2.2 Given a scenario, configure and apply basic Microsoft Windows OS security settings.
📘CompTIA A+ Core 2 (220-1202)
What is BitLocker?
BitLocker is a full-disk encryption feature built into Microsoft Windows.
- It encrypts data stored on a drive
- It protects data if a device is lost, stolen, or accessed without permission
- Even if someone removes the hard drive and connects it to another computer, the data remains unreadable
For the exam, remember:
BitLocker = Drive encryption used to protect data at rest
Why BitLocker Is Important (Exam Focus)
BitLocker protects data at rest, which means:
- Data stored on hard drives, SSDs, USB drives, and external disks
It helps prevent:
- Unauthorized access to company data
- Data leaks from lost or stolen laptops
- Offline attacks on Windows systems
Versions of Windows That Support BitLocker
For CompTIA A+, you must know where BitLocker works.
Supported Editions
- Windows Pro
- Windows Enterprise
- Windows Education
Not Supported
- Windows Home (standard BitLocker not available)
⚠️ Exam tip: If a scenario uses Windows Home, BitLocker is not available
What Drives Can Be Encrypted with BitLocker?
BitLocker can encrypt:
- Operating System Drive
  - Usually the C: drive
  - Encrypts Windows system files and user data
- Fixed Data Drives
  - Internal drives (secondary hard drives or SSDs)
- Removable Drives (BitLocker To Go)
  - USB flash drives
  - External hard drives
BitLocker To Go is the version used for removable media
How BitLocker Works (Simple Explanation)
BitLocker uses encryption algorithms to scramble data.
- Data is encrypted automatically in the background
- Authorized users can access data normally
- Unauthorized users see unreadable data
Encryption is transparent:
- Users don’t need to manually encrypt or decrypt files
- Windows handles encryption automatically after login
Trusted Platform Module (TPM)
What is TPM?
TPM (Trusted Platform Module) is a hardware security chip built into many computers.
TPM:
- Stores encryption keys securely
- Helps ensure the system has not been tampered with
- Improves BitLocker security
BitLocker with TPM
When TPM is available:
- BitLocker automatically unlocks the drive during boot
- No user action is required
- Most secure configuration
BitLocker Without TPM
If TPM is not available, BitLocker can still work using:
- USB startup key
- PIN at boot
This must be enabled using Group Policy
Exam keyword: BitLocker can work with or without TPM
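To see how the TPM check and the Group Policy exception fit together in practice, here is an added PowerShell example (written for these notes, not taken from the original page or from Microsoft) that reports whether a machine has a usable TPM and whether local policy allows BitLocker without one. It reads the registry values that the "Require additional authentication at startup" policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE; the function names are my own. Run it from an elevated prompt, because Get-Tpm needs administrator rights.

```powershell
# Added example: check TPM readiness and the "BitLocker without TPM" policy.
# Function names are assumptions made for this example; the cmdlets and the
# registry value names are the ones Windows itself uses.

$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-TpmState {
    # Get-Tpm comes from the TrustedPlatformModule module (elevation required).
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        [pscustomobject]@{
            Present = [bool]$tpm.TpmPresent
            Ready   = [bool]$tpm.TpmReady
        }
    } catch {
        # No TPM driver, a VM without a virtual TPM, or not elevated: treat as absent.
        [pscustomobject]@{ Present = $false; Ready = $false }
    }
}

function Get-BitLockerNoTpmPolicy {
    # "Require additional authentication at startup" writes these values:
    #   UseAdvancedStartup = 1  -> policy is enabled
    #   EnableBDEWithNoTPM = 1  -> "Allow BitLocker without a compatible TPM" is ticked
    $pol = Get-ItemProperty -Path $FvePolicyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyConfigured = [bool]$pol
        AllowNoTpm       = ($pol.UseAdvancedStartup -eq 1 -and $pol.EnableBDEWithNoTPM -eq 1)
    }
}

function Test-BitLockerStartupReadiness {
    $tpm = Get-TpmState
    $pol = Get-BitLockerNoTpmPolicy
    $result = if ($tpm.Present -and $tpm.Ready) {
        'TPM available: TPM-only or TPM+PIN protectors can be used'
    } elseif ($pol.AllowNoTpm) {
        'No usable TPM, but policy allows a USB startup key or startup password'
    } else {
        'No usable TPM and policy does not allow BitLocker without a TPM'
    }
    [pscustomobject]@{
        TpmPresent  = $tpm.Present
        TpmReady    = $tpm.Ready
        NoTpmPolicy = $pol.AllowNoTpm
        Result      = $result
    }
}

function Enable-BitLockerNoTpmLocalPolicy {
    # Local equivalent of enabling the policy in gpedit.msc on a standalone PC.
    # On a domain-joined machine set this through a GPO instead, so it is managed
    # centrally and not overwritten at the next policy refresh.
    if (-not (Test-Path $FvePolicyPath)) { New-Item -Path $FvePolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $FvePolicyPath -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $FvePolicyPath -Name EnableBDEWithNoTPM -Value 1 -Type DWord
    # UseTPM / UseTPMPIN / UseTPMKey / UseTPMKeyPIN: 2 = allow, 1 = require, 0 = do not allow
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        Set-ItemProperty -Path $FvePolicyPath -Name $name -Value 2 -Type DWord
    }
}

Test-BitLockerStartupReadiness | Format-List
```

Test-BitLockerStartupReadiness is the part to run on an exam-style "system without TPM" scenario: it tells you whether the machine can fall back to a startup key or password, or whether the policy still has to be enabled first.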
BitLocker Authentication Methods
BitLocker can use multiple methods to unlock a drive:
1. TPM Only
   - Automatic unlock
   - Most common in business systems
2. TPM + PIN
   - User enters a PIN during startup
   - More secure than TPM alone
3. USB Startup Key
   - A USB device is required to boot Windows
4. Password (Data Drives)
   - Used for non-OS drives
   - User enters password to unlock drive
Recovery Key
What is a BitLocker Recovery Key?
A recovery key is a 48-digit code used to unlock the drive if:
- TPM fails
- Hardware changes occur
- Boot files are modified
- User forgets the PIN
Where Recovery Keys Can Be Stored
Recovery keys can be saved to:
- Microsoft account
- Active Directory (domain environment)
- Azure Active Directory
- USB drive
- Printed copy
- File on another drive
⚠️ Exam tip: Always store the recovery key securely
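The storage options above are where most real-world recovery failures happen: the drive is encrypted but nobody saved the key. The added PowerShell example below (mine, not from the original notes or from Microsoft) audits every BitLocker volume for a recovery password protector and backs the protectors up to Active Directory or Microsoft Entra ID using the BitLocker module's own cmdlets. Function names are assumptions; the 48-digit password itself is deliberately never written to the console.

```powershell
# Added example: inventory recovery password protectors, flag volumes that have
# none, and back them up to AD DS or Microsoft Entra ID (Azure AD).
# Function names are assumptions; the cmdlets are from the BitLocker module.

function Get-BitLockerRecoveryAudit {
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        $finding = if ($vol.ProtectionStatus -eq 'On' -and $recovery.Count -eq 0) {
            'Encrypted but no recovery password: unrecoverable if the TPM, PIN or boot files change'
        } else {
            'OK'
        }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            RecoveryCount    = $recovery.Count
            # Only protector IDs are reported; the recovery password is never printed or logged.
            RecoveryIds      = ($recovery.KeyProtectorId -join ',')
            Finding          = $finding
        }
    }
}

function Backup-BitLockerRecoveryPasswords {
    param(
        [Parameter(Mandatory)][ValidateSet('ActiveDirectory', 'EntraID')][string]$Target,
        [string[]]$MountPoint = (Get-BitLockerVolume).MountPoint
    )
    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $recovery) {
            # No recovery password yet: add one so there is something to back up.
            $vol = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
            $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }
        foreach ($kp in $recovery) {
            switch ($Target) {
                # Escrow to the computer object in AD DS (domain environment)
                'ActiveDirectory' { Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId }
                # Escrow to the device record in Microsoft Entra ID
                'EntraID'         { BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId }
            }
        }
    }
}

Get-BitLockerRecoveryAudit | Format-Table -AutoSize
# Backup-BitLockerRecoveryPasswords -Target ActiveDirectory
```

Running the audit before rolling out encryption to a fleet, and again after, catches the "user cannot access encrypted drive and there is no recovery key" scenario before it costs someone their data.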
BitLocker To Go
What Is BitLocker To Go?
BitLocker To Go encrypts removable storage devices.
Examples:
- USB flash drives
- External hard drives
How It Works
- Drive is encrypted when enabled
- User enters a password to unlock the device
- Drive can be read on other Windows systems
- Write access may be restricted on older systems
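The BitLocker To Go flow above can be scripted with the same BitLocker cmdlets used for fixed drives. The following is an added PowerShell example (not from the original notes) that protects a removable drive with a password protector plus a recovery password, unlocks and locks it, and checks whether the "deny write access to unprotected removable drives" policy is in force. The drive letter E: and the function names are assumptions for the example.

```powershell
# Added example: BitLocker To Go on a removable drive.
# Drive letter and function names are assumptions; the cmdlets are the
# BitLocker module's own.

function Protect-RemovableDrive {
    param(
        [Parameter(Mandatory)][string]$MountPoint,        # e.g. 'E:'
        [Parameter(Mandatory)][securestring]$Password
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is already encrypted or encryption is in progress ($($vol.VolumeStatus))"
    }
    # Recovery password first, so the drive is still recoverable if the password is forgotten.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    # The password protector is what the user types when the drive is plugged into another PC.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password -UsedSpaceOnly
}

function Unlock-RemovableDrive {
    param([Parameter(Mandatory)][string]$MountPoint, [Parameter(Mandatory)][securestring]$Password)
    Unlock-BitLocker -MountPoint $MountPoint -Password $Password
}

function Lock-RemovableDrive {
    param([Parameter(Mandatory)][string]$MountPoint)
    # Dismount so an unlocked drive is not left readable after the user walks away.
    Lock-BitLocker -MountPoint $MountPoint -ForceDismount
}

function Test-RemovableWriteDenyPolicy {
    # "Deny write access to removable drives not protected by BitLocker" sets the
    # RDVDenyWriteAccess value under the FVE policy key; 1 means writes are denied.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [bool]($pol.RDVDenyWriteAccess -eq 1)
}

# Usage (interactive, on a test USB stick):
# $pw = Read-Host -AsSecureString 'BitLocker To Go password'
# Protect-RemovableDrive -MountPoint 'E:' -Password $pw
# Get-BitLockerVolume -MountPoint 'E:' | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
# Lock-RemovableDrive -MountPoint 'E:'
# Unlock-RemovableDrive -MountPoint 'E:' -Password $pw
```

Test-RemovableWriteDenyPolicy is the defender's check behind the "write access may be restricted" bullet: when that policy is on, an unencrypted USB stick can be read on the machine but not written to, which is how organisations force sensitive data onto BitLocker To Go drives only.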
Enabling BitLocker (High-Level Steps)
You do not need exact click paths for the exam, but you should understand the process.
Typical steps:
- Open Control Panel
- Go to BitLocker Drive Encryption
- Select the drive
- Choose unlock method (TPM, PIN, password)
- Save recovery key
- Start encryption
Encryption runs in the background.
BitLocker Encryption Types
BitLocker supports:
- Used-space-only encryption
  - Encrypts only data already on the drive
  - Faster
- Full-disk encryption
  - Encrypts entire drive including empty space
  - More secure
Exam tip: Full-disk encryption = higher security
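The high-level steps (select drive, choose unlock method, save recovery key, start encryption) and the used-space versus full-disk choice map directly onto a few cmdlets. Here is an added PowerShell example (mine, not from the original notes or from Microsoft) that enables BitLocker on the OS drive with a TPM or TPM+PIN protector, saves the recovery password to a file on a different drive, and polls progress until encryption finishes. The function names and the backup path are assumptions for the example.

```powershell
# Added example: enable BitLocker on the OS drive end to end.
# Function names and the backup path are assumptions; cmdlets are from the
# BitLocker module. Run elevated.

function Enable-OsDriveBitLocker {
    param(
        [string]$MountPoint = $env:SystemDrive,             # usually 'C:'
        [securestring]$Pin,                                  # omit for TPM-only
        [switch]$UsedSpaceOnly,                              # default is full-disk encryption
        [Parameter(Mandatory)][string]$RecoveryBackupPath    # must NOT be on the drive being encrypted
    )
    if ((Split-Path $RecoveryBackupPath -Qualifier) -eq $MountPoint) {
        throw 'Save the recovery file to a different drive than the one being encrypted'
    }
    # Step 1: add the recovery password protector first, so a recovery path exists
    # before encryption starts.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $kp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    # Step 2: save it ("file on another drive"). Restrict the file to administrators
    # and move it off the machine afterwards.
    "BitLocker Recovery Key`nIdentifier: $($kp.KeyProtectorId)`nRecovery Key: $($kp.RecoveryPassword)" |
        Set-Content -Path $RecoveryBackupPath -Encoding UTF8
    # Step 3: choose the startup protector and encryption type, then start encrypting.
    $common = @{ MountPoint = $MountPoint; EncryptionMethod = 'XtsAes256'; SkipHardwareTest = $true }
    if ($UsedSpaceOnly) { $common['UsedSpaceOnly'] = $true }   # faster, leaves free space unencrypted
    if ($Pin) {
        Enable-BitLocker @common -TpmAndPinProtector -Pin $Pin  # TPM + PIN: user types PIN at boot
    } else {
        Enable-BitLocker @common -TpmProtector                  # TPM only: automatic unlock
    }
}

function Wait-BitLockerEncryption {
    param([string]$MountPoint = $env:SystemDrive, [int]$PollSeconds = 30)
    # Encryption runs in the background; poll until the volume reports FullyEncrypted.
    do {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ('{0} {1} {2}%' -f $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { Start-Sleep -Seconds $PollSeconds }
    } while ($vol.VolumeStatus -ne 'FullyEncrypted')
    $vol
}

# Usage:
# Enable-OsDriveBitLocker -RecoveryBackupPath 'D:\bitlocker\recovery-C.txt'                  # TPM only, full disk
# Enable-OsDriveBitLocker -Pin (Read-Host -AsSecureString 'Startup PIN') -UsedSpaceOnly -RecoveryBackupPath 'D:\bitlocker\recovery-C.txt'
# Wait-BitLockerEncryption
```

The check on the backup path encodes the caveat behind "save recovery key": a recovery file written to the drive it unlocks is useless once that drive is locked.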
BitLocker and Performance
- On modern systems the performance impact is minimal
- Encryption is hardware-accelerated on most systems
- Users usually do not notice any slowdown
BitLocker vs EFS (Important Exam Comparison)
| Feature | BitLocker | EFS |
|---|---|---|
| Encrypts | Entire drive | Individual files |
| Protects data at rest | Yes | Partial |
| User-based | No | Yes |
| Stronger security | Yes | No |
Exam answer: BitLocker is stronger and more comprehensive than EFS
Common BitLocker Scenarios (Exam Style)
You should recognize these scenarios:
- Laptop used by employees → Enable BitLocker
- Lost or stolen device → Data remains protected
- External USB drive with sensitive data → Use BitLocker To Go
- System without TPM → Use USB key or PIN
- User cannot access encrypted drive → Use recovery key
Key Exam Terms to Remember
- Full-disk encryption
- Data at rest
- TPM (Trusted Platform Module)
- Recovery key
- BitLocker To Go
- Windows Pro / Enterprise / Education
- Operating system drive
- Removable media encryption
Summary (Exam-Ready)
- BitLocker encrypts entire drives
- Protects data if devices are stolen or lost
- Uses TPM for secure key storage (if available)
- Supports OS drives, data drives, and USB drives
- Recovery keys are critical
- BitLocker To Go is used for removable storage
- Available only on non-Home editions of Windows
