How To Equip Your Home Or Office Windows 10 Based PC With Military Grade Security

Vivek Chakraverty
10 min read · May 24, 2021

So, you are paranoid about security! These days hacking tools are readily available. Add to that the fierce business competition where critical information about your business can make or break your business; it pays to be paranoid.

There are two basic ways hackers can get access to sensitive information, viz:

· Online

· Access to your physical machine

Securing Physical Access To Your Machine

This article will guide you through making an ordinary Windows 10 PC into a system sporting military-grade security. But you would need some essentials first which are as follows:

· Windows 10 Professional

· In-built fingerprint scanner or a fingerprint scanner dongle

· A blank and formatted USB drive

· Chrome or Edge Browser

Phase I- Adding A Bitlocker USB Key And Enabling Hibernate

So, here we go:

· Check If There Is A TPM Chip On Your System

This is the very first thing to do before you turn on Bitlocker for your partition or system drive. For Bitlocker, you need support for TPM version 1.2 or higher, though there are ways to bypass that requirement. TPM refers to the features introduced by Microsoft in Windows to facilitate hardware-based, security-related functions. The TPM chip we are talking about is a secure cryptoprocessor designed to carry out cryptographic operations.

You can check your TPM readiness by:

Press Windows+R to open the Run dialog box. Type “TPM.MSC”.

If there is a TPM chip in your system, you should see a window that is something similar to this:

If your machine is really old and does not have a TPM chip, you can buy one for your system here. (I receive no referral payments)

· Let’s Make Your System Ready For BitLocker (Without TPM Too)

Now it’s time to get down and dirty with all those security settings. First, we take a look at turning on Bitlocker for systems without TPM chips:

Press Windows + R to open the run dialog box.

Type in “gpedit.msc” and press OK.

This will take you to the local group policy editor. You can also access it by typing “Local Group Policy Editor” in the search box and opening it. It would look like this:

Now, navigate to Computer Configuration- Administrative Templates- Windows Components -BitLocker Drive Encryption- Operating System Drives.

Then double click on the option “Require Additional Authentication At Startup” and check for the following settings:

· Let’s Turn On BitLocker

Well, this is going to be pretty straightforward, with a wizard guiding you along the way. First, open up This PC, right-click on the drive to lock, and choose Turn on BitLocker.

You may also go to the Control Panel- System and Security- Bitlocker Drive Encryption. It will look like this:

Go ahead, turn on Bitlocker, and the Bitlocker setup wizard will emerge:

Choose the first option, i.e., USB key, and follow the on-screen wizard.

Or

Also, it can be time for some manual (read easy) coding.

Open the command prompt with administrator privileges and paste the following:

manage-bde -protectors -add C: -TPMAndStartupKey X:

Note: Remember to replace C: with the drive letter you wish to encrypt and X: with the removable disk drive letter.

The wizard will then ask you to save your recovery key. The most popular option is to save it to your Microsoft Account. Remember, you can protect access to your Microsoft Account and services data by enabling 2FA (two-factor authentication) through the Microsoft Authenticator App.

Next, you will get the option of encrypting either the used portions of your drive or the entire drive itself. The latter is obviously more time-consuming, as the following screenshot will bear out:

Encryption Mode

Windows will also let you choose between traditional encryption modes and relatively more modern encryption modes. If you have a fixed drive, opt for the latter:

Finally, if you tell it to, Bitlocker can also run a check to make sure it can encrypt the drive and recover it, if required. Again, doing this is highly recommended.

Now Bitlocker will encrypt the drive.

· Hibernate

Well, the job is only one-fourth done. Remember, Bitlocker doesn’t get active if you put your computer in sleep mode. It requires you to shut down or restart your PC to spring into action. But luckily for us, there is one workaround: Hibernate.

When you put your Windows 10 PC in hibernate mode with a drive encrypted with Bitlocker, you will need your USB key to sign back in again. Usually, Hibernate isn’t included in the default power options of Windows 10. But dig deep, and it is still there.

How To Enable Hibernate In Windows 10

Go To:

Control Panel- System and Security- Click on Power Options

In the left-hand side menu, select:

Choose What the Power Buttons Do

By default, the Shutdown Settings will be greyed out:

Next, click on the link below the first paragraph:

“Change settings that are currently unavailable.”

The options will become available:

Check-mark the Hibernate option to make it active:

Now every time you Hibernate your PC, you will require your USB key to log in.
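To confirm that the Phase I steps took effect, the following read-only audit checks the TPM, the startup authentication policy, the drive's key protectors and the hibernate setting in one pass. It is an added example, not part of the original article; the function name Get-Phase1Report is hypothetical and C: is assumed to be the encrypted drive.

```powershell
# Added example: read-only audit of the Phase I settings (run from an elevated PowerShell prompt).
# Get-Phase1Report is a hypothetical name; C: is an assumed default for the encrypted drive.
function Get-Phase1Report {
    param([string]$Drive = 'C:')
    $r = [ordered]@{}

    # 1. TPM: the same facts tpm.msc displays.
    $tpm = Get-Tpm
    $r['TpmPresent'] = $tpm.TpmPresent
    $r['TpmReady']   = $tpm.TpmReady
    $w = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r['TpmSpecVersion'] = if ($w) { $w.SpecVersion } else { 'none reported' }

    # 2. "Require additional authentication at startup" policy, stored under the FVE policy key.
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $r['StartupAuthPolicyEnabled'] = [bool]($fve -and $fve.UseAdvancedStartup -eq 1)
    $r['AllowedWithoutTpm']        = [bool]($fve -and $fve.EnableBDEWithNoTPM -eq 1)

    # 3. BitLocker state and key protectors on the drive.
    $vol   = Get-BitLockerVolume -MountPoint $Drive
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $r['VolumeStatus']     = "$($vol.VolumeStatus)"
    $r['ProtectionStatus'] = "$($vol.ProtectionStatus)"
    $r['EncryptionMethod'] = "$($vol.EncryptionMethod)"
    $r['KeyProtectors']    = $types -join ', '
    # An ExternalKey protector can be either a USB startup key or a saved recovery key file.
    $r['HasUsbKeyProtector']  = [bool]($types -match 'StartupKey|ExternalKey')
    $r['HasRecoveryPassword'] = $types -contains 'RecoveryPassword'

    # 4. Hibernate must be available, since sleep does not bring BitLocker into play.
    $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $r['HibernateEnabled'] = ($power.HibernateEnabled -eq 1)

    # Collect the gaps that would undermine the setup described in this phase.
    $gaps = @()
    if ($r['ProtectionStatus'] -ne 'On') { $gaps += 'BitLocker protection is not on' }
    if (-not $r['HasUsbKeyProtector'])   { $gaps += 'no USB key protector on the drive' }
    if (-not $r['HasRecoveryPassword'])  { $gaps += 'no recovery password protector' }
    if (-not $r['HibernateEnabled'])     { $gaps += 'hibernate is disabled' }
    $r['Gaps'] = if ($gaps) { $gaps -join '; ' } else { 'none' }
    [pscustomobject]$r
}

Get-Phase1Report | Format-List
```

A "Gaps" value of "none" means the drive is protected, has a USB key and a recovery password, and hibernate is available.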

· Hibernate Shortcut

Remembering the golden adage of KISS (Keep It Simple, Stupid), let’s create a shortcut icon and keyboard button combination for our new hibernate capabilities. Let’s Go!

Right-Click on the desktop, then select “New”, and finally select shortcut. This will bring up the following screen:

Type in the following location:

C:\Windows\System32\shutdown.exe /h

And finally:

Let’s add some finishing touches.

Shortcut Icon

Right-click on the icon and choose properties:

Add a shortcut key combination (make it easy to remember and execute)

Lastly, add an icon to your new shortcut. Choose the change icon option in the Properties window’s shortcut tab and choose one that suits you.

Phase II- Configure Hello In Such A Way That You Can Only Login In With Your Fingerprint

Technically speaking, you can’t configure Windows Hello in a way that will let you log in with solely your fingerprint. Microsoft thinks PINs, as part of their Passport system, serve as an effective security measure. However, you, being a hyper-paranoid person, are afraid that people with telepathic powers (just kidding) might know the PIN, thereby rendering the login security mechanism useless. The point is, PINs are just not secure enough, and it is better to do without them.

Usually, you can turn off Windows Hello from Group Policy Editor (like in the following screen). But doing so turns off the fingerprint and other login options together with the PIN. So that is hardly a way out.

Let’s talk about the essential biometric hardware first. These days a large majority of fairly advanced laptops come with fingerprint scanners. Even if your laptop or desktop doesn’t have one, you can buy one for as little as $30. This MakeUseOf review should help you in making a decision.

· Let’s set up our Windows Hello fingerprint and PIN Login

Go to

Settings- Accounts- Sign-in options

· Setting Up Fingerprint

Choose the Fingerprint Option and Click on Add

Follow the on-screen instructions!

When you set up a fingerprint profile for Windows Hello, you will be asked to register your PIN. Though Windows might not always ask for it immediately, the next time you boot, it will indeed ask for the same with a Setup Prompt Notification. So, let’s do it.

Click on the Windows Hello PIN Add button

You will be asked to verify your Microsoft Account Password, do it!

· Setting Up The PIN

Now let’s enter the PIN.

And here’s the intelligent part of the whole exercise to turn your ordinary Windows 10 PC into a device that employs military-grade security.

Go to the Secure Password Generator tool:

Click on the Generate Password button a few times and finally copy one and set it as your 127-character (the maximum number of characters allowed by Windows Hello) PIN. People paranoid about telepathic aliens need not even try to copy the password, remember it, or store it. If it is THAT MUCH needed, we can always recover it from our Microsoft account. This brings us to the third phase of securing our PCs to military-grade standards.
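A secret of the same length can also be produced on the machine itself, so it never passes through a web page. The snippet below is an added example, not part of the original article; the function name New-HelloPin is hypothetical and the character set is an assumption you can change.

```powershell
# Added example: generate a 127-character secret locally with the OS random number generator.
# New-HelloPin is a hypothetical name; the alphabet below is an assumed character set.
function New-HelloPin {
    param([int]$Length = 127)
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@_'
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1
    # Reject bytes at or above the largest multiple of the alphabet size,
    # so that every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    $sb    = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
    } finally {
        $rng.Dispose()
    }
    $sb.ToString()
}

# Put the result on the clipboard instead of printing it to the console.
New-HelloPin | Set-Clipboard
```

Clear the clipboard once the PIN is set, since clipboard history can retain the value.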

Phase III- Securing Your Microsoft Account With 2FA

Go to the security settings of your Microsoft account.

Scroll down to two-factor authentication.

Click On Set-up Two-Factor Authentication

It will ask you to check the following:

It will ask you for the following Outlook settings:

Finally, Microsoft will inform you that certain other services would still require passwords:

Finally, 2FA for your Microsoft account is set up.

Having 2FA for your Microsoft account will make it much harder for anyone to get access to your PIN retrieval process.

Phase IV- Password Managers With Biometric Logins

If you use the Chrome and Edge browsers, AutoFill is a nifty little free tool to manage your passwords. It is bundled into Edge, and you can find it at Settings — Profiles — Passwords. There is also a Chrome extension which you can find here.

It will not let anyone view passwords without your Windows Hello fingerprint. While password managers may not allow you to view website login passwords without verifying biometric credentials, this extension doesn’t quite enable biometric passwords.

However, for genuinely military-grade security in this respect, we also recommend Sticky Passwords. It will set you back by $30 annually for the premium version but enables biometric logins. But I am tempted to think that the military can indeed afford the thirty bucks! We mention this particular product as Sticky Passwords is featured in Giveaway of the day and other deals and freebie sites from time to time, so if you can wait, you might get the premium version for free.

There is another affordable option which we will detail in the following paragraphs- Roboform. First, you need to observe the following steps:

Visit https://www.roboform.com/download and download the latest version of the software:

Follow the onscreen instructions and create an account with a master password. Note it and store it securely. It won't be needed daily, but from time to time (30 days, Roboform tells us).

Then go to your taskbar, extend it by clicking on the upwards arrow, right-click on the RoboForm icon, and select Options.

Choose Windows Hello as the authentication method:

Now you can log in to sites by using your Windows Hello credential, which is your fingerprint.

For extra security, check-mark the auto-logout option and set the number of minutes of inactivity after which Roboform will log itself out. Setting the value to 1 minute will mean that you will have to verify your Windows Hello credentials almost every time you log in to a site.

One crucial tip: If you plan to use Roboform on your Android device, you should install and set up the Android app before you install it on your Windows device. This is because you can get locked out of Google accounts, including Google Play Store, if you change its password and forget it.

Hopefully, now that you know all this, the FBI might call you for a Security Consultant job opportunity. :)

PS: Some of the images have been sourced from the internet. The respective copyrights rest with the owners.
