core isolation/memory integrity is the HVCI feature i mentioned a while back, though like all things Microsoft there's a lack of consistency and even the link i gave is now broken haha
it can be enabled regardless of third party AV and its actually enabled by default on new/compatible devices so i see no reason to discourage it's usage, it may break some older drivers but only because they are doing things they shouldn't be, potentially worth noting that the feature has also been bypassed so its usefulness is questionable

the DEP setting mentioned is outdated, despite the wording apps do run with DEP enabled by default

one thing to note about third party AV is that most lack support for vital features like AMSI and ELAM which defender has enabled by default, you should check with your AV provider to see if these are implemented and encourage them to do so if they havent

main thing i've not mentioned that i do suggest looking into is "Attack Surface Reduction rules", ASR rules are part of windows defender but they are off by default, they are a collection of features blocking the most common behaviours seen in the wild, they will genuinely save you from spear & phishing attacks that wont be picked up by any AVs for about a week after its too late, they also seem to add a new one with each release of windows 10
you can learn about them here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/a...
to enable the current ones without the hassle of figuring it out i refer to the powershell in my comment here: https://techcommunity.microsoft.com/t5/Windows-10-security/Harden-Windows-10/m-p/475686

im not trying to argue or anything, i have no conflict with most of what you're saying

1 correct, i was adding that this is what used to be known as HVCI, it was a more up and coming feature that didnt exist as core isolation at the time and now it does, memory isolation also has more features that arent exposed in the GUI so it may be useful for some to know

2 DEP as a memory feature isn't outdated, that GUI setting and its wording however is, if you want a gui to manage it the correct place to configure it now is via the "exploit protection" area of the security centre where you will also see that it is on by default

3 when i clear my microsoft account privacy settings it deletes my tech community account, the posts themselves would be deleted if there were any issues

4 again, not trying to argue, but since you bring it up i will say i am a kaspersky customer and my opinion is that kaspersky is generally as good as windows defender, their database is historically the best though defender in the last year has definitely caught up and is in second place, but toward my point: Kaspersky does indeed support AMSI and ELAM which most other AVs do not, Kaspersky also treats unknowns just as defender does which is why they pick up wrapped variants very quickly, but i maintain that it is impossible to catch everything the first time its ever seen, such as your example stuxnet was caught after the damage was done, not before, and something preventative like ASR could have prevented it ever getting into the supplier's systems

5 exactly, i just ask that you be less hostile, theres enough testosterone fuelled cesspits on the internet already

sorry i should be clearer, it is not third party, and it is not implemented the same way, i am talking about the below image, built into windows 10 for free

technically it is a replacement of a previously optional windows 7 tool known as "EMET" which itself was a gui tool for multiple exploit mitigations (not just DEP)

in current windows 10 DEP is enabled by default by this new implementation for applications despite of what you see in that older interface, hence i try to explain that the setting you are advising doesn't have the assumed impact as the outdated wording is misleading

that old interface is from 2003 and you will see in the new one that there are a whole 20 more configurable exploit mitigations (the ones pictured can be configured as system wide defaults, the rest have to be configured on an app by app basis)

i hope this information is interesting and valuable <3

but it does not even matter, changing that option does not do that, it does not function like it says, i dont know how else to explain this to you, seriously

what i have shown is not part of windows defender, DEP is part of windows itself, the security centre GUI is just a way to manage some windows security features AND windows defender features, and it has the same TWO DEP options:
ON: this is the SAME as: "Turn on DEP for all programs and services" except it actually WORKS
OFF: this is the SAME as: "Turn on DEP for essential Windows programs and services only" except it actually WORKS

THE DEFAULT IS ON

but as you have noticed by default the OLD setting is set to "Turn on DEP for essential Windows programs and services only" which is the same as OFF

how can DEP be ON and OFF for any application at the same time?

simple: it cannot, it is either off or it is on, and it is ON because

THE NEW SETTING WORKS

THE OLD SETTING DOES NOT

how can you suggest that i "really cant tell the difference" when i am wasting my time trying to explain this to you that what you SEE is a misconception

theres many obscure features in windows that have been depreciated, buttons that connect to nothing, text that is incorrect

the option you place trust in is 15 years old, yes it has two options, but DEP has four states

DEP is already enabled, for all programs and services, even though that option is not selected

because that option is overridden by the ON setting in the GUI in the image i showed you

it is YOU that cannot tell the difference

manual exceptions is the only reason why that old interface is still there, because sometimes you need to opt out of this 15 year old security feature to run even older software

but even that is essentially broken too as manual exceptions is replaced by application opt outs

DEP is already enabled, for all programs and services, with application opt outs instead of manual exceptions

enabling the option you are suggesting, only disables those application opt outs causing some old software to be unable to run, thats why its NOT SELECTED BY DEFAULT

things are the way they are for a reason, Microsoft did not spend the last fifteen years doing random engineering for the fun of it

to put it in your own words, "Windows is constantly changing and getting better. it's the duty of system admins to stay up to date." and im not even sure you are a system admin

stuff changes, the best option changes, new becomes old
using windows 7 changing the option is better than the default, feel free to enable it, i encourage it
using windows 10 changing the option is worse than the default, leave it alone, you dont understand what you are breaking

only reason i am responding at all is because there is so much outdated windows advice that people still follow and share online to the detriment of many

@Daniel Westerdale 

Why not buy Windows Secured-core C instead of some random Dell ?

https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers

Much better start.

Anyway you should use Bitlocker with TPM.