How to Manage and Configure Basic Security Settings in Microsoft Windows for CompTIA A+ Core 2 (220-1102)
Introduction: Why Windows Security Settings Matter for A+ Technicians
For CompTIA A+ Core 2, Windows security is less about memorizing feature names and more about choosing the safest practical fix in a scenario. If a user cannot install software, the answer usually is not “make them local admin.” If a laptop is stolen, the answer is encryption, not just a strong password. If a shared folder fails, you need to think permissions, not malware. That’s really the mindset the 220-1102 exam wants you to have.
Once you strip away the jargon, it’s actually pretty straightforward: authentication is about proving who you are, authorization is about what you’re allowed to reach, and least privilege is what keeps the risk from getting out of hand. In Windows, those ideas show up everywhere: in standard user accounts, User Account Control, Microsoft Defender Antivirus, Microsoft Defender Firewall, Windows Update, BitLocker, and NTFS and share permissions. When you layer those controls together, the endpoint becomes much harder to misuse or compromise.
Account Security, Sign-In, and Least Privilege
A standard user account is the best default for daily work. An administrator account can install software, change system-wide settings, and disable protections, which is exactly why it should be limited.
| Administrator | Standard User |
|---|---|
| Can change system settings and install software for all users | Can run approved apps and perform routine work |
| Higher risk if malware runs in that context | Lower risk because changes are restricted |
| Best for IT and approved support tasks | Best for most end users |
To manage local accounts, use Settings > Accounts > Other users for adding users, or Computer Management > System Tools > Local Users and Groups > Users/Groups on supported editions. Local Users and Groups (lusrmgr.msc) and Local Security Policy (secpol.msc) are generally not available on Windows Home. You can also verify membership with net localgroup administrators or whoami /groups.
Practical workflow: keep the user standard, then elevate only the task. Use Run as administrator, approved admin credentials, or software deployment tools. That preserves least privilege without blocking support.
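One way to put the membership check above into a repeatable audit, as an added example (not part of the article): it lists everyone in the local Administrators group, flags anyone not on an approved list, and shows the signed-in user's own status. The approved-admin names are constructed placeholders; it assumes an elevated Windows PowerShell 5.1 session on Windows 10/11.

```powershell
# Added example (not from the article): audit who holds local admin rights on this PC
# and flag anything outside an approved list. Run in an elevated PowerShell session.
# The approved list is a constructed placeholder; replace it with your own names.
$approvedAdmins = @('Administrator', 'ITSupport')

# Get-LocalGroupMember returns a Name like "PCNAME\Alice" for local accounts,
# "DOMAIN\Group" for domain principals, or "MicrosoftAccount\user@example.com".
$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    $shortName = ($m.Name -split '\\')[-1]
    [pscustomobject]@{
        Name     = $m.Name
        Type     = $m.ObjectClass      # User or Group
        Source   = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        Approved = $approvedAdmins -contains $shortName
    }
}

$report | Format-Table -AutoSize

# Anything not on the approved list is a least-privilege finding: the fix is to
# move that user back to Standard and elevate per task, not to leave it as is.
$unexpected = $report | Where-Object { -not $_.Approved }
if ($unexpected) {
    Write-Warning "Unexpected members of Administrators: $($unexpected.Name -join ', ')"
}

# The same question from the signed-in user's point of view:
# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
$isAdminMember = (whoami /groups) -match 'S-1-5-32-544'
"Current user is in Administrators: $([bool]$isAdminMember)"
```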
A local account exists only on that PC. A Microsoft account supports recovery and sync across devices. In managed business environments, you may also see organizational identities through Active Directory or Microsoft Entra ID. And this one trips people up a lot: account type and privilege level aren’t the same thing. A Microsoft account doesn’t automatically mean the user is an administrator.
For sign-in, you really want to know the difference between a password, a PIN, and biometrics.
| Password | PIN | Biometrics |
|---|---|---|
| Account secret used across services | Device-specific Windows Hello unlock method | Fingerprint or face sign-in on supported hardware |
| Used for recovery and remote sign-in | Typically tied to device-bound cryptographic material, often TPM-backed | Usually unlocks the same Hello credential |
| Should be strong and unique | Common secure choice for interactive sign-in | Fast and convenient, with password/PIN fallback |
Configure these in Settings > Accounts > Sign-in options. Windows Hello PINs aren’t just shorter passwords. They’re tied to the device itself and, when the hardware supports it, they’re often protected by TPM-backed credentials.
For lock behavior, Windows does not rely on one universal “auto-lock” switch. Instead, combine screen timeout, require sign-in on wake, optional screen saver password protection, and Dynamic Lock. Dynamic Lock is a pretty handy feature because it can lock the device automatically once the paired phone wanders far enough away. For shared workstations, I’d definitely go with short idle timeouts and make sure the system requires sign-in after sleep.
User Account Control and Local Policies
User Account Control, or UAC, enforces the elevation boundary: an administrative change has to go through an explicit prompt. It does not replace least privilege; it only stops administrative changes from happening silently.
With UAC, a standard user gets a credential prompt for admin credentials. An administrator running in Admin Approval Mode usually gets a consent prompt. Configure UAC in Control Panel > User Accounts > Change User Account Control settings.
The secure desktop option dims the screen and isolates the prompt, so it makes spoofing a lot harder. Lowering UAC or disabling it removes a guardrail and is a classic bad fix.
Password and lockout policy matter too. On supported editions, secpol.msc lets you review password length, complexity, account lockout threshold, and audit policy. For A+, the big idea is pretty simple: longer passwords, lockouts after too many failed attempts, and solid logging all help harden the system. Honestly, I’d keep the Guest account disabled by default. If someone wants it turned on, there’d better be a very specific, tightly controlled reason for it.
Microsoft Defender Antivirus and Windows Security
When I’m looking at baseline protection, Microsoft Defender Antivirus and the Windows Security app are the first tools I reach for.
Windows Security is the interface. Microsoft Defender Antivirus is the antivirus engine. Open it from Settings > Privacy & Security > Windows Security.
The big things to keep in your head are real-time protection, cloud-delivered protection, security intelligence updates, Tamper Protection, and the different scan options; those come up over and over in real tickets. Tamper Protection helps block unauthorized changes to Defender settings, and that one genuinely matters. If a third-party antivirus is properly registered with Windows Security Center, Microsoft Defender Antivirus may step back and run in passive or limited mode instead of being the primary AV.
Common scans:
- Quick scan: common malware locations
- Full scan: entire system, slower
- Custom scan: specific file/folder/drive
- Microsoft Defender Offline scan: useful for persistent malware and possible rootkit cases
Use Protection history to review detections, quarantines, and blocked actions. Do not restore quarantined items blindly. False positives happen, but the file should be verified first.
Also know App & browser control, which includes Microsoft Defender SmartScreen and reputation-based protection for malicious or suspicious websites, downloads, and apps. Controlled folder access can help reduce ransomware damage by blocking unauthorized apps from modifying protected folders.
If Defender looks turned off, the first things I check are pretty basic: is another antivirus installed, is a policy managing the device, and is Tamper Protection part of the story? Useful tools include services.msc, Event Viewer, and PowerShell commands such as Get-MpComputerStatus.
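The three checks above (another AV, policy, Tamper Protection) as one read-only triage script, added here as an example and not from the article. It assumes Windows PowerShell 5.1 on a Windows 10/11 client with the Defender module present; the Security Center WMI namespace it queries exists only on client editions.

```powershell
# Added example (not from the article): triage "Defender looks off" from PowerShell
# before touching any settings. Read-only; Windows 10/11 client, PowerShell 5.1.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

[pscustomobject]@{
    AMServiceRunning     = $status.AMServiceEnabled
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    RunningMode          = $status.AMRunningMode        # Normal, Passive Mode, ...
    TamperProtected      = $status.IsTamperProtected
    SignatureAgeDays     = $status.AntivirusSignatureAge
    CloudProtection      = $pref.MAPSReporting          # 0 = off, 1 = basic, 2 = advanced
    ControlledFolders    = $pref.EnableControlledFolderAccess  # 0 = off, 1 = block, 2 = audit
    RealtimeDisabledPref = $pref.DisableRealtimeMonitoring
} | Format-List

# 1. Is a third-party AV registered with Security Center? If so, Defender stepping
#    into passive mode is expected behaviour, not a fault.
$thirdParty = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct |
    Where-Object { $_.displayName -notlike 'Windows Defender*' -and
                   $_.displayName -notlike 'Microsoft Defender*' }
if ($thirdParty) { "Third-party AV registered: $($thirdParty.displayName -join ', ')" }

# 2. Is Group Policy managing Defender? Policy-written settings live under this key
#    (and subkeys such as 'Real-Time Protection'); if present, expect greyed-out UI.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path $policyKey) {
    Get-ItemProperty -Path $policyKey | Select-Object -Property * -ExcludeProperty PS*
    Get-ChildItem -Path $policyKey | Select-Object -ExpandProperty PSChildName
} else {
    'No Defender policy key present (not Group Policy managed; MDM may still apply).'
}

# 3. Recent detections: the same data the Protection history page shows.
Get-MpThreatDetection |
    Select-Object -Property InitialDetectionTime, ThreatID, ProcessName, ActionSuccess -First 5
```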
Microsoft Defender Firewall
Microsoft Defender Firewall is the host firewall. By default, it mainly blocks unsolicited inbound traffic and allows most outbound traffic unless outbound rules are configured. That distinction matters.
| Profile | Use | Key Point |
|---|---|---|
| Domain | When the joined device can authenticate to a domain controller | Usually centrally managed |
| Private | Trusted home or small-office network | Less restrictive than Public |
| Public | Untrusted networks such as hotels and public cafés | Most restrictive |
Use Windows Security > Firewall & network protection for status, or wf.msc for Windows Defender Firewall with Advanced Security. Advanced rules let you control executable, port, protocol, profile, local/remote addresses, and scope.
Allowing a specific app is generally safer than opening a broad port. If you must allow traffic, scope it to the correct profile and only the required protocol/ports. Example: allow a vendor support app on Private only, not on Public. For troubleshooting, confirm the active profile, review inbound rules, and if needed enable firewall logging to inspect dropped packets.
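The "allow the app on Private only, scoped to one port" pattern from the paragraph above, plus the active-profile check and dropped-packet logging, as an added example that is not part of the article. The program path and rule name are constructed placeholders; it assumes an elevated session with the NetSecurity module (Windows 10/11).

```powershell
# Added example (not from the article): scope the rule, do not open the port broadly.
# Program path and rule name are placeholders. Run elevated.

# 1. Which profile is active right now? First troubleshooting question.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# 2. Default posture per profile: inbound Block, outbound normally Allow.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 3. Broad fix to avoid (shown commented out only for contrast): any process,
#    every profile, the whole port.
# New-NetFirewallRule -DisplayName 'Open 5900 everywhere' -Direction Inbound `
#     -Protocol TCP -LocalPort 5900 -Profile Any -Action Allow

# 4. Scoped fix: one executable, Private profile only, one protocol/port,
#    limited to the local subnet. On Public the traffic stays blocked.
$vendorApp = 'C:\Program Files\VendorSupport\support.exe'   # placeholder path
New-NetFirewallRule -DisplayName 'Vendor Support (Private only)' `
    -Direction Inbound -Program $vendorApp -Protocol TCP -LocalPort 5900 `
    -Profile Private -RemoteAddress LocalSubnet -Action Allow -Enabled True

# 5. Confirm the rule carries the intended scope before closing the ticket.
$rule = Get-NetFirewallRule -DisplayName 'Vendor Support (Private only)'
$rule | Select-Object DisplayName, Enabled, Profile, Direction, Action
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
$rule | Get-NetFirewallApplicationFilter | Select-Object Program

# 6. Log dropped packets on Public so you can see what is blocked instead of
#    switching the firewall off "to test".
Set-NetFirewallProfile -Profile Public -LogBlocked True -LogMaxSizeKilobytes 4096 `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Entries have the form (constructed sample line):
# 2024-01-01 09:00:00 DROP TCP 203.0.113.5 192.168.1.20 51234 445 ...
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 20 |
    Where-Object { $_ -match ' DROP ' }
```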
Windows Update and Managed Devices
Windows Update closes vulnerabilities and fixes reliability issues. Check it in Settings > Windows Update. For A+, distinguish:
- Quality updates: monthly security and bug fixes
- Feature updates: larger version changes
- Driver/firmware updates: hardware-related updates that may be controlled separately
In home systems, updates are usually local decisions. In managed environments, behavior may be controlled by WSUS, Group Policy, Windows Update for Business, Intune, or other MDM tools. If a setting is grayed out or keeps snapping back, I usually assume it’s being enforced by policy rather than being broken.
My basic update troubleshooting flow is pretty simple: check for a pending restart, make sure there’s enough free disk space, review update history and error codes, run the troubleshooter, and see whether policy is managing the device. And if the failure keeps coming back, Event Viewer and Reliability History usually give you the breadcrumbs you need.
BitLocker, Device Encryption, and Recovery Handling
BitLocker, Device Encryption, and recovery handling all come back to one big idea: protect the data even if the device gets lost, stolen, or otherwise compromised.
BitLocker protects data at rest by encrypting the drive itself, so someone can’t just yank the disk out and read the files. BitLocker and BitLocker To Go are typically available on supported editions such as Pro, Enterprise, and Education. Some Windows Home devices support Device Encryption, which is related but not the same as full BitLocker administration.
| Feature | Purpose |
|---|---|
| BitLocker | Encrypt internal OS/data drives |
| BitLocker To Go | Encrypt removable drives |
| Device Encryption | Simpler edition/hardware-dependent protection on some devices |
Common BitLocker protectors include TPM, TPM+PIN, startup key, and recovery key. Check TPM status with tpm.msc or Windows Security > Device security. Verify BitLocker with manage-bde -status or PowerShell Get-BitLockerVolume.
BitLocker recovery prompts can pop up after BIOS or firmware changes, Secure Boot changes, TPM resets, boot configuration changes, a motherboard replacement, or really any hardware change the system doesn’t trust. Before firmware work, suspend BitLocker; do not fully decrypt unless there is a specific reason. Recovery keys may be stored in a Microsoft account, Active Directory, Microsoft Entra ID, or whatever escrow process the organization uses. Encryption isn’t a backup. It protects confidentiality, not availability.
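The "verify, escrow, suspend, then confirm" sequence from the two paragraphs above as a script, added as an example and not from the article. It assumes an elevated session on a Pro/Enterprise/Education edition with the BitLocker module; the escrow cmdlets are left commented because the right store depends on the organization.

```powershell
# Added example (not from the article): pre-firmware-update BitLocker workflow.
# Run elevated on an edition that includes the BitLocker PowerShell module.
$osDrive = $env:SystemDrive   # normally "C:"

# 1. TPM and current protection state.
Get-Tpm | Select-Object TpmPresent, TpmReady
$vol = Get-BitLockerVolume -MountPoint $osDrive
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage

# 2. Which protectors exist? Expect a Tpm (or TpmPin) protector AND a RecoveryPassword.
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

# 3. Make sure a recovery password exists and is escrowed BEFORE touching firmware.
#    Print only the protector ID; never write the 48-digit password to a console or log.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
"Recovery protector ID: $($recovery.KeyProtectorId)"
# Escrow to whichever store the organization uses (uncomment one):
# Backup-BitLockerKeyProtector      -MountPoint $osDrive -KeyProtectorId $recovery.KeyProtectorId # AD DS
# BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery.KeyProtectorId # Entra ID

# 4. Suspend, do not decrypt. RebootCount 1 resumes protection automatically after
#    the next restart, so the drive stays encrypted throughout.
Suspend-BitLocker -MountPoint $osDrive -RebootCount 1
(Get-BitLockerVolume -MountPoint $osDrive).ProtectionStatus   # "Off" while suspended

# ... apply the BIOS/UEFI update and reboot here ...

# 5. After the reboot, confirm protection resumed; if not, resume it explicitly.
if ((Get-BitLockerVolume -MountPoint $osDrive).ProtectionStatus -ne 'On') {
    Resume-BitLocker -MountPoint $osDrive
}
Get-BitLockerVolume -MountPoint $osDrive | Select-Object MountPoint, ProtectionStatus, VolumeStatus
```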
For exam clarity, distinguish BitLocker from EFS. BitLocker encrypts the whole volume. EFS encrypts individual files and folders. If the scenario is a stolen laptop, BitLocker is usually the better answer.
NTFS Permissions, Share Permissions, and Effective Access
NTFS permissions apply to local and network access on NTFS volumes. Share permissions apply only over the network. For network access, both apply, and effective access is limited by whichever set is more restrictive. Explicit Deny generally overrides Allow.
| NTFS | Share |
|---|---|
| Applies locally and over network | Applies only to shared access |
| More granular: Read, Write, Read & Execute, Modify, Full Control, special permissions | Simpler: Read, Change, Full Control |
In many environments, share permissions are broad, such as Everyone: Read or a limited group, while NTFS handles the real granularity. Use groups instead of assigning many individual ACEs directly.
Be careful with “edit but not delete” requests. That is not a simple basic-permission scenario; it often requires advanced NTFS permissions, testing, and sometimes a different workflow. For troubleshooting, use Advanced Security Settings to review inheritance, ownership, and the Effective Access tab.
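Reviewing both permission layers for one share, with Deny entries, ownership, and inheritance called out, as an added example that is not from the article. The share name is a constructed placeholder; it assumes an elevated session on the file server with the SmbShare module.

```powershell
# Added example (not from the article): review share AND NTFS layers for a share.
# Share name is a placeholder; run elevated on the machine hosting the share.
$shareName = 'Projects'
$share = Get-SmbShare -Name $shareName

"--- Share permissions ($shareName -> $($share.Path)) ---"
Get-SmbShareAccess -Name $shareName |
    Select-Object AccountName, AccessControlType, AccessRight   # Read / Change / Full

"--- NTFS permissions on $($share.Path) ---"
$acl = Get-Acl -Path $share.Path
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Sort-Object AccessControlType -Descending    # Deny entries listed first

# Explicit Deny is the usual culprit in "can see it but cannot modify it" tickets,
# because Deny generally wins over Allow; call each one out.
foreach ($d in ($acl.Access | Where-Object AccessControlType -eq 'Deny')) {
    Write-Warning "Explicit Deny for $($d.IdentityReference): $($d.FileSystemRights)"
}

# Ownership and inheritance explain most "permissions won't stick" cases.
"Owner: $($acl.Owner)"
"Inheritance blocked on this folder: $($acl.AreAccessRulesProtected)"

# Effective access over the network is the more restrictive of the two layers:
# share Everyone:Change + NTFS Read for the user's group = Read. Compare the
# groups listed above against the client's 'whoami /groups' output.
# For the raw ACL view the same way the GUI shows it:
icacls $share.Path
```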
Built-in Tools, Kiosk Mode, and Hardening
Know which tool matches which job:
- compmgmt.msc / lusrmgr.msc: local users and groups
- secpol.msc: local password, lockout, and audit policy on supported editions
- wf.msc: advanced firewall rules
- tpm.msc: TPM status
- gpresult /r: Group Policy summary, but not a full MDM view
- manage-bde -status: BitLocker status
For kiosk or front-desk systems, know Assigned Access or kiosk mode. It keeps the device limited to approved apps, which is a lot better than handing out broad rights on a shared workstation.
A few other hardening basics are worth keeping in mind: leave Secure Boot enabled in UEFI when it makes sense, reduce unnecessary startup items, use SmartScreen and reputation-based protection, be careful with macros and scripts, restrict removable media when needed, and never forget that backups are absolutely essential if ransomware ever hits.
Common Troubleshooting Scenarios for the A+ Exam
These usually come down to matching the symptom with the right Windows tool or setting.
User cannot install an app: Verify whether the app is approved, then use Run as administrator or IT deployment. Best answer: temporary approved elevation. Tempting wrong answer: make the user local admin.
Defender says protection is off: Open Windows Security, check if a third-party AV is registered, review Tamper Protection and policy status, then confirm the device still has active protection.
App works at the office but not on public Wi-Fi: Check the active firewall profile. Public is more restrictive. Review inbound rules or app allowances before touching the firewall state.
User can see a share but cannot modify files: Review share permissions, NTFS permissions, inheritance, and group membership. Use whoami /groups if needed.
Laptop requests BitLocker recovery after BIOS update: Identify the device, retrieve the recovery key through the approved process, unlock it, then confirm BitLocker protection status. Do not try random boot workarounds first.
Security setting is grayed out: Think management. Local Policy, Active Directory Group Policy, Intune, or another MDM may be enforcing it. gpresult /r helps for Group Policy, but MDM settings may require the management console.
Exam Cram: Symptom to Best Control
- Malware symptoms: Windows Security / Microsoft Defender Antivirus
- Persistent malware or rootkit concern: Microsoft Defender Offline scan
- Blocked network app: Microsoft Defender Firewall profile/rules
- Shared folder access issue: NTFS + share permissions
- Lost or stolen laptop: BitLocker
- USB drive with sensitive files: BitLocker To Go
- User should not install software: Standard account + UAC
- Shared kiosk/front desk system: Least privilege + Assigned Access
- Grayed-out setting: Check policy/management
- Need safer sign-in convenience: Windows Hello PIN or biometrics
Final Review
For 220-1102, the secure practical answer is usually the same pattern over and over: use standard users instead of permanent admin rights, keep UAC turned on instead of disabling prompts, rely on Defender protections instead of guessing, use firewall rules instead of shutting the firewall off, patch systems instead of putting updates off, use BitLocker instead of assuming a password is enough, and apply the right permissions instead of just handing out Full Control. If you can spot the symptom, match it to the right Windows tool, and resist the tempting shortcut, you’re thinking the way a good technician should — and that’s exactly the mindset A+ wants to see.