabled by default on newer Windows installations, but it's worth confirming.
Open Windows Security → Virus & threat protection → Virus & threat protection settings → Manage settings. Scroll down and make sure Tamper Protection is toggled on.
2. Cloud-Delivered Protection & Block at First Sight
Cloud-delivered protection lets Defender send suspicious file hashes to Microsoft's cloud for real-time analysis. Block at First Sight takes this further — it holds unknown files for up to 10 seconds while the cloud makes a verdict, blocking execution until there's an answer.
The default cloud protection level is set to "Basic". You want it on "High+" with an extended cloud check timeout.

```powershell
# Set cloud block level to High+ (enum value 4; note that 6 is Zero Tolerance, which blocks every unknown executable)
Set-MpPreference -CloudBlockLevel HighPlus
# Extend cloud check timeout to 50 seconds (the maximum)
Set-MpPreference -CloudExtendedTimeout 50
# Enable Block at First Sight (the setting is a negative, so $false turns it on)
Set-MpPreference -DisableBlockAtFirstSeen $false
```
3. Network Protection
Network protection extends Defender's reach beyond files to network connections. It blocks outbound connections to known malicious domains and IP addresses — stopping phishing, command-and-control traffic, and exploit delivery at the network layer.
This is one of the most impactful features Microsoft ships disabled. Enable it:
```powershell
# Enable network protection
Set-MpPreference -EnableNetworkProtection Enabled
```
If you are worried about breaking something, set the value to AuditMode first to see what it would block without actually blocking, then switch to Enabled once you are happy with what shows up.
4. Controlled Folder Access (Ransomware Shield)
Controlled folder access is Microsoft Defender's built-in ransomware protection. It prevents untrusted applications from modifying files in protected folders (Documents, Desktop, Pictures, etc.). If ransomware tries to encrypt your files, it gets blocked at the filesystem level.
```powershell
# Enable controlled folder access
Set-MpPreference -EnableControlledFolderAccess Enabled
# Allow specific apps if they get blocked (example path)
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\YourApp\app.exe"
```
5. Attack Surface Reduction (ASR) Rules
ASR rules are arguably the most powerful hidden feature in Microsoft Defender. They block specific behaviours that malware commonly uses — Office macros spawning child processes, credential theft from LSASS, untrusted executables running from USB drives, obfuscated scripts, and more.
There are over 16 rules, each targeting a specific attack technique. Here are the most important ones:
```powershell
# Block Office apps from creating executable content
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
# Block Office apps from injecting code into other processes
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
# Block credential stealing from LSASS
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Enabled
# Block executable content from email client and webmail
Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
# Block JavaScript/VBScript from launching downloaded content
Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
# Block execution of potentially obfuscated scripts
Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
# Block untrusted/unsigned processes running from USB
Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled
# Block persistence through WMI event subscription
Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Enabled
```
And that's just eight of them. The full list includes rules for blocking Adobe Reader child processes, Win32 API calls from Office macros, persistence through WMI, and more. Each one closes a specific door that attackers commonly walk through.
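Switching all of these straight to Enabled on a machine you depend on can break line-of-business software, so the safer pattern is a staged rollout: audit first, review what would have been blocked, then enforce. The script below is an added example and not part of the original article; it assumes the Defender operational log name 'Microsoft-Windows-Windows Defender/Operational', that ASR audit hits are written as event ID 1122 (1121 for enforced blocks), and that the rule GUID is carried in the event's 'ID' data field.

```powershell
# Added example (not from the article): staged ASR rollout using the article's eight rule GUIDs.
$AsrRules = [ordered]@{
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Office apps creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Office apps injecting into other processes'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Credential stealing from LSASS'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Executable content from email/webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'JS/VBScript launching downloaded content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Potentially obfuscated scripts'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Untrusted/unsigned processes from USB'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Persistence through WMI event subscription'
}

# Apply one action to a set of rules in a single call. Ids and Actions are positional
# arrays, so the action is repeated once per rule to keep them aligned.
function Set-AsrRuleMode {
    param(
        [ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Action,
        [string[]]$RuleIds = @($AsrRules.Keys)
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds `
                     -AttackSurfaceReductionRules_Actions (@($Action) * $RuleIds.Count)
}

# Summarise what audit mode WOULD have blocked, per rule. Assumption: event ID 1122 is the
# ASR audit event (1121 = enforced block) and its 'ID' data field holds the rule GUID.
function Get-AsrAuditSummary {
    param([int]$Days = 7)
    $filter = @{ LogName   = 'Microsoft-Windows-Windows Defender/Operational'
                 Id        = 1122
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            RuleId  = ($data | Where-Object Name -eq 'ID').'#text'.Trim('{}').ToUpper()
            Process = ($data | Where-Object Name -eq 'Process Name').'#text'
        }
    } | Group-Object RuleId | ForEach-Object {
        [pscustomobject]@{
            Rule      = $AsrRules[$_.Name]
            RuleId    = $_.Name
            Hits      = $_.Count
            Processes = ($_.Group.Process | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Hits -Descending
}

# Week 1: audit everything. Week 2: review the summary, then enforce what is clean.
Set-AsrRuleMode -Action AuditMode
Get-AsrAuditSummary -Days 7 | Format-Table -AutoSize
# Set-AsrRuleMode -Action Enabled    # all eight rules, once the summary is acceptable
```

Run the audit summary for a week on representative machines; a rule whose only hits come from software you trust can move to Enabled, while hits you cannot explain deserve investigation before you decide.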
6. Potentially Unwanted App (PUA) Blocking
PUA protection blocks software that isn't technically malware but is unwanted — adware, browser hijackers, bundled toolbars, cryptocurrency miners, and system "optimisers" that do more harm than good.
```powershell
# Enable PUA protection
Set-MpPreference -PUAProtection Enabled
```
7. How to Verify Your Hardening
After applying all these settings, verify everything took effect:
```powershell
# Check all Defender preferences
Get-MpPreference
# Check ASR rules specifically
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
# Check real-time protection status
Get-MpComputerStatus
```
Look through the output and confirm that EnableNetworkProtection is set to 1, EnableControlledFolderAccess is 1, and the ASR rules list contains the GUIDs you enabled.
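Reading raw Get-MpPreference output by eye does not scale past one machine, so a repeatable check that compares the live configuration with the target state from this article and reports drift per setting is worth having. This is an added example, not the article's own script; the expected numeric values (1 = Enabled, 4 = HighPlus) are how Get-MpPreference reports these enum settings, and the GUIDs passed in are the eight rules enabled in section 5.

```powershell
# Added example (not from the article): check the live config against the target state.
function Test-DefenderHardening {
    param([string[]]$RequiredAsrRules)
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Get-MpPreference reports enum settings numerically: 1 = Enabled, 4 = HighPlus.
    $checks = [ordered]@{
        'Tamper Protection'        = @{ Expected = $true;  Actual = $status.IsTamperProtected }
        'Real-time Protection'     = @{ Expected = $true;  Actual = $status.RealTimeProtectionEnabled }
        'Cloud Block Level'        = @{ Expected = 4;      Actual = [int]$pref.CloudBlockLevel }
        'Cloud Extended Timeout'   = @{ Expected = 50;     Actual = [int]$pref.CloudExtendedTimeout }
        'Block at First Sight'     = @{ Expected = $false; Actual = $pref.DisableBlockAtFirstSeen }
        'Network Protection'       = @{ Expected = 1;      Actual = [int]$pref.EnableNetworkProtection }
        'Controlled Folder Access' = @{ Expected = 1;      Actual = [int]$pref.EnableControlledFolderAccess }
        'PUA Protection'           = @{ Expected = 1;      Actual = [int]$pref.PUAProtection }
    }

    # ASR Ids and Actions are parallel arrays; zip them so each GUID maps to its action.
    $asr     = @{}
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i]) { $asr[$ids[$i].ToString().ToUpper()] = [int]$actions[$i] }
    }
    foreach ($id in $RequiredAsrRules) {
        # 1 = Block (Enabled). A rule that was never added comes back $null and so fails.
        $checks["ASR $id"] = @{ Expected = 1; Actual = $asr[$id.ToUpper()] }
    }

    foreach ($name in $checks.Keys) {
        $c = $checks[$name]
        [pscustomobject]@{
            Setting   = $name
            Expected  = $c.Expected
            Actual    = $c.Actual
            Compliant = ($c.Actual -eq $c.Expected)
        }
    }
}

$results = Test-DefenderHardening -RequiredAsrRules @(
    '3B576869-A4EC-4529-8536-B80A7769E899', '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84',
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2', 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550',
    'D3E037E1-3EB8-44C8-A917-57927947596D', '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC',
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4', 'E6DB77E5-3DF2-4CF1-B95A-636979351E5B')
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Compliant }).Count
"$failed setting(s) out of compliance"
```

In a scheduled compliance job, follow the last line with `exit $failed` so any drift surfaces as a non-zero exit code.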
Or Skip the PowerShell — Do It in One Click
All of the settings above — every ASR rule, every protection toggle, every cloud setting — can be enabled with a single click using the Defender Hardening Console. It's free, it's private (no data collected), and it shows you exactly what's being changed.
Frequently Asked Questions
Does hardening Microsoft Defender slow down my PC?
No. Most hardening features like ASR rules and network protection run at the kernel level with negligible performance impact. Cloud-delivered protection may add a brief delay when opening unknown files for the first time, but this is typically under one second.
Can I undo these changes if something breaks?
Yes. Every setting can be reversed through the same PowerShell commands (replacing Enabled with Disabled or $false). The Defender Hardening Console also lets you toggle features on and off individually with a single click.
Do I still need third-party antivirus after hardening Defender?
For most users, a fully hardened Microsoft Defender provides excellent protection comparable to paid antivirus solutions. The hidden features, once enabled, close the gaps that previously made third-party tools necessary.
Which Windows versions support these features?
Most features work on Windows 10 version 1709 and later, and all editions of Windows 11. Some ASR rules require specific builds. The Defender Hardening Console automatically detects which features your system supports.