You are the security administrator at Larkspur Diagnostics, a regional medical-imaging lab. The reading-room workstation RADIO-WS-12 holds locally cached patient scans, and compliance staff are worried that a stolen drive would expose that data at rest. The board has asked you to encrypt the machine's entire operating-system volume. RADIO-WS-12 has a discrete TPM 2.0 chip on the motherboard, currently switched off in firmware.
Your job: enable the TPM in firmware, then turn on BitLocker for the operating-system drive (C:), escrow the recovery key to the protected share \\VAULT-SRV\Recovery$\RADIO-WS-12, encrypt the entire drive using the new (XTS-AES) encryption mode, and run a system check before encryption begins.
Integrity note: this is a formative simulation. The checklist and score are evaluated in your browser and are therefore self-reported — fine for practice. For a graded attempt the instructor's Apps Script can re-score the submitted answers against a server-held key. No real-name data is collected. © 2026 [AUTHOR NAME]. Original clean-room lab; not affiliated with any courseware vendor.