There are some additional suggestions. Currently I do not have a GitHub account, so I cannot submit a PR.
- use secured-core devices with timely firmware support. My personal recommendation is the Surface for Business series.
- turn on Smart App Control. If you have privacy concerns, skip this and use WDAC instead.
- configure BitLocker to use TPM+PIN, a long PIN length and 256-bit encryption
- disable Microsoft account
- only update drivers through Windows Update or official websites. Avoid software like Geforce Now
- do not show username on lock screen
- use YubiKey as local account 2FA method
- turn off this telemetry. 1 2 3
- enable complete mitigations for side channel attacks. Also this
- these settings to improve security. 1 2 3 4 5
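A read-only audit of several settings from the list above (BitLocker cipher and TPM+PIN protector, minimum PIN policy, Microsoft account block, hidden last username, Smart App Control state), as an added example that is not part of the comment above. The BitLocker cmdlet and the policy registry paths are standard Windows locations; the Smart App Control state value under `CI\Policy` is an assumption and should be confirmed against the Windows Security app.

```powershell
# Added example: audit a few hardening settings on the local machine.
# Read-only; run from an elevated PowerShell on Windows 11.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist (policy never set)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()
function Add-Finding([string]$Check, [bool]$Pass, $Actual) {
    $script:findings += [pscustomobject]@{ Check = $Check; Pass = $Pass; Actual = $Actual }
}

# BitLocker on the OS volume: XTS-AES-256 and a TPM+PIN key protector
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Finding 'BitLocker uses XTS-AES-256' ($os.EncryptionMethod -eq 'XtsAes256') $os.EncryptionMethod
$protectors = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
Add-Finding 'BitLocker has TPM+PIN protector' ($protectors -contains 'TpmPin') ($protectors -join ',')

# Minimum PIN length policy (FVE\MinimumPIN); 20 is a constructed threshold for "long"
$minPin = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' 'MinimumPIN'
Add-Finding 'BitLocker minimum PIN length >= 20' ($minPin -ge 20) $minPin

$sysPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "Accounts: Block Microsoft accounts" = 3 (users cannot add or log on with them)
$noConnected = Get-RegValue $sysPolicy 'NoConnectedUser'
Add-Finding 'Microsoft accounts blocked' ($noConnected -eq 3) $noConnected

# "Interactive logon: Don't display last signed-in" = 1
$hideUser = Get-RegValue $sysPolicy 'DontDisplayLastUserName'
Add-Finding 'Last username hidden on lock screen' ($hideUser -eq 1) $hideUser

# Smart App Control state (assumed: 1 = on, 2 = evaluation, 0 = off)
$sac = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' 'VerifiedAndReputablePolicyState'
Add-Finding 'Smart App Control on (assumed value 1)' ($sac -eq 1) $sac

$findings | Format-Table -AutoSize
```

Any row with `Pass` false is a setting from the list that still needs attention; a blank `Actual` means the policy was never configured.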