Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertifications220-1202Exam Questions

CompTIA · Free Practice Questions · Last reviewed May 2026

220-1202 Exam Questions and Answers

150real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

90 exam questions
90 min time limit
Pass: 700/1000 / 1000
25 exam domains
OverviewDomain BlueprintStudy GuideAll QuestionsSample by Domain
1. Windows OS Features and Tools2. Windows Settings and Control Panel3. Windows Command-Line Tools4. Windows Administrative Tools5. macOS Features and Tools6. Linux Commands and File Permissions7. Mobile OS Features and Tools8. Virtualization and Cloud Technologies9. Physical Security Controls10. Logical Security Concepts11. Wireless Security Protocols12. Malware Types and Removal13. Social Engineering Attacks14. Windows Security Settings15. Browser and Application Security16. Data Destruction and Disposal17. Windows OS Troubleshooting18. PC Security Issue Remediation19. Mobile OS and App Troubleshooting20. Safety Procedures and Compliance21. Environmental Awareness and Impact22. Documentation and Change Management23. Remote Access Technologies24. Scripting Basics25. Communication and Professionalism
1

Domain 1: Windows OS Features and Tools

All Windows OS Features and Tools questions
Q1
easyFull explanation →

A user is unable to print to a network printer after a Windows update. Other users on the same network can print successfully. Which Windows tool should you use to view detailed error messages related to the print spooler service?

A

Device Manager

B

Services.msc

C

Event Viewer

Event Viewer records print spooler errors and warnings, making it the correct tool for troubleshooting the cause of the failure.

D

Performance Monitor

Why: Event Viewer (C) is the correct tool because it logs detailed error messages from the print spooler service (spoolsv.exe) under 'Windows Logs > System' or 'Applications and Services Logs > Microsoft > Windows > PrintService'. When a Windows update breaks printing for a single user, Event Viewer captures spooler errors such as access denied, driver conflicts, or RPC failures that are not shown in other tools.
Q2
mediumFull explanation →

A user's Windows 10 PC is infected with ransomware that has encrypted their Documents folder. You need to restore the files from a previous version that was saved by File History. Where do you access the 'Previous Versions' feature to restore these files?

A

File Explorer > Properties > Previous Versions tab

This is the correct location to view and restore previous versions of files or folders saved by File History or shadow copies.

B

Control Panel > File History > Restore personal files

C

Settings > Update & Security > Backup

D

Computer Management > Storage > Disk Management

Why: The 'Previous Versions' tab is accessible via File Explorer by right-clicking a file or folder, selecting Properties, and then clicking the Previous Versions tab. This tab lists shadow copies or File History backups of the selected item, allowing you to restore an earlier version. In this scenario, since File History was enabled, the previous versions of the Documents folder will appear here for restoration.
Q3
mediumFull explanation →

You are configuring a new Windows 10 workstation for a remote employee who will connect to the corporate VPN. The user should not be able to install software or change system settings. Which tool should you use to enforce these restrictions?

A

User Account Control (UAC) settings

B

Local Group Policy Editor

Local Group Policy Editor can enforce software installation restrictions and control panel access for specific users or groups.

C

Device Manager

D

Registry Editor

Why: Local Group Policy Editor (gpedit.msc) allows you to configure security and restriction policies on a standalone computer. You can disable the ability to install software by setting the 'Disable Windows Installer' policy and restrict access to Control Panel settings. This is the appropriate tool for a non-domain joined machine.
Q4
mediumFull explanation →

A technician needs to create a bootable USB drive that can run Windows PE to deploy a custom Windows 10 image to multiple laptops. Which Windows tool should they use to create this bootable media?

A

Windows Media Creation Tool

B

Windows System Image Manager (Windows SIM)

C

Windows ADK (Assessment and Deployment Kit)

The Windows ADK provides the tools to build a custom Windows PE image and create bootable USB drives for deployment.

D

Disk Management

Why: The Windows Assessment and Deployment Kit (Windows ADK) includes the Deployment Tools, which contain the necessary utilities (such as `copype.cmd` and `MakeWinPEMedia`) to create a bootable Windows PE USB drive. This is the correct tool for building custom WinPE media to deploy a Windows 10 image to multiple laptops, as it provides the full environment for customizing and generating the bootable image.
Q5
hardFull explanation →

You are troubleshooting a Windows 10 PC that fails to boot with the error 'Boot Configuration Data is missing.' Which built-in tool can you use from the Windows Recovery Environment to rebuild the BCD store?

A

System File Checker (sfc /scannow)

B

Diskpart

C

Bootrec.exe

Bootrec.exe with the /rebuildbcd switch scans for Windows installations and rebuilds the BCD store, fixing the missing BCD error.

D

CHKDSK

Why: Bootrec.exe is the correct built-in tool for rebuilding the Boot Configuration Data (BCD) store from the Windows Recovery Environment (WinRE). The specific command 'bootrec /rebuildbcd' scans all disks for Windows installations and allows you to rebuild the BCD store, directly addressing the 'Boot Configuration Data is missing' error. Other tools like SFC, Diskpart, and CHKDSK do not have the capability to reconstruct the BCD store.
Q6
mediumFull explanation →

After installing a new application, a user reports that their default web browser keeps changing to a different one without their consent. Which Windows feature can you use to prevent applications from changing file associations and default programs?

A

Programs and Features

B

Default Programs (Control Panel)

C

Local Group Policy Editor

Group Policy can enforce 'Set a default associations configuration file' to lock file associations and prevent changes by users or apps.

D

Registry Editor

Why: The Local Group Policy Editor (gpedit.msc) allows administrators to configure the 'Set a default associations configuration file' policy under Computer Configuration > Administrative Templates > Windows Components > File Explorer. When enabled, this policy prevents applications from changing file associations and default programs by locking the association file, overriding any user or application changes. This is the correct tool for enforcing system-wide control over default programs in Windows 10/11 Pro, Enterprise, or Education editions.

Want more Windows OS Features and Tools practice?

Practice this domain
2

Domain 2: Windows Settings and Control Panel

All Windows Settings and Control Panel questions
Q1
hardFull explanation →

A security incident occurred where an unauthorized user accessed a workstation. You need to review the event logs to determine when the breach happened. Which Control Panel applet would you use to launch the Event Viewer?

A

System

B

Security and Maintenance

C

Administrative Tools

Administrative Tools includes Event Viewer, Performance Monitor, and other system tools.

D

Device Manager

Why: Administrative Tools is the Control Panel applet that provides access to advanced system tools, including Event Viewer. To investigate a security breach, you would open Administrative Tools and then launch Event Viewer to review security logs for unauthorized access events. This is the correct path because Event Viewer is not directly listed in the main Control Panel categories; it is nested within Administrative Tools.
Q2
mediumFull explanation →

A user calls the help desk because their Windows 10 PC is not showing any sound icon in the system tray, and audio is not working. You suspect the audio service is disabled. Which Control Panel applet would you use to check and restart the Windows Audio service?

A

Sound

B

Device Manager

C

Administrative Tools

Administrative Tools contains shortcuts to Services, Event Viewer, and other system management consoles.

D

System

Why: The Windows Audio service is a background service that must be running for audio to function. The Administrative Tools applet provides access to the Services console (services.msc), where you can check the status of the Windows Audio service and restart it if it is disabled or stopped. This is the correct tool because the Sound applet only configures playback devices and volume, not service states.
Q3
hardFull explanation →

A user wants to configure their Windows 10 PC to automatically install driver updates from Windows Update. Which Settings page would you use to change the driver update behavior?

A

Update & Security > Windows Update > Advanced options

Advanced options contains a toggle for 'Receive updates for other Microsoft products' which includes driver updates.

B

System > About

C

Devices > AutoPlay

D

Update & Security > Delivery Optimization

Why: Option A is correct because the setting to control how Windows 10 handles driver updates from Windows Update is located under Update & Security > Windows Update > Advanced options. Here, you can toggle the 'Update drivers automatically' option, which determines whether Windows Update will automatically download and install driver updates for your hardware.
Q4
mediumFull explanation →

A user needs to connect to a work VPN but cannot find the VPN settings in the network tray. You need to guide them to the correct location to add a VPN connection. Where in Windows Settings would you direct them?

A

Network & Internet > Status

B

Network & Internet > Ethernet

C

Network & Internet > VPN

The VPN page allows adding and managing VPN connections.

D

Network & Internet > Proxy

Why: Option C is correct because the VPN settings in Windows are located under Network & Internet > VPN. This is the dedicated section where users can add, configure, and manage VPN connections, including setting up a new VPN profile with the server address, authentication method, and protocol (e.g., IKEv2, SSTP, or L2TP/IPsec). The network tray only shows existing connections; to add a new VPN, you must navigate to this specific settings page.
Q5
mediumFull explanation →

A user reports that their Windows 10 PC displays a 'Low Disk Space' warning on the C: drive. You want to use a built-in tool to delete temporary files and empty the Recycle Bin. Which Settings page should you open?

A

System > Storage

The Storage page shows disk usage and offers options to run Storage Sense or manually delete temporary files.

B

System > About

C

Apps > Apps & features

D

Update & Security > Windows Update

Why: The 'Low Disk Space' warning on the C: drive can be resolved by using the built-in Storage Sense or the manual 'Free up space now' feature, both accessible under System > Storage. This page provides tools to delete temporary files, empty the Recycle Bin, and remove other unnecessary data to reclaim disk space without third-party software.
Q6
easyFull explanation →

A user reports that their Windows 10 laptop shows a 'Your license will expire soon' watermark on the desktop. They recently replaced the motherboard. Which Control Panel applet should you use to re-activate Windows?

A

Device Manager

B

System

The System applet displays Windows edition, activation status, and a link to change the product key or activate.

C

User Accounts

D

Network and Sharing Center

Why: The System applet (also known as 'System Properties' or 'About' in Settings) is the correct Control Panel location to view and manage Windows activation status. After replacing the motherboard, Windows 10 detects a significant hardware change and may require re-activation. The System applet provides a 'Change product key' or 'Activate Windows' link to enter a new or existing license key, or to use the activation troubleshooter to re-activate with a digital license tied to a Microsoft account.

Want more Windows Settings and Control Panel practice?

Practice this domain
3

Domain 3: Windows Command-Line Tools

All Windows Command-Line Tools questions
Q1
easyFull explanation →

A user reports that a specific application crashes immediately on launch. You want to verify the integrity of the application's core files without reinstalling. Which command-line tool can you use to scan and repair system files that the application depends on?

A

sfc /scannow

Correct. sfc scans and repairs corrupted system files that might cause application crashes.

B

chkdsk /f

C

tasklist

D

dism /online /cleanup-image /restorehealth

Why: The System File Checker (sfc /scannow) scans protected system files and replaces corrupted ones with cached copies. If the application relies on system files, sfc can fix the issue. DISM repairs the system image itself, chkdsk checks disk errors, and tasklist lists processes.
Q2
mediumFull explanation →

During a security incident, you need to identify which processes are listening on specific network ports on a Windows server. Which command-line tool should you use?

A

nslookup

B

tracert

C

netstat -an

Correct. netstat -an displays all active connections and listening ports with numerical addresses, helping identify suspicious services.

D

ipconfig /all

Why: The netstat command with the -a (all connections) and -n (numerical addresses) options shows all listening ports and their associated processes. This is essential for security analysis. Other tools like nslookup resolve DNS, tracert trace routes, and ipconfig show IP configuration.
Q3
hardFull explanation →

A security audit reveals that a Windows 10 workstation has an unauthorized local user account. You need to remove this account from the command line without using the GUI. Which command should you use?

A

net localgroup Administrators UnauthorizedUser /delete

B

net user UnauthorizedUser /delete

Correct. net user /delete removes the specified user account from the system.

C

wmic useraccount where name='UnauthorizedUser' delete

D

gpresult /r

Why: The net user command with the /delete switch removes a local user account. For example, 'net user UnauthorizedUser /delete' deletes the account. Other commands like net localgroup manage groups, wmic useraccount can also delete but net user is the standard CLI tool. gpresult shows group policy results.
Q4
easyFull explanation →

A customer complains that their Windows 10 laptop frequently loses network connectivity. You suspect the IP address configuration is incorrect. Which command should you use to release the current IP address and request a new one from the DHCP server?

A

ping 8.8.8.8

B

ipconfig /release

Correct. ipconfig /release releases the current IP lease, and then ipconfig /renew obtains a new one from DHCP.

C

nslookup google.com

D

netstat -a

Why: The ipconfig /release command releases the current DHCP lease, and ipconfig /renew requests a new IP address from the DHCP server. This is the standard method to refresh IP configuration. Other commands like ping test connectivity, nslookup queries DNS, and netstat shows network connections.
Q5
mediumFull explanation →

A user reports that their Windows 10 PC is infected with malware that prevents the Task Manager from opening. You need to terminate a suspicious process from the command line. Which command should you use to forcefully end a process by its name?

A

tasklist /v

B

taskkill /IM malware.exe /F

Correct. taskkill /IM terminates the process by image name, and /F forces it to stop.

C

shutdown /r /t 0

D

regedit /e backup.reg

Why: The taskkill command can terminate processes by name or PID. The /F flag forces termination, which is necessary for stubborn malware. Other commands like tasklist list processes, shutdown reboots the system, and regedit edits the registry.
Q6
hardFull explanation →

After a failed Windows Update, a Windows 10 system repeatedly attempts to install the update and fails. You need to stop the Windows Update service and delete the temporary update files from the command line. Which two commands, in order, should you use? (Select the first command from the options.)

A

net stop wuauserv

Correct. net stop wuauserv stops the Windows Update service, allowing deletion of its temporary files.

B

sfc /scannow

C

dism /online /cleanup-image /restorehealth

D

taskkill /IM svchost.exe /F

Why: First, you must stop the Windows Update service using net stop wuauserv. Then, delete the contents of the SoftwareDistribution folder (e.g., del /f /s /q C:\Windows\SoftwareDistribution\*). Other commands like sfc repair system files, dism repair the image, and taskkill terminate processes but are not the correct sequence.

Want more Windows Command-Line Tools practice?

Practice this domain
4

Domain 4: Windows Administrative Tools

All Windows Administrative Tools questions
Q1
easyFull explanation →

A user reports that their Windows 10 PC is running slowly after they installed a new program. You need to identify which service or startup program is consuming the most CPU resources to troubleshoot the issue. Which administrative tool should you use?

A

Event Viewer

B

Task Manager

Task Manager's Processes tab shows CPU, memory, and disk usage for each running process, allowing you to pinpoint the culprit.

C

Services.msc

D

Performance Monitor

Why: Task Manager provides real-time performance monitoring, including CPU usage per process. This makes it the ideal tool for quickly identifying resource hogs. Other tools like Event Viewer or Services.msc are for different purposes.
Q2
hardFull explanation →

A security incident occurred where an unauthorized user gained access to a workstation. The security team needs to review detailed logs of all user logon attempts, including successful and failed logins, for the past 48 hours. Which administrative tool and specific log should you access to provide this information?

A

Event Viewer > Windows Logs > System

B

Event Viewer > Windows Logs > Security

The Security log contains audit events such as logon/logoff, account management, and policy changes.

C

Event Viewer > Applications and Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager

D

Computer Management > System Tools > Shared Folders > Sessions

Why: Event Viewer's Windows Logs > Security log records all security-related events, including logon attempts (success and failure). This is the standard location for auditing user activity. Other logs like System or Application do not focus on authentication events.
Q3
easyFull explanation →

During a software deployment, you need to configure a Windows 10 workstation to automatically start a legacy application every time a specific user logs on. Which tool should you use to add this startup entry for that user only?

A

Services.msc

B

Task Manager

Task Manager's Startup tab lists user startup items and allows you to enable or disable them easily.

C

Computer Management

D

Local Group Policy Editor

Why: Task Manager's Startup tab allows you to manage per-user startup programs from a simple interface. For more control, you can also use the Startup folder or Registry, but Task Manager is the standard administrative tool for this task. Other tools like Services.msc or Group Policy are for system-wide or advanced configurations.
Q4
mediumFull explanation →

A customer reports that their Windows 11 PC is experiencing intermittent application crashes and you suspect file corruption. You need to run a system file check without using the full Windows interface. Which administrative tool can you launch from the Run dialog to open a command prompt with the necessary permissions?

A

Type 'cmd' in the Run dialog and press Enter

B

Type 'powershell' in the Run dialog and press Enter

C

Type 'cmd' in the Run dialog and press Ctrl+Shift+Enter

This launches an elevated command prompt with administrator privileges, required for SFC to repair system files.

D

Type 'msconfig' in the Run dialog and press Enter

Why: Running 'cmd' from the Run dialog opens a standard command prompt, but to run SFC with full access, you need to run it as Administrator. The correct approach is to type 'cmd' in the Run box and press Ctrl+Shift+Enter to launch as administrator, or use the Start menu. The question tests knowledge of how to access elevated command prompt. Other options like PowerShell or MSConfig are not the direct tool for this task.
Q5
mediumFull explanation →

After installing a new printer, a user reports that print jobs are stuck in the queue and cannot be deleted. You need to stop and restart the print spooler service to clear the queue. Which administrative tool allows you to manage this service?

A

Task Manager

B

Services.msc

Services.msc lists all services, including the Print Spooler, and allows you to stop, start, or restart them.

C

Device Manager

D

Event Viewer

Why: Services.msc (the Services console) is the tool for starting, stopping, and managing Windows services like the Print Spooler. It provides a graphical interface to control service status and startup type. Other tools like Task Manager or Event Viewer do not offer direct service management.
Q6
mediumFull explanation →

A user reports that their Windows 10 PC is unable to connect to shared network folders on the office server. You need to verify that the necessary network discovery and file sharing services are running. Which administrative tool should you open to check the status of services like 'Function Discovery Resource Publication' and 'SSDP Discovery'?

A

Network and Sharing Center

B

Device Manager

C

Services.msc

Services.msc allows you to view and manage the status of all Windows services, including network discovery services.

D

Task Manager

Why: Services.msc provides a complete list of all Windows services, including those related to network discovery and sharing. You can check their status and start them if they are stopped. Other tools like Network and Sharing Center or Device Manager do not offer direct service management.

Want more Windows Administrative Tools practice?

Practice this domain
5

Domain 5: macOS Features and Tools

All macOS Features and Tools questions
Q1
hardFull explanation →

A security incident has occurred: a user's Mac running macOS Ventura was infected with malware that modified system files. The technician needs to boot the Mac into a mode that loads only essential Apple-signed kernel extensions and prevents third-party software from loading, in order to safely remove the malware. Which startup mode should they use?

A

Single-user mode (Command + S).

B

Verbose mode (Command + V).

C

Safe Mode (Shift key during startup).

Safe Mode disables all non-Apple kernel extensions, startup items, and login items, providing a clean environment to remove malware. It also checks the startup disk for errors.

D

Target Disk Mode (T key).

Why: Safe Mode (holding Shift during startup) loads only essential kernel extensions and disables all third-party startup items and login items. It also performs a directory check of the startup volume. This environment is ideal for troubleshooting and removing malware without interference. Single-user mode (Command+S) boots to a command-line interface but is deprecated on Apple Silicon Macs and does not inherently prevent malware from loading.
Q2
mediumFull explanation →

A user reports that their MacBook Pro running macOS Big Sur will not boot past the Apple logo. You suspect a corrupted system file. You need to boot into a special mode to run Disk Utility's First Aid on the startup volume. Which key combination should you hold during startup?

A

Hold the Option (⌥) key.

B

Hold Command (⌘) + R.

This boots into macOS Recovery, where Disk Utility is available. Running First Aid can repair disk errors that may be preventing the system from booting.

C

Hold the Shift key.

D

Hold Command (⌘) + Option (⌥) + P + R.

Why: Holding Command (⌘) and R during startup boots the Mac into macOS Recovery, which provides access to Disk Utility, Terminal, and the ability to reinstall macOS. From there, you can run First Aid on the startup disk. Option (⌥) boots into Startup Manager, and Shift boots into Safe Mode.
Q3
easyFull explanation →

A user complains that their MacBook Air running macOS Monterey frequently runs out of memory and slows down when they have multiple browser tabs and apps open. They want to see which processes are consuming the most memory without installing third-party software. Which macOS tool should you instruct them to use?

A

Force Quit Applications window (Cmd+Option+Esc).

B

System Preferences > Memory.

C

Terminal with the 'top' command.

D

Activity Monitor from the Utilities folder.

Activity Monitor provides a graphical interface to view memory usage, CPU load, and other system metrics. It is the appropriate tool for this scenario.

Why: Activity Monitor is the built-in macOS utility that displays real-time system resource usage, including memory, CPU, energy, disk, and network. The Memory tab shows memory pressure and per-process memory consumption, helping identify memory hogs. Force Quit is only for terminating applications, not for monitoring.
Q4
mediumFull explanation →

A technician is troubleshooting a Mac that fails to connect to a Wi-Fi network. The network is visible, but entering the correct password results in an 'unable to join the network' error. The technician wants to delete the saved network configuration to start fresh. Which macOS tool or location should they use?

A

System Settings > Network > Wi-Fi > Details > Remove this network.

This is the correct graphical method to forget a Wi-Fi network. It removes the saved password and any custom network settings, allowing a fresh connection attempt.

B

Keychain Access and delete the Wi-Fi password entry.

C

Terminal with the 'networksetup -setairportnetwork' command.

D

System Information > Network > Wi-Fi.

Why: The Network pane in System Settings allows you to manage network interfaces, including Wi-Fi. By selecting the Wi-Fi interface and clicking 'Advanced' or 'Details', you can see a list of preferred networks and remove the problematic one. This clears the saved password and settings. Keychain Access stores passwords but not network configurations, and Terminal is not the standard method.
Q5
easyFull explanation →

A graphic designer needs to create a bootable macOS installer on an external SSD to deploy macOS Sonoma to multiple iMacs in the office. They have the 'Install macOS Sonoma.app' file. Which built-in macOS tool should they use to create the bootable drive?

A

Disk Utility to restore the .app file to the SSD.

B

System Information to verify the SSD is bootable.

C

Terminal with the 'createinstallmedia' command.

This is the correct built-in tool. The command syntax is 'sudo /Applications/Install macOS Sonoma.app/Contents/Resources/createinstallmedia --volume /Volumes/MyVolume'. It creates a bootable installer.

D

Migration Assistant to copy the app to the SSD.

Why: The 'createinstallmedia' command in Terminal is the official Apple tool for creating a bootable macOS installer from an application bundle. It writes the installer to the target volume and makes it bootable. Disk Utility can erase the drive but cannot create the installer media, and System Information does not have this capability.
Q6
mediumFull explanation →

A user has accidentally deleted several important files from their Documents folder on their Mac running macOS Ventura. They need to recover them immediately. Which built-in macOS tool should you guide them to use first?

A

Time Machine from the menu bar.

B

The Trash folder in the Dock.

When files are deleted normally, they are moved to the Trash. The user can open the Trash, select the files, and choose 'Put Back' to restore them to their original location.

C

Terminal with the 'cd' and 'ls' commands.

D

System Settings > General > Storage.

Why: The Trash folder on macOS stores deleted files until it is emptied. If the user has not emptied the Trash, they can simply open the Trash icon in the Dock, locate the files, and drag them back to the Documents folder. Time Machine requires a backup to exist, and Terminal commands are unnecessary here.

Want more macOS Features and Tools practice?

Practice this domain
6

Domain 6: Linux Commands and File Permissions

All Linux Commands and File Permissions questions
Q1
hardFull explanation →

A malicious script is suspected to have changed permissions on critical system files. The administrator needs to restore the /etc/passwd file to its default permissions, which are 644. The file is currently 777. Which command will set the correct permissions?

A

chmod 644 /etc/passwd

This sets owner read/write, group read, others read, which is the correct default for /etc/passwd.

B

chmod 600 /etc/passwd

C

chmod 755 /etc/passwd

D

chmod 444 /etc/passwd

Why: The correct answer is A because chmod 644 /etc/passwd sets the permissions to rw-r--r--, which is the standard for /etc/passwd. This removes the world-writable and executable bits.
Q2
mediumFull explanation →

A system administrator needs to find all files in /var/log that have been modified in the last 24 hours to check for recent activity. Which command accomplishes this?

A

find /var/log -mtime -1

This correctly finds files modified within the last 24 hours using -mtime -1.

B

find /var/log -atime -1

C

find /var/log -ctime -1

D

find /var/log -mmin -1440

Why: The correct answer is A because find /var/log -mtime -1 finds files modified less than 1 day ago. The -mtime flag with a negative number means modified within the last n days.
Q3
easyFull explanation →

A helpdesk technician is assisting a user who is unable to find a file named 'notes.txt' they saved earlier. The user is in their home directory. Which command will search the entire filesystem for this file?

A

locate notes.txt

B

grep notes.txt /

C

find ~ -name notes.txt

D

find / -name notes.txt

This searches the entire filesystem from root, making it the correct command for a full system search.

Why: The correct answer is D because find / -name notes.txt searches the entire filesystem starting from root (/) for a file with that exact name. The -name flag is case-sensitive, which is appropriate here.
Q4
easyFull explanation →

A software deployment script fails because it cannot write to the /opt/app directory. The directory currently has permissions drwxr-xr-x and is owned by root. The script runs as a non-root user. Which command would allow the script to write files without compromising security more than necessary?

A

chmod o+w /opt/app

This adds write permission for others, allowing the non-root script to write while keeping group permissions unchanged.

B

chmod 777 /opt/app

C

chown user:user /opt/app

D

chmod g+w /opt/app

Why: The correct answer is A because chmod o+w /opt/app adds write permission for 'others' (the non-root user), which is the minimal change needed. The script runs as a non-root user, so this grants write access without affecting group permissions.
Q5
easyFull explanation →

During a security audit, a Linux server is found to have a configuration file that is world-writable. The file /etc/app/config.cfg must only be readable and writable by the root user. Which command should the administrator run?

A

chmod 777 /etc/app/config.cfg

B

chmod 644 /etc/app/config.cfg

C

chmod 600 /etc/app/config.cfg

This grants read and write only to the owner (root), and no permissions to group or others, securing the file.

D

chmod 400 /etc/app/config.cfg

Why: The correct answer is C because chmod 600 sets owner read/write and removes all permissions for group and others. This matches the requirement that only root can read and write the file.
Q6
mediumFull explanation →

A user reports that a shared file on a Linux server is not accessible to their team. The file permissions are -rwxr----- and the user is a member of the group 'staff'. The file's group owner is 'admin'. Which command should the administrator run to allow the staff group to read the file?

A

chmod 755 file

B

chmod g+r file

C

chgrp staff file

This changes the group to 'staff', so the group read permission applies to the user's team, granting access.

D

chown user:staff file

Why: The correct answer is C because chgrp staff file changes the group ownership to 'staff', making the group permissions apply to the user's team. The current group is 'admin', so the staff group has no access.

Want more Linux Commands and File Permissions practice?

Practice this domain
7

Domain 7: Mobile OS Features and Tools

All Mobile OS Features and Tools questions
Q1
hardFull explanation →

A user's iPhone is running iOS 15 and they are unable to install a new app from the App Store. The error message says 'Unable to Download App. This app requires iOS 16 or later.' However, the user's iPhone model supports iOS 16. Which built-in iOS feature should the technician use to resolve this?

A

Offload the app and reinstall it.

B

Clear the App Store cache by force-closing the app.

C

Perform a factory reset.

D

Update iOS via Settings > General > Software Update.

Updating to iOS 16 via Software Update meets the app's requirement, allowing the download to proceed.

Why: This question tests iOS update management. The correct answer is 'Software Update' in Settings > General, which allows the user to upgrade to iOS 16. The error indicates the app requires a newer OS version, and updating the OS is the standard solution.
Q2
mediumFull explanation →

During a security audit, a technician discovers that an employee's company-issued iPhone has been jailbroken. The employee claims they only did it to customize the home screen. Which security risk is most directly associated with a jailbroken device in a corporate environment?

A

The device cannot receive iOS updates.

B

It voids the warranty.

C

It bypasses app sandbox restrictions, potentially exposing corporate data.

Jailbreaking removes iOS security layers, including sandboxing, allowing malicious apps to access data from other apps, which is a severe data leakage risk.

D

The device will perform slower.

Why: This question tests understanding of jailbreaking risks. The correct answer is that jailbreaking removes sandbox restrictions, allowing apps to access data from other apps, which can lead to data leakage. This is a primary concern for corporate devices handling sensitive information.
Q3
easyFull explanation →

A user is setting up a new Android tablet for a child and wants to restrict access to adult content, limit app purchases, and set screen time limits. Which built-in Android feature should the technician configure?

A

Guest Mode

B

Google Family Link

Family Link is designed specifically for parental controls, offering content restrictions, purchase approvals, and usage limits.

C

Do Not Disturb

D

Developer Options

Why: This question covers Android parental controls. The correct answer is 'Google Family Link', a dedicated app and service that allows parents to manage app permissions, content filters, and screen time across Android devices. It is the standard tool for child safety on Android.
Q4
mediumFull explanation →

A technician is tasked with deploying 50 Android tablets for a field sales team. The tablets need to have a consistent set of apps, settings, and security policies. The technician wants to avoid manually configuring each device. Which Android feature should the technician use?

A

Samsung DeX

B

Google Backup

C

Android Enterprise (Zero-Touch Enrollment)

Android Enterprise allows IT to enroll devices automatically via QR code or NFC, apply policies, and install apps remotely through an MDM.

D

Developer Options > OEM Unlocking

Why: This question tests enterprise deployment tools. The correct answer is 'Android Enterprise' (formerly Android for Work), which supports zero-touch enrollment and managed configurations via a Mobile Device Management (MDM) system. This enables bulk provisioning without manual setup.
Q5
easyFull explanation →

A technician is configuring an Android phone for a user who frequently travels internationally. The user wants to ensure that data roaming is disabled to avoid high charges, but still wants to receive calls and texts while abroad. Which setting should the technician configure?

A

Enable Airplane Mode and turn on Wi-Fi.

B

Disable Mobile Data entirely.

C

Turn off Data Roaming in the mobile network settings.

Data Roaming specifically controls cellular data while roaming; turning it off prevents data charges while voice and SMS still work.

D

Set the network mode to 2G only.

Why: This question tests Android connectivity settings. The correct answer is to disable 'Data Roaming' while keeping 'Roaming' enabled for voice and SMS. This allows calls and texts over partner networks without using mobile data, preventing unexpected charges.
Q6
easyFull explanation →

A customer reports that their Android phone's screen is unresponsive to touch after a drop. They can still hear notifications and see the display. Which built-in tool should you use to test the touchscreen functionality without relying on third-party apps?

A

Safe Mode

B

Developer Options

C

Diagnostics Mode (e.g., *#0*#)

Many Android devices have a hidden diagnostics menu (e.g., *#0*#) that includes touchscreen, display, and sensor tests, ideal for verifying hardware issues.

D

Factory Reset

Why: This question tests knowledge of Android's built-in diagnostic tools. The correct answer is the 'Diagnostics' or 'Test' mode, often accessed via the dialer code or settings, which allows hardware testing without third-party apps. This is a standard feature for verifying touchscreen integrity after physical damage.

Want more Mobile OS Features and Tools practice?

Practice this domain
8

Domain 8: Virtualization and Cloud Technologies

All Virtualization and Cloud Technologies questions
Q1
mediumFull explanation →

A small business wants to migrate its on-premises file server to the cloud to reduce hardware maintenance costs. They need low-latency access for local employees and want to avoid egress fees for large data transfers. Which cloud deployment model best meets these requirements?

A

Public cloud

B

Private cloud

C

Hybrid cloud

Hybrid cloud allows the business to keep frequently accessed data on-premises (private) for low latency and use public cloud for backup and scalability, reducing egress fees.

D

Community cloud

Why: A hybrid cloud combines private and public cloud resources, allowing sensitive or frequently accessed data to remain on-premises (private cloud) while using public cloud for scalability and backup. This reduces latency for local users and minimizes egress fees for large data transfers. Public cloud alone would introduce latency and egress costs; community cloud is for shared organizations; private cloud alone doesn't leverage cloud scalability.
Q2
easyFull explanation →

A company uses a cloud-based SaaS application for customer relationship management (CRM). Several employees report that they cannot access the CRM this morning, but internet connectivity is working. The IT support team checks the cloud provider's status page and finds no reported outages. What should the technician check next?

A

Verify that the DNS server is resolving the CRM URL correctly.

B

Check if the users' accounts have expired or if passwords need to be reset.

Expired passwords or locked accounts are common reasons for individual access failures to SaaS applications.

C

Reboot the company's firewall to clear any temporary blocks.

D

Reinstall the CRM application on the affected workstations.

Why: When a cloud service is accessible to some but not others, the issue is often local authentication or configuration. Expired credentials or browser cache problems are common causes. The cloud provider's status page shows no outage, so the issue is likely client-side. DNS and firewall settings would affect all users if misconfigured.
Q3
mediumFull explanation →

A technician is tasked with deploying a virtual machine for a new employee. The VM will run a Linux distribution and needs to be isolated from the corporate network but still have internet access for updates. Which network configuration should the technician choose for the VM?

A

Bridged networking

B

NAT (Network Address Translation)

NAT provides internet access through the host while keeping the VM isolated from the corporate network.

C

Host-only networking

D

Internal networking

Why: NAT (Network Address Translation) allows the VM to access the internet using the host's IP address while keeping it separate from the host's local network. Bridged mode would give the VM its own IP on the corporate network, violating isolation. Host-only mode blocks internet access. Internal network would also block internet access.
Q4
mediumFull explanation →

A user reports that their virtual machine running on a Type 2 hypervisor is extremely slow, especially during disk operations. The host machine has 16 GB of RAM and an SSD, but the VM is configured with 2 GB of RAM and a 100 GB dynamically expanding virtual hard disk. What is the most likely cause of the performance issue?

A

The VM has insufficient RAM allocated.

B

The host is running out of physical memory.

C

The virtual hard disk type is dynamically expanding.

Dynamically expanding disks grow on demand, causing fragmentation and slower I/O compared to fixed-size disks.

D

The VM is using an older version of the virtualization software.

Why: Dynamically expanding virtual hard disks can cause performance degradation because they grow as data is written, leading to fragmentation and increased I/O overhead. Fixed-size virtual hard disks pre-allocate space, reducing fragmentation and improving disk performance. The RAM and CPU configuration are not directly related to the disk slowness described.
Q5
easyFull explanation →

A technician is configuring a cloud-based backup solution for a company's critical data. The company wants to ensure that if the primary cloud provider experiences an outage, the data remains accessible from another provider. Which concept should the technician implement?

A

High availability

B

Cloud federation

Cloud federation enables interoperability between different cloud providers, allowing data to be replicated and accessed across them.

C

Load balancing

D

Disaster recovery plan

Why: Cloud federation allows different cloud providers to share resources and data, enabling failover and redundancy. This ensures data accessibility even if one provider goes down. High availability is a general concept, not specific to multi-provider redundancy. Load balancing distributes traffic but does not guarantee data access during a provider outage. Disaster recovery is a broader plan, but federation is the specific technology for inter-provider failover.
Q6
mediumFull explanation →

A technician needs to create a virtual machine that will host a legacy application requiring Windows XP. The host runs Windows 11. After creating the VM and installing Windows XP, the technician notices that the mouse cursor is lagging and the screen resolution is stuck at 800x600. What should the technician do to resolve this?

A

Increase the amount of RAM allocated to the VM.

B

Install the guest additions for the VM.

Guest additions install drivers that enable higher resolutions and smooth mouse integration.

C

Update the host operating system to the latest version.

D

Change the VM's network adapter from NAT to bridged.

Why: Guest additions (or integration services) contain optimized drivers for the virtual hardware, including mouse and display drivers. Without them, the VM uses basic VGA drivers, limiting resolution and causing input lag. Updating the host OS or increasing RAM won't fix driver issues. Changing the network adapter type is unrelated to display and input problems.

Want more Virtualization and Cloud Technologies practice?

Practice this domain
9

Domain 9: Physical Security Controls

All Physical Security Controls questions
Q1
easyFull explanation →

A customer reports that their laptop was stolen from their desk over the weekend. The laptop contained sensitive client data. Which physical security control should have been implemented to prevent this theft?

A

Biometric authentication

B

Cable lock

A cable lock physically secures the laptop to a desk, making theft much more difficult and time-consuming.

C

Full disk encryption

D

Smart card reader

Why: Cable locks are a simple and effective physical security control to prevent laptop theft by securing the device to a desk or fixed object. This scenario tests the understanding of basic physical deterrents against opportunistic theft in an office environment.
Q2
easyFull explanation →

During a security audit, you find that a company's server room door is propped open with a trash can to allow airflow. What is the most immediate physical security risk in this scenario?

A

Increased dust entering the server room

B

Fire suppression system may not work

C

Unauthorized personnel can enter the server room

An unsecured door allows anyone to walk in, defeating the purpose of access controls and posing a serious security threat.

D

The door closer will wear out faster

Why: Propping open a secured door completely bypasses the access control system, allowing unauthorized individuals to enter the server room undetected. This highlights the importance of maintaining door closure mechanisms to ensure physical security.
Q3
mediumFull explanation →

A company's server room has a door with a proximity card reader. Employees report that the door sometimes does not close fully, allowing it to be pushed open without a card. What is the best solution?

A

Replace the proximity card reader with a biometric reader

B

Install a door closer mechanism

A door closer automatically pulls the door shut and ensures it latches, preventing unauthorized entry through an unsecured door.

C

Add a security camera to monitor the door

D

Increase the frequency of badge audits

Why: A door closer ensures the door automatically shuts and latches after each use, preventing it from being left ajar. This addresses the root cause of the security gap by maintaining the integrity of the access control system.
Q4
hardFull explanation →

A company is designing a secure entry for a high-security lab. They need to ensure that only one person can enter at a time and that the person must be authenticated before the second door opens. Which physical security control should be used?

A

Turnstile with biometric reader

B

Security guard with logbook

C

Mantrap with smart card and biometric authentication

A mantrap uses two doors; the first door locks after entry, and the second door only unlocks after successful authentication, ensuring single-person access.

D

Cipher lock with door alarm

Why: A mantrap with two interlocking doors and authentication requirements ensures one-person-at-a-time entry, preventing tailgating and piggybacking. This is the gold standard for high-security areas requiring strict access control.
Q5
mediumFull explanation →

A technician is configuring a new server rack in a shared office space. Which physical security measure should be applied to prevent unauthorized physical access to the servers?

A

Install a door alarm on the office entrance

B

Use rack-mount locks on each server chassis

Rack-mount locks physically prevent the server from being slid out or tampered with, directly securing the hardware.

C

Enable BitLocker on all server drives

D

Configure a strong BIOS password

Why: Rack-mount locks secure the server chassis within the rack, preventing unauthorized removal or tampering with individual servers. This is a standard physical control for multi-tenant or shared spaces where racks are accessible.
Q6
mediumFull explanation →

A technician is troubleshooting why a smart card reader at a secure entrance fails intermittently. Users can sometimes enter, but other times the reader does not respond. What should the technician check first?

A

Update the smart card reader firmware

B

Replace the smart cards for all users

C

Check the cabling and connections to the reader

Intermittent connectivity often points to loose or damaged cables; verifying physical connections is a quick and effective first step.

D

Reconfigure the access control software

Why: Loose or damaged cabling is a common cause of intermittent failures in physical access control systems. Checking the physical connection is a logical first step before moving to software or configuration issues.

Want more Physical Security Controls practice?

Practice this domain
10

Domain 10: Logical Security Concepts

All Logical Security Concepts questions
Q1
mediumFull explanation →

A technician is setting up a new wireless network for a small office. They want to ensure that only company-issued devices can connect, and that data transmitted over the air is encrypted. Which combination of settings should they use?

A

WPA2 with TKIP encryption and SSID broadcast disabled.

B

WPA3 with AES encryption and MAC address filtering.

WPA3 with AES provides strong encryption, and MAC filtering restricts access to approved devices.

C

WEP with 128-bit key and a strong password.

D

Open network with a captive portal requiring employee login.

Why: WPA2 or WPA3 with AES encryption provides strong wireless security. MAC address filtering can be added as an extra layer to restrict which devices can associate. This combination meets both requirements of encryption and device restriction.
Q2
hardFull explanation →

A company's security policy mandates that all remote access connections must be authenticated using two different factors. A technician is configuring VPN access for teleworkers. Which combination meets this requirement?

A

Username and password only.

B

Smart card and PIN.

Smart card is something you have, PIN is something you know; two different factors.

C

Biometric fingerprint and a PIN.

D

Two different passwords.

Why: Multifactor authentication requires two or more factors from different categories: something you know (password), something you have (smart card, token), and something you are (biometric). A password plus a one-time code from a hardware token uses two distinct factors, satisfying the policy.
Q3
mediumFull explanation →

A user calls the help desk saying they cannot access a shared folder on the network. They can access other shares on the same server. The technician verifies the user's account is active and the folder exists. What should the technician check next to resolve the access issue?

A

Check if the user's password has expired.

B

Verify the user has been added to the local Administrators group.

C

Review the NTFS permissions on the shared folder.

NTFS permissions can deny access to specific users even if share permissions allow it, explaining the isolated issue.

D

Reboot the file server to clear any cached permissions.

Why: NTFS permissions control access at the folder level on the server. Even if share permissions allow access, restrictive NTFS permissions can block a specific user. The technician should check the effective permissions on that folder for the user.
Q4
mediumFull explanation →

A technician is configuring a new employee's laptop and needs to ensure that only approved applications can run. The company wants to prevent users from installing unauthorized software. Which security control should be implemented?

A

Enable Windows Defender real-time protection.

B

Set the user account as a Standard User.

C

Configure an application whitelist using AppLocker.

AppLocker enforces a whitelist, allowing only specified applications to run, directly meeting the requirement.

D

Disable the Windows Store.

Why: Application whitelisting allows only pre-approved programs to execute, blocking all others by default. This is the most effective way to prevent unauthorized software installation. Software Restriction Policies or AppLocker in Windows can enforce this.
Q5
mediumFull explanation →

During a security audit, it is discovered that a former employee's user account is still active and has been used to log in remotely three times in the past month. Which logical security principle has been violated?

A

Separation of duties

B

Least privilege

The former employee no longer needs any access, so the account violates least privilege by still having permissions.

C

Defense in depth

D

Mandatory access control

Why: The principle of least privilege requires that users have only the access necessary for their job. An inactive account with remote access violates this and also the principle of account lifecycle management. The immediate issue is that the account should have been disabled upon termination.
Q6
easyFull explanation →

An employee receives an email that appears to be from the CEO, asking them to urgently wire funds to a new vendor. The email address looks similar to the CEO's but has a slight typo. What type of social engineering attack is this?

A

Phishing

B

Whaling

Whaling is a targeted phishing attack against high-profile individuals like the CEO, often involving impersonation.

C

Spear phishing

D

Vishing

Why: This is a classic whaling attack, a form of phishing that targets high-level executives or impersonates them to trick employees into performing actions like wire transfers. The spoofed email address and urgent request are typical indicators. Whaling is a specific type of social engineering focused on senior staff.

Want more Logical Security Concepts practice?

Practice this domain
11

Domain 11: Wireless Security Protocols

All Wireless Security Protocols questions
Q1
easyFull explanation →

A company's IT policy requires that all wireless traffic be encrypted using the strongest available protocol. A technician is configuring a new access point that supports WPA3-SAE, WPA2-PSK with AES, and WPA2-PSK with TKIP. Which configuration meets the policy?

A

WPA2-PSK with TKIP.

B

WPA2-PSK with AES.

C

WPA3-SAE.

WPA3-SAE is the current strongest standard, offering improved security over WPA2.

D

A mixed mode of WPA2 and WPA3.

Why: WPA3-SAE is the strongest available wireless security protocol, providing forward secrecy and stronger authentication than WPA2. It is the correct choice for maximum security.
Q2
mediumFull explanation →

A technician is configuring a wireless network for a school that uses Chromebooks and iPads. The network must support fast roaming and prioritize security. The technician enables WPA2-Enterprise with 802.1X. What additional configuration is needed to ensure seamless roaming between access points?

A

Enable WPA3-SAE on all access points.

B

Configure all access points with the same SSID and passphrase.

C

Enable 802.11r (Fast Roaming) on the wireless controller.

802.11r reduces the time required for re-authentication during roaming.

D

Disable WPS on all access points.

Why: Fast roaming (802.11r) allows clients to quickly re-authenticate when moving between access points, reducing latency. WPA2-Enterprise alone does not provide fast roaming; 802.11r must be enabled on the controller and access points.
Q3
mediumFull explanation →

A customer reports that their laptop frequently disconnects from the office Wi-Fi and reconnects after a few seconds. The network uses WPA2-PSK with AES encryption. The technician checks the router logs and sees repeated '4-way handshake timeout' errors. What is the most likely cause of this issue?

A

The laptop is using an outdated WEP encryption protocol.

B

The router's DHCP lease time is set too short.

C

The laptop is too far from the access point, causing intermittent signal loss.

Weak signal can cause the 4-way handshake to time out, leading to disconnections.

D

The router is configured for WPA2-Enterprise instead of WPA2-PSK.

Why: The 4-way handshake timeout errors indicate that the laptop cannot complete the WPA2 authentication process, often due to signal interference or weak signal strength. While other options could cause connectivity issues, the specific handshake timeout points to a problem with the wireless signal or authentication process.
Q4
easyFull explanation →

A user reports that their smartphone cannot connect to the office Wi-Fi, but other devices can. The network uses WPA2-Enterprise with PEAP-MSCHAPv2. The technician checks the phone's settings and sees that it is configured for WPA2-PSK. What is the most likely reason for the connection failure?

A

The phone's Wi-Fi antenna is damaged.

B

The phone is using the wrong security protocol.

WPA2-PSK uses a shared key, while WPA2-Enterprise uses 802.1X authentication.

C

The router's SSID is hidden.

D

The phone's MAC address is filtered.

Why: WPA2-Enterprise requires a username and password or certificate for authentication, not a pre-shared key. The phone's WPA2-PSK setting is incompatible with the network's authentication method.
Q5
hardFull explanation →

A security incident occurs where an attacker captures the 4-way handshake of a WPA2-PSK network and successfully cracks the passphrase offline. The technician is tasked with preventing this type of attack in the future. Which protocol should the technician implement?

A

WPA2-PSK with a longer passphrase.

B

WPA3-SAE.

WPA3-SAE uses SAE, which is resistant to offline dictionary attacks, even if the handshake is captured.

C

WPA2-Enterprise with PEAP-MSCHAPv2.

D

WPA2-PSK with TKIP.

Why: WPA3-SAE uses Simultaneous Authentication of Equals (SAE), which provides forward secrecy and prevents offline dictionary attacks. WPA2-PSK is vulnerable to handshake capture and offline cracking.
Q6
easyFull explanation →

A technician is setting up a wireless network for a home office. The client is concerned about neighbors accessing their internet. The technician enables WPA2-PSK with a strong passphrase. Which additional step should the technician take to ensure the network is as secure as possible?

A

Enable WPS for easy device pairing.

B

Disable SSID broadcast.

C

Disable WPS on the router.

WPS is a common attack vector; disabling it forces attackers to crack the passphrase directly.

D

Enable MAC address filtering.

Why: Disabling WPS prevents attackers from using brute-force attacks to guess the PIN and retrieve the passphrase. WPA2-PSK with a strong passphrase is secure, but WPS can bypass that security.

Want more Wireless Security Protocols practice?

Practice this domain
12

Domain 12: Malware Types and Removal

All Malware Types and Removal questions
Q1
easyFull explanation →

During a routine security audit, a technician discovers that a user's workstation has a program that records keystrokes and periodically sends the data to an external server. The user denies installing any software recently. Which type of malware is this?

A

Trojan horse

B

Worm

C

Keylogger

A keylogger specifically records keystrokes and sends them to an attacker, exactly as described.

D

Ransomware

Why: A keylogger is a type of spyware that records keystrokes to capture sensitive information like passwords. It often operates stealthily without the user's knowledge, matching the scenario where the user did not install anything. Spyware is the broader category, but keylogger is the specific variant described.
Q2
hardFull explanation →

A technician is investigating a security incident where multiple workstations on the same network are showing signs of infection: slow performance, unusual network traffic, and the presence of a file named 'svch0st.exe' in the Startup folder. The technician suspects a worm that spreads through network shares. What is the most effective containment strategy?

A

Run a full antivirus scan on all workstations simultaneously.

B

Disable network shares and isolate infected workstations from the network.

This stops the worm from spreading via file shares and prevents further infection.

C

Update the antivirus definitions on one workstation and scan it.

D

Reboot all workstations into Safe Mode with Networking.

Why: A worm that spreads via network shares requires immediate network segmentation to stop propagation. Disabling the network shares on all workstations and isolating infected systems from the network prevents the worm from reaching other devices. Patching the vulnerability used for spread (e.g., SMB) is also critical, but containment is the priority.
Q3
mediumFull explanation →

A technician is tasked with removing a persistent malware infection that survives reboots and re-infects the system even after a full antivirus scan in Safe Mode. The malware appears to hide in the Master Boot Record (MBR). Which removal method should the technician use?

A

Run a system file checker (sfc /scannow) from within Windows.

B

Use the Windows Recovery Environment to run bootrec /fixmbr.

This command rewrites the MBR, removing the malware that resides there.

C

Perform a clean installation of Windows without formatting the drive.

D

Disable System Restore and delete all restore points.

Why: MBR malware infects the boot sector, loading before the operating system, which allows it to survive standard scans and Safe Mode. The most effective removal is to use the Windows Recovery Environment (WinRE) with bootrec /fixmbr and bootrec /fixboot commands. This overwrites the infected boot sector. If that fails, a full reinstall may be necessary.
Q4
easyFull explanation →

A small business owner calls for support because all of their files on the server have been renamed with a .encrypted extension, and a text file named 'README_TO_DECRYPT.txt' appears on the desktop demanding a Bitcoin payment. What is the first step the technician should take?

A

Pay the ransom to get the decryption key immediately.

B

Disconnect the server from the network.

Disconnecting the server stops the ransomware from encrypting additional files and spreading to other systems.

C

Run a full antivirus scan on the server.

D

Restore files from a recent backup immediately.

Why: The first step in a ransomware incident is to isolate the infected system from the network to prevent the malware from spreading to other devices. Paying the ransom is discouraged as it does not guarantee data recovery and funds criminal activity. After isolation, the technician can assess the damage and attempt recovery from backups.
Q5
hardFull explanation →

A technician is dealing with a zero-day malware infection that has evaded all signature-based antivirus scans. The malware is polymorphic, changing its code each time it infects a new system. Which approach is most likely to detect and remove this type of malware?

A

Update the antivirus to the latest signature definitions and run a full scan.

B

Use a bootable antivirus rescue disk to scan the system before the OS loads.

C

Employ a heuristic-based or behavior-based malware removal tool.

Heuristic tools analyze behavior and code patterns, allowing them to detect polymorphic malware that changes its signature.

D

Reinstall the operating system from a known-good backup.

Why: Polymorphic malware changes its signature, making signature-based detection ineffective. Heuristic analysis and behavior-based detection tools, such as those used by advanced endpoint detection and response (EDR) solutions, can identify malware based on suspicious actions rather than static signatures. Running a tool that uses heuristic scanning can detect the malware's behavior, such as file encryption or unauthorized registry changes.
Q6
easyFull explanation →

A user reports that their computer is infected with a virus and they have been trying to remove it using a free online scanner, but the problem persists. The technician suspects the malware may have disabled the antivirus software. Which safe mode should the technician use to run a full system scan?

A

Safe Mode

B

Safe Mode with Command Prompt

C

Safe Mode with Networking

This mode provides network access, allowing the technician to download updated tools while keeping malware disabled.

D

Last Known Good Configuration

Why: Safe Mode with Networking allows the technician to boot with minimal drivers and services while still having network access to download updated antivirus definitions or removal tools. Safe Mode alone does not provide network access, which is often needed to get the latest malware signatures. This mode also prevents many malware variants from loading, making removal easier.

Want more Malware Types and Removal practice?

Practice this domain
13

Domain 13: Social Engineering Attacks

All Social Engineering Attacks questions
Q1
easyFull explanation →

An employee finds a USB drive labeled 'Employee Salary Info Q4' in the parking lot. Out of curiosity, they plug it into their work computer to see the contents. What type of social engineering attack is this an example of?

A

Phishing

B

Tailgating

C

Baiting

Baiting exploits human curiosity or greed by offering something desirable. The USB drive with a tempting label is a classic baiting technique.

D

Pretexting

Why: This is baiting, where an attacker leaves a physical item (like a USB drive) in a location where it is likely to be found and used. The enticing label is the 'bait' that exploits human curiosity.
Q2
mediumFull explanation →

A new employee receives an email that appears to be from the company's HR department, asking them to click a link to verify their direct deposit information for payroll. The email contains the company logo and looks professional. What is the most likely social engineering attack?

A

Whaling

B

Phishing

Phishing is a broad category of attacks that use deceptive emails to trick recipients into revealing sensitive information or clicking malicious links. This scenario is a classic phishing attempt.

C

Vishing

D

Shoulder surfing

Why: This is a phishing attack, specifically a form of spear phishing targeting a new employee. The email uses social engineering tactics (urgency, authority) to trick the recipient into clicking a malicious link that could steal credentials or install malware.
Q3
easyFull explanation →

A user calls the help desk, frantic because their banking app shows an unauthorized transfer of $500. They say they received a call earlier from 'bank security' asking them to install a remote access tool to 'verify their account'. What type of social engineering attack did the user fall victim to?

A

Phishing

B

Vishing

Vishing (voice phishing) uses phone calls to impersonate legitimate organizations and trick victims into revealing sensitive information or installing malware. This scenario perfectly matches that description.

C

Smishing

D

Shoulder surfing

Why: This is a classic vishing (voice phishing) attack combined with a tech support scam. The attacker used a phone call to impersonate a trusted entity and tricked the user into installing remote access software, giving the attacker control over the device to perform fraudulent transactions.
Q4
hardFull explanation →

A technician is troubleshooting a user's slow computer. The user mentions they received a call from 'Windows Support' saying their computer had a virus. The user gave the caller remote access to 'fix' it. Now, the computer is running slower and has strange pop-ups. What is the most likely consequence of this social engineering attack?

A

The computer is now part of a botnet used for DDoS attacks.

B

The attacker installed a keylogger to steal credentials and sensitive data.

A keylogger is a common payload in tech support scams. The attacker can capture passwords, banking info, and other sensitive data, leading to identity theft or financial loss.

C

The computer's BIOS has been corrupted.

D

The hard drive has been physically damaged.

Why: By giving remote access, the user likely allowed the attacker to install malware, such as ransomware, spyware, or a backdoor. The slow performance and pop-ups are symptoms of malware infection. The technician should immediately disconnect the computer from the network and perform a full security scan.
Q5
easyFull explanation →

A user reports receiving an email that appears to be from their CEO, urgently requesting that they purchase $500 in gift cards and reply with the codes. The email address looks slightly off (e.g., ceo@cornpany.com instead of ceo@company.com). What type of social engineering attack is this?

A

Spear phishing

B

Vishing

C

Whaling

Whaling is a phishing attack that targets senior executives (or impersonates them) to steal sensitive data or money. The email impersonating the CEO is a textbook example.

D

Tailgating

Why: This is a whaling attack, a type of phishing that targets high-profile individuals or impersonates them to trick lower-level employees. The attacker used a spoofed email address to impersonate the CEO and create a sense of urgency.
Q6
hardFull explanation →

A technician receives an email from what appears to be the company's CEO, asking for a list of all employee passwords for a 'security audit'. The email address is correct, but the tone and request are unusual. The technician suspects a social engineering attack. What is the best course of action?

A

Reply to the email asking for more details to confirm the request.

B

Forward the email to the security team and do not respond.

The correct action is to report the suspicious email to the security team for investigation and not engage with the potential attacker. This follows proper incident response protocols.

C

Provide the list as requested, since the CEO has authority.

D

Call the CEO immediately to verify the request.

Why: This is likely a whaling or spear phishing attack impersonating the CEO. The technician should never share passwords and should verify the request through a separate communication channel (e.g., phone call or in-person) before taking any action. Reporting to the security team is also critical.

Want more Social Engineering Attacks practice?

Practice this domain
14

Domain 14: Windows Security Settings

All Windows Security Settings questions
Q1
hardFull explanation →

After a security incident, a forensic analyst needs to review the event logs on a Windows 10 system to determine when a specific user account was created. The logs are intact. Which Windows security setting must be enabled to ensure that account creation events are recorded?

A

Enable 'Audit Logon Events' in Local Security Policy.

B

Enable 'Audit Account Management' in Advanced Audit Policy.

This setting specifically logs account creation, modification, and deletion events.

C

Turn on 'File and Printer Sharing' in Network and Sharing Center.

D

Configure Windows Defender to scan for new accounts.

Why: Audit Account Management policy must be enabled to log events like user account creation. This is configured in Local Security Policy or Group Policy under Advanced Audit Policy Configuration. Without this audit setting, account creation events are not recorded in the Security log.
Q2
mediumFull explanation →

A technician is configuring a Windows 10 kiosk machine that will run a single web application in full-screen mode. The machine must not allow users to access the desktop, taskbar, or other apps. Which Windows security feature should be used to accomplish this?

A

Local Group Policy to hide the taskbar.

B

User Account Control set to 'Always notify.'

C

Windows Defender Application Guard

D

Assigned Access (Kiosk Mode)

This feature locks the device to a single app, providing the required security and restriction.

Why: Assigned Access (formerly Kiosk Mode) in Windows 10/11 allows a device to run a single app in full-screen, locking down the system. It can be configured via Settings > Accounts > Other users > Set up a kiosk. This ensures users cannot exit the app or access other parts of the OS.
Q3
mediumFull explanation →

During a security audit, you discover that a Windows 10 workstation has a weak local administrator password. The company policy requires all local admin passwords to be at least 12 characters with complexity. Which tool can enforce this policy for all future password changes on that workstation?

A

Local Users and Groups (lusrmgr.msc)

B

Local Security Policy (secpol.msc)

This tool provides granular control over security policies, including password requirements.

C

Registry Editor (regedit)

D

Windows Defender Firewall with Advanced Security

Why: Local Security Policy (secpol.msc) allows configuring password policies like minimum length and complexity for local accounts. This is applied via Account Policies > Password Policy. It ensures that any new password meets the requirements.
Q4
easyFull explanation →

A small business owner wants to prevent employees from changing system time, installing printers, and modifying power settings on their Windows 10 workstations. They do not want to remove local admin rights entirely. Which Windows security tool should be used to apply these restrictions?

A

Windows Defender Security Center

B

Local Users and Groups (lusrmgr.msc)

C

Local Group Policy Editor (gpedit.msc)

Group Policy can enforce specific restrictions on user actions without removing admin rights.

D

Registry Editor (regedit)

Why: Local Group Policy Editor (gpedit.msc) allows granular control over user permissions and system settings without removing admin rights. It can restrict specific actions like changing time or installing printers via Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
Q5
mediumFull explanation →

A company uses AppLocker to control which applications can run on Windows 10 workstations. A user needs to run a portable application from a USB drive for a presentation, but it is blocked by AppLocker. The user has local admin rights. What is the best way to allow this specific application while maintaining security?

A

Temporarily disable AppLocker service.

B

Add the user to the 'Power Users' group.

C

Create a new AppLocker path rule for the USB drive.

This allows the specific app while keeping other restrictions in place.

D

Run the application as Administrator.

Why: AppLocker can be configured with rules based on file path, publisher, or hash. Creating a path rule for the USB drive or a hash rule for the specific executable allows the app while still blocking others. This is more secure than disabling AppLocker or giving the user permanent exceptions.
Q6
mediumFull explanation →

A user reports that their Windows 10 laptop shows a blue screen with an error message about 'Driver IRQL not less or equal' after connecting a new external hard drive. They need to use the drive for work. Which security setting should you check to ensure driver installation is not blocked?

A

Check if Secure Boot is enabled in UEFI.

B

Verify that User Account Control is set to 'Notify me only when apps try to make changes.'

C

Disable Driver Signature Enforcement temporarily.

This allows unsigned drivers to load, which can resolve the blue screen if the driver is the cause.

D

Run Windows Update to find a signed driver.

Why: Driver Signature Enforcement ensures that only drivers with a valid digital signature can be installed. If a driver is unsigned or has an invalid signature, Windows may block it, causing errors. This setting is part of Windows security and can be temporarily disabled for troubleshooting.

Want more Windows Security Settings practice?

Practice this domain
15

Domain 15: Browser and Application Security

All Browser and Application Security questions
Q1
mediumFull explanation →

A technician is troubleshooting a Windows 10 computer where the user cannot install a legitimate browser extension because the browser displays a warning that extensions from this source are not allowed. What setting is likely blocking the installation?

A

The browser is in private browsing mode.

B

The computer is running Windows 10 in S mode.

S mode only allows apps from the Microsoft Store, which can prevent installation of extensions from outside the store.

C

The user account does not have administrator privileges.

D

The browser's security level is set to high.

Why: Windows 10's S mode restricts app installations to the Microsoft Store, which also affects browser extensions. Disabling S mode or using a different browser that supports the extension is the solution.
Q2
hardFull explanation →

A company policy requires that all web traffic from employee computers be filtered to block known malicious sites. You need to implement this without installing client software on each machine. Which approach should you use?

A

Configure each browser's proxy settings to use a filtering proxy server.

B

Enable Windows Defender SmartScreen on each computer via Group Policy.

C

Implement a DNS-based content filtering service on the network's DNS server.

DNS filtering blocks requests to malicious domains at the network level, affecting all devices without client software.

D

Install a third-party browser extension on all browsers to block malicious sites.

Why: A DNS-based content filter (like OpenDNS or a corporate DNS server) can block malicious domains without requiring client software. This is a scalable solution for network-wide filtering.
Q3
mediumFull explanation →

A user receives an email with a link that appears to be from their bank, asking them to verify their account. The link leads to a page that looks exactly like the bank's login page. What type of attack is this?

A

A man-in-the-middle attack.

B

A phishing attack.

Phishing uses social engineering to trick users into revealing sensitive information on fraudulent sites.

C

A ransomware attack.

D

A cross-site scripting (XSS) attack.

Why: This is a phishing attack, where the attacker creates a fake login page to steal credentials. Users should be trained to verify URLs and never enter credentials from email links.
Q4
hardFull explanation →

During a security incident response, you discover that a user's browser has a rogue extension that exfiltrates data to a remote server. The extension was installed after the user clicked a fake update prompt on a website. What vulnerability was exploited?

A

A zero-day vulnerability in the browser.

B

An insecure direct object reference (IDOR) vulnerability.

C

Social engineering.

The user was manipulated into installing the extension by a deceptive prompt, which is a classic social engineering technique.

D

A cross-site request forgery (CSRF) attack.

Why: This is a social engineering attack where the user was tricked into installing malicious software. No technical vulnerability was exploited; the user's trust was manipulated.
Q5
easyFull explanation →

A user reports that their web browser frequently redirects to an unfamiliar search engine and displays pop-up ads even when no tabs are open. What is the most likely cause of this behavior?

A

The browser needs to be updated to the latest version.

B

The user has accidentally enabled a malicious browser extension.

A malicious extension can hijack browser settings, redirect searches, and inject ads. This is a common vector for browser hijackers.

C

The internet connection is unstable and causing DNS errors.

D

The browser cache is full and needs to be cleared.

Why: This scenario describes classic symptoms of a browser hijacker, a type of malware that modifies browser settings without permission. The correct action is to scan and remove the malicious software using an anti-malware tool, as simply resetting settings or clearing caches may not remove the underlying infection.
Q6
easyFull explanation →

During a security audit, you find that a user's browser has an outdated version of Adobe Flash Player installed. What is the primary security risk associated with this finding?

A

The browser will run slower and may crash frequently.

B

The user will be unable to view some web content.

C

Attackers can exploit known vulnerabilities in the plugin to install malware.

Outdated plugins have unpatched security holes that attackers frequently target to compromise systems.

D

The browser will automatically disable the plugin.

Why: Outdated plugins like Flash Player are common attack vectors because they contain known vulnerabilities that malware can exploit. Keeping software updated is a fundamental browser security practice.

Want more Browser and Application Security practice?

Practice this domain
16

Domain 16: Data Destruction and Disposal

All Data Destruction and Disposal questions
Q1
easyFull explanation →

A small business is retiring 20 old desktop PCs that contain sensitive customer data. The IT manager wants to ensure the data is unrecoverable before donating the computers to a local school. Which method should be used?

A

Perform a standard format of each hard drive.

B

Use a degausser on each hard drive.

Degaussing uses a powerful magnetic field to scramble the magnetic domains on the platters, rendering data permanently unrecoverable.

C

Delete all files and empty the Recycle Bin.

D

Run a quick disk cleanup utility.

Why: The correct answer is degaussing, which uses a strong magnetic field to destroy the magnetic media on a hard drive, making data recovery impossible. Physical destruction (shredding) is also effective but not listed. Data wiping or formatting leaves data recoverable with forensic tools. This question tests knowledge of data destruction methods for secure disposal.
Q2
mediumFull explanation →

A technician is decommissioning a server that contained encrypted patient health records. The organization's policy requires data to be destroyed beyond recovery, but the server must be returned to the leasing company. Which method should the technician use?

A

Perform a full format of all drives.

B

Use a degausser on the entire server chassis.

C

Remove the hard drives and physically shred them, then return the server without drives.

Physical destruction of the drives ensures data is unrecoverable, and returning the server without drives complies with the leasing agreement.

D

Run a disk cleanup and delete all files.

Why: The correct answer is to remove and physically destroy the hard drives, then return the server without them. Degaussing would also destroy data but may damage the server's electronics. Data wiping is not allowed per policy, and formatting is insecure. This tests understanding of disposal methods when hardware must be returned.
Q3
easyFull explanation →

A customer reports that their old laptop, which they sold online, still contains personal files that the new owner accessed. The customer had only performed a 'Reset this PC' with the 'Remove everything' option. What should the technician recommend to prevent this in the future?

A

Perform a factory reset from the recovery partition.

B

Use a third-party data wiping tool that overwrites the drive multiple times.

A wiping tool overwrites all sectors with patterns multiple times, making data recovery infeasible.

C

Remove the hard drive and physically destroy it.

D

Change the user password before selling.

Why: The correct answer is to use a drive wiping tool that overwrites all data multiple times. The 'Reset this PC' with 'Remove everything' does not securely erase data; it only resets the OS. This scenario highlights the difference between a simple reset and proper data sanitization.
Q4
mediumFull explanation →

An organization is moving to a cloud-based system and needs to dispose of several tape backup cartridges that contain years of financial data. The tapes are LTO-5 and are still readable. Which destruction method is most appropriate?

A

Overwrite the tapes with a bulk eraser or degausser.

A degausser designed for tape will destroy the magnetic data, making recovery impossible, and is a standard method for tape disposal.

B

Perform a quick format of the tapes using a tape drive.

C

Reuse the tapes for non-sensitive data after deleting the files.

D

Burn the tapes in an industrial incinerator.

Why: The correct answer is to use a degausser rated for magnetic tape, which will erase the data by randomizing the magnetic particles. Physical destruction (shredding) is also effective but may be more costly. This question tests knowledge that tape media requires specialized degaussers.
Q5
mediumFull explanation →

A customer brings in a laptop that they want to recycle, but they are concerned about personal data. The laptop has a 256GB SSD and the customer wants to keep the laptop functional for resale. Which method should the technician recommend?

A

Remove the SSD and physically destroy it, then sell the laptop without a drive.

B

Use a degausser on the SSD.

C

Perform a standard format and reinstall Windows.

D

Use the 'Reset this PC' option with the 'Remove everything and clean the drive' setting.

This option performs a secure erase that overwrites all sectors, making data recovery difficult while keeping the laptop functional.

Why: The correct answer is to use the built-in 'Reset this PC' with the 'Remove everything and clean the drive' option, which performs a secure wipe on SSDs. This ensures data is overwritten while keeping the laptop usable. Simple deletion or formatting is insufficient, and physical destruction would make the laptop unusable.
Q6
mediumFull explanation →

A company is migrating to new laptops and needs to dispose of 50 old hard drives securely. The drives contain proprietary software and client data. The IT manager wants a method that is both environmentally friendly and compliant with data protection laws. Which disposal method should be chosen?

A

Donate the drives to a local charity after wiping them with a free tool.

B

Use a certified e-waste recycler that offers secure destruction and recycling.

Certified recyclers follow standards for data destruction (e.g., shredding) and recycle materials, meeting both security and environmental goals.

C

Physically break the drives with a drill and dispose of them in the regular trash.

D

Perform a quick format and sell the drives online.

Why: The correct answer is to use a certified e-waste recycler that performs secure data destruction. This ensures data is destroyed (often via shredding or degaussing) and the materials are recycled responsibly. Simple wiping may not be sufficient for all drives, and donating without destruction risks data exposure.

Want more Data Destruction and Disposal practice?

Practice this domain
17

Domain 17: Windows OS Troubleshooting

All Windows OS Troubleshooting questions
Q1
mediumFull explanation →

A user is trying to install a legacy application on Windows 10, but the installer fails with a message about 'incompatible version'. The application is known to work on Windows 7. Which compatibility settings should you try first to allow the installation to proceed?

A

Set the installer to run as an administrator.

B

Enable the 'Reduced color mode' compatibility setting.

C

Right-click the installer, go to Properties > Compatibility, and check 'Run this program in compatibility mode for: Windows 7'.

This setting makes Windows 10 report itself as Windows 7 to the application, which is the most direct fix for a version incompatibility error during installation.

D

Use the Program Compatibility Troubleshooter from the Control Panel.

Why: Windows 10 includes compatibility modes that emulate older versions of Windows. Running the installer in compatibility mode for Windows 7 can often resolve version-check errors, as it tricks the application into thinking it is running on a compatible OS.
Q2
easyFull explanation →

A user in the accounting department cannot print to a network printer that other users can access. They are running Windows 10. When they try to print, they get a message: 'Windows cannot connect to the printer. Access is denied.' What is the most likely cause of this issue?

A

The printer driver is corrupt on the user's computer.

B

The network cable is unplugged from the user's computer.

C

The user does not have permission to use the printer.

The 'access denied' error directly points to a permissions issue; the print server or printer security settings need to be checked and the user granted access.

D

The printer is out of paper or toner.

Why: An 'Access is denied' error when other users can print indicates that the user's permissions are the problem, not the printer or driver. This usually means the user account does not have the necessary permissions on the print server or the printer itself.
Q3
hardFull explanation →

A user's Windows 10 laptop is experiencing random restarts, especially under heavy load like gaming or video rendering. The Event Viewer shows multiple 'Kernel-Power 41' critical errors. The CPU temperature is normal, and the power supply is functioning. Which component is most likely causing the issue?

A

The RAM is faulty.

B

The graphics card is overheating.

C

The motherboard is failing.

A failing motherboard can cause unstable power delivery to components, leading to random restarts under load, which matches the Kernel-Power 41 errors and the symptom pattern.

D

The Windows installation is corrupt.

Why: Kernel-Power 41 errors indicate unexpected shutdowns or restarts. Under heavy load, a failing power supply (even if it appears to function) can cause voltage drops that trigger restarts. However, if the PSU is ruled out, the most likely culprit is the motherboard, as it regulates power delivery to components and can cause instability under load.
Q4
hardFull explanation →

A company is migrating from Windows 10 to Windows 11 on 50 computers. After the upgrade, several users report that a critical line-of-business application no longer works. The application ran fine on Windows 10. You need to get it working without rolling back the entire OS. What is the most efficient solution?

A

Roll back all 50 computers to Windows 10 using the recovery partition.

B

Reinstall the application on each computer in Windows 10 compatibility mode.

Setting the application to run in Windows 10 compatibility mode often resolves compatibility issues without needing to revert the OS, making it the most efficient solution.

C

Enable Hyper-V on each computer and run the application in a Windows 10 virtual machine.

D

Use the Windows 11 'Reset this PC' feature to reinstall Windows 11 and then reinstall the application.

Why: Windows 11 includes a Windows 10 compatibility mode that can be applied to individual applications. Using the Application Compatibility Toolkit (ACT) or the built-in compatibility troubleshooter to set the application to run in Windows 10 compatibility mode is the most efficient fix, as it does not require a full OS rollback.
Q5
easyFull explanation →

A customer complains that their Windows 11 desktop suddenly shows a blue screen with the error 'CRITICAL_PROCESS_DIED' every time they try to launch a specific video editing application. Other programs work fine. What is the most likely cause and the best first troubleshooting step?

A

Run a memory diagnostic to check for faulty RAM.

B

Update the graphics card driver.

C

Reinstall the video editing application.

Reinstalling the application replaces corrupted files that are specific to that program, which is the most direct solution for an app-specific crash.

D

Perform a system restore to a point before the issue started.

Why: A 'CRITICAL_PROCESS_DIED' error that occurs only with one application suggests a problem with that application's files or its dependencies. The best first step is to reinstall the application, as this will replace any corrupted files that may be causing the crash.
Q6
easyFull explanation →

A user reports that their Windows 10 desktop is running very slowly, especially when opening multiple applications. They have 8 GB of RAM and a traditional hard drive. Task Manager shows that memory usage is consistently at 90% or higher. Which component is most likely the bottleneck and what is the best upgrade?

A

The CPU is the bottleneck; upgrade to a faster processor.

B

The hard drive is the bottleneck; upgrade to an SSD.

C

The RAM is the bottleneck; add more RAM.

High memory usage indicates the system needs more RAM; adding more will allow more applications to run without using slow virtual memory.

D

The graphics card is the bottleneck; upgrade to a dedicated GPU.

Why: High memory usage (90%+) with 8 GB of RAM indicates that the system is running out of physical memory, causing it to use the hard drive as virtual memory, which is very slow. The best upgrade is to add more RAM to reduce reliance on the slow hard drive paging.

Want more Windows OS Troubleshooting practice?

Practice this domain
18

Domain 18: PC Security Issue Remediation

All PC Security Issue Remediation questions
Q1
easyFull explanation →

A user calls the help desk saying they cannot log into their Windows 10 workstation because a message claims their files are encrypted and they must pay a ransom. What is the most effective remediation approach?

A

Pay the ransom to get the decryption key

B

Reboot into Safe Mode and run a malware scan

C

Disconnect from the network and restore files from a verified backup

This isolates the infection and recovers the data without paying, following best practices for ransomware remediation.

D

Run System Restore to a point before the attack

Why: Option C is correct because ransomware encrypts files with a key known only to the attacker, making decryption without the key impossible. Disconnecting from the network prevents the ransomware from spreading to other systems, and restoring from a verified backup is the only reliable way to recover the original files without paying the ransom.
Q2
hardFull explanation →

A company's security policy requires that all USB storage devices be blocked on company workstations to prevent data exfiltration. A manager needs to temporarily use a USB drive for a presentation. What is the best way to remediate this while maintaining security?

A

Disable the USB blocking Group Policy for the entire domain

B

Use a Group Policy to allow only the specific USB device by hardware ID, then remove the allowance after use

This maintains security by only allowing a known device, and you can revert the policy afterward.

C

Give the manager a company-approved USB drive and tell them to use it only once

D

Create a local admin account on the manager's workstation and disable the USB block locally

Why: Group Policy can be used to block all USB storage by default, but you can create an exception by allowing specific devices via device ID or by using a more granular policy. The best approach is to temporarily grant access to the specific device, then reapply the block.
Q3
mediumFull explanation →

A small business owner wants to ensure that if a laptop is stolen, the data on the drive cannot be read. The laptop runs Windows 11 Pro. What is the most appropriate remediation?

A

Set a strong BIOS password

B

Enable BitLocker on the system drive

BitLocker encrypts the entire drive, rendering data inaccessible without the key, even if the drive is removed.

C

Install an antivirus with anti-theft features

D

Use a cloud backup service

Why: BitLocker is the native full-disk encryption feature in Windows 11 Pro that encrypts the entire system drive, including the operating system, applications, and all user data. If the laptop is stolen, the data on the drive remains unreadable without the recovery key or TPM authentication, even if the drive is removed and attached to another computer. This directly addresses the requirement to prevent data access after theft.
Q4
mediumFull explanation →

A company has a policy that all workstations must automatically lock after 10 minutes of inactivity. A user complains that their computer does not lock automatically. Which setting should you check and remediate?

A

Check the power plan settings for sleep timeout

B

Verify that the screen saver is enabled and set to 'On resume, display logon screen' with a 10-minute wait

This setting locks the workstation after the specified inactivity period, meeting the policy.

C

Ensure Windows Update is fully installed

D

Disable the Fast Startup feature

Why: Option B is correct because the automatic lock behavior in Windows is controlled by the screen saver settings. When 'On resume, display logon screen' is enabled with a 10-minute wait, the screen saver triggers after inactivity and locks the workstation by requiring authentication upon resume. This is the standard mechanism for enforcing a lock timeout, not the power plan sleep timeout.
Q5
mediumFull explanation →

During a security audit, you find that several employees have been using the same weak password for their domain accounts. Which remediation should you implement first?

A

Disable the user accounts and require a manager to re-enable them

B

Configure a password policy in Group Policy requiring complexity and minimum length

A Group Policy password policy enforces strong passwords domain-wide, preventing future weak passwords.

C

Send a company-wide email reminding users to choose strong passwords

D

Install a third-party password manager for all employees

Why: Option B is correct because the most effective first step to prevent weak passwords is to enforce a strong password policy via Group Policy. This centrally mandates complexity requirements (e.g., uppercase, lowercase, digits, special characters) and a minimum length (typically 8–14 characters), which directly blocks the use of simple, common passwords at the domain level. Unlike awareness campaigns or reactive measures, this technical control proactively enforces security standards across all domain accounts.
Q6
easyFull explanation →

A technician is configuring a new Windows 10 workstation for a remote employee who will handle sensitive customer data. Which security feature should be enabled to ensure that if the laptop is lost, the data remains protected?

A

Windows Defender Firewall

B

User Account Control (UAC)

C

BitLocker Drive Encryption

BitLocker encrypts the drive, making data unreadable without the key, ideal for lost or stolen devices.

D

Windows Hello for Business

Why: BitLocker Drive Encryption (C) is the correct choice because it provides full-disk encryption using AES encryption algorithms, ensuring that if the laptop is lost or stolen, the sensitive customer data remains inaccessible without the recovery key or TPM authentication. This directly addresses the requirement to protect data at rest on a lost device.

Want more PC Security Issue Remediation practice?

Practice this domain
19

Domain 19: Mobile OS and App Troubleshooting

All Mobile OS and App Troubleshooting questions
Q1
hardFull explanation →

A technician is investigating a security incident where a user's corporate email account was accessed from an unknown device. The user's iPhone shows no suspicious apps, and the password was recently changed. Which of the following is the MOST likely cause?

A

The user's iCloud account was compromised, and the email is synced via Exchange.

B

An OAuth token or app-specific password was stolen and used to access the account.

OAuth tokens or app-specific passwords can grant persistent access to email without needing the main password, making them a common vector for continued access.

C

The user's iPhone has a jailbreak that hides malicious apps.

D

The corporate email server has a backdoor account.

Why: Option B is correct because OAuth tokens or app-specific passwords bypass the need for the primary password, allowing persistent access even after a password change. Since the user's iPhone shows no suspicious apps and the password was recently changed, a stolen token is the most plausible vector for unauthorized email access via Exchange ActiveSync or modern authentication.
Q2
easyFull explanation →

A user reports that their Android phone's battery drains rapidly after a recent app update. They have already tried restarting the device. Which of the following should a technician recommend FIRST to diagnose the issue?

A

Perform a factory reset.

B

Check battery usage in Settings to identify the app consuming the most power.

Battery usage statistics show which app or service is draining the battery, making this the logical first step in troubleshooting.

C

Replace the battery immediately.

D

Disable all background data.

Why: Option B is correct because the first step in diagnosing rapid battery drain after an app update is to use the built-in battery usage tool in Android Settings. This tool provides a per-app breakdown of power consumption, allowing the technician to identify which specific app is consuming excessive energy without making invasive changes. Restarting the device already failed to resolve the issue, so checking battery stats is the logical next step before any destructive or restrictive actions.
Q3
hardFull explanation →

A technician is configuring a kiosk mode on a company-owned Android tablet for customer use. After enabling the dedicated device management app, the tablet still allows users to exit the kiosk app by pressing the home button. Which setting did the technician MOST likely overlook?

A

The tablet's screen timeout setting.

B

The 'Lock task mode' or 'Pin app' feature.

Lock task mode (or app pinning) prevents users from leaving the designated app, which is essential for kiosk mode.

C

The tablet's Wi-Fi configuration.

D

The device's date and time settings.

Why: The technician enabled the dedicated device management app but did not activate Android's 'Lock task mode' (or 'Pin app' feature). This mode is required to pin the kiosk app to the foreground and block system navigation keys (Home, Recent Apps), preventing users from exiting the app. Without it, the Home button remains functional, allowing escape from the kiosk environment.
Q4
mediumFull explanation →

A user reports that their Android phone's Bluetooth keeps disconnecting from their car's hands-free system. The technician has already cleared the Bluetooth cache and re-paired the devices. What should the technician do NEXT?

A

Perform a factory reset on the phone.

B

Update the car's infotainment system firmware.

Many car manufacturers release firmware updates to fix Bluetooth compatibility issues, making this a targeted solution.

C

Replace the phone's Bluetooth antenna.

D

Disable Bluetooth power saving mode on the phone.

Why: Option B is correct because after basic troubleshooting (cache clear and re-pair) fails, the next logical step is to check for firmware updates on the car's infotainment system. Bluetooth connectivity issues between a phone and a car are often caused by incompatibilities or bugs in the car's Bluetooth stack, which can be resolved by updating the car's firmware. The technician should prioritize updating the car's system before considering hardware replacement or more drastic phone resets.
Q5
easyFull explanation →

A customer complains that their iPhone's Wi-Fi keeps disconnecting and reconnecting. They have already rebooted the phone and the router. Which of the following is the MOST likely cause?

A

The phone's SIM card is faulty.

B

The Wi-Fi network password was changed recently.

C

The phone's Wi-Fi profile is corrupted.

A corrupted Wi-Fi profile can cause intermittent disconnects; forgetting the network and reconnecting often fixes this.

D

The phone's operating system needs a full restore via iTunes.

Why: This scenario tests knowledge of common mobile Wi-Fi issues. After basic steps, forgetting and reconnecting to the network often resolves profile corruption or authentication problems.
Q6
easyFull explanation →

A technician is configuring a company-issued iPhone for a new employee. After setting up the email account, the employee says they cannot receive emails, but they can send them. Which setting should the technician check first?

A

The outgoing mail server (SMTP) settings.

B

The incoming mail server (IMAP/POP3) settings.

Incorrect incoming server settings prevent the phone from retrieving emails, which matches the symptom.

C

The device's date and time settings.

D

The phone's VPN configuration.

Why: The symptom—able to send but not receive emails—indicates a problem with the incoming mail server configuration. Sending uses SMTP (outgoing), while receiving uses IMAP or POP3 (incoming). The technician should first verify the incoming mail server settings (server hostname, port, SSL/TLS, and authentication) because a misconfiguration there would prevent the device from downloading new messages.

Want more Mobile OS and App Troubleshooting practice?

Practice this domain
20

Domain 20: Safety Procedures and Compliance

All Safety Procedures and Compliance questions
Q1
easyFull explanation →

A technician needs to dispose of several old CRT monitors from an office. What is the proper disposal method according to environmental safety regulations?

A

Place them in the regular dumpster for bulk trash pickup.

B

Take them to a certified e-waste recycling center.

Certified recyclers safely handle hazardous components and ensure compliance with environmental regulations.

C

Smash the glass and separate the components for metal recycling.

D

Donate them to a local school for reuse.

Why: CRT monitors contain hazardous materials such as lead, phosphor, and other heavy metals that are harmful to the environment if disposed of in landfills. Certified e-waste recycling centers follow strict environmental regulations to safely dismantle and recycle these components, preventing toxic substances from contaminating soil and groundwater.
Q2
hardFull explanation →

A technician is troubleshooting a server that repeatedly trips the circuit breaker in the data center. The server is plugged into a power strip that is also serving two other high-power devices. What is the most appropriate safety and troubleshooting step?

A

Replace the power strip with a higher-rated one and reset the breaker.

B

Move one of the other high-power devices to a different circuit and plug the server directly into a wall outlet on its own circuit.

This reduces the load on the original circuit and ensures the server has dedicated power, preventing overload.

C

Reset the breaker and use a UPS with a higher wattage rating.

D

Install a larger circuit breaker in the panel to handle the load.

Why: The repeated tripping indicates the circuit is overloaded. The safest and most effective step is to redistribute the load by moving one high-power device to a different circuit and plugging the server directly into a dedicated wall outlet. This isolates the server's power draw and prevents overloading the shared circuit, addressing the root cause without bypassing safety limits.
Q3
easyFull explanation →

During a printer toner replacement, a technician accidentally spills toner powder on the carpet. What is the correct procedure for cleaning up the spill?

A

Use a standard household vacuum cleaner to quickly remove the toner.

B

Wipe up the toner with a dry paper towel and dispose of it in the trash.

C

Use a toner-rated vacuum or a damp cloth to carefully collect the spill.

Toner-rated vacuums have HEPA filters to trap particles; a damp cloth prevents the powder from becoming airborne.

D

Pour water on the spill to dissolve the toner, then mop it up.

Why: Option C is correct because toner powder is a fine, electrically charged plastic dust that can be hazardous if inhaled or if it melts into carpet fibers. Using a toner-rated vacuum with a HEPA filter safely captures the particles without dispersing them, or a damp cloth can be used to gently lift the toner without smearing it deeper into the carpet. This procedure follows manufacturer safety guidelines and prevents damage to standard vacuums, which can ignite or spread the toner.
Q4
mediumFull explanation →

A technician is tasked with installing a new hard drive in a server rack. The rack is located in a cramped, dusty storage room with poor lighting. Which safety practice should the technician prioritize before beginning the installation?

A

Use a step stool to reach the server rack safely.

B

Wear a dust mask and use a flashlight to improve visibility.

A dust mask protects against respiratory irritation, and a flashlight ensures the technician can see clearly to avoid mistakes.

C

Remove the server from the rack and place it on the floor for easier access.

D

Disconnect all power cables in the rack to eliminate electrical hazards.

Why: The correct answer is B because the scenario describes a cramped, dusty storage room with poor lighting, which creates two immediate hazards: inhalation of dust particles and reduced visibility. Wearing a dust mask protects the technician's respiratory system from airborne particulates, while using a flashlight ensures they can see clearly to avoid accidental contact with components or cables. These measures directly address the environmental risks before any work begins.
Q5
easyFull explanation →

A technician is installing a new power supply in a desktop computer. After unplugging the system, what should the technician do before touching any internal components?

A

Wear a grounding strap and immediately open the case.

B

Press and hold the power button for 10 seconds to drain residual charge, then wear an ESD strap.

This discharges the capacitors and reduces shock risk; the ESD strap then prevents static damage.

C

Spray the interior with compressed air to remove dust before touching anything.

D

Remove the CMOS battery first to ensure no power remains.

Why: Option B is correct because pressing and holding the power button for 10 seconds after unplugging the system discharges the remaining charge in the power supply capacitors and other components, reducing the risk of electric shock or damage. Wearing an ESD strap then provides a path to ground for static electricity, protecting sensitive internal components from electrostatic discharge.
Q6
mediumFull explanation →

A technician is replacing a damaged power supply in a desktop PC. After removing the old unit, the technician notices a large capacitor on the motherboard is bulging. What should the technician do to safely handle this situation?

A

Proceed with installing the new power supply and ignore the bulging capacitor.

B

Use a screwdriver to short the capacitor leads to discharge it.

C

Wear insulated gloves and carefully remove the motherboard for replacement.

Insulated gloves protect against shock, and replacing the motherboard removes the hazard entirely, which is the safest approach.

D

Apply electrical tape over the bulging capacitor to contain it.

Why: A bulging capacitor indicates a failed or failing component that can leak electrolyte, cause further damage, or even burst. The safest course is to wear insulated gloves to avoid electric shock or chemical exposure and replace the entire motherboard, as the capacitor cannot be safely repaired in the field. Ignoring it or attempting makeshift fixes risks short circuits, fire, or injury.

Want more Safety Procedures and Compliance practice?

Practice this domain
21

Domain 21: Environmental Awareness and Impact

All Environmental Awareness and Impact questions
Q1
mediumFull explanation →

A client wants to upgrade their entire office of 50 computers and asks for advice on environmentally friendly disposal of the old units. Which approach best aligns with environmental best practices?

A

Donate the computers to a local school without wiping data.

B

Sell the computers to a scrap metal dealer.

C

Contract a certified e-waste recycling company to handle the disposal.

This is correct because certified recyclers follow regulations to safely dismantle and recycle components, minimizing pollution.

D

Have employees take the computers home for personal use.

Why: Option C is correct because certified e-waste recycling companies follow strict environmental regulations (e.g., the Basel Convention and local e-waste laws) to ensure hazardous materials like lead, mercury, and cadmium are safely extracted and disposed of, while also securely destroying data through methods such as degaussing or physical shredding. This approach minimizes environmental harm and aligns with the EPA's recommended practices for responsible electronics recycling.
Q2
hardFull explanation →

A company's IT policy requires that all disposed hard drives be physically destroyed to prevent data breaches. Which method has the least environmental impact while ensuring data destruction?

A

Use a degausser to erase the drive and then recycle it.

B

Drill holes through the platters and then dispose of the drive in e-waste.

C

Shred the hard drive using an industrial shredder and then recycle the metal fragments.

This is correct because shredding ensures complete data destruction and the metal can be recycled, minimizing environmental impact.

D

Overwrite the drive with zeros multiple times and then donate it.

Why: Option C is correct because industrial shredding physically destroys the platters into small fragments, making data recovery impossible, and the resulting metal fragments can be recycled, minimizing environmental impact. Unlike degaussing or drilling, shredding ensures complete destruction without leaving large e-waste components, and the recycling of ferrous and non-ferrous metals reduces raw material extraction.
Q3
easyFull explanation →

During a printer toner replacement, a technician accidentally spills toner powder on the carpet. What is the proper cleanup procedure?

A

Use a vacuum cleaner with a standard bag to suck up the toner.

B

Wipe the toner with a damp cloth using hot water.

C

Blot the toner with a cold, damp cloth and then use a HEPA-filter vacuum.

This is correct because cold water prevents melting, and a HEPA vacuum traps fine particles, ensuring safe and effective cleanup.

D

Sweep the toner into a dustpan and dispose of it in the trash.

Why: Option C is correct because toner powder is extremely fine and can become airborne if mishandled. Blotting with a cold, damp cloth prevents the toner from spreading, and using a HEPA-filter vacuum ensures that microscopic toner particles are trapped without being exhausted back into the environment. Standard vacuum cleaners lack HEPA filtration and can release toner dust into the air, causing respiratory hazards.
Q4
hardFull explanation →

A technician is decommissioning a server room and finds several old cathode ray tube (CRT) monitors that still work. The company wants to dispose of them responsibly. What should the technician do?

A

Sell the monitors to a local thrift store for reuse.

B

Break the glass tubes to reduce volume and then place them in a dumpster.

C

Contact a certified CRT recycler for pickup and recycling.

This is correct because certified recyclers have the equipment to safely extract lead and other materials, complying with environmental laws.

D

Donate the monitors to a school art department for projects.

Why: CRT monitors contain leaded glass and other hazardous materials (e.g., phosphors, barium) that are classified as universal waste under the Resource Conservation and Recovery Act (RCRA). Disposing of them in a dumpster or donating them for non-certified reuse can violate environmental regulations. A certified CRT recycler ensures the monitors are dismantled safely, with leaded glass separated and recycled in compliance with EPA guidelines.
Q5
easyFull explanation →

A customer reports that their laptop battery drains quickly and the device gets very hot. They want to know the safest way to dispose of the old battery after replacement. What should you advise?

A

Throw the battery in the regular trash bin.

B

Take the battery to a certified e-waste recycling center.

This is correct because certified recyclers properly handle hazardous materials, reducing environmental impact and complying with regulations.

C

Burn the battery in an open area to neutralize it.

D

Store the battery in a metal container until it stops holding a charge.

Why: Option B is correct because lithium-ion and lithium-polymer batteries contain hazardous materials that can leak and cause environmental damage if disposed of improperly. Certified e-waste recycling centers have the specialized equipment and processes to safely extract and recycle these materials, preventing toxic exposure and complying with environmental regulations like the Resource Conservation and Recovery Act (RCRA).
Q6
mediumFull explanation →

A customer complains that their computer emits a strong chemical smell and is unusually hot. After inspection, you find the power supply is failing and leaking a brown, oily substance. How should you handle the power supply disposal?

A

Place the power supply in a standard trash bag and throw it in the dumpster.

B

Put the power supply in an anti-static bag, seal it, and label it as hazardous e-waste.

This is correct because the anti-static bag prevents further leakage, and labeling ensures it is handled appropriately by recycling facilities.

C

Clean the power supply with isopropyl alcohol and then recycle it normally.

D

Disassemble the power supply to remove the leaking capacitor and then dispose of the rest.

Why: Option B is correct because a failing power supply leaking a brown, oily substance (typically from swollen or ruptured capacitors) is classified as hazardous e-waste due to toxic materials like lead, cadmium, and electrolyte fluids. Placing it in an anti-static bag prevents short circuits during transport, and labeling it as hazardous ensures proper disposal per environmental regulations such as the Resource Conservation and Recovery Act (RCRA) or local e-waste directives.

Want more Environmental Awareness and Impact practice?

Practice this domain
22

Domain 22: Documentation and Change Management

All Documentation and Change Management questions
Q1
mediumFull explanation →

A technician is deploying a new application to 20 sales laptops. The change management plan requires a pilot test on 2 laptops before full deployment. After testing, the technician finds the application works but conflicts with the VPN client. What should the technician do?

A

Deploy the application to all laptops and disable the VPN client on each.

B

Document the conflict and submit a revised change request with a resolution plan.

Proper change management requires documenting the issue and seeking approval for a revised plan before proceeding.

C

Continue with the deployment and note the conflict in the change log.

D

Uninstall the VPN client from all laptops and reinstall after the deployment.

Why: Option B is correct because the change management process requires that any issues discovered during pilot testing be formally documented and addressed before full deployment. Since the application conflicts with the VPN client, the technician must submit a revised change request that includes a resolution plan (e.g., updating the application, modifying VPN configuration, or scheduling a coordinated deployment). This ensures compliance with organizational change control policies and minimizes risk to production systems.
Q2
easyFull explanation →

A help desk technician receives a complaint that a shared network printer is no longer accessible after a scheduled firmware update was applied to the print server last night. The change was documented but no rollback plan was included. What should the technician do first?

A

Reboot the print server to clear any temporary errors.

B

Restore the print server to its previous firmware version.

Restoring the previous firmware is the most direct way to reverse the change, even though the rollback plan was missing; it should be done following proper change control.

C

Submit a new change request to update the firmware again.

D

Disable the printer in Active Directory and re-add it.

Why: Option B is correct because the scheduled firmware update directly caused the printer to become inaccessible, and without a documented rollback plan, reverting to the previous firmware version is the safest and most immediate way to restore service. This aligns with change management best practices, which prioritize backing out a failed change before troubleshooting further, as the root cause is clearly the firmware update.
Q3
hardFull explanation →

A technician is performing a routine software update on a finance department server. The change management documentation specifies that the update must be applied during a maintenance window from 2:00 AM to 4:00 AM. At 3:30 AM, the update fails with an error. The technician has no rollback plan documented. What should the technician do?

A

Attempt to roll back the update using the server’s built-in recovery options.

B

Leave the server in its current state and escalate the issue to the change manager.

Escalating ensures that the change manager can coordinate a proper response, possibly involving the CAB, and document the failure for future improvements.

C

Continue troubleshooting until the maintenance window ends, then document the failure.

D

Reboot the server to clear the error and retry the update.

Why: Option B is correct because the technician has no documented rollback plan, and the change management process requires that any deviation from the approved plan—such as a failed update—must be escalated to the change manager for a decision. Attempting an undocumented rollback or continuing to troubleshoot without authorization risks data corruption, service disruption, or violating compliance policies. The technician’s primary duty is to preserve the server’s current state and follow the escalation path defined in the change management policy.
Q4
mediumFull explanation →

A technician is configuring a new server and follows a documented standard operating procedure (SOP). After completion, the technician realizes the SOP is outdated and omits a critical security setting. What should the technician do?

A

Apply the missing setting and update the SOP to include it.

Applying the missing setting corrects the security issue, and updating the SOP ensures the documentation is accurate for future use.

B

Ignore the missing setting since the SOP was followed.

C

Submit a change request to update the SOP without applying the setting.

D

Revert the server configuration and wait for an updated SOP.

Why: Option A is correct because the technician discovered a security gap in the SOP that could leave the server vulnerable. The proper action is to immediately apply the missing critical security setting to protect the server, then update the SOP to reflect the correct procedure. This aligns with change management best practices where security findings take precedence over outdated documentation, and the SOP must be corrected to prevent future misconfigurations.
Q5
hardFull explanation →

A change advisory board (CAB) approves a network switch replacement, but the technician discovers during implementation that the new switch requires a different firmware version than documented. The change plan does not include a rollback for this scenario. What is the best course of action?

A

Proceed with the firmware update and document the change afterward.

B

Stop the implementation and contact the CAB for a revised change plan.

Halting and consulting the CAB ensures the change is properly authorized and the plan is updated to include the firmware change and rollback.

C

Use the old switch firmware on the new switch to match the documentation.

D

Implement the switch and create a separate change request for the firmware.

Why: When an undocumented deviation occurs during a change, the technician should halt the implementation and contact the CAB for guidance. Proceeding without approval risks network instability, and the CAB can provide a revised plan or approve the firmware change.
Q6
mediumFull explanation →

A security incident occurs when an unauthorized user gains access to a server because a technician left a default password unchanged after a system rebuild. The rebuild was documented, but the password change was not. What documentation failure does this highlight?

A

The change log did not include a rollback plan.

B

The change log did not list the specific configuration changes made.

The rebuild documentation should have included all configuration changes, such as password updates, to ensure security and accountability.

C

The change request was not approved by the change advisory board.

D

The technician did not perform a post-implementation review.

Why: Option B is correct because the documentation failure is that the change log did not list the specific configuration changes made. In this scenario, the system rebuild was documented, but the critical detail of changing the default password was omitted. Proper change management requires that every configuration change, including password updates, be explicitly recorded in the change log to ensure accountability and traceability. Without this record, the security incident occurred due to an undocumented deviation from security best practices.

Want more Documentation and Change Management practice?

Practice this domain
23

Domain 23: Remote Access Technologies

All Remote Access Technologies questions
Q1
easyFull explanation →

A small business owner wants to allow a remote employee to access their office desktop from home, but is concerned about security. They currently have a standard router with a public IP. Which of the following is the most secure method to enable this access?

A

Enable port forwarding on the router for TCP 3389 to the desktop's IP address.

B

Configure a VPN server on the office network and have the employee connect via VPN before using RDP.

A VPN encrypts all traffic and requires authentication, adding a layer of security before RDP access is permitted.

C

Use a third-party remote desktop service like TeamViewer without additional configuration.

D

Change the RDP port to a non-standard port number and enable port forwarding.

Why: Exposing RDP directly to the internet is risky due to brute-force attacks. A VPN creates an encrypted tunnel, authenticating the user before allowing access to the internal network, making it far more secure. This is the recommended best practice.
Q2
mediumFull explanation →

A technician is setting up remote access for a salesperson who frequently works from coffee shops. The company uses a VPN with two-factor authentication (2FA). The salesperson reports that after entering their username and password, they receive a prompt for a code but do not have their token. What should the technician do to resolve this?

A

Disable two-factor authentication for the user's account temporarily.

B

Provide the user with a one-time bypass code from the administrator console.

Most 2FA systems allow administrators to generate temporary codes for users who have lost their token, maintaining security while granting access.

C

Instruct the user to reset their password and try again.

D

Ask the user to connect from a different network location.

Why: This scenario tests knowledge of 2FA troubleshooting. The user has a token but does not have it available. The correct action is to provide a temporary bypass code, which is a standard feature of 2FA systems for such situations. Disabling 2FA would weaken security, and other options are not appropriate.
Q3
mediumFull explanation →

A company is implementing a remote access solution for employees using personal smartphones. They need to ensure that corporate email and documents are accessible but that no corporate data remains on the device if it is lost or wiped. Which technology should they use?

A

Virtual Private Network (VPN) with split tunneling.

B

Remote Desktop Protocol (RDP) to a virtual desktop.

C

Mobile Device Management (MDM) with a containerized work profile.

MDM enables IT to manage corporate data separately, enforce policies, and perform selective wipes, ensuring no corporate data remains on a lost device.

D

Third-party remote access software like LogMeIn.

Why: Mobile Device Management (MDM) with a containerized work profile creates a separate, encrypted sandbox on the smartphone that stores corporate email and documents. This container can be remotely wiped by the administrator without affecting the user's personal data, ensuring no corporate data remains on a lost or wiped device.
Q4
easyFull explanation →

A user is traveling and needs to access a file on their office computer. They have a dynamic IP address at the hotel. Which remote access technology should the technician recommend for a secure connection?

A

Configure a direct RDP connection using the user's home IP address.

B

Set up a Virtual Private Network (VPN) client on the user's laptop to connect to the office network.

A VPN client works with any internet connection, regardless of IP address, and provides encrypted access to the office network.

C

Use a remote desktop gateway that requires a static IP on the user's end.

D

Email the file to the user as an attachment.

Why: Option B is correct because a VPN client creates an encrypted tunnel between the user's laptop and the office network, allowing secure access to files regardless of the user's dynamic IP address. VPNs authenticate the user and encrypt all traffic, protecting data over untrusted networks like hotel Wi-Fi.
Q5
hardFull explanation →

During a remote troubleshooting session, a technician uses a tool that allows them to view the user's screen and control the mouse and keyboard. The user reports that the session is extremely laggy, with noticeable delay between the technician's actions and the screen update. Which of the following is the most likely cause of this lag?

A

The remote desktop software is using an outdated encryption protocol.

B

The user's computer has insufficient RAM to handle remote desktop sessions.

C

The network connection between the technician and the user has high latency or low bandwidth.

Remote desktop traffic is sensitive to latency. High latency causes noticeable delay between input and screen updates, while low bandwidth causes choppy video.

D

The technician's computer is running a different operating system than the user's.

Why: The lag described is a classic symptom of network latency or insufficient bandwidth, which directly impacts the responsiveness of remote desktop protocols like RDP or VNC. These protocols transmit screen updates and input events in real time; high latency delays the round-trip of packets, while low bandwidth can cause frame drops or compression artifacts, resulting in the noticeable delay between the technician's actions and the screen update.
Q6
hardFull explanation →

A security audit reveals that a company's remote access solution uses a VPN with pre-shared keys (PSK) for authentication. The auditor recommends upgrading to certificate-based authentication. Which of the following is the primary security advantage of certificate-based authentication over PSK?

A

Certificates are easier to configure and manage than PSK.

B

Certificates provide mutual authentication and are unique per device, reducing the risk of a single compromised key affecting all users.

Each certificate is unique and can be revoked individually. If a device is lost, only that certificate needs to be revoked, unlike PSK where the shared key must be changed for everyone.

C

Certificates eliminate the need for a VPN server.

D

Certificates are faster than PSK for establishing VPN connections.

Why: Certificate-based authentication provides mutual authentication, meaning both the VPN client and server verify each other's identity using digital certificates issued by a trusted Certificate Authority (CA). Unlike PSK, which is a shared secret that can be leaked and reused across all devices, each certificate is unique per device, so compromise of one certificate does not expose the entire VPN infrastructure. This significantly reduces the blast radius of a security breach and aligns with the principle of least privilege.

Want more Remote Access Technologies practice?

Practice this domain
24

Domain 24: Scripting Basics

All Scripting Basics questions
Q1
mediumFull explanation →

A user reports that a VBScript logon script that maps network drives stopped working after a Windows update. The script uses the MapNetworkDrive method. Other scripts on the same computer work fine. What is the most likely cause?

A

The script file was deleted by Windows Defender.

B

The update changed the default script host to PowerShell.

C

The update disabled VBScript execution for security reasons.

Microsoft has been disabling VBScript by default in some updates to improve security.

D

The network share requires SMB 2.0, which is no longer supported.

Why: Option C is correct because recent Windows updates have tightened security around legacy scripting hosts, including cscript.exe and wscript.exe. Specifically, Microsoft has introduced a default behavior that blocks VBScript execution via the Windows Script Host unless explicitly allowed by Group Policy or registry settings. Since the user reports that only the VBScript logon script fails while other scripts work, the most likely cause is that the update disabled VBScript execution, not that the script was deleted or that the script host was changed to PowerShell.
Q2
hardFull explanation →

A technician needs to deploy a script to 100 Windows 10 computers that will change the local administrator password. The script must run with elevated privileges and not leave the password visible in the script file. Which approach is most secure?

A

Store the password in a plain text file and have the script read it.

B

Use Group Policy Preferences to set the local administrator password.

Group Policy Preferences can set the password securely with encryption and no script exposure.

C

Embed the password in the script using a variable and run it from a hidden share.

D

Use a scheduled task that runs the script as SYSTEM.

Why: Group Policy Preferences (GPP) allows administrators to configure local account passwords securely by encrypting the password in the policy XML file using a 32-byte AES key (though this key is publicly documented, it still provides obfuscation). When deployed via Group Policy, the password is applied with SYSTEM privileges automatically, eliminating the need for a script with embedded credentials or a separate scheduled task. This approach meets the requirements of elevated execution and password non-visibility in a script file.
Q3
easyFull explanation →

A technician needs to deploy a configuration change to 50 Windows 10 computers using a script. The script must check if a specific registry key exists before modifying it. Which scripting construct should be used?

A

A for loop

B

A while loop

C

An if-else statement

An if-else statement allows the script to test for the registry key's existence and then act accordingly.

D

A try-catch block

Why: The script needs to conditionally execute code based on whether a registry key exists. An if-else statement is the correct construct for this because it evaluates a condition (e.g., Test-Path 'HKLM:\Software\MyKey') and executes one block if true (modify the key) and another if false (skip or create). Loops are for repetition, not conditional branching, and try-catch handles runtime errors, not existence checks.
Q4
mediumFull explanation →

A technician is writing a PowerShell script to check the last boot time of a remote computer. The script uses Get-CimInstance Win32_OperatingSystem. The script works locally but fails with an access denied error when targeting a remote machine. Both computers are domain-joined and the technician has admin rights. What is the most likely issue?

A

The remote computer does not have PowerShell installed.

B

The remote computer has Windows Firewall blocking WMI traffic.

WMI remote connections require specific firewall rules; if blocked, access is denied.

C

The script uses an incorrect namespace.

D

The technician is not a member of the Remote Management Users group.

Why: Get-CimInstance uses the WS-Management (WSMan) protocol, which relies on WinRM. By default, Windows Firewall blocks inbound WinRM traffic on port 5985 (HTTP) and 5986 (HTTPS). Even though the technician has admin rights and both machines are domain-joined, the remote firewall must allow WinRM traffic for the CIM session to succeed. The local success is because no firewall traversal is needed.
Q5
mediumFull explanation →

A technician needs to write a script that runs a specific command only if a Windows service is running. If the service is stopped, the script should start it first. Which scripting method is most appropriate?

A

Use a for loop to iterate over all services.

B

Use an if-else statement to check the service status.

An if-else statement can evaluate the service state and execute different commands accordingly.

C

Use a switch statement with multiple conditions.

D

Use a try-catch block to handle errors if the command fails.

Why: The correct answer is B because an if-else statement is the most appropriate scripting method to check the status of a specific Windows service and conditionally execute a command or start the service. In PowerShell, you can use `Get-Service` to retrieve the service status and then an if-else block to evaluate whether the `Status` property equals 'Running'. This provides clear, linear logic that directly matches the requirement without unnecessary complexity.
Q6
easyFull explanation →

A user reports that a scheduled backup script on their Windows 10 workstation runs every day but fails to complete. The script uses PowerShell to copy files to a network share. When the user runs the script manually from an elevated PowerShell prompt, it works. What is the most likely cause of the failure?

A

The script file extension is .ps1 instead of .bat.

B

The scheduled task is not set to run with highest privileges.

If the script needs admin rights, the task must be configured to run with highest privileges; otherwise it fails.

C

The network share is mapped as a drive letter, which is not available during system startup.

D

PowerShell execution policy is set to Restricted for the SYSTEM account.

Why: Scheduled tasks often run with limited permissions, so if the script requires administrative rights, it will fail when triggered automatically. The correct answer highlights the need to configure the task to run with highest privileges.

Want more Scripting Basics practice?

Practice this domain
25

Domain 25: Communication and Professionalism

All Communication and Professionalism questions
Q1
mediumFull explanation →

A technician is helping a remote user configure a VPN connection. The user is not very technical and is getting frustrated. The technician uses jargon like 'authentication protocol' and 'tunnel endpoint'. Which of the following is the BEST way to improve communication?

A

Continue using technical terms to educate the user.

B

Ask the user to share their screen so the technician can do it remotely.

C

Use simple analogies like 'a secure tunnel for your data' and guide them step by step.

This makes the concept accessible and reduces frustration.

D

Send the user a written guide and end the call.

Why: Option C is correct because it replaces confusing jargon with a simple analogy ('secure tunnel') and provides step-by-step guidance, which directly addresses the user's frustration and lack of technical knowledge. This approach aligns with the CompTIA A+ objective of adapting communication style to the audience, ensuring the user understands the VPN concept without needing to know terms like 'authentication protocol' or 'tunnel endpoint'.
Q2
easyFull explanation →

A technician receives a complaint from a user that their email account was used to send spam. The user insists they did not send the emails. What is the MOST appropriate first step in handling this security incident professionally?

A

Tell the user they must have clicked on a phishing link and it's their fault.

B

Immediately reset the user's password and check the email logs for unauthorized access.

This secures the account and gathers evidence, following security best practices.

C

Ignore the complaint because spam is common.

D

Ask the user to change their password and not worry about it.

Why: Option B is correct because the immediate reset of the user's password stops further unauthorized use of the account, and checking email logs (e.g., SMTP logs, IMAP/POP3 access logs, or Exchange/Office 365 audit logs) allows the technician to identify the source of the spam, such as a compromised credential or a malicious forwarding rule. This follows the CompTIA A+ incident response procedure of containment first, then investigation, while maintaining professional communication with the user.
Q3
easyFull explanation →

A technician is deploying 20 new laptops to a department. The manager asks the technician to install the software quickly, but the technician knows that a full deployment includes user training and data migration. Which action BEST demonstrates professional communication?

A

Agree to the manager's request and rush the installation to avoid conflict.

B

Explain the standard deployment process and offer a revised timeline that includes training.

This communicates the necessary steps and manages expectations professionally.

C

Install the software and let the users figure out the rest on their own.

D

Tell the manager that training is not part of the technician's job.

Why: Option B is correct because it demonstrates professional communication by clearly explaining the standard deployment process—which includes user training and data migration—and offering a revised timeline. This aligns with the CompTIA A+ objective of managing expectations and ensuring a complete, effective rollout rather than a rushed, incomplete installation.
Q4
mediumFull explanation →

A customer calls to report that their laptop won't turn on. The technician suspects a dead battery. Which of the following responses demonstrates proper troubleshooting and professionalism?

A

Tell the customer to buy a new battery immediately.

B

Ask the customer to plug in the charger and see if any lights appear.

This is a logical first step to determine if the battery or power adapter is the issue.

C

Say that the motherboard is likely dead and needs replacement.

D

Tell the customer to bring the laptop to the shop without further questions.

Why: A systematic approach to troubleshooting shows competence. Starting with simple checks and explaining each step keeps the customer informed and involved.
Q5
mediumFull explanation →

A technician is assigned to install new accounting software on a user's computer. The user is a senior manager who is very busy. The technician arrives and the manager says, 'Just make it work, I don't have time for questions.' Which action is MOST professional?

A

Proceed with the installation without asking any questions to respect their time.

B

Explain that you need just two quick questions to avoid problems later, and keep it brief.

This balances respect for their time with the need for accurate setup.

C

Insist on a full meeting to discuss requirements.

D

Install the software and leave a note with questions for later.

Why: Option B is the most professional action because it balances respect for the manager's time with the need to gather critical information. Asking two quick, targeted questions—such as verifying the software version compatibility with the OS or confirming the required database connection string—can prevent installation failures or post-installation issues that would waste even more of the manager's time. This approach demonstrates proactive problem-solving and aligns with CompTIA's emphasis on effective communication and professionalism.
Q6
mediumFull explanation →

A technician receives an angry email from a user claiming that the technician's previous fix made their computer worse. The technician knows the fix was correct. Which response is MOST professional?

A

Reply with a detailed technical explanation proving the fix was right.

B

Ignore the email to avoid an argument.

C

Apologize for the inconvenience and schedule a time to revisit the issue.

This de-escalates the situation and shows willingness to help, even if the original fix was correct.

D

Forward the email to the user's manager to complain about the user's tone.

Why: Option C is correct because the most professional response in this scenario is to de-escalate the situation by acknowledging the user's frustration and offering to re-engage on the issue. Even if the technician's fix was technically correct, the user's perception of a problem is a valid concern that must be addressed to maintain trust and service quality. Scheduling a follow-up allows the technician to re-evaluate the system, verify that no other changes have affected the computer, and provide reassurance, which aligns with ITIL best practices for incident management and customer service.

Want more Communication and Professionalism practice?

Practice this domain

Frequently asked questions

How many questions are on the 220-1202 exam?

The 220-1202 exam has 90 questions and must be completed in 90 minutes. The passing score is 700/1000.

What types of questions appear on the 220-1202 exam?

Multiple-choice and performance-based questions covering IT security, networking, and operations. Some questions are performance-based (PBQs), asking you to complete tasks in a simulated environment.

How are 220-1202 questions organised by domain?

The exam covers 25 domains: Windows OS Features and Tools, Windows Settings and Control Panel, Windows Command-Line Tools, Windows Administrative Tools, macOS Features and Tools, Linux Commands and File Permissions, Mobile OS Features and Tools, Virtualization and Cloud Technologies, Physical Security Controls, Logical Security Concepts, Wireless Security Protocols, Malware Types and Removal, Social Engineering Attacks, Windows Security Settings, Browser and Application Security, Data Destruction and Disposal, Windows OS Troubleshooting, PC Security Issue Remediation, Mobile OS and App Troubleshooting, Safety Procedures and Compliance, Environmental Awareness and Impact, Documentation and Change Management, Remote Access Technologies, Scripting Basics, Communication and Professionalism. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual 220-1202 exam questions?

No. These are original exam-style practice questions written against the official CompTIA 220-1202 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice 220-1202?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.

Browse all 220-1202 questionsTake a timed practice test