And how would you do that? There are so many points that you can plug into legitimately, and of course a myriad of software that does it, which has updates.
Or of course you can take the trusted boot option, but then, well, you get a lot of complaints that Microsoft is trying to control your software so only Microsoft-sourced programs will run.
Microsoft could include, as part of the install process, a separate, trusted minimal Windows installation (there are a plethora of ways to protect it) that can be used strictly for antivirus and malware scanning. In other words, they can build into the installation the same thing that technicians cobble together every day with Hiren's or UBCD4Win for the exact same purposes. Or just extend the current system recovery image that lets you do system restore and startup file check to include the ability to run virus or malware scans.