Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertifications220-1102Exam Questions

CompTIA · Free Practice Questions · Last reviewed May 2026

220-1102 Exam Questions and Answers

24real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

90 exam questions
90 min time limit
Pass: 700/1000 / 1000
4 exam domains
OverviewDomain BlueprintStudy GuideAll QuestionsSample by Domain
1. Operating Systems2. Security3. Software Troubleshooting4. Operational Procedures
1

Domain 1: Operating Systems

All Operating Systems questions
Q1
easyFull explanation →

A user reports that their Windows 10 computer is running slowly and they see a 'Low memory' message when opening applications. What should the technician check first to diagnose the issue?

A

Check for malware using anti-malware software

B

Increase virtual memory in System Properties

C

Check RAM usage in Task Manager

Task Manager provides real-time memory usage data, helping to identify if the system is low on RAM or if a specific application is consuming excessive memory.

D

Run Disk Cleanup to free up space

Why: Option C is correct because the 'Low memory' warning and slow performance when opening applications directly indicate that the system is running out of available RAM. The first step in diagnosing this issue is to check RAM usage in Task Manager (Performance tab) to see if memory is fully utilized, which would confirm a physical memory shortage before considering other causes like malware or disk space.
Q2
mediumFull explanation →

A technician needs to dual-boot Windows 10 and a Linux distribution on a UEFI-based system. Which partition style is required for the boot drive?

A

MBR

B

GPT

GPT is required for UEFI boot, as it supports the EFI System Partition and secure boot features.

C

FAT32

D

NTFS

Why: GPT (GUID Partition Table) is required for UEFI-based systems because UEFI firmware mandates GPT for booting in native mode, as it supports the EFI System Partition (ESP) and provides features like Secure Boot. MBR (Master Boot Record) is limited to legacy BIOS boot and cannot be used with UEFI boot without a Compatibility Support Module (CSM), which is often disabled in modern systems.
Q3
mediumFull explanation →

A user reports that Windows Update on a Windows 10 Pro workstation has been stuck on 'Downloading updates 0%' for several hours. The technician has already run the Windows Update Troubleshooter, which reported no issues. Which command-line tool should the technician use NEXT to attempt to resolve the problem by repairing potential system file corruption affecting the update process?

A

sfc /scannow

B

dism /online /cleanup-image /restorehealth

DISM with /restorehealth checks the component store for corruption and repairs it using Windows Update or a local source. This addresses the root cause of many Windows Update failures and is the appropriate next step after the troubleshooter.

C

net stop wuauserv && net start wuauserv

D

wuauclt /detectnow

Why: The Windows Update Troubleshooter already ran without finding issues, but the update is stuck at 0%. This often indicates underlying system file corruption that the troubleshooter cannot detect. DISM with /restorehealth repairs the Windows system image and component store, which is a prerequisite for SFC to work correctly, making it the appropriate next step before running SFC.
Q4
easyFull explanation →

A Linux administrator needs to change the permissions of a script file named 'script.sh' so that the owner has read, write, and execute permissions; the group has read and execute permissions; and all other users have no permissions. Which of the following commands will achieve the desired permissions?

A

chmod 750 script.sh

750 sets owner to rwx (7), group to r-x (5), others to --- (0). This matches the requirement exactly.

B

chmod 755 script.sh

C

chmod 754 script.sh

D

chmod 751 script.sh

Why: The command 'chmod 750 script.sh' sets the permissions to rwxr-x---, which grants the owner read, write, and execute (7), the group read and execute (5), and others no permissions (0). This matches the requirement exactly because the numeric mode 750 uses octal notation where each digit represents the sum of read (4), write (2), and execute (1) permissions for owner, group, and others respectively.
Q5
mediumFull explanation →

A technician needs to configure a Windows 10 workstation that will be used by multiple employees who share the same physical device. Each employee should have their own personalized settings and files, and must be able to log in with their own domain credentials. Which of the following should the technician implement?

A

Join the computer to a workgroup and create local user accounts.

B

Join the computer to the domain and allow domain user logins.

Domain join enables users to authenticate with their domain credentials. Windows automatically creates roaming or local profiles per user, allowing personalized settings and file storage.

C

Enable Guest access for all employees.

D

Configure Windows 10 as a Remote Desktop server and have employees log in remotely.

Why: Joining the computer to a domain allows each employee to log in using their own domain credentials, which provides personalized settings and files through roaming profiles or folder redirection. This meets the requirement for multiple users sharing a single physical device while maintaining separate, secure user environments.
Q6
mediumFull explanation →

A technician is setting up a Windows 10 system to run as an informational kiosk in a hotel lobby. The computer must automatically log into a standard user account without requiring a password after any restart or power failure. Which of the following tools should the technician use to configure this behavior?

A

Local Group Policy Editor (gpedit.msc)

B

The User Accounts tool (netplwiz)

netplwiz provides the 'Users must enter a user name and password to use this computer' checkbox. Clearing it and entering the account credentials configures automatic logon.

C

Task Scheduler (taskschd.msc)

D

Registry Editor (regedit)

Why: The correct tool is the User Accounts tool (netplwiz). This utility allows you to configure automatic logon by unchecking 'Users must enter a user name and password to use this computer' and entering the credentials for the standard user account. This ensures the system logs in automatically after any restart or power failure without requiring a password.

Want more Operating Systems practice?

Practice this domain
2

Domain 2: Security

All Security questions
Q1
mediumFull explanation →

A helpdesk technician receives a call from a user who reports that their antivirus software is disabled and cannot be re-enabled. Additionally, the user's files have been renamed with a '.encrypted' extension. Which type of malware is most likely responsible?

A

Trojan

B

Worm

C

Ransomware

Ransomware disables security tools and encrypts files, demanding payment for the decryption key.

D

Rootkit

Why: C is correct because ransomware is a type of malware that encrypts the user's files, appending a '.encrypted' extension, and often disables security software like antivirus to prevent removal or remediation. The symptoms of files being renamed with '.encrypted' and the inability to re-enable antivirus are classic indicators of a ransomware attack, which demands payment for the decryption key.
Q2
hardFull explanation →

A small business owner calls a technician after discovering that all files on their Windows 10 workstation have been renamed with a '.crypt' extension. A ransom note demands payment in Bitcoin within 72 hours or the files will be permanently lost. The business has no recent backups. Which action should the technician take FIRST?

A

Advise the owner to pay the ransom to recover the files quickly.

B

Run a full antivirus scan on the affected system.

C

Disconnect the affected system from the network immediately.

Disconnecting the system halts the spread of ransomware to other network shares or computers. This is the first step in incident response to contain the threat.

D

Attempt to restore files from Shadow Copies using Previous Versions.

Why: The immediate priority in a ransomware incident is containment. Disconnecting the affected system from the network (Option C) prevents the ransomware from spreading laterally to other devices, encrypting additional files, or communicating with its command-and-control server. This step preserves the integrity of the rest of the network and gives the technician a safe environment to begin remediation without risking further data loss.
Q3
easyFull explanation →

A user receives an email that appears to be from their bank, stating that their account has been compromised and they must click a link to verify their identity. The user notices the sender's email address does not match the bank's official domain. What is the BEST immediate action for the user to take?

A

Reply to the email asking the sender to verify their identity

B

Click the link to see if the page looks legitimate

C

Forward the email to the bank's official customer service or security team

Reporting the suspicious email to the official contact allows the bank to verify the communication and warn other customers. This is a safe and responsible action that helps combat phishing.

D

Delete the email and ignore it

Why: Option C is correct because the user should immediately forward the suspicious email to the bank's official security team, who can investigate the phishing attempt and take appropriate action. This aligns with security best practices for handling suspected phishing, as defined in the CompTIA 220-1102 objectives for social engineering and email security. The user should never interact with the email (reply or click links) because the mismatched sender domain is a clear indicator of a phishing attack.
Q4
mediumFull explanation →

A security administrator notices that a user's workstation is sending outbound traffic to a known malicious IP address at regular intervals. The user reports no unusual activity. The technician has already run a full antivirus scan with no detections. Which of the following should the technician do NEXT to investigate the persistent network connection?

A

Run a network packet capture to analyze the traffic content.

Packet capture provides detailed visibility into the actual data being transmitted, helping to identify the nature of the communication (e.g., command and control traffic or data exfiltration). This is the best investigative step.

B

Disable the network adapter and disconnect the workstation from the network.

C

Reimage the workstation immediately.

D

Check the Windows Firewall logs for blocked connections.

Why: A network packet capture (e.g., using Wireshark or tcpdump) allows the technician to inspect the actual payload and protocol headers of the outbound traffic. Since the antivirus scan found no malware, the connection may be using a legitimate process that has been hijacked or is beaconing to a C2 server. Analyzing the traffic content can reveal the destination port, application-layer data, and whether the communication is encrypted or contains command-and-control patterns.
Q5
mediumFull explanation →

A user reports that their Windows 10 workstation suddenly cannot access any network resources. A technician remotely views the system and notices a popup that mimics a Windows Security alert, stating the system is infected. The technician checks the IP configuration and sees the workstation has an APIPA address (169.254.x.x). The network adapter shows no physical link issues. Which of the following is the MOST likely cause of the issue?

A

A rogue DHCP server is issuing invalid IP addresses on the network.

B

An ARP poisoning attack is redirecting network traffic, causing the system to lose its lease.

C

Malware is disabling the DHCP client service to block internet access as part of a scareware campaign.

Scareware often disables network services to create a sense of urgency. APIPA results when the DHCP client fails, and the fake security popup is a classic tactic of scareware.

D

A DNS hijack is preventing the workstation from resolving network names, so it falls back to APIPA.

Why: The APIPA address (169.254.x.x) indicates the workstation failed to obtain a DHCP lease. The popup mimicking a Windows Security alert is a classic scareware tactic. Malware that disables the DHCP Client service prevents the system from renewing or obtaining an IP address, effectively cutting off network access to pressure the user into purchasing fake security software.
Q6
hardFull explanation →

A security audit reveals that a legacy application running on a Windows 10 workstation transmits sensitive data over an unencrypted protocol. The application is critical for business operations and cannot be updated or replaced. The workstation is located in a secured server room with restricted physical access. Which of the following would BEST mitigate the risk of data interception for this legacy application?

A

Implement an IPsec policy on the workstation to encrypt all network traffic.

IPsec provides end-to-end encryption at the network layer, securing all communications from the workstation regardless of application protocol. It can be enforced via Group Policy or local settings.

B

Install a VPN client on the workstation and connect to a corporate VPN server.

C

Change the application configuration to use HTTPS for communication.

D

Place the workstation on an isolated VLAN that has no access to external networks.

Why: Option A is correct because IPsec can be configured on the Windows 10 workstation to encrypt all outbound and inbound network traffic at the IP layer, regardless of the application protocol. This provides transparent encryption for the legacy application's unencrypted data without requiring any changes to the application itself, which is critical since the application cannot be updated or replaced.

Want more Security practice?

Practice this domain
3

Domain 3: Software Troubleshooting

All Software Troubleshooting questions
Q1
mediumFull explanation →

A user reports that after installing a new printer driver on a Windows 10 computer, the system blue screens whenever they attempt to print. The computer boots normally but crashes during the print job. Which of the following should the technician do FIRST to resolve the issue?

A

Run the System File Checker (sfc /scannow) from the Command Prompt.

B

Boot into Safe Mode and roll back the printer driver.

Safe Mode loads minimal drivers, allowing the technician to access Device Manager and roll back the driver that is causing the blue screen. This directly addresses the problem.

C

Use System Restore to revert the system to a point before the driver installation.

D

Perform a repair installation of Windows 10 using installation media.

Why: The computer boots normally but crashes only during printing, which isolates the issue to the newly installed printer driver. Booting into Safe Mode loads only essential drivers and services, bypassing the problematic third-party driver, allowing the technician to safely roll back to the previous driver version. This is the quickest and least invasive method to restore functionality without affecting other system settings or files.
Q2
mediumFull explanation →

A user's Windows 10 computer displays the error 'Invalid system disk' after a power outage. The computer previously booted normally. Which of the following is the MOST likely cause of this error?

A

The Boot Configuration Data (BCD) is corrupted.

B

The hard drive has failed completely.

C

The BIOS boot order has changed due to the power outage.

Power outages can cause the CMOS battery to lose power temporarily, resetting BIOS settings. The boot order may default to a non-bootable device, causing the error.

D

The operating system files are missing or damaged.

Why: Option C is correct because a power outage can cause the BIOS/UEFI to reset to default settings, which may change the boot order. If the system tries to boot from a non-bootable device (e.g., a USB drive or network) before the hard drive, it will display 'Invalid system disk'. This is a common symptom after an unexpected power loss, not a sign of data corruption or drive failure.
Q3
hardFull explanation →

A technician updates the graphics driver on a Windows 10 workstation. After restarting, the computer boots to a black screen with only a mouse cursor. The technician is able to boot into Safe Mode by pressing F8 during startup (assuming legacy boot). Which of the following should the technician do FIRST to resolve the issue?

A

Use System Restore to revert to a previous restore point

B

Roll back the graphics driver in Device Manager

In Safe Mode, Device Manager is functional. The Driver Roll Back feature reverts to the previously installed driver version, which should restore normal operation. This is the quickest and most specific fix.

C

Use the Last Known Good Configuration option

D

Boot into Safe Mode and run sfc /scannow

Why: The correct first step is to roll back the graphics driver in Device Manager. Since the issue began immediately after updating the graphics driver and the technician can boot into Safe Mode (which loads only basic drivers), the most likely cause is a faulty or incompatible driver update. Rolling back restores the previous working driver version, directly addressing the root cause without unnecessary steps.
Q4
mediumFull explanation →

A user reports that a critical application crashes every time they attempt to save a file to a network drive. The application works fine when saving locally. The network drive is accessible and other users can save files to it without issues. Which of the following steps should the technician take FIRST?

A

Reinstall the application.

B

Check the disk space on the network drive.

Insufficient disk space or a quota limit can cause save operations to fail. This is a common cause and should be verified first. The technician can check via the drive properties or server management.

C

Run chkdsk on the local drive.

D

Update the network driver.

Why: The application crashes only when saving to the network drive, not locally, and other users can save to the same drive without issues. This points to a client-side or user-specific problem, but the most common cause for a single user experiencing a crash on save is insufficient disk space or quota limits on the network share. Checking disk space on the network drive is the quickest, least disruptive step to rule out a full volume or quota restriction before escalating to more invasive fixes.
Q5
mediumFull explanation →

A user reports that Microsoft Word 2019 crashes every time they attempt to open a specific .docx file. Other Word documents open without issue. The technician has already booted Word in Safe Mode and the crash still occurs when opening this file. Which of the following should the technician do NEXT to resolve the issue?

A

Reinstall Microsoft Office from the installation media.

B

Run the System File Checker (SFC) utility from an elevated command prompt.

C

Use the Open and Repair feature in Word to attempt to recover the file.

Open and Repair is specifically designed to repair corrupted Office documents. It is the appropriate next step after safe mode fails to isolate the issue to the file itself.

D

Check for Microsoft Office updates and install any available patches.

Why: The issue is isolated to a single .docx file, and Word Safe Mode also crashes, which rules out add-ins or configuration problems. The 'Open and Repair' feature in Word is designed to repair corrupted document files by extracting readable content, making it the logical next step before attempting broader repairs or reinstallation.
Q6
easyFull explanation →

A user reports that a Windows 10 application frequently crashes with an error indicating that a required DLL file is missing. The technician has verified that the application worked previously. Which of the following should the technician do FIRST?

A

Reinstall the application

B

Run SFC /scannow

SFC scans and repairs corrupted system files, which is a logical first step for a missing DLL error when system files may be involved.

C

Update the graphics driver

D

Perform a System Restore

Why: The SFC (System File Checker) utility scans for and restores corrupted or missing protected system files, including DLLs. Since the error indicates a missing DLL and the application worked previously, the most likely cause is a corrupted system file rather than an application-specific issue, making SFC /scannow the appropriate first step.

Want more Software Troubleshooting practice?

Practice this domain
4

Domain 4: Operational Procedures

All Operational Procedures questions
Q1
easyFull explanation →

A technician is decommissioning several hard drives that contained sensitive client data. The drives are still functional but need to be disposed of securely. Which method ensures the data cannot be recovered?

A

Quick format the drives and then sell them.

B

Delete all files and empty the Recycle Bin.

C

Use a degausser to demagnetize the platters.

Degaussing destroys the magnetic field that stores data, making recovery impossible. This is an industry-standard method for secure disposal of magnetic media.

D

Perform a standard format and then reuse the drives.

Why: Option C is correct because degaussing uses a strong magnetic field to randomize the magnetic domains on the hard drive platters, rendering the data permanently unrecoverable. This method meets the security requirement for disposing of drives containing sensitive client data, as it physically destroys the magnetic storage medium without requiring the drive to be functional afterward.
Q2
easyFull explanation →

A technician receives a report that several employees have received an email appearing to be from the company's IT department asking them to click a link and enter their login credentials. The technician suspects a phishing attack. What is the FIRST step the technician should take according to incident response procedures?

A

Identify the affected users and determine if any credentials have been compromised.

Identifying affected users is the initial step to assess the impact. This allows the technician to understand the extent of the breach before taking further action.

B

Report the incident to management immediately.

C

Block the sender's email address and delete the email from all inboxes.

D

Send a company-wide email educating users on how to spot phishing emails.

Why: Option A is correct because, according to incident response procedures, the first step after confirming a suspected phishing attack is to identify the affected users and determine if any credentials have been compromised. This aligns with the 'Identification' phase of the NIST SP 800-61 incident response lifecycle, where the scope and impact must be assessed before any containment or eradication actions are taken. Without knowing which users clicked the link or entered credentials, further steps like blocking or reporting would be premature and could destroy forensic evidence.
Q3
mediumFull explanation →

A small business is upgrading its office equipment and needs to dispose of several old CRT monitors and LCD displays. Which of the following is the MOST environmentally responsible method of disposal for these electronic devices?

A

Place them in the regular trash dumpster

B

Sell them to a scrap metal recycler

C

Donate them to a local charity

D

Take them to an e-waste recycling center

E-waste recycling facilities are designed to safely dismantle and process electronic devices, recovering materials while minimizing environmental harm. This is the most responsible disposal method.

Why: CRT monitors and LCD displays contain hazardous materials such as lead, mercury, and cadmium, which can leach into the environment if disposed of in landfills. E-waste recycling centers are specifically designed to safely dismantle these devices, recover valuable materials, and ensure toxic components are handled according to environmental regulations. This method complies with the EPA's Responsible Recycling (R2) standards and is the most environmentally responsible choice.
Q4
easyFull explanation →

A technician is setting up a secure disposal plan for old laptops. Which of the following procedures BEST ensures that all sensitive data is irretrievable before disposal?

A

Deleting all files and emptying the recycle bin.

B

Performing a standard format of the hard drive.

C

Using disk encryption software that meets industry standards.

D

Physically destroying the hard drive platters.

Physical destruction (e.g., shredding, drilling through platters, or incineration) makes data recovery impossible, providing the highest level of security for disposal.

Why: Physical destruction of the hard drive platters (Option D) is the only method that guarantees data irretrievability because it mechanically disrupts the magnetic medium, making it impossible to reconstruct data even with advanced forensic tools like electron microscopes or magnetic force microscopy. Deleting files, formatting, or encryption alone leave data recoverable through software or hardware techniques, which is unacceptable for secure disposal.
Q5
easyFull explanation →

A technician is decommissioning several old laptop batteries that are no longer holding a charge. Which of the following is the MOST appropriate method of disposal for these batteries?

A

Place them in the regular office trash for collection.

B

Recycle them through an approved electronics recycling vendor or battery drop-off program.

Proper recycling ensures hazardous materials are handled safely and valuable materials are recovered. This is the environmentally responsible and often legally required method.

C

Incinerate them at a licensed waste-to-energy facility.

D

Donate them to a local school for use in demonstrations.

Why: B is correct because lithium-ion and other rechargeable batteries contain hazardous materials that require special handling. Disposing of them through an approved electronics recycling vendor or battery drop-off program ensures compliance with environmental regulations and prevents fire hazards in landfills.
Q6
mediumFull explanation →

A technician is documenting a recurring issue where users lose network connectivity after a specific software update is installed. The technician has identified the root cause and implemented a temporary workaround. According to change management best practices, what is the NEXT step the technician should take?

A

Inform all users of the workaround

B

Submit a request to deploy a permanent fix through the change control process

Change management dictates that any permanent fix must go through the change control process for review, approval, and scheduled deployment.

C

Revert the update on all affected systems

D

Escalate the issue to the vendor for a patch

Why: After identifying the root cause and implementing a temporary workaround, the next step per change management best practices is to submit a formal request to deploy a permanent fix through the change control process. This ensures the permanent solution is reviewed, tested, and approved before production deployment, minimizing risk and maintaining documentation integrity.

Want more Operational Procedures practice?

Practice this domain

Frequently asked questions

How many questions are on the 220-1102 exam?

The 220-1102 exam has 90 questions and must be completed in 90 minutes. The passing score is 700/1000.

What types of questions appear on the 220-1102 exam?

Multiple-choice and performance-based questions covering IT security, networking, and operations. Some questions are performance-based (PBQs), asking you to complete tasks in a simulated environment.

How are 220-1102 questions organised by domain?

The exam covers 4 domains: Operating Systems, Security, Software Troubleshooting, Operational Procedures. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual 220-1102 exam questions?

No. These are original exam-style practice questions written against the official CompTIA 220-1102 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice all 90 220-1102 questions?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.

Browse all 220-1102 questionsTake a timed practice test