LPisGood 4 hours ago
What kind of obscure insecure defaults are there?
mr_mitm 2 hours ago
Check out the Microsoft baseline security guidelines for Windows 11. It's about 400 entries. 400 settings that Microsoft themselves recommend changing from the defaults to achieve baseline security. Why does Windows 11 show stock values in the task bar by default? Why does it show ads, games and yellow press headlines when you click on it? On the Enterprise edition! Xbox services are installed and running by default. Why?
seanieb 3 hours ago
Direct Send was my favorite. Direct Send allows devices to send unauthenticated email to internal recipients using your organization's domain, which can expose you to internal emails for phishing etc. It bypasses user authentication, making sender identity difficult to verify or audit. For all orgs made before mid-2025 it was enabled by default. I saw a great Black Hat talk this year about Entra misconfiguration that got Microsoft's own sensitive internal services owned by a researcher, one of them owned by their security team. After the report they reconfigured their services, didn't pay a bounty and considered the problems solved. What about their customers making the same config errors as the Microsoft team... no changes planned. There's much, much more...
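Added example, not from this thread: a PowerShell check, run from Exchange Online PowerShell, that reports whether the tenant still accepts Direct Send and switches rejection on if it does not. It assumes the ExchangeOnlineManagement module is installed and that the RejectDirectSend setting on Set-OrganizationConfig is available in the tenant.

```powershell
# Added example (not from the thread). Assumes the ExchangeOnlineManagement
# module is installed and that the RejectDirectSend organization setting
# exists in this tenant (assumption; check Get-OrganizationConfig first).
Connect-ExchangeOnline -ShowBanner:$false

$cfg = Get-OrganizationConfig

if ($cfg.RejectDirectSend) {
    Write-Host "Direct Send is already rejected for this tenant."
}
else {
    # $false is the pre-mid-2025 default described in the comment above:
    # unauthenticated devices may deliver mail to internal recipients
    # using the organization's own domain.
    Write-Host "Direct Send is ALLOWED (insecure default). Enabling rejection..."
    Set-OrganizationConfig -RejectDirectSend $true

    # Re-read the setting to confirm the change actually took effect.
    $after = Get-OrganizationConfig
    Write-Host ("RejectDirectSend is now: {0}" -f $after.RejectDirectSend)
}

Disconnect-ExchangeOnline -Confirm:$false
```

Before flipping the setting, inventory devices (printers, scanners, line-of-business apps) that legitimately relay through Direct Send and move them to an authenticated path, or they will stop delivering mail.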
e12e 3 hours ago
One not-so-obscure problem is how hard it is to only elevate yourself to admin when you need it (and run as a regular user the rest of the time). Essentially you need to pay double licensing for admin users so they can have two logins; and it's a pain to quickly elevate privilege to do day-to-day admin tasks. So if your friendly domain admin clicks the wrong link, your entire network is owned.
downrightmike 2 hours ago
Everything on by default in general has plagued them, because they don't want users to complain it doesn't work.