# Harden Windows Host

### OS Installation

Use my [autounattended](https://github.com/0xPThree/windows-autounattended?tab=readme-ov-file) file for a minimal, non-bloated Windows installation.

### Yubikey

1. Download [Yubikey Windows Software](https://www.yubico.com/products/computer-login-tools/).
2. Install it and reboot the device. Log in with your previous credentials.
3. Run the Yubico Login Configuration software and choose Advanced > Use existing (Slot 1 for G1, Slot 2 for G2).

### BitLocker

1. Open `gpedit.msc` and go to `Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives`.
2. Require additional authentication at startup: Enabled. \
   Configure TPM startup PIN: Require startup PIN with TPM
3. Run CMD as admin: `manage-bde -protectors -add c: -TPMAndPIN`
4. Check the encryption progress with `manage-bde -status`.
5. Reboot when 100% encrypted.
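
A check to run before the reboot in step 5, as an added example that is not part of the original notes: it confirms that the policy from step 2 and the TPM+PIN protector from step 3 are actually in place. It assumes the OS drive is `C:` as in the steps above and reads the `HKLM:\SOFTWARE\Policies\Microsoft\FVE` values that the Group Policy setting writes; the check names are made up for this example.

```powershell
# Added example: verify the BitLocker TPM+PIN setup (steps 1-4 above).
# Save as a .ps1 file and run it from an elevated PowerShell session.
#Requires -RunAsAdministrator

$mount = 'C:'   # assumption: OS drive, as used in step 3

# Values written by the "Require additional authentication at startup" policy.
# UseAdvancedStartup = 1 means the policy is enabled,
# UseTPMPIN = 1 means "Require startup PIN with TPM" (2 would only allow it).
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                        -ErrorAction SilentlyContinue

# Current state of the volume and the protector types attached to it.
$vol   = Get-BitLockerVolume -MountPoint $mount
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

$checks = [ordered]@{
    'Policy: additional authentication at startup enabled' = ($fve.UseAdvancedStartup -eq 1)
    'Policy: startup PIN with TPM required'                = ($fve.UseTPMPIN -eq 1)
    'Volume: TpmPin protector present'                     = ($types -contains 'TpmPin')
    # A leftover TPM-only protector would unlock the drive without the PIN.
    'Volume: no TPM-only protector'                        = ($types -notcontains 'Tpm')
    'Volume: fully encrypted'                              = ($vol.VolumeStatus.ToString() -eq 'FullyEncrypted')
    'Volume: protection on'                                = ($vol.ProtectionStatus.ToString() -eq 'On')
}

$failed = 0
foreach ($name in $checks.Keys) {
    if ($checks[$name]) {
        Write-Host "[ OK ] $name"
    } else {
        Write-Host "[FAIL] $name"
        $failed++
    }
}

Write-Host ("Encryption: {0}%   Protectors: {1}" -f $vol.EncryptionPercentage, ($types -join ', '))

if ($failed -gt 0) {
    Write-Warning "$failed check(s) failed; fix them before relying on the startup PIN."
}
```

The two volume-status checks report FAIL while encryption is still running, which matches step 5: reboot only once everything shows OK.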
