1.) Update Windows 10
In Start > Settings > Update, continue updating and rebooting Windows until there’s nothing left. I usually wait until this is done before I start installing stuff.
2.) Set UAC to full
Listen to me. UAC is a critical security control that has vast impacts you can’t see. It is not computer bubblewrap. It exists for very important reasons. You aren’t cool for turning it off.
Follow these instructions to set UAC to the highest option, “Always notify me.” Anything less allows any malware to instantly elevate to administrator level permissions. UAC isn’t magic, but it’s a layer you want to use.
3.) Enable Drive Encryption
If you have Windows 10 Home:
If you have Windows 10 Pro:
Right-click on Start > Control Panel > BitLocker Drive Encryption > Turn on BitLocker
Or why not use Veracrypt?
With SecureBoot, before your computer boots to Windows it verifies the OS hasn’t been corrupted with a bootkit that modifies Windows that lets a virus run hidden. 3rd party encryption tools break this chain of trust that flows from UEFI to Windows bootloader to BitLocker. This chain of trust is critical for preventing an entire category of attack against Windows. This is not theoretical, this stops real-life attacks.
For more info visit http://www.cans.scot