Knowledge Base

Harden Windows Host

Updated 26 May 2026

OS Installation

Use the autounattend.xml answer file for a minimal Windows setup without bloatware.

YubiKey

  1. Download and install YubiKey Windows Software
  2. Reboot and log in with existing credentials
  3. Launch Yubico Login Configuration → Advanced → Use existing slot (Slot 1 for G1, Slot 2 for G2)

BitLocker

  1. Open gpedit.msc → Computer Configuration / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives
  2. Enable Require additional authentication at startup
  3. Set Configure TPM startup PIN → Require startup PIN with TPM
  4. Run as administrator:

     ```powershell
     manage-bde -protectors -add c: -TPMAndPIN
     ```

  5. Verify status:

     ```powershell
     manage-bde -status
     ```

  6. Reboot once encryption reaches 100%.
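
To confirm the BitLocker steps above took effect, the following added example (not part of the original page) audits the policy, the key protectors and the encryption state from an elevated PowerShell session. It assumes the OS volume is C: and that the gpedit setting is stored under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: audits the BitLocker steps on the local host.
# Assumptions: OS volume is C:, policy values live under the FVE policy key.

function Test-StartupPinPolicy {
    param([string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE')
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $detail = 'policy key not present'
    if ($p) { $detail = "UseAdvancedStartup=$($p.UseAdvancedStartup) UseTPMPIN=$($p.UseTPMPIN)" }
    # UseAdvancedStartup = 1: "Require additional authentication at startup" is enabled
    # UseTPMPIN          = 1: "Require startup PIN with TPM" (2 would only allow a PIN)
    [pscustomobject]@{
        Check  = 'Policy requires TPM startup PIN'
        Passed = ($null -ne $p) -and ($p.UseAdvancedStartup -eq 1) -and ($p.UseTPMPIN -eq 1)
        Detail = $detail
    }
}

function Test-OsVolumeProtection {
    param([string]$MountPoint = 'C:')
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    # Protector types currently on the volume, e.g. TpmPin, RecoveryPassword
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        Check  = 'TPM+PIN protector present'
        Passed = $types -contains 'TpmPin'
        Detail = $types -join ', '
    }
    [pscustomobject]@{
        Check  = 'Volume fully encrypted'
        Passed = ($vol.VolumeStatus.ToString() -eq 'FullyEncrypted') -and
                 ($vol.EncryptionPercentage -eq 100)
        Detail = "$($vol.VolumeStatus) $($vol.EncryptionPercentage)%"
    }
    [pscustomobject]@{
        Check  = 'Protection is on'
        Passed = $vol.ProtectionStatus.ToString() -eq 'On'
        Detail = "$($vol.ProtectionStatus)"
    }
}

# Run every check, print a table, and return a non-zero exit code on any failure
$results = @(Test-StartupPinPolicy) + @(Test-OsVolumeProtection)
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }
```

The non-zero exit code lets a scheduled task or management agent flag hosts where the PIN requirement or encryption has drifted.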