Skip to main content

CompTIA A+

Windows Encryption Tools

20 min read

CompTIA A+ Core 2 (220-1202), Domain 2.0, Objective 2.2 focuses on Windows encryption choices you'll make on the exam and on the job. In this section, you'll learn when to use BitLocker vs BitLocker To Go vs Encrypting File System (EFS), what each one protects, and how to turn them on in Windows.

The exam often uses a "given a scenario" format, so the goal isn't to memorize names. Instead, you need to pick the best tool for the risk, the device, and the data. For example, full-disk encryption solves a different problem than encrypting a single folder.

BitLocker protects an entire Windows drive, which helps if a laptop gets lost or stolen. BitLocker To Go applies the same idea to removable media, like USB flash drives and external drives. EFS works at the file or folder level on NTFS, which can fit shared PCs where only certain data needs protection.

You'll also see where these settings live in Windows, including Control Panel and File Explorer actions. By the end, you should be able to choose the right option quickly, then enable it without guessing.

Protection Limits

For CompTIA A+ Core 2 (220-1202), Domain 2.0, Objective 2.2, you must match the tool to the threat. Encryption sounds absolute, but each Windows option has clear boundaries. In practice, these tools mostly protect data at rest (when the device is off or the drive is removed). Once Windows unlocks the data for an approved user, other controls must carry the load, such as strong sign-in security, least privilege, and malware protection.

BitLocker on an internal drive (full-disk protection)

BitLocker encrypts an entire internal drive, either the OS drive (where Windows runs) or a fixed data drive (an internal secondary drive). Because it covers the whole volume, it protects system files, installed apps, and user data stored on that drive. Think of it like locking the whole filing cabinet, not just one folder.

The key concept for the exam is pre-boot protection. This means the drive stays encrypted until the startup checks pass and the right unlock method is provided. Without that, an attacker cannot simply remove the drive, connect it to another PC, and browse your files. Pre-boot also helps against offline attacks, such as trying to read the disk with another operating system.

A common unlock flow uses a TPM. A TPM (Trusted Platform Module) is a small security chip that stores cryptographic keys and helps confirm the system has not been tampered with. Depending on the setup, BitLocker may unlock with:

  • TPM only: The TPM releases the key during a normal boot.
  • TPM + PIN: You enter a short PIN during startup, which adds protection if the laptop is stolen.
  • Password: Often used for fixed data drives, and sometimes in environments without a usable TPM.
  • Recovery key: A long fallback key used when Windows detects a change (for example, a firmware update or motherboard swap).

Gotcha: BitLocker mainly protects the drive when it is locked. After you sign in and the drive unlocks, BitLocker does not stop a logged-in user, or malware running as that user, from reading files.

In other words, BitLocker is excellent for lost or stolen devices, but it is not a replacement for good account security. Use strong Windows sign-in methods, and keep recovery keys stored safely (for example, in an organization directory or a protected account).

BitLocker To Go for USB drives and external storage

BitLocker To Go applies encryption to removable drives, such as USB flash drives and external hard drives. This matters because removable media is easy to lose, and it often carries the most portable data (spreadsheets, exports, client documents). Without encryption, a lost USB drive is a simple data breach.

When you plug in a BitLocker To Go drive, Windows prompts for an unlock method before it mounts the drive for normal use. Common options include:

  • Password: The usual choice for personal and small business use.
  • Smart card: More common in managed environments that already issue smart cards.

After the user unlocks the drive, it behaves like any other drive. That convenience is also the limit. Once unlocked, files are readable and writable by that user account and anything running under it.

Some environments also plan for compatibility and controlled access. For example, you can allow a read-only mode in certain situations, which helps reduce accidental changes when you only need to view files. Policies can also require encryption before users can write data to removable media. In plain terms, Windows can be set so users cannot copy files to a USB drive unless the drive is protected first.

BitLocker To Go is best understood as a safety net for real life mistakes. People forget drives in meeting rooms, airports, and labs. Encryption turns that incident into a lost object instead of a data exposure.

Encrypting File System (EFS) for file and folder encryption

EFS encrypts at the file and folder level on NTFS. Instead of locking the whole drive, it locks selected data so that only the right user can open it. This makes EFS useful on shared PCs where you want to protect a specific folder, even though other users still use the same Windows install.

EFS ties access to a user account and its EFS certificate. Windows handles most of the work in the background. When the correct user signs in, Windows can decrypt the files as they are opened. If another user signs in, those same files stay unreadable because that user does not have the required keys.

This is the exam-relevant point: even if a second user has administrator rights, they still cannot casually open an EFS-protected file without the proper EFS keys. Admin rights can grant many powers, but EFS is designed to keep the content encrypted unless the decrypting key is available.

However, EFS has a practical risk that shows up in troubleshooting scenarios: key recovery. If the original user profile is deleted, corrupted, or moved incorrectly, the encrypted files can become permanently inaccessible. In business settings, organizations may configure a recovery option so encrypted files can be recovered when a user leaves or loses access.

Treat EFS like a locked briefcase with one key. If you lose the key and no one made a spare, the contents may be gone for good.

As a result, EFS fits best when you need targeted protection on NTFS and you also have a plan for backing up user profiles and recovery keys.

Enable BitLocker

For CompTIA A+ Core 2 (220-1202), Domain 2.0, Objective 2.2, you need to know how to enable BitLocker without locking yourself out. BitLocker setup is usually quick, but small mistakes (like skipping a backup or misplacing the recovery key) can turn a routine task into data loss. Treat BitLocker like installing a deadbolt on a door: the lock is only helpful if you also keep a spare key in a safe place.

Pre-checks before you enable BitLocker (TPM, edition, backups)

Before you switch on BitLocker, confirm the basics. These checks prevent failed setup, boot issues, and accidental lockouts.

Start with the Windows edition. BitLocker management is built into Windows Pro, Enterprise, and Education. Many Home editions do not include the full BitLocker feature set in the same way. If BitLocker options are missing, the edition is often the reason.

Next, verify the TPM (Trusted Platform Module) status. BitLocker works best with a TPM because the TPM protects encryption keys and supports secure startup checks. In Windows, you can check TPM presence and readiness in the tpm.msc console (or through Windows Security). If the TPM is disabled, enable it in UEFI/BIOS firmware settings. This avoids a setup flow that forces less convenient unlock methods.

Also confirm Secure Boot if your environment expects it. Secure Boot helps block untrusted boot components. While BitLocker can work without it in some cases, Secure Boot reduces the chance of tampering that triggers recovery mode after changes.

Power stability matters too. If this is a laptop, plug it in before encrypting. Encryption can take time, and an unexpected shutdown increases the chance of a paused or confused rollout (especially on older drives).

Most importantly, create a current backup. BitLocker does not delete files, but changes to firmware, partitions, or hardware can trigger a recovery prompt. A backup protects you from the worst outcomes: drive failure during encryption, user error, or a lost recovery key.

A quick pre-check summary helps you avoid common problems:

  • Supported edition: Prevents missing BitLocker controls and dead-end setup paths.
  • TPM enabled and ready: Reduces prompts and improves pre-boot security.
  • Secure Boot understood: Lowers tamper risk and surprise recovery events.
  • Device on AC power: Prevents interruptions mid-process.
  • Fresh backup completed: Protects data if anything goes wrong.

Best practice: Assume you will need the recovery key later. Plan for that before you click "Turn on BitLocker".

Step-by-step: enabling BitLocker and saving the recovery key

You can enable BitLocker from either Control Panel or Settings.

This lesson is part of ExamWizardz Pro

Unlock every lesson, unlimited practice tests, and the AI tutor.

See Pro pricing

or start with a free account