Was she cold-called 'by Microsoft', followed their instructions and then found herself in trouble? (Note: this never happens for real, nordo MS pay you/charity for every forwarding of an email, etc. Unless you have a specific service agreement already in place they wouldn't know your contact details if if your machine somehow 'calls home' to tell MS that there's a problem needing fixing.)
If this was the case then it really only gets prevented by knowing that this is a scam in advance. Those who fall for it (there's always a period in everyone's life when they never knew about this kind of thing, and some people also forget or don't remember/associate this as the thing they experience, afterwards, too) can often be asked to turn off any safeguards they may have had installed against hijacking.
If it was the machine that told her to call 'microsoft', then some malware or malware-gateway leaked through. For the former, up-to-date AV is a good protection (but there's always "zero day" or otherwise unrecognised methods around to avoid detection) and should always be considered checking to make sure it isn't lapsed/inactive.
The version where clickbait pop-up/email gets the user to install the problem (it may have been a "Microsoft alert" or "Document from someone you know" or "100 Millionth visitor!" or "Couples in you area", whatever it took to get you to succumb) is a bit of both issues. If you had not clicked then it would not have needed to be detected by the AV you ought to have had. But as both stages are fallible then there's enough possibility of jumping through both the hoops to make it worth someone's while.
Then there's the payload. If it is "lockdown ransomware" then the realistic solutions generally are one or a combination of:
1) take the hit, new machine or entirely new install (sufficient to override the altered boot-state) and trust to backups and recovered account details to bring you back to how you were,
2) Find a reputable de-ransoming solution (may not exist, but some don't do the public-encrypt/private-decrypt whole hog, and may have a reversal engineered by white-/grey-hats, or even other black-s, but they're probably not to be trusted), but make sure it is reputable, don't trust the machine online, make whatever backups/installation notes you need and then take the opportunity to refresh or replace the machine, restore everything legitimate (no possible remnants of the original problem) and move on,
X) NEVER take the option to pay the ransomwarer. It 'legitimises' their efforts, and you have no guarantee that they are willing, able or even the right person to 'repair' your machine. Even if it is unlocked, it may still be 'held on account' as a botnet assett or future "has paid, will pay again" victim. But should this be the way you go (DON'T!) and you're lucky enough to be given access then DO still take stock of your backups/etc and renew/replace the machine.
If it's not debilitating ransomeware, but just "pestering" notifications (probably trying to get you to install actual ransomware as the 'solution') then a quick fix is more possible without having to get around the worst of the above, but still you need to consider deep-cleaning with whichever AV you can (one 'active' one at a time), malware scanners, even manual checking.
It's not a "do this and it will be solved" thing, though. Far too many variations. If you do not already know how to solve it, better to get in contact with a local Tech Guy of known repute to assess the situation and discuss the possible fixes/fix-it-uppers. It's been a few years since I've had to deal with a fully-ransomed Windows machine (luckily, with a trivially simple 'lock' on it) or really bad virus, so I'm maybe not familiar with the very latest threats and need to ask people I know to assist/take over for me in awkward cases. And for the Mac I'd definitely defer to an Apple Store service desk unless I could get hold of the one guy I know who might have an immediate solution at hand.
I'm not entirely sure MS will have good news for you, when you talk to them. They'll have some generic fixes, but it really needs hands-on to deal with. But good luck with all that anyway. If nothing else, let everyone learn from this experience, and 'innocculate' themselves against this same/similar threat in the future, hopefully.
All the best.