Set the boot password (and add it to your password manager)
Get the Windows OS Key and store it somewhere safe.
Open a command prompt with administrator permissions.
Enter the command "wmic os get serialnumber" and your Windows OS Key will
be returned.
Create a recovery drive of the factory backup.
This will allow you to recover your software should the system refuse to boot
due to a virus infection, or after the hard drive is replaced.
Set boot to use PIN rather than password (more secure)
Enable Windows Secure Login (CTRL-ALT-DEL)
Consider increasing system security with two-factor authentication (2FA) via a physical security key
Check Windows OS for updates, and review the settings.
Create a System Restore Point (Windows settings)
Disable BIOS fast boot.
(If enabled, booting from the network and other drives is disabled until the OS loads)
Enable Boot Menu
Configure BIOS password (prevents unauthorized entry into the BIOS utility).
Disable Windows Fast Startup.
(The hibernation state can adversely affect a Windows update, and it
will lock your hard drive, preventing a dual boot option).
Uninstall all of the bloatware you don't intend to use
Install virus protection software
Install your favorite internet browser
Enable Encrypted DNS.
(encrypts DNS queries)
Install any custom software you desire, including a video player,
file compression (7-Zip), etc.
Copy over any personal data (My Documents) that you want
Create and implement a backup system for your data
Create a second recovery drive of your custom configured system
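
To confirm that three of the items above actually took effect (Fast Startup disabled, Secure Login required, a System Restore Point present), the following read-only check can be run afterwards. It is an added example, not part of the original checklist; Get-RegValue is a helper name made up for this script, and it assumes an elevated Windows PowerShell 5.1 prompt.

```powershell
# Added example: read-only audit of three checklist items.
# Assumes an elevated Windows PowerShell 5.1 prompt (Get-ComputerRestorePoint
# is a Windows PowerShell cmdlet).

function Get-RegValue {
    # Hypothetical helper: returns $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$results = @()

# Fast Startup: HiberbootEnabled = 0 means it is turned off.
# A missing value is reported as "not confirmed" rather than as a pass.
$powerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$hiberboot = Get-RegValue $powerKey 'HiberbootEnabled'
$results += [pscustomobject]@{
    Item   = 'Windows Fast Startup disabled'
    Pass   = ($hiberboot -eq 0)
    Detail = "HiberbootEnabled=$hiberboot"
}

# Secure sign-in (CTRL-ALT-DEL): DisableCAD = 0 means the key press is required.
# A policy value, when present, takes precedence over the Winlogon value.
$cad = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableCAD'
if ($null -eq $cad) {
    $cad = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'DisableCAD'
}
$results += [pscustomobject]@{
    Item   = 'Secure sign-in (CTRL-ALT-DEL) required'
    Pass   = ($cad -eq 0)
    Detail = "DisableCAD=$cad"
}

# System Restore: at least one restore point should exist.
$points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
$latest = $points | Sort-Object SequenceNumber | Select-Object -Last 1
$results += [pscustomobject]@{
    Item   = 'System Restore Point exists'
    Pass   = ($points.Count -gt 0)
    Detail = "Count=$($points.Count); Latest=$($latest.Description)"
}

$results | Format-Table -AutoSize

# To fix a failed item (these lines change the system, so they are left commented out):
# Set-ItemProperty -Path $powerKey -Name HiberbootEnabled -Value 0
# Checkpoint-Computer -Description 'Baseline after setup' -RestorePointType MODIFY_SETTINGS
```

Any row with Pass = False points back to the matching checklist step.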