This awesome tool is highly recommend

Requirements

• Standards for a highly secure Windows 10 device
• System up2date with latest Windows 10 stable version
• (default activated) and Up2date internal Microsoft Defender protection instead of external "Security" solutions
• Latest Driver and Program updates
• No "Tuning" tools (not even stuff like Ccleaner!)
• Only necessary programs / apps / games which you realy need
• Hardware Requirements for System Guard / Hardware-based Isolation
• Hardware Requirements for Memory integrity
• Hardware Requirements for Microsoft Defender Application Guard (WDAG)
• Hardware Requirements for Microsoft Defender Credential Guard

Hardening

• set User Account Control (UAC) to maximum
• create another Admin account and transform your current one to limited/ restricted/ standard user account to reduce the attack surface enormously. Don't use Admin account for your tasks!
• use Software Restriction Policies (SRP) with a default-deny mode
• execute/ open new files with one-day-delay because after one day, the malware is not 0-day anymore
• block all incoming connections with Microsoft Defender Firewall
• Always display file type extension
• Manage Microsoft Defender Credential Guard
• Install Microsoft Defender Application Guard (WDAG)
• Enable Memory integrity (HVCI)
• Enable Network Protection (NP)
• Enable SmartScreen and enable SmartScreen Log
• Enable Controlled Folder Access (CFA)
• Enable Attack Surface Reduction rules (ASR)
• Harden Address Space Layout Randomization (ASLR)
• Enable System Guard Secure Launch
• Enable cloud-delivered protection
• Activate Potentially unwanted applications (PUA) protection
• Enable Bitlocker Encryption with TPM, optionally with Startup PIN & read about Countermeasures and reduce DMA threats
• Use Windows Sandbox for unknown/ untrusted binarys - you can use it with right click menu - or use Virtual Machine with Hyper-V
• Enable sandboxing for Microsoft Defender Antivirus
• Only elevate executables which are signed and validated
• use the only browser on Windows 10 that natively supports hardware isolation: Edge
• use EFS file encryption for very sensitive files - also compatible with Bitlocker

Further Hardening

• Specify the cloud-delivered protection level
• Configure Exploit Protection, like Edge 90+ with enforced CET
• Microsoft recommended block rules
• Control USB devices and other removable media
• UEFI Hardening (NSA Defensive Practices Guidance) PDF & Hardware-and-Firmware-Security-Guidance
• Hardware and Firmware Security Guidance for Windows & AMD CPUs - you will find more in the overview
• Deploy Windows Security Baselines and keep it up2date
• use Mandatory Integrity Control

For Enterprise/ Company only

• Application Control (WDAC)
• Enterprise Certificate Pinning
• Block untrusted fonts in an enterprise
• Web protection
• Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
• Manage Windows Hello for Business
• Protect against DLL Search Order Hijacking

Test Config

• Validate connections between your network and the Microsoft Defender Antivirus cloud service
• Verify client connectivity to Microsoft Defender ATP service URLs
• Validate Microsoft Defender Tamper protection
• Confirm and validate that Defender "Block at First Sight" (BAFS) is enabled
• Microsoft Defender Testground
• Microsoft Defender SmartScreen Demo Pages
• Validate your Kernel DMA Protection
• Test your Antimalware Scan Interface (AMSI)
• Test your Network protection
• Changelogs for Defender security intelligence updates
• check if your Bitlocker is safe against Bitleaker: Blog

Reading Material:

• Defender Firewall with Advanced Security
• https://github.com/frizb/Windows-Privilege-Escalation
• https://github.com/LOLBAS-Project/LOLBAS
• https://github.com/api0cradle/UltimateAppLockerByPassList
• https://trustedwindows.wordpress.com/
• https://docs.microsoft.com/en-us/windows-hardware/drivers/install/early-launch-antimalware
• https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
• https://docs.microsoft.com/en-us/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10
• https://docs.microsoft.com/en-us/windows/security/
• a picture about Microsoft Defender local and cloud script protection
• a picture about Attack Surface Reduction (ASR) Rules
• Security Unlocked - The Microsoft Security Podcast
• How the hell WD works on Windows Home & Pro documentation from AndyFul
• Windows AppContainer Isolation - what it does? from AndyFul
• Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection
• Windows Defender Application Control (WDAC) Resources
• Why UAC is important at maximum (not default) level: 1, 2, 3, 4, ..
• Testing DLL Search Order Hijacking against security features from AndyFul
• Some info about training AMSI machine learning models from AndyFul
• Cheap sandboxing with AppContainers Blog
• Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs Blog
• Complete W^X implementation in Windows with ACG
• Understanding Hardware-enforced Stack Protection (CET)
• Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode Blog
• Security Unlocked - The Microsoft Security Podcast about Below the OS: UEFI Scanning in Defender
• How the (Powershell) Constrained Language Mode is enforced Blog
• Application Control denies execution of randomly generated PowerShell PS1 files Blog
• Applocker and PowerShell: how do they tightly work together? Blog
• PowerShell 5.0 and Applocker. When security doesn’t mean security Blog
• German BSI - SiSyPHuS Win10: Study on System Integrity, Logging, Hardening and Security relevant Functionality in Windows 10
• rc3 event - Breaking Thunderbolt 3 Security
• CIS Security Benchmark
• NIST Security Technical Implementation Guide
• AppLocker and WDAC help Blog
• Microsoft Defender Attack Surface Reduction (ASR) recommendations