CompTIA A+ Core 2 220-1202 (220-1202) — Questions 676750

750 questions total · 10pages · All types, answers revealed

Page 9

Page 10 of 10

676
MCQeasy

A technician needs to deploy a PowerShell script to 50 Windows 10 workstations that will install a security update silently. The script must run with administrative privileges. Which method should the technician use to ensure the script executes properly without user interaction?

A.Double-click the script file on each workstation
B.Run the script via 'powershell.exe -ExecutionPolicy Bypass -File script.ps1' from an elevated command prompt
C.Use the 'Start-Process' cmdlet without elevation
D.Copy the script to the Startup folder
AnswerB

This command bypasses the execution policy and runs the script silently with administrative rights.

Why this answer

Option B is correct because running 'powershell.exe -ExecutionPolicy Bypass -File script.ps1' from an elevated command prompt bypasses PowerShell's execution policy for that session and ensures the script runs with administrative privileges. This combination allows silent, unattended execution of the security update installation across multiple workstations without user interaction.

Exam trap

CompTIA often tests the misconception that double-clicking a .ps1 file executes it like a batch file, when in reality it opens in an editor, and that 'Start-Process' without elevation is sufficient for administrative tasks.

How to eliminate wrong answers

Option A is wrong because double-clicking a .ps1 file opens it in Notepad by default on Windows 10, not executing it; even if execution policy allowed it, it would require user interaction and does not guarantee elevation. Option C is wrong because 'Start-Process' without elevation (e.g., missing the '-Verb RunAs' parameter) runs the script with the current user's privileges, which may lack the administrative rights needed to install a security update. Option D is wrong because copying the script to the Startup folder runs it at user logon with the user's privileges (not elevated), and the execution policy may block it; it also requires user logon, not a silent deployment.

677
MCQeasy

A user reports that their Windows 10 PC is running slowly and they suspect a background process is consuming excessive memory. Which command-line tool should you use to identify the process by name and memory usage?

A.tasklist
B.ipconfig
C.chkdsk
D.sfc
AnswerA

Correct. tasklist lists all running processes with memory usage, allowing you to identify the culprit.

Why this answer

The `tasklist` command displays a list of all currently running processes on a Windows system, including their process ID (PID), session name, session number, and memory usage. By default, it shows memory consumption in kilobytes, allowing you to identify which process is consuming excessive memory by name. This makes it the correct tool for diagnosing a memory-hungry background process.

Exam trap

CompTIA often tests the distinction between system information commands (like `systeminfo` or `tasklist`) and network or disk utilities; the trap here is that candidates may confuse `ipconfig` (a network tool) or `sfc` (a system file checker) with a process management tool, or assume `chkdsk` can show memory usage because it reports disk-related resource consumption.

How to eliminate wrong answers

Option B (ipconfig) is wrong because it displays TCP/IP network configuration values (IP address, subnet mask, default gateway) and has no capability to list processes or memory usage. Option C (chkdsk) is wrong because it checks the file system integrity of a volume for logical and physical errors, not for running processes or memory consumption. Option D (sfc) is wrong because it scans and verifies the integrity of all protected system files, replacing incorrect versions with correct Microsoft versions, and does not provide any process or memory information.

678
MCQhard

A technician is setting up a virtual machine for a software developer who needs to test an application on multiple operating systems. The host runs Windows 10 Pro with 32 GB of RAM and a quad-core CPU. The developer wants the VM to have direct access to a USB security dongle. Which configuration step is essential to meet this requirement?

A.Configure the VM to use dynamic memory.
B.Enable virtualization extensions (VT-x/AMD-V) in the host BIOS.
C.Install the guest additions or integration services in the VM.
D.Enable USB controller passthrough in the VM settings.
AnswerD

USB passthrough allows the VM to directly control the USB device, which is required for a security dongle.

Why this answer

Option D is correct because USB passthrough (or USB controller passthrough) allows the virtual machine to directly access and control a physical USB device, such as a security dongle, bypassing the host operating system. This is essential for applications that require direct hardware-level communication with the dongle for licensing or authentication.

Exam trap

The trap here is that candidates often confuse VM enhancements (like shared folders and mouse smoothing) with the ability to pass through hardware devices, leading them to select Option C instead of the correct USB passthrough configuration.

How to eliminate wrong answers

Option A is wrong because dynamic memory adjusts the amount of RAM allocated to the VM based on demand, but it has no effect on USB device access or passthrough capabilities. Option B is wrong because enabling virtualization extensions (VT-x/AMD-V) in the host BIOS is necessary for running any 64-bit or hardware-assisted virtual machines, but it does not enable USB passthrough; it is a prerequisite for virtualization itself, not a specific step for USB access. Option C is wrong because guest additions or integration services improve performance, clipboard sharing, and display resolution, but they do not provide direct USB device access; USB passthrough is configured at the hypervisor level, not through guest software.

679
MCQmedium

A company’s change management policy requires that all changes be categorized as standard, emergency, or normal. During a server migration, a technician discovers a critical security patch must be applied immediately to prevent a data breach. Which type of change should the technician request?

A.Standard change
B.Emergency change
C.Normal change
D.Service request
AnswerB

An emergency change is designed for situations that require immediate action to prevent major issues, like a security breach.

Why this answer

The scenario describes a critical security patch that must be applied immediately to prevent a data breach, which aligns with the definition of an emergency change. Emergency changes are pre-approved or fast-tracked to address urgent threats or service outages, bypassing the normal change advisory board (CAB) review process. This ensures the patch can be deployed without delay to mitigate the risk.

Exam trap

CompTIA often tests the distinction between 'emergency' and 'standard' changes by presenting a time-sensitive scenario where candidates mistakenly classify a critical patch as a standard change because it is a routine security update, ignoring the 'immediate' and 'critical' context.

How to eliminate wrong answers

Option A is wrong because a standard change is a low-risk, pre-approved change that follows a documented procedure (e.g., applying routine OS updates), not an urgent security patch requiring immediate action. Option C is wrong because a normal change requires full CAB review and scheduling, which would introduce unacceptable delay for a critical security vulnerability. Option D is wrong because a service request is a user-initiated request for information, access, or a standard service (e.g., password reset), not a change to the IT infrastructure like applying a security patch.

680
MCQeasy

During a security incident, a user's files have been renamed with a '.encrypted' extension, and a ransom note demands Bitcoin to restore them. The user has no backups. What is the most appropriate immediate action?

A.Pay the ransom to regain access quickly.
B.Disconnect the computer from the network immediately.
C.Run a full antivirus scan to remove the malware.
D.Restart the computer in Safe Mode and attempt file recovery.
AnswerB

Isolating the system stops the ransomware from encrypting network drives or spreading to other devices.

Why this answer

Ransomware encrypts files, and paying the ransom does not guarantee decryption. The correct first step is to isolate the infected system to prevent the malware from spreading to network shares or other devices.

681
MCQeasy

During a software deployment, you need to ensure that all users on a Windows 10 workstation have the company logo as their desktop background. Which Control Panel applet would you use to set a mandatory desktop background?

A.Ease of Access Center
B.Personalization
C.Display
D.Folder Options
AnswerB

Personalization includes options for desktop background, colors, lock screen, and themes.

Why this answer

The Personalization applet in Control Panel allows you to set a desktop background image. To enforce a mandatory background for all users, you would configure a Group Policy setting (via gpedit.msc) that references the Personalization category, specifically the 'Desktop Wallpaper' policy under User Configuration > Administrative Templates > Desktop > Desktop. This overrides individual user settings and locks the background.

Exam trap

CompTIA often tests the misconception that the Display applet controls desktop backgrounds because it deals with visual output, but Display strictly handles resolution and scaling, not wallpaper.

How to eliminate wrong answers

Option A is wrong because the Ease of Access Center is designed to configure accessibility features like Narrator, Magnifier, and high-contrast themes, not desktop wallpaper settings. Option C is wrong because the Display applet manages screen resolution, scaling, and multiple monitor configurations, not desktop background images. Option D is wrong because Folder Options controls file explorer behaviors such as view settings, search options, and file associations, not desktop personalization.

682
MCQmedium

During a network upgrade, a technician needs to run new Ethernet cables through a drop ceiling. The technician notices that some existing cables are resting on the ceiling tiles and are not secured. What safety concern should the technician address?

A.Leave the cables as they are and run the new cables alongside them.
B.Secure all cables to the ceiling grid using appropriate cable supports.
C.Use zip ties to attach the cables to the sprinkler pipes for stability.
D.Remove the existing cables and replace them with the new ones.
AnswerB

Proper cable management prevents tiles from being dislodged and ensures cables are not a fire or tripping hazard.

Why this answer

Unsecured cables on ceiling tiles can cause the tiles to fall, creating a head injury risk and damaging equipment. Cables should be secured to the building structure using J-hooks or cable trays. This also prevents tripping hazards and maintains fire code compliance.

683
MCQhard

A data center manager wants to implement a physical security control that can detect if a server chassis has been opened without authorization. Which control should they use?

A.Intrusion detection system (IDS) on the network
B.Chassis intrusion switch
C.Tamper-evident seals
D.Video surveillance
AnswerC

Tamper-evident seals are placed over chassis screws or seams; any attempt to open the case will break or distort the seal, providing clear evidence of tampering.

Why this answer

Tamper-evident seals are a physical security control that provide visual evidence of unauthorized access. When a server chassis is opened, the seal is broken, indicating tampering. This is the correct choice because the question specifically asks for a control that can detect if a chassis has been opened, and tamper-evident seals are designed for this purpose.

Exam trap

The trap here is that candidates may confuse a chassis intrusion switch (an electronic detection mechanism) with a physical security control that provides tamper evidence, but the question specifically asks for a control that can detect if a chassis has been opened, and tamper-evident seals are the correct physical control for this purpose.

How to eliminate wrong answers

Option A is wrong because an Intrusion Detection System (IDS) on the network monitors network traffic for malicious activity, not physical chassis access. Option B is wrong because a chassis intrusion switch is an electronic sensor that can detect when a chassis is opened, but it is not a physical security control that provides tamper evidence; it is an electronic detection mechanism that can be bypassed or disabled. Option D is wrong because video surveillance can monitor physical access to the server room but does not directly detect if a specific server chassis has been opened; it requires continuous monitoring and review of footage.

684
MCQmedium

A user reports that their iPad will not rotate the screen when they turn the device sideways. The rotation lock icon appears in the status bar. What is the most likely cause?

A.The accelerometer is faulty.
B.The app being used does not support rotation.
C.Rotation lock is enabled in Control Center or via the side switch.
D.The device needs a software update to fix a rotation bug.
AnswerC

The rotation lock icon confirms the feature is on; disabling it will restore rotation.

Why this answer

The rotation lock icon indicates the feature is enabled. On an iPad, this can be controlled via the Control Center or a physical switch on the side. The technician should disable rotation lock before any other troubleshooting.

685
MCQeasy

A user reports that a PowerShell script they wrote to rename multiple files in a folder works on their desktop but fails with a 'permission denied' error when run from a network folder. The user has full control of the network folder. What is the most likely cause?

A.The script uses a cmdlet that is not available on the network drive.
B.The execution policy is set to RemoteSigned, which blocks scripts from network locations.
C.The network folder has a space in its name.
D.The user is not running PowerShell as an administrator.
AnswerB

RemoteSigned requires scripts from the internet or network to be signed, causing the failure.

Why this answer

The PowerShell execution policy controls which scripts can run and from where. The RemoteSigned policy requires that scripts from the internet (including network shares) be digitally signed, and it treats network drives as an 'internet' zone. When the script is run from a network folder, the policy blocks execution unless the script is signed, resulting in a 'permission denied' error, even though the user has full NTFS permissions.

Exam trap

CompTIA often tests the misconception that 'permission denied' always relates to NTFS or share permissions, when in fact PowerShell's execution policy can block scripts from network locations even if the user has full control.

How to eliminate wrong answers

Option A is wrong because cmdlets are part of the PowerShell module and are available regardless of the drive location; a missing cmdlet would produce a 'command not found' error, not a 'permission denied' error. Option C is wrong because a space in the folder name would cause a syntax error or path resolution issue, not a 'permission denied' error, and PowerShell handles spaces correctly with quoting or escaping. Option D is wrong because running as administrator is not required for renaming files in a folder where the user already has full control; the 'permission denied' error here is due to the execution policy, not a lack of administrative rights.

686
MCQeasy

A customer reports that their Windows 10 laptop is displaying pop-up ads even when no browser is open. They suspect a malware infection. Which of the following should you do first to remediate this issue?

A.Run a full antivirus scan while the system is connected to the internet.
B.Disconnect the network cable, boot into Safe Mode, then run a full antivirus scan.
C.Perform a System Restore to a point before the pop-ups started.
D.Immediately reinstall Windows 10 to ensure complete removal.
AnswerB

This is the correct sequence: disconnecting the network stops remote communication, Safe Mode limits malware activity, and scanning identifies and removes the threat.

Why this answer

The first step in malware remediation is to disconnect from the network to prevent further communication with command-and-control servers. Then boot into Safe Mode to prevent malicious processes from loading, and run a full antivirus scan. This isolates the threat before attempting removal.

687
MCQmedium

A user reports that their laptop frequently disconnects from the office Wi-Fi and reconnects after a few seconds. The network uses WPA2-Enterprise with PEAP-MSCHAPv2. Other users do not experience this issue. What is the most likely cause?

A.The laptop's wireless driver is outdated.
B.The RADIUS server is rejecting the laptop's certificate intermittently.
C.The office Wi-Fi channel is congested.
D.The laptop's power saving mode is turning off the Wi-Fi adapter.
AnswerA

An outdated wireless driver can cause intermittent connectivity issues, such as frequent disconnects and reconnects, on a single device.

Why this answer

The most likely cause is an outdated or incompatible wireless driver. This can cause intermittent connectivity issues on a single device. Other users are unaffected, and since the network uses WPA2-Enterprise with PEAP-MSCHAPv2, which relies on username/password authentication, the RADIUS server does not reject client certificates.

Channel congestion would affect multiple users, and power saving mode typically turns off the adapter after inactivity, not causing frequent reconnects.

Exam trap

Candidates may incorrectly attribute a single-user issue to server-side authentication problems, but in this case the RADIUS server does not use client certificates in PEAP-MSCHAPv2, so the correct cause is a local driver issue.

How to eliminate wrong answers

Option A is wrong because an outdated wireless driver would typically cause persistent connectivity issues, frequent drops without automatic reconnection, or driver crashes, not a pattern of disconnection and reconnection every few seconds that only affects one user. Option C is wrong because channel congestion would affect all users in the same area, not just one laptop, and would manifest as slow speeds or intermittent connectivity for everyone, not a specific reconnection pattern. Option D is wrong because power saving mode turning off the Wi-Fi adapter would cause the laptop to disconnect and not reconnect automatically for several seconds, and this behavior would be consistent and not intermittent; moreover, power saving features typically do not cause a reconnection after a few seconds without user intervention.

688
MCQhard

A server administrator needs to grant a junior technician the ability to reset user passwords on a Windows Server 2019 domain controller, but without giving them full administrative rights. Which administrative tool should be used to delegate this specific permission?

A.Local Security Policy to assign the 'Reset passwords' user right.
B.Active Directory Users and Computers and use the Delegation of Control Wizard.
C.Group Policy Management Console to create a policy that allows password resets.
D.Computer Management to add the technician to the 'Account Operators' group.
AnswerB

Correct. ADUC's Delegation of Control Wizard allows granting specific permissions like password reset on selected OUs or users.

Why this answer

The Delegation of Control Wizard in Active Directory Users and Computers is the correct tool because it allows an administrator to grant specific permissions, such as resetting user passwords, to a non-administrative user without granting full administrative rights. This wizard modifies the ACL on the selected organizational unit (OU) or container, enabling granular control over tasks like password resets while preserving security boundaries.

Exam trap

The Delegation of Control Wizard allows granular permissions, whereas built-in groups like Account Operators grant overly broad rights, violating the principle of least privilege.

How to eliminate wrong answers

Option A is wrong because Local Security Policy assigns user rights (e.g., 'Log on locally') at the local machine level, not granular Active Directory permissions like resetting passwords, and it cannot delegate AD-specific tasks. Option C is wrong because Group Policy Management Console applies computer or user configuration settings via GPOs, not delegated permissions for AD object operations like password resets; it cannot grant a user the ability to modify AD objects. Option D is wrong because adding the technician to the 'Account Operators' group grants broad permissions to manage user accounts, groups, and passwords across the domain, which exceeds the requirement of only resetting passwords and introduces unnecessary security risks.

689
MCQmedium

A user reports that their Windows 10 PC is infected with a virus that changes the desktop background to a ransom note. After removing the virus with antivirus software, the desktop background remains unchanged. What should you do to restore the original background?

A.Reinstall the graphics driver.
B.Run System File Checker (sfc /scannow).
C.Check Group Policy settings for desktop wallpaper enforcement and reset them.
D.Perform a system restore to a point before the infection.
AnswerC

Malware often sets a Group Policy to lock the wallpaper; resetting this policy allows the user to change it.

Why this answer

Option C is correct because the virus likely modified the Group Policy setting that enforces a specific desktop wallpaper. Even after the virus is removed, the Group Policy setting persists and overrides any user attempts to change the background. Resetting the Group Policy wallpaper enforcement restores the user's ability to change the background normally.

Exam trap

The trap here is that candidates assume a virus removal or system file repair will fix all remnants of the infection, but they overlook that malware can modify persistent system policies like Group Policy, which require explicit reversal.

How to eliminate wrong answers

Option A is wrong because the graphics driver is not involved in displaying a static desktop background; the issue is a policy enforcement, not a rendering or driver problem. Option B is wrong because System File Checker (sfc /scannow) repairs corrupted system files, but the wallpaper change is due to a Group Policy setting, not file corruption. Option D is wrong because a system restore might revert the Group Policy change, but it is not the most direct or efficient fix; the problem is specifically a persistent policy setting that can be reset without affecting other system changes.

690
MCQmedium

A user on Windows 11 is trying to install a new application, but receives the error 'Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.' The user is a local administrator. What is the most likely cause?

A.The file is corrupted and needs to be re-downloaded.
B.User Account Control (UAC) is blocking the installation.
C.The file has been blocked by Windows because it was downloaded from the internet.
D.The user does not have 'Read & Execute' permissions on the file.
AnswerC

Windows adds a security zone to downloaded files. Right-clicking the file, selecting Properties, and clicking 'Unblock' removes the restriction. This is a common cause of this error for admin users.

Why this answer

Even local administrators can be blocked from running executables that were downloaded from the internet because Windows marks them with a zone identifier. The 'Unblock' button in the file's Properties removes this mark, allowing the file to run. This is a common security feature in Windows to prevent accidental execution of potentially unsafe files.

691
MCQhard

A user's iOS device is running out of storage, and they want to offload unused apps without deleting documents and data. Which iOS feature should be recommended, and where is it configured?

A.Enable 'Optimize iPhone Storage' in Photos settings
B.Use 'Offload Unused Apps' in Settings > General > iPhone Storage
C.Manually delete apps from the Home Screen
D.Configure iCloud Storage to offload app data
AnswerB

This feature removes the app but retains its data, allowing easy reinstallation without data loss.

Why this answer

The 'Offload Unused Apps' feature automatically removes app binaries when storage is low, but preserves the app's documents and data. This is configured in Settings > General > iPhone Storage, where users can also manually offload individual apps. It directly addresses the user's requirement to free up space without losing personal data.

Exam trap

CompTIA often tests the distinction between 'offloading' (preserving data) and 'deleting' (removing everything), and candidates may confuse 'Optimize iPhone Storage' with app offloading because both involve storage management.

How to eliminate wrong answers

Option A is wrong because 'Optimize iPhone Storage' in Photos settings only manages photo and video storage by replacing full-resolution originals with device-optimized versions, not app offloading. Option C is wrong because manually deleting apps from the Home Screen removes both the app and its documents/data, which contradicts the user's requirement to preserve data. Option D is wrong because iCloud Storage does not offload app data; it syncs and backs up data, but does not remove app binaries from the device to free local storage.

692
MCQhard

A security incident occurs where an attacker used a PowerShell script to download and execute a payload from a remote server. The script was obfuscated and ran in memory without touching the disk. Which security control could have prevented this attack?

A.Setting the execution policy to Restricted.
B.Enabling PowerShell Constrained Language Mode.
C.Disabling PowerShell script block logging.
D.Using a signed script policy.
AnswerB

Constrained Language Mode blocks dangerous cmdlets and limits script functionality, preventing such attacks.

Why this answer

PowerShell Constrained Language Mode (CLM) restricts the language elements available to PowerShell, preventing the use of most .NET types, COM objects, and other advanced features that attackers rely on for in-memory payload execution. Since the attack used an obfuscated script that ran entirely in memory without touching disk, CLM would block the script's ability to invoke arbitrary .NET methods or Win32 API calls needed to download and execute the remote payload, stopping the attack before it could run.

Exam trap

The trap here is that candidates often assume execution policy (Option A) is a strong security control, but CompTIA tests the fact that execution policy is a user preference, not a security boundary, and does not prevent in-memory or obfuscated script execution.

How to eliminate wrong answers

Option A is wrong because setting the execution policy to Restricted only prevents scripts from running from files, but it does not block scripts that are executed directly in memory (e.g., via Invoke-Expression or by passing a script block), so the in-memory attack would still succeed. Option C is wrong because disabling PowerShell script block logging would actually reduce visibility and make detection harder; it does not prevent the attack from occurring. Option D is wrong because using a signed script policy only enforces that scripts must be digitally signed to run, but the attacker's obfuscated script could be self-signed or run in memory bypassing signature checks, and signed script policies do not block in-memory execution.

693
MCQmedium

A technician is tasked with upgrading the operating system on ten identical workstations. The change advisory board has approved the upgrade. After completing the first workstation, the technician notices the new OS causes a critical line-of-business application to fail. What should the technician do next?

A.Continue upgrading the remaining workstations since the change was approved.
B.Restore the first workstation to the previous OS and complete the rest without changes.
C.Report the failure to the change advisory board and pause further upgrades.
D.Research a hotfix for the application and apply it to all workstations.
AnswerC

Reporting the issue allows the CAB to evaluate the risk, possibly modify the rollout plan, or find a workaround before proceeding.

Why this answer

This question tests the change management process when an approved change causes unexpected issues. The correct action is to stop the rollout and document the problem so the CAB can reassess the change.

694
MCQeasy

A technician writes a batch script to automate software installation across multiple workstations. The script needs to wait for the installer to finish before proceeding to the next line. Which command should be used?

A.PAUSE
B.TIMEOUT
C.START /WAIT
D.CALL
AnswerC

START /WAIT launches the installer and waits for it to exit before continuing.

Why this answer

The START /WAIT command launches a specified program or script and pauses execution of the batch file until that process terminates. This is exactly what is needed to ensure the installer completes before the next line runs, making it the correct choice for sequential automation.

Exam trap

CompTIA often tests the distinction between PAUSE (user input wait), TIMEOUT (fixed delay), and START /WAIT (process-aware wait), trapping candidates who confuse a simple delay with true process synchronization.

How to eliminate wrong answers

Option A (PAUSE) is wrong because it simply halts the script and displays 'Press any key to continue...', waiting for user input rather than for a specific process to finish. Option B (TIMEOUT) is wrong because it introduces a fixed delay (e.g., TIMEOUT /T 30) but does not monitor the installer process; the script will resume after the timeout regardless of whether the installer has completed. Option D (CALL) is wrong because it invokes another batch file or label within the same script context and returns control after that script finishes, but it does not inherently wait for a spawned process like an installer; it is designed for subroutine-like calls, not for launching external executables with a wait requirement.

695
MCQmedium

A user calls the help desk because they cannot access a shared folder on the network. The user's account is part of the 'Sales' group, which has 'Read' permission, but the user needs to modify files. What is the most efficient way to grant the required access?

A.Assign 'Full Control' to the user's account directly
B.Add the user to a group that has 'Modify' permission
C.Change the folder's sharing settings to 'Everyone' with 'Read/Write'
D.Remove the user from the Sales group and add them to a new group with 'Read' permission
AnswerB

Modify permission allows reading, writing, and deleting files, which meets the user's need without granting unnecessary rights.

Why this answer

Adding the user to a group with 'Modify' permissions is efficient because it avoids individual permission assignments and follows the principle of group-based access control. This ensures the user can edit files without overcomplicating permissions.

696
MCQmedium

A user reports that their external hard drive is no longer recognized by Windows. They suspect it might be infected with malware from a previous connection. You run a security scan and find no threats. What is the most likely cause of the drive not being recognized?

A.The drive is permanently damaged by malware.
B.The USB controller driver is corrupted or outdated.
C.The user needs to format the drive to remove malware.
D.Windows Firewall is blocking the external drive.
AnswerB

Corrupted drivers can prevent device recognition; reinstalling or updating the driver in Device Manager often fixes the problem.

Why this answer

When a drive is not recognized after a suspected malware incident, the issue is often driver-related or due to a corrupted file system, not necessarily malware. Reinstalling or updating the USB controller driver in Device Manager can resolve recognition issues. The correct answer is to check Device Manager for driver issues.

697
MCQhard

A technician discovers that a user has been sharing their login credentials with coworkers to allow them to access a shared drive. The company's security policy prohibits password sharing. What is the most effective way to prevent this behavior while still allowing necessary access?

A.Disable the user's account and create a generic shared account for the drive.
B.Implement a Group Policy that forces password changes every 30 days.
C.Configure the shared drive permissions using security groups and add the coworkers to the appropriate group.
D.Send a company-wide email reminding users not to share passwords.
AnswerC

This grants necessary access without sharing passwords, enforcing least privilege and accountability.

Why this answer

The root cause is that the shared drive access is tied to individual accounts, encouraging sharing. Implementing group-based permissions with proper access control lists (ACLs) allows the company to grant access to a group rather than an individual, eliminating the need to share passwords. Additionally, enforcing a policy of non-repudiation and using audit logs can deter sharing.

698
MCQmedium

A company uses a cloud-based file storage service. An employee reports that when they try to upload a large video file, the upload fails after several minutes of progress. The employee's internet connection is stable and other uploads of smaller files work fine. What is the most likely cause of this issue?

A.The employee's computer has insufficient RAM.
B.The cloud service's server is temporarily overloaded.
C.The file exceeds the maximum upload size allowed by the service.
D.The employee's account has been suspended.
AnswerC

Cloud storage services often impose file size limits, and exceeding that limit would cause the upload to fail, often after some progress.

Why this answer

The most likely cause is that the file exceeds the maximum upload size allowed by the cloud service. Cloud storage providers enforce file size limits to manage bandwidth and storage resources, and a large video file would be rejected after the upload begins if it surpasses this threshold. The fact that smaller uploads succeed and the connection is stable points directly to a file size restriction rather than a network or account issue.

Exam trap

CompTIA A+ often tests the misconception that a stable internet connection and successful small uploads rule out file size limits, leading candidates to incorrectly blame server overload or local hardware issues instead of recognizing the service's enforced upload cap.

How to eliminate wrong answers

Option A is wrong because insufficient RAM on the employee's computer would cause system-wide slowdowns or crashes, not a specific upload failure after several minutes of progress; RAM does not directly affect the upload process once the file is read into memory. Option B is wrong because a temporarily overloaded server would typically cause slow uploads or timeouts for all users, not a consistent failure after several minutes for a single large file while smaller uploads succeed. Option D is wrong because a suspended account would prevent all uploads, not just large files, and the employee would likely receive an authentication or authorization error immediately rather than after several minutes of progress.

699
MCQhard

A technician is troubleshooting a network issue and needs to access the user's computer remotely. The user is in a different city and speaks with a heavy accent, making communication difficult. The technician has trouble understanding the user's description of the error. What is the best approach?

A.Ask the user to type the error message in a chat window to avoid miscommunication.
B.Speak slowly and loudly, repeating each question until the user understands.
C.Ask the user to transfer the call to a colleague who speaks English more clearly.
D.Proceed with remote access without further communication, assuming you can diagnose the issue visually.
AnswerA

This leverages written communication to bypass the accent barrier, showing resourcefulness and respect for the user.

Why this answer

This question tests adaptability and respectful communication when language barriers exist. The correct answer uses a collaborative, patient approach to ensure understanding without causing embarrassment.

700
MCQmedium

A technician is configuring a new server room and needs to ensure that only authorized personnel can physically access it. The company wants a solution that does not require replacement of keys or cards if one is lost. Which access control method best meets this requirement?

A.Use a combination lock
B.Implement a biometric fingerprint reader
C.Install a smart card system
D.Use a keypad with a PIN code
AnswerB

Biometrics are tied to the individual and cannot be lost, so no reissuance is needed if a card is lost.

Why this answer

Biometric systems use unique physical traits (fingerprint, retina) that cannot be lost or easily duplicated. This eliminates the need to reissue credentials if a card or key is lost, though biometrics have their own management challenges.

701
MCQmedium

A small office user reports that their Windows 10 PC randomly freezes for 10-15 seconds, especially when opening large files. Task Manager shows high disk usage (100%) but low CPU and memory usage. Which built-in Windows tool should be used to diagnose the disk performance issue?

A.Use Resource Monitor to analyze disk activity and queue length.
B.Run the Performance Monitor with a Data Collector Set for disk.
C.Check the Event Viewer for disk-related errors.
D.Defragment the hard drive using the Optimize Drives tool.
AnswerA

Resource Monitor shows real-time disk I/O per process, helping pinpoint which process is causing high disk usage.

Why this answer

Resource Monitor (resmon.exe) provides real-time metrics on disk activity, including disk queue length, average disk seconds per read/write, and per-process I/O. The user's symptom of 100% disk usage with low CPU/memory suggests a disk bottleneck; a consistently high queue length (above 2 per spindle) indicates the disk cannot keep up with I/O requests, which Resource Monitor can pinpoint directly.

Exam trap

CompTIA often tests the distinction between real-time diagnostic tools (Resource Monitor) and historical logging tools (Performance Monitor), leading candidates to choose Performance Monitor because it sounds more comprehensive, but it is not designed for live troubleshooting of an active bottleneck.

How to eliminate wrong answers

Option B is wrong because Performance Monitor with a Data Collector Set is a historical logging tool, not a real-time diagnostic tool for immediate analysis of current high disk usage. Option C is wrong because Event Viewer logs system errors and warnings, not granular per-process disk I/O metrics like queue length or latency. Option D is wrong because defragmentation (Optimize Drives) improves sequential read performance on HDDs but does not address the underlying cause of high disk queue length or random freezes, and is irrelevant for SSDs which do not benefit from defragmentation.

702
MCQmedium

A user reports that their Windows 10 PC is infected with a virus that keeps reappearing after removal. The technician boots into Safe Mode, runs a full antivirus scan, and removes the threat. However, after rebooting normally, the virus returns. What is the most likely reason?

A.The antivirus definitions are outdated.
B.The virus has a persistence mechanism, such as a scheduled task or registry run key.
C.The user is re-downloading the virus from the same source.
D.The virus is a polymorphic variant that changes its signature.
AnswerB

Persistence mechanisms allow malware to reinstall itself after removal. The technician must identify and delete these triggers in Task Scheduler, registry, or startup folders.

Why this answer

Option B is correct because the virus likely uses a persistence mechanism such as a scheduled task (via schtasks.exe) or a registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) to re-infect the system after boot. Safe Mode may bypass some of these mechanisms, but a normal boot re-triggers them, allowing the virus to reinstall itself even after the initial removal.

Exam trap

CompTIA often tests the distinction between detection failure (outdated definitions or polymorphism) and re-infection due to persistence mechanisms, so the trap here is assuming the antivirus failed to detect the virus rather than recognizing that the virus is being re-introduced after removal.

How to eliminate wrong answers

Option A is wrong because outdated antivirus definitions would prevent detection, not cause the virus to reappear after removal; the scan already removed the threat. Option C is wrong because the user re-downloading the virus would require active user action each time, but the problem states the virus 'keeps reappearing' automatically after reboot, indicating a persistence mechanism rather than repeated user downloads. Option D is wrong because a polymorphic virus changes its signature to evade detection, but the antivirus already detected and removed it; the issue is re-infection after reboot, not evasion of the scan.

703
MCQhard

A technician is troubleshooting a wireless network where users report intermittent connectivity. The network uses WPA2-Enterprise with a RADIUS server. The technician notices that the RADIUS server logs show frequent authentication failures from one specific access point. What is the most likely cause?

A.The access point is using a different channel than the others.
B.The RADIUS server certificate has expired.
C.The access point's RADIUS shared secret is incorrect.
D.The clients are using WPA2-PSK instead of WPA2-Enterprise.
AnswerC

The shared secret is used for authentication between the AP and RADIUS server; a mismatch causes failures.

Why this answer

The RADIUS shared secret is a pre-shared key configured on both the access point and the RADIUS server to authenticate the AP itself. If the secret on the specific AP does not match the server's configuration, the server will reject authentication requests from that AP, causing intermittent connectivity for clients associated with it. The logs showing frequent authentication failures from one AP point directly to a mismatch in this shared secret.

Exam trap

CompTIA often tests the distinction between client-side authentication failures (e.g., wrong PSK or certificate) and infrastructure-side authentication failures (e.g., RADIUS shared secret mismatch), and the trap here is that candidates may confuse a RADIUS server certificate issue with a per-AP shared secret problem, not realizing that a certificate expiry would affect all APs uniformly.

How to eliminate wrong answers

Option A is wrong because using a different channel affects RF interference and throughput, not RADIUS authentication; the RADIUS server logs would not show authentication failures due to channel differences. Option B is wrong because an expired RADIUS server certificate would cause authentication failures for all access points, not just one specific AP, and the error would typically appear as a certificate validation failure rather than a shared secret mismatch. Option D is wrong because if clients were using WPA2-PSK instead of WPA2-Enterprise, the AP would not forward authentication requests to the RADIUS server at all, so the server logs would not show authentication failures from that AP.

704
MCQeasy

A customer reports that their laptop battery is swelling and the case is cracking. They ask if it's safe to continue using it plugged in. What should the technician advise?

A.It's fine to keep using it plugged in as long as the battery is removed.
B.Continue using it but only on battery power to avoid overheating the charger.
C.Shut down the laptop immediately, disconnect the battery if safely possible, and replace the battery as soon as possible.
D.Place the laptop in a freezer to reduce swelling, then continue using it.
AnswerC

This follows proper safety protocols: stop using the device, isolate the battery, and replace it. A swollen battery must be treated as hazardous electronic waste.

Why this answer

A swelling lithium-ion battery indicates internal chemical breakdown and gas generation, which can lead to thermal runaway, fire, or explosion. The immediate risk is physical rupture of the battery casing and potential short-circuiting. The correct action is to shut down the laptop, disconnect the battery if it can be done safely without puncturing it, and replace it as soon as possible to eliminate the hazard.

Exam trap

CompTIA often tests the misconception that a swollen battery is safe to use if kept plugged in or if the battery is removed, when in fact any continued use or physical handling of a swollen battery poses immediate fire and chemical hazard risks.

How to eliminate wrong answers

Option A is wrong because removing a swollen battery from a laptop that is still plugged in does not eliminate the risk of short circuits or fire from the damaged battery, and the act of removal itself can be dangerous if the casing is already compromised. Option B is wrong because continuing to use the laptop on battery power will further discharge and stress the already unstable battery, increasing the likelihood of thermal runaway. Option D is wrong because placing a lithium-ion battery in a freezer can cause condensation, internal short circuits, and further chemical instability, and it does not reverse the swelling or make the battery safe.

705
MCQmedium

A user on Windows 11 reports that their computer frequently freezes for 5–10 seconds at a time, especially when opening multiple browser tabs. The system has 8 GB of RAM and a mechanical hard drive. Which performance monitor counter should you check first to confirm the likely bottleneck?

A.% Processor Time
B.Available Mbytes
C.Avg. Disk Queue Length
D.Pages/sec
AnswerC

A high average disk queue length indicates that the disk is overwhelmed with requests, which is a classic symptom of excessive paging on a system with insufficient RAM and a slow HDD. This is the best counter to confirm the bottleneck.

Why this answer

Frequent freezing when multitasking on a system with a mechanical hard drive and limited RAM often points to excessive disk usage due to paging. The 'Avg. Disk Queue Length' counter in Performance Monitor indicates how many requests are waiting for the disk; a sustained value over 2 suggests the disk is the bottleneck, likely from swapping memory to the page file.

706
MCQeasy

After deploying a new Windows 11 update, several users complain that they can no longer access shared folders on the network. You verify that network discovery and file sharing are enabled. Which Windows security setting should you check first to resolve this issue?

A.Check if the users are in the 'Remote Desktop Users' group.
B.Verify that the 'Password Protected Sharing' option is turned off.
C.Review Windows Defender Firewall rules for 'File and Printer Sharing.'
D.Run Windows Update to install additional patches.
AnswerC

The firewall controls network traffic; if the rule is blocked, file sharing will fail.

Why this answer

After a Windows 11 update, the most common cause for losing access to shared folders—even when network discovery and file sharing are enabled—is that the Windows Defender Firewall rules for 'File and Printer Sharing' have been reset or disabled. This update often modifies firewall profiles (e.g., switching from Private to Public) or resets custom rules, blocking the NetBIOS, SMB, and RPC ports (TCP 139, 445; UDP 137, 138) required for file sharing. Checking and re-enabling these inbound rules restores connectivity.

Exam trap

The trap here is that candidates confuse 'Password Protected Sharing' (a sharing-level setting) with network-level blocking, or assume that enabling network discovery and file sharing in the GUI automatically opens all necessary firewall ports, when in fact the firewall rules are separate and often reset by updates.

How to eliminate wrong answers

Option A is wrong because the 'Remote Desktop Users' group controls RDP access, not file sharing over SMB; shared folders use SMB/CIFS, not Remote Desktop Protocol. Option B is wrong because 'Password Protected Sharing' affects whether users must have local accounts on the host to access shares, but it does not block network traffic; if it were the issue, users would see the share but be prompted for credentials, not unable to access it entirely. Option D is wrong because running Windows Update again would not fix a firewall rule that was already altered by the previous update; the problem is a configuration change, not missing patches.

707
MCQeasy

A user calls the help desk claiming they received an urgent email from the CEO asking them to purchase gift cards for a client and reply with the codes. The user is suspicious because the email address looks slightly off. What type of social engineering attack is this?

A.Shoulder surfing
B.Phishing
C.Tailgating
D.Dumpster diving
AnswerB

Phishing uses fraudulent communications, often email, to trick recipients into revealing sensitive information or performing actions like purchasing gift cards.

Why this answer

This is a phishing attack because the attacker impersonates a trusted entity (the CEO) via email to trick the user into performing a fraudulent action (purchasing gift cards and sharing codes). The suspicious email address indicates a spoofed sender, a common phishing technique that exploits trust and urgency to bypass user skepticism.

Exam trap

CompTIA A+ often tests the distinction between social engineering attack types by using a scenario that involves electronic communication (email) to trick the user, leading candidates to confuse phishing with physical or observation-based attacks like shoulder surfing or tailgating.

How to eliminate wrong answers

Option A is wrong because shoulder surfing involves directly observing a user's screen or keystrokes to steal information, not sending deceptive emails. Option C is wrong because tailgating is a physical security breach where an unauthorized person follows an authorized individual into a restricted area, unrelated to email-based deception. Option D is wrong because dumpster diving involves searching through trash for discarded sensitive documents or data, not crafting fraudulent electronic communications.

708
MCQeasy

A user reports that their Windows 10 PC is running very slowly, and they suspect a background process is consuming too much memory. Which command-line tool would you use from an elevated command prompt to identify the process with the highest memory usage?

A.tasklist /FI "MEMUSAGE gt 100000"
B.ipconfig /all
C.chkdsk /f
D.sfc /scannow
AnswerA

This command filters the task list to show only processes using more than 100,000 KB of memory, directly identifying high-memory processes.

Why this answer

Option A is correct because the `tasklist` command with the `/FI` filter `MEMUSAGE gt 100000` lists all processes whose memory usage exceeds 100,000 KB (approximately 100 MB). This allows you to quickly identify processes consuming excessive memory from an elevated command prompt, directly addressing the user's suspicion of a memory-hungry background process.

Exam trap

The trap here is that candidates may confuse `tasklist` with other diagnostic tools like `ipconfig` or `sfc`, or assume that any command with a `/f` switch (like `chkdsk /f`) is related to fixing performance issues, when in fact only `tasklist` with the correct filter can identify memory-heavy processes.

How to eliminate wrong answers

Option B is wrong because `ipconfig /all` displays detailed TCP/IP configuration information (IP addresses, MAC addresses, DHCP server, DNS servers) and has no capability to list processes or memory usage. Option C is wrong because `chkdsk /f` checks the file system and fixes disk errors on a volume; it does not interact with running processes or memory statistics. Option D is wrong because `sfc /scannow` scans and repairs protected system files, but it does not provide any information about running processes or their memory consumption.

709
MCQmedium

A user calls the help desk because their computer is running slowly and they see a fake antivirus program warning that their system is infected. The user cannot close the warning window. Which type of malware is this, and what is the best removal approach?

A.Ransomware; pay the fee to remove the warning.
B.Spyware; run a full scan in normal mode.
C.Rogue antivirus; boot into Safe Mode with Networking and run Malwarebytes.
D.Adware; uninstall the program from Control Panel.
AnswerC

Safe Mode prevents the malware from loading, and a dedicated tool can remove it.

Why this answer

The symptoms—a fake antivirus warning that cannot be closed—are classic indicators of rogue antivirus (scareware). This type of malware mimics legitimate security software to trick users into paying for unnecessary services. The best removal approach is to boot into Safe Mode with Networking, which loads only essential drivers and services, preventing the rogue program from auto-starting, then run Malwarebytes to detect and remove the threat.

Exam trap

CompTIA A+ often tests the distinction between ransomware and rogue antivirus, trapping candidates who confuse the 'pay to remove' demand with ransomware's file-encryption extortion, when the key difference is that rogue antivirus does not actually encrypt files.

How to eliminate wrong answers

Option A is wrong because ransomware typically encrypts files and demands payment for decryption, not a fake antivirus warning that can't be closed; paying the fee would not remove the malware and would only fund the attacker. Option B is wrong because spyware is designed to covertly collect personal information, not display fake warnings, and running a scan in normal mode may fail if the malware actively blocks security tools. Option D is wrong because adware usually displays pop-up ads but can often be closed or uninstalled normally; the inability to close the warning indicates a more aggressive rogue program that may not appear in the Control Panel's uninstall list.

710
MCQmedium

During a network equipment upgrade, a technician finds several old switches with visibly leaking capacitors on the circuit boards. What is the correct procedure for handling these switches?

A.Power them on to see if they still function before disposal.
B.Wear nitrile gloves, place the switches in a sealed bag, and label for e-waste recycling.
C.Use compressed air to blow out the leaked substance and then recycle the switches.
D.Dispose of the switches in the regular office recycling bin.
AnswerB

This is correct because gloves protect the technician, sealing prevents leaks, and labeling ensures proper hazardous waste handling.

Why this answer

Leaking capacitors often contain hazardous materials such as electrolytes or polychlorinated biphenyls (PCBs), which require special handling to prevent environmental contamination and personal injury. The correct procedure is to wear nitrile gloves (to avoid skin contact with corrosive or toxic substances), place the switches in a sealed bag to contain any leaked material, and label them for e-waste recycling, ensuring compliance with environmental regulations like the WEEE Directive or RCRA.

Exam trap

CompTIA often tests the misconception that visibly damaged equipment can be safely tested or cleaned with common tools, when in fact hazardous material protocols require containment and professional e-waste disposal without powering on or disturbing the leak.

How to eliminate wrong answers

Option A is wrong because powering on switches with leaking capacitors can cause short circuits, electrical fires, or further release of hazardous fumes, and it does not address proper disposal procedures. Option C is wrong because using compressed air can aerosolize hazardous electrolyte particles, leading to inhalation risks or spreading contamination, and it does not constitute safe handling or recycling. Option D is wrong because regular office recycling bins are not designed for hazardous e-waste; disposing of leaking capacitors in general waste violates environmental laws and can harm sanitation workers and the environment.

711
MCQmedium

During a macOS deployment, you need to create a bootable USB installer for macOS Sonoma to upgrade multiple iMacs. You have the 'Install macOS Sonoma' app in the Applications folder. Which command-line tool should you use to create the installer?

A.diskutil
B.asr
C.createinstallmedia
D.hdiutil
AnswerC

This is the correct command, typically used as: sudo /Applications/Install\ macOS\ Sonoma.app/Contents/Resources/createinstallmedia --volume /Volumes/MyVolume

Why this answer

The `createinstallmedia` command is the official Apple tool for creating a bootable USB installer from the 'Install macOS Sonoma' app. It is located inside the app bundle at `/Applications/Install macOS Sonoma.app/Contents/Resources/createinstallmedia` and is specifically designed for this purpose, ensuring the USB drive is properly formatted and the installer is written correctly for UEFI boot.

Exam trap

CompTIA often tests the distinction between disk management tools (`diskutil`, `hdiutil`) and the specific installer creation tool (`createinstallmedia`), leading candidates to pick `diskutil` or `hdiutil` because they are familiar with formatting drives or mounting images, but they cannot create a bootable installer from the macOS app bundle.

How to eliminate wrong answers

Option A is wrong because `diskutil` is used for managing disks and partitions (e.g., formatting, mounting, unmounting) but cannot create a bootable installer from an app bundle. Option B is wrong because `asr` (Apple Software Restore) is used for restoring disk images to volumes, not for creating bootable USB installers from macOS installer apps. Option D is wrong because `hdiutil` is used for manipulating disk images (e.g., mounting, converting, resizing DMG files) and cannot directly create a bootable USB installer from the macOS installer application.

712
MCQeasy

A technician is tasked with installing a security patch on 50 company laptops. The change management process requires a full system backup before any patch installation. During the backup of the first laptop, the backup fails due to insufficient disk space. What should the technician do?

A.Skip the backup for this laptop and proceed with the patch installation.
B.Free up disk space by deleting temporary files and retry the backup.
C.Install the patch anyway and create a manual restore point.
D.Report the failure to the change manager and request an exception.
AnswerB

This is a reasonable troubleshooting step to meet the backup requirement, and if successful, allows the technician to comply with policy.

Why this answer

Option B is correct because the change management process explicitly requires a full system backup before patch installation. Deleting temporary files is a standard, low-risk method to free disk space and retry the backup, ensuring compliance without violating policy. This approach maintains data integrity and follows the established procedure.

Exam trap

CompTIA often tests the candidate's understanding that change management policies are mandatory and must be followed, not circumvented, and that troubleshooting steps should be taken before escalating to management.

How to eliminate wrong answers

Option A is wrong because skipping the backup violates the mandatory change management requirement, risking data loss if the patch causes issues. Option C is wrong because installing the patch without a full backup and relying on a manual restore point does not satisfy the policy for a complete system backup, and a restore point may not capture all system state. Option D is wrong because reporting the failure and requesting an exception is premature; the technician should first attempt to resolve the disk space issue, as the process expects troubleshooting before escalation.

713
MCQmedium

A school district is deploying laptops to students and wants to deter theft while keeping devices usable. Which physical security control should they implement on the laptops?

A.Install a cable lock on each laptop
B.Use a laptop safe
C.Apply asset tracking tags
D.Enable a BIOS password
AnswerC

Asset tags (e.g., RFID or barcode) help track and recover stolen laptops without hindering normal use.

Why this answer

Asset tracking tags (e.g., RFID or GPS-enabled stickers) provide a non-intrusive way to monitor and recover laptops if stolen, without hindering normal use. They deter theft by enabling location tracking and inventory management, which aligns with the school's goal of keeping devices usable while reducing loss.

Exam trap

CompTIA often tests the distinction between physical controls (e.g., locks, safes, tags) and logical controls (e.g., BIOS passwords, encryption), and the trap here is confusing a BIOS password as a physical security measure when it is actually a logical access control.

How to eliminate wrong answers

Option A is wrong because a cable lock physically tethers the laptop to a desk, which restricts mobility and contradicts the requirement to keep devices usable for students who need to move between classes. Option B is wrong because a laptop safe is a stationary storage container, not a control applied to the laptop itself, and it prevents use while stored. Option D is wrong because a BIOS password is an authentication control, not a physical security control; it secures access to firmware settings but does not deter or prevent physical theft of the device.

714
MCQhard

A technician is decommissioning a server that uses a hardware RAID controller. The company policy requires that all data be destroyed, but the drives must be returned to the leasing company. Which method ensures data is unrecoverable while preserving the drives?

A.Remove the drives and use a degausser on each one.
B.Perform a secure erase using a bootable utility like DBAN.
C.Use the RAID controller's built-in 'secure erase' or 'low-level format' command.
D.Physically drill through the drive enclosures.
AnswerC

The controller's utility can access all sectors, ensuring complete data removal while keeping drives functional for return.

Why this answer

Option C is correct because the RAID controller's built-in 'secure erase' or 'low-level format' command issues the ATA Secure Erase command (or SCSI equivalent) directly to each drive, which overwrites all user-accessible data areas and often the hidden RAID metadata, making data unrecoverable. This method preserves the physical drives for return to the leasing company, as required by policy, and is the only option that both destroys data and leaves the drives functional.

Exam trap

The A+ exam often tests the misconception that a software-based overwrite tool like DBAN is sufficient for RAID arrays, but the trap here is that such tools cannot access the controller's hidden metadata or spare sectors, whereas the RAID controller's built-in secure erase command ensures complete data destruction at the physical drive level.

How to eliminate wrong answers

Option A is wrong because degaussing a hard drive destroys the magnetic platters, rendering the drive permanently non-functional and unreturnable to the leasing company. Option B is wrong because DBAN (Darik's Boot and Nuke) performs a software-based overwrite that may not reach the RAID controller's hidden metadata or spare sectors, and it requires the drives to be removed from the RAID controller or the controller to be in pass-through mode, which is often impractical. Option D is wrong because physically drilling through the drive enclosures destroys the drives, making them impossible to return to the leasing company, and violates the policy of preserving the drives.

715
MCQmedium

A technician is troubleshooting a Windows 10 PC that shows a black screen with a movable mouse cursor after boot. The user can press Ctrl+Alt+Del and launch Task Manager. Which Control Panel or Settings tool should be used to repair the system files that may be corrupted?

A.System Properties > System Protection
B.Device Manager
C.Administrative Tools > Computer Management
D.Settings > Update & Security > Troubleshoot
AnswerA

System Protection allows you to perform a System Restore or configure restore points, which can fix corruption caused by recent changes.

Why this answer

The black screen with a movable mouse cursor after boot, combined with the ability to launch Task Manager via Ctrl+Alt+Del, indicates that the Windows shell (explorer.exe) may be failing to load due to corrupted system files. System Properties > System Protection provides access to System Restore, which can revert system files and registry settings to a previous known-good state, effectively repairing corruption without affecting user data. This tool leverages Volume Shadow Copy snapshots to restore critical system files, making it the appropriate choice for this scenario.

Exam trap

The trap here is that candidates confuse 'System Restore' (accessed via System Properties > System Protection) with 'Reset this PC' or 'Troubleshoot' (found in Settings > Update & Security), leading them to choose Option D, but System Restore is the correct tool for reverting system file corruption without reinstalling Windows.

How to eliminate wrong answers

Option B (Device Manager) is wrong because it is used to manage hardware drivers and devices, not to repair corrupted system files or restore the operating system to a previous state. Option C (Administrative Tools > Computer Management) is wrong because it provides access to tools like Event Viewer, Disk Management, and Services, but does not include a direct mechanism to repair corrupted system files or perform a system restore. Option D (Settings > Update & Security > Troubleshoot) is wrong because it offers automated troubleshooters for common issues (e.g., network, audio) and includes the 'Reset this PC' option, but it does not provide System Restore functionality; System Restore is accessed via System Properties, not through the Troubleshoot page.

716
MCQhard

A company is migrating from Windows 7 to Windows 10 and needs to automate the installation of 200 workstations with identical software and settings. They have a reference computer already configured. Which Windows tool should they use to capture and deploy a custom system image?

A.Windows System Image Manager (Windows SIM)
B.System Preparation Tool (Sysprep)
C.Windows Recovery Environment (WinRE)
D.Windows Backup and Restore
AnswerB

Sysprep prepares the reference installation for imaging by generalizing it, which is the first step in creating a deployable image.

Why this answer

Sysprep is the correct tool because it generalizes a Windows installation by removing unique system identifiers (such as the computer SID, computer name, and driver caches) so that the reference computer’s image can be safely captured and deployed to multiple workstations. After Sysprep runs with the /generalize option, the image is captured using a tool like DISM or ImageX, then deployed to 200 identical workstations, ensuring each machine generates its own unique SID and settings on first boot.

Exam trap

The trap here is that candidates confuse Sysprep with Windows SIM, thinking that creating an answer file is the same as capturing an image, but Sysprep is the prerequisite generalization step that makes the image safe for cloning, while Windows SIM only creates automation scripts.

How to eliminate wrong answers

Option A is wrong because Windows System Image Manager (Windows SIM) is used to create unattended answer files (Unattend.xml) that automate installation settings, not to capture or deploy a system image. Option C is wrong because Windows Recovery Environment (WinRE) is a diagnostic and recovery platform for repairing a broken OS, not a tool for capturing or deploying a custom image. Option D is wrong because Windows Backup and Restore creates file-level or system-state backups, not a hardware-independent, deployable system image suitable for cloning to multiple workstations.

717
MCQmedium

A technician is troubleshooting a Windows 10 workstation that displays a fake security alert claiming the system is infected and prompting the user to call a toll-free number. The user cannot close the alert window or open Task Manager. Which type of malware is causing this behavior, and what is the best removal approach?

A.It is a rootkit; use a rootkit removal tool from within Windows.
B.It is ransomware; pay the fee to remove the alert.
C.It is a tech support scam; boot into Safe Mode with Networking and run an anti-malware scan.
D.It is a worm; disconnect the network and reinstall the operating system.
AnswerC

Safe Mode prevents the scam from running, and an anti-malware scan can remove the associated files and registry entries.

Why this answer

The fake security alert that cannot be closed and blocks Task Manager is a classic tech support scam, not actual malware that encrypts files or hides deep in the system. Booting into Safe Mode with Networking loads only essential drivers and services, bypassing the scam's persistence mechanism, and allows an anti-malware scan to remove the malicious files and registry entries.

Exam trap

Cisco often tests the distinction between ransomware (which encrypts data) and tech support scams (which only display fake alerts), leading candidates to confuse the visible popup with actual file-encrypting malware.

How to eliminate wrong answers

Option A is wrong because a rootkit hides its presence by intercepting system calls at the kernel level, whereas this alert is a visible, user-mode popup that blocks Task Manager via simple registry or Group Policy changes, not kernel-level hooks. Option B is wrong because ransomware encrypts user files and demands payment for decryption, but this alert does not encrypt anything—it only displays a fraudulent message to trick the user into calling a phone number. Option D is wrong because a worm self-replicates across networks without user interaction, while this alert is a standalone scam that does not spread; reinstalling the OS is unnecessary when a targeted removal from Safe Mode suffices.

718
MCQeasy

A user reports that their workstation is running slowly and they see frequent pop-up ads even when no browser is open. They also notice a new toolbar in their system tray that they did not install. What is the most likely security issue?

A.A rootkit has hidden itself in the kernel.
B.The system has adware installed.
C.A ransomware encryption process has started.
D.The user's account has been phished and credentials stolen.
AnswerB

Adware commonly causes pop-up ads, slow performance, and unwanted toolbars, matching the symptoms exactly.

Why this answer

Adware is a type of malware that displays unwanted advertisements, often in the form of pop-ups or browser redirects, and may install toolbars or other unwanted software without the user's consent. The presence of a new toolbar in the system tray and frequent pop-ups even when no browser is open are classic indicators of adware infection, as adware often runs background processes to generate revenue through ad impressions.

Exam trap

The distinction between adware and other malware types is a common test point in CompTIA A+. Candidates may confuse adware with a rootkit because both can be persistent, but rootkits are stealthy and do not produce visible ads or toolbars.

How to eliminate wrong answers

Option A is wrong because a rootkit is designed to hide its presence and maintain privileged access at the kernel level, not to display pop-up ads or install visible toolbars; rootkits typically avoid drawing attention. Option C is wrong because ransomware typically encrypts files and displays a ransom note, not pop-up ads or toolbars, and the system would show signs of file encryption or lock screen rather than slow performance with ads. Option D is wrong because phishing and credential theft lead to unauthorized access to accounts, not the installation of adware or the appearance of pop-up ads and toolbars on the local workstation.

719
MCQhard

A technician is deploying a new point-of-sale system in a busy retail store. The store manager insists on a specific configuration that the technician knows will cause data security vulnerabilities. Which of the following is the BEST course of action?

A.Implement the configuration as requested to keep the manager happy.
B.Refuse to do the work and walk away.
C.Explain the security risks in non-technical terms and propose a secure alternative that meets their needs.
D.Secretly implement a secure configuration and tell the manager it's what they asked for.
AnswerC

This demonstrates professionalism by educating the client and offering a solution.

Why this answer

Option C is correct because it aligns with the CompTIA A+ objective of balancing security with business needs. The technician must communicate the security risks of the manager's requested configuration (e.g., using default credentials or disabling encryption on the POS system) in non-technical terms, then propose a secure alternative that still meets the operational requirements, such as using WPA3 with a strong passphrase instead of an open Wi-Fi network. This approach maintains professionalism, avoids data breaches, and preserves the working relationship.

Exam trap

CompTIA often tests the trap that candidates choose Option A (compliance with authority) or Option B (rigid refusal) instead of the balanced, professional approach of explaining risks and proposing alternatives, which is the core of CompTIA's 'Communication and Professionalism' domain.

How to eliminate wrong answers

Option A is wrong because implementing an insecure configuration knowingly violates the technician's ethical and professional responsibility to protect sensitive payment card data, potentially leading to PCI DSS non-compliance and data breaches. Option B is wrong because walking away without attempting to educate the manager or offer a secure alternative is unprofessional and fails to resolve the issue, leaving the store vulnerable. Option D is wrong because secretly implementing a different configuration undermines trust and could cause operational issues if the manager discovers the change, and it does not address the root cause of the manager's misunderstanding.

720
MCQmedium

During a security audit, you find that a configuration file /etc/app/config.cfg has permissions -rwxrwxrwx. What command should you run to restrict it so only the owner can read and write, and the group can read, while others have no access?

A.chmod 640 /etc/app/config.cfg
B.chmod 750 /etc/app/config.cfg
C.chmod 644 /etc/app/config.cfg
D.chmod 600 /etc/app/config.cfg
AnswerA

640 gives owner read/write, group read, and others no access, matching the requirement.

Why this answer

The correct answer is A because the requirement is to set permissions so the owner can read and write (6), the group can read (4), and others have no access (0). The octal representation 640 achieves exactly this: 6 (rw-) for owner, 4 (r--) for group, and 0 (---) for others. This matches the security policy of restricting access to only the owner and group read access.

Exam trap

CompTIA often tests the distinction between 644 and 640, where candidates mistakenly choose 644 because they forget that 'others have no access' means the last digit must be 0, not 4.

How to eliminate wrong answers

Option B (750) is wrong because it grants the group execute permission (5) and others no access, but the requirement specifies group should only have read access, not execute. Option C (644) is wrong because it grants others read access (4), violating the requirement that others have no access. Option D (600) is wrong because it grants the group no access (0), but the requirement specifies the group should have read access.

721
MCQmedium

A user reports that their browser displays a warning saying 'Your connection is not private' when visiting a frequently used banking site. After checking, you see the certificate error is for a different domain. What is the most likely cause?

A.The user's system date and time are incorrect
B.The website's SSL certificate has expired
C.A malicious proxy or DNS hijacking is redirecting traffic to a fake site
D.The browser needs to be updated to the latest version
AnswerC

A man-in-the-middle attack can present a certificate for a different domain, indicating redirection to a fraudulent site.

Why this answer

The certificate error for a different domain indicates that the browser is being directed to a server whose SSL certificate does not match the expected banking site's domain. This is a classic sign of a man-in-the-middle attack, often caused by malicious proxy or DNS hijacking, where traffic is redirected to a fraudulent server presenting a certificate for a different domain.

Exam trap

CompTIA often tests the distinction between certificate errors caused by date/time issues versus domain mismatches, and the trap here is that candidates may confuse a 'different domain' error with a simple expired certificate or browser update issue.

How to eliminate wrong answers

Option A is wrong because an incorrect system date and time would cause a certificate validity error (e.g., 'not yet valid' or 'expired'), but the error would still reference the correct domain, not a different one. Option B is wrong because an expired SSL certificate would produce a warning about the certificate being out of date, but the domain in the certificate would still match the banking site's domain. Option D is wrong because an outdated browser might lack support for newer TLS versions or cipher suites, but it would not cause a certificate domain mismatch; the error would typically be about protocol or cipher incompatibility, not a different domain.

722
MCQmedium

A company is moving to a new office and wants to secure its server room against both unauthorized entry and environmental hazards. Which combination of physical controls should be implemented?

A.A key lock and a fire extinguisher
B.An electronic badge reader and a temperature sensor
C.A biometric scanner and a security camera
D.A combination lock and a humidity monitor
AnswerB

The badge reader controls and logs access; the temperature sensor monitors environmental conditions to prevent overheating.

Why this answer

Option B is correct because the question requires controls that address both unauthorized entry (electronic badge reader) and environmental hazards (temperature sensor). An electronic badge reader provides access control by authenticating users before entry, while a temperature sensor monitors environmental conditions to detect overheating or fire risks, enabling proactive responses to protect server equipment.

Exam trap

The trap here is that candidates pick options that address only one of the two required categories (unauthorized entry or environmental hazards) instead of both.

How to eliminate wrong answers

Option A is wrong because a key lock only addresses unauthorized entry but does not monitor environmental hazards; a fire extinguisher is a reactive suppression tool, not a proactive environmental monitoring control. Option C is wrong because a biometric scanner and security camera both address unauthorized entry and surveillance, but neither monitors environmental hazards like temperature, humidity, or smoke. Option D is wrong because a combination lock addresses unauthorized entry, but a humidity monitor only addresses one environmental hazard (humidity) and does not cover other critical hazards like temperature or fire; the question asks for a combination that secures against both unauthorized entry and environmental hazards, and humidity alone is insufficient.

723
MCQmedium

A small business owner wants to replace their old wireless router because guests have been using the network to access inappropriate content. The owner wants to isolate guest traffic from the main business network and enforce content filtering. Which combination of wireless security and features should the technician recommend?

A.WPA3-Personal with MAC address filtering.
B.WPA2-PSK with a guest network enabled and content filtering via OpenDNS.
C.WPA2-Enterprise with a RADIUS server and no guest network.
D.WEP encryption with a hidden SSID.
AnswerB

A guest network isolates traffic, and DNS-based content filtering blocks inappropriate sites.

Why this answer

Option B is correct because WPA2-PSK with a guest network creates a separate VLAN or subnet that isolates guest traffic from the main business network, preventing guests from accessing internal resources. Content filtering via OpenDNS provides DNS-level filtering to block inappropriate content without requiring additional hardware, addressing both isolation and content control requirements.

Exam trap

The trap here is that candidates often choose WPA3-Personal or WPA2-Enterprise thinking stronger encryption equals better security, but the question specifically requires guest isolation and content filtering, which are features of a guest network and DNS-level filtering, not of the authentication protocol itself.

How to eliminate wrong answers

Option A is wrong because WPA3-Personal uses a shared passphrase and does not inherently isolate guest traffic; MAC address filtering is easily bypassed by spoofing and does not enforce content filtering. Option C is wrong because WPA2-Enterprise with a RADIUS server provides strong authentication but does not include a guest network, so guest traffic would still mix with the main network, and it lacks content filtering capabilities. Option D is wrong because WEP encryption is deprecated and easily cracked within minutes using tools like aircrack-ng; hiding the SSID only prevents casual discovery but does not isolate traffic or filter content.

724
MCQhard

A technician is installing a new UPS (Uninterruptible Power Supply) in a server rack. The UPS is heavy and must be mounted securely. What is the most important safety consideration during installation?

A.Ensure the UPS is connected to a grounded outlet before mounting.
B.Use a lifting team or mechanical lift to position the UPS.
C.Verify that the UPS batteries are charged before installation.
D.Install the UPS at the top of the rack for better airflow.
AnswerB

This is correct. UPS units are heavy and require proper lifting equipment or multiple people to avoid back injury or dropping the unit.

Why this answer

The UPS is a heavy piece of equipment, and improper lifting can cause serious injury or damage. Using a lifting team or mechanical lift ensures safe handling and prevents back strain, crush injuries, or dropping the unit, which is the primary safety concern during physical installation.

Exam trap

The trap here is that candidates focus on electrical safety (grounding) or operational readiness (battery charge) instead of recognizing that the immediate physical hazard of moving a heavy object is the most critical safety consideration during installation.

How to eliminate wrong answers

Option A is wrong because grounding is an electrical safety step, but it is not the most important consideration during the physical mounting of a heavy UPS; the immediate risk of injury from lifting outweighs electrical concerns at this stage. Option C is wrong because verifying battery charge is a functional check, not a safety consideration during installation; batteries can be charged after the unit is securely mounted. Option D is wrong because installing the UPS at the top of the rack creates a top-heavy stability hazard and makes lifting more dangerous; heavy components should be mounted low in the rack for stability.

725
MCQmedium

A technician needs to deploy a custom script to 50 Windows 10 workstations during an automated software installation. The script must run with administrative privileges. Which command-line tool should be used to execute the script with elevated rights from a batch file?

A.msiexec /i package.msi
B.wmic os get name
C.runas /user:Administrator script.bat
D.schtasks /create
AnswerC

Correct. runas executes the script under the Administrator account, ensuring necessary permissions.

Why this answer

Option C is correct because the `runas` command allows executing a script with administrative privileges by specifying the `/user:Administrator` parameter, which prompts for the administrator password and runs the script in a security context with elevated rights. This is the appropriate tool for running a custom script with administrative privileges from a batch file during an automated deployment.

Exam trap

CompTIA often tests the distinction between tools that execute commands immediately with elevation (runas) versus tools that schedule tasks (schtasks) or install packages (msiexec), leading candidates to confuse scheduling with immediate execution.

How to eliminate wrong answers

Option A is wrong because `msiexec /i package.msi` is used to install Windows Installer (.msi) packages, not to execute arbitrary scripts with elevated rights; it does not provide a mechanism to run a custom script. Option B is wrong because `wmic os get name` retrieves the operating system name via WMI and does not execute scripts or elevate privileges. Option D is wrong because `schtasks /create` schedules a task for later execution but does not immediately run a script with administrative privileges from a batch file; it requires additional configuration and does not provide a direct interactive elevation prompt.

726
MCQmedium

A technician is removing malware from a Windows 10 PC and wants to ensure that no remnants remain in the registry or startup folders. After running an antivirus scan and deleting infected files, which additional step should the technician perform?

A.Run the Windows Memory Diagnostic tool.
B.Check and clean startup entries using MSConfig or Autoruns.
C.Disable System Restore to free up disk space.
D.Update all device drivers to the latest versions.
AnswerB

Startup entries are a common persistence mechanism; cleaning them ensures the malware does not restart with the system.

Why this answer

After removing malware, it is critical to check and clean startup entries using tools like MSConfig or Autoruns to prevent the malware from reloading on reboot. Malware often adds entries to the registry Run keys or the Startup folder to persist. Simply deleting files may leave these entries intact, allowing the malware to reinstall itself.

727
MCQeasy

A user reports that after a recent Windows update, the 'Local Users and Groups' snap-in is missing from the Computer Management console. The user needs to add a new local user account. Which administrative tool should be used to complete this task?

A.Run lusrmgr.msc from the Run dialog.
B.Open the Services console (services.msc) and restart the 'User Manager' service.
C.Use the Disk Management tool to create a new user volume.
D.Open the Registry Editor and modify the SAM registry hive.
AnswerA

Correct. lusrmgr.msc launches the Local Users and Groups snap-in directly, allowing user account creation.

Why this answer

The 'Local Users and Groups' snap-in is a Microsoft Management Console (MMC) component that can be launched directly by running lusrmgr.msc from the Run dialog. This command opens the Local Users and Groups manager, which allows you to create, modify, and delete local user accounts and groups without needing the Computer Management console. Since the snap-in is missing from the console due to the update, using the standalone MMC command is the correct workaround.

Exam trap

The exam often tests the misconception that missing snap-ins require service restarts or registry edits, but the correct approach is to use the standalone MMC command for the specific snap-in.

How to eliminate wrong answers

Option B is wrong because there is no 'User Manager' service in Windows; the Local Users and Groups functionality is not a service that can be restarted via services.msc. Option C is wrong because Disk Management is used for managing disk partitions and volumes, not for creating user accounts. Option D is wrong because directly editing the SAM registry hive is unsupported, dangerous, and not a standard administrative tool for adding user accounts; it can corrupt the security database.

728
MCQhard

A company is migrating to a new cloud-based system and needs to dispose of old tape backup cartridges that contain years of financial data. The tapes are magnetic media. Which disposal method is most appropriate for this media type?

A.Overwrite the tapes with a bulk eraser.
B.Reformat the tapes using a tape drive.
C.Incinerate the tapes in a certified facility.
D.Delete the files from the tape catalog.
AnswerA

A bulk eraser (degausser) is designed for magnetic tape and will completely erase the data. This is the standard method for tape disposal.

Why this answer

Magnetic tape is best destroyed by degaussing, which disrupts the magnetic domains, or by physical shredding. Degaussing is fast and effective for tape, but it renders the tape unusable. Shredding is also acceptable.

729
MCQhard

A technician is troubleshooting an Android phone that cannot connect to Wi-Fi networks, even though other devices connect fine. The technician notices that the phone's MAC address is displayed as '02:00:00:00:00:00' in the Wi-Fi settings. Which feature is likely causing this, and how should it be resolved?

A.The phone is using a static IP configuration; change it to DHCP.
B.The Wi-Fi hardware is faulty; the phone needs repair.
C.The phone has a randomized MAC address enabled; disable it for the network.
D.The phone is in Airplane Mode; turn it off.
AnswerC

Android 10+ uses randomized MACs by default to enhance privacy; the address shown is a randomized one, and disabling it for that network can fix connection issues.

Why this answer

The MAC address '02:00:00:00:00:00' is a well-known randomized MAC address (the second hex digit '2' indicates a locally administered, unicast address per IEEE 802 standards). Android devices use MAC randomization by default to enhance privacy, but this can cause connectivity issues on networks that filter or authenticate by MAC address. Disabling randomization for the specific network allows the phone to use its permanent MAC address, resolving the connection problem.

Exam trap

On the CompTIA A+ exam, the randomized MAC address (especially '02:00:00:00:00:00') is a privacy feature, not a hardware fault. Candidates often mistakenly choose hardware failure or static IP issues.

How to eliminate wrong answers

Option A is wrong because a static IP configuration does not cause the MAC address to display as '02:00:00:00:00:00'; that address is a randomized MAC, not related to DHCP vs. static IP. Option B is wrong because a faulty Wi-Fi hardware would typically show no MAC address or an error, not a specific randomized MAC like '02:00:00:00:00:00', and other devices connect fine, ruling out a network-side issue. Option D is wrong because Airplane Mode disables all wireless radios, so the phone would not show any Wi-Fi networks or a MAC address in Wi-Fi settings; it would show 'Wi-Fi off' or similar.

730
MCQeasy

A user calls the help desk complaining that their browser homepage keeps changing to a site they did not set, and they cannot change it back. You remotely check and find no malware. What is the most likely cause?

A.The user's browser profile is corrupted.
B.A recently installed program modified the browser settings during installation.
C.The user's DNS settings are being hijacked by the ISP.
D.The browser's shortcut target is pointing to a different URL.
AnswerB

Many free applications bundle browser modifications; if the user did not uncheck those options, the homepage changes.

Why this answer

Option B is correct because many legitimate software installers include bundled programs or browser extensions that modify the default homepage, search provider, or new tab page as part of their installation routine. Even without malware, these changes are often made via registry keys (e.g., HKCU\Software\Microsoft\Internet Explorer\Main\Start Page) or browser policy files, and the user may not have unchecked the relevant option during setup. Since no malware was found, a recently installed program is the most likely cause of the unwanted homepage change.

Exam trap

The trap here is that candidates often assume any unwanted homepage change must be malware, but CompTIA tests the concept that legitimate software can alter browser settings during installation, and the absence of malware points to a non-malicious program as the cause.

How to eliminate wrong answers

Option A is wrong because a corrupted browser profile typically causes crashes, missing bookmarks, or sync errors, not a persistent homepage change that the user cannot revert. Option C is wrong because ISP DNS hijacking redirects all DNS queries for a domain to a different IP, which would affect navigation to any site, not just change the browser's homepage setting; the homepage is a local browser preference, not a DNS resolution issue. Option D is wrong because a modified shortcut target would only affect the homepage if the browser is launched with a command-line argument (e.g., --homepage URL), but the user would still be able to change the homepage within the browser settings; the shortcut target does not override the internal browser preference unless explicitly configured that way.

731
MCQeasy

A customer calls the help desk saying their remote desktop session to the office workstation keeps disconnecting after a few minutes. They are using a standard RDP client over the internet. What should the technician check first?

A.Verify that the user's local antivirus is not blocking RDP traffic.
B.Check the remote workstation's power settings to ensure it is not going to sleep.
C.Review the Remote Desktop Session Host configuration for idle session time limits.
D.Reinstall the RDP client on the user's home computer.
AnswerC

Idle time limits disconnect sessions after a period of inactivity. This matches the symptom of disconnecting after a few minutes.

Why this answer

The user's RDP session disconnects after a few minutes, which is a classic symptom of an idle session timeout enforced by the Remote Desktop Session Host (RD Session Host) or Group Policy. By default, Windows Server RDS roles have an idle session limit (often 15 minutes) that disconnects inactive sessions to free resources. Checking this configuration directly addresses the symptom, whereas other options target less likely causes for a consistent, time-based disconnect.

Exam trap

The trap here is that candidates often blame the client or local network (options A or D) for a disconnect, but CompTIA tests your understanding that server-side session timeout policies are the most common cause of periodic, predictable RDP disconnections over the internet.

How to eliminate wrong answers

Option A is wrong because local antivirus typically blocks RDP at connection time (e.g., port 3389) with a persistent failure, not a delayed disconnect after minutes of use. Option B is wrong because the remote workstation's power settings would cause the entire machine to sleep, dropping all network connectivity instantly, not just the RDP session after a few minutes of activity. Option D is wrong because reinstalling the RDP client would not resolve a server-side timeout policy; the client software is not the cause of a consistent, timed disconnect.

732
MCQeasy

A user reports that they cannot execute a custom shell script they placed in their home directory, even though they can read and write to it. The script has permissions -rw-r--r--. Which command should you use to resolve this issue?

A.chmod 644 script.sh
B.chmod 755 script.sh
C.chmod 777 script.sh
D.chmod u+x script.sh
AnswerB

755 gives the owner read, write, and execute, and group/others read and execute, which allows the user to execute the script.

Why this answer

The script has permissions -rw-r--r-- (644), which does not include execute for anyone. The correct command is chmod 755 script.sh (option B), which sets rwxr-xr-x, allowing the owner to execute (and others to read/execute). Option D (chmod u+x) also adds execute for the owner, resulting in -rwxr--r-- (744), which does allow the user to run the script.

However, in the context of this question, the expected best practice is to use chmod 755, as it is the standard for executable scripts and ensures group/others have minimum necessary read/execute. Option D is considered incorrect because it only adds execute for the owner without adjusting group/others, which is not the typical recommended approach.

Exam trap

CompTIA often tests the distinction between making a file executable (adding the x bit) and the specific octal values; candidates may incorrectly choose chmod 644 (which only sets read/write) or chmod 777 (which grants excessive permissions) because they confuse 'readable' with 'executable' or overcorrect with full permissions.

How to eliminate wrong answers

Option A is wrong because chmod 644 sets permissions to -rw-r--r--, which is exactly the current non-executable state and does not add execute permission. Option C is wrong because chmod 777 sets permissions to -rwxrwxrwx, which grants full read, write, and execute to all users, violating the principle of least privilege and creating a security risk. Option D is wrong because chmod u+x only adds execute permission for the owner, resulting in -rwxr--r-- (744), which would technically work but is not the best practice; the question asks for the command to resolve the issue, and 755 is the standard recommended permission for scripts that need to be executed by the owner and possibly others, while u+x is a valid but less common approach that does not match the typical exam answer.

733
MCQhard

A technician is decommissioning a RAID array of 10 hard drives that contained sensitive HR data. The company policy requires that data be destroyed without removing individual drives from the array. Which method is most appropriate?

A.Remove each drive and use a hammer to break the platters.
B.Use a degausser that can accommodate the entire array chassis.
C.Perform a secure erase on each drive via the RAID controller.
D.Reformat the array and reuse it for non-sensitive data.
AnswerB

A degausser can destroy data on all magnetic drives simultaneously without removal, though it may damage the controller—acceptable for decommissioning.

Why this answer

The correct answer is to use a degausser designed for large media, which can destroy data on all drives simultaneously without disassembly. However, this may damage the RAID controller. Alternatively, a bulk eraser could be used.

This question tests understanding of bulk destruction methods for RAID arrays.

734
MCQmedium

A company policy requires that all workstations must have Windows Firewall enabled. You check a user's PC and find the firewall is off. Which Control Panel applet would you use to turn it back on?

A.Security and Maintenance
B.Windows Defender Firewall
C.Network and Sharing Center
D.System
AnswerB

This applet provides full control over firewall settings, including turning it on or off for domain, private, and public networks.

Why this answer

The Windows Defender Firewall applet (Option B) is the dedicated Control Panel interface for managing Windows Firewall settings, including turning the firewall on or off. Since the question specifically asks which applet to use to enable the firewall, this is the correct tool. Other applets may display firewall status but do not provide the direct toggle to enable or disable the firewall.

Exam trap

The trap here is that candidates often confuse Security and Maintenance (which shows a warning about the firewall being off) with the actual tool needed to fix the issue, leading them to select Option A instead of the correct Windows Defender Firewall applet.

How to eliminate wrong answers

Option A (Security and Maintenance) is wrong because it only reports the firewall status and provides a link to the Windows Defender Firewall applet, but does not contain the actual toggle to turn the firewall on or off. Option C (Network and Sharing Center) is wrong because it is used for managing network connections, adapters, and sharing settings, not for enabling or disabling the Windows Firewall. Option D (System) is wrong because it displays basic system information, hardware specs, and allows management of system properties like remote settings and device names, with no firewall controls.

735
MCQeasy

A user's computer is infected with adware that changes the browser homepage and displays constant pop-ups. After removing the adware with an antivirus, the homepage remains changed. What additional remediation step should you take?

A.Reinstall the operating system
B.Reset the browser settings to default
C.Run a disk cleanup utility
D.Update the antivirus definitions and scan again
AnswerB

Resetting the browser clears all adware-induced changes, restoring the homepage and removing unwanted extensions.

Why this answer

After adware removal, the browser's homepage and settings are often stored in the browser's configuration files or registry keys that the antivirus does not reset. Resetting the browser settings to default restores the homepage, search engine, and new tab page to their original state, clearing any persistent malicious configurations left behind by the adware.

Exam trap

CompTIA often tests the misconception that a full OS reinstall is required for any persistent malware symptom, but the trap here is that the issue is a configuration change, not an active infection, so a targeted browser reset is sufficient.

How to eliminate wrong answers

Option A is wrong because reinstalling the operating system is an extreme measure that is unnecessary when the issue is isolated to the browser's settings; it would also delete user data and applications. Option C is wrong because a disk cleanup utility only removes temporary files and frees up disk space, it does not modify browser configuration settings or registry entries that control the homepage. Option D is wrong because updating antivirus definitions and scanning again would only detect and remove remaining malware files, but the adware has already been removed; the persistent homepage change is a configuration artifact, not an active infection.

736
MCQmedium

During a security audit, you discover that a user’s Windows 10 device has allowed multiple failed login attempts without locking the account. Which policy should you adjust to enforce account lockout after 5 failed attempts?

A.Password Policy – Minimum password length
B.Account Lockout Policy – Account lockout threshold
C.User Rights Assignment – Deny log on locally
D.Security Options – Interactive logon: Message text for users attempting to log on
AnswerB

This setting defines the number of failed logins allowed before the account is locked.

Why this answer

The Account Lockout Policy – Account lockout threshold setting directly controls the number of failed logon attempts allowed before the account is locked. By setting this value to 5, the system will enforce a lockout after exactly five incorrect password entries, preventing further brute-force attempts until an administrator unlocks the account or the lockout duration expires.

Exam trap

The CompTIA A+ exam often tests the distinction between password policy settings (which govern password complexity and length) and account lockout policy settings (which govern failed attempt limits), leading candidates to mistakenly choose Password Policy options when the question is about lockout enforcement.

How to eliminate wrong answers

Option A is wrong because Minimum password length only enforces the number of characters required in a password, not the number of failed attempts before lockout. Option C is wrong because User Rights Assignment – Deny log on locally controls which users or groups are prohibited from logging on at the console, not the failed attempt count. Option D is wrong because Interactive logon: Message text for users attempting to log on sets a legal or informational banner displayed before logon, but does not affect account lockout behavior.

737
MCQmedium

You are configuring a new Windows 10 computer for a user who frequently downloads files from the internet. To reduce the risk of malware, you want to block the execution of downloaded files from the internet until they are scanned by antivirus. Which Windows feature should you enable?

A.Windows Defender Firewall
B.Windows Defender Application Guard
C.BitLocker Drive Encryption
D.User Account Control (UAC)
AnswerB

Windows Defender Application Guard runs untrusted files in an isolated container but does not block execution until scanning; it allows execution within a sandbox.

Why this answer

None of the listed options correctly address the requirement. The feature that blocks execution of downloaded files until they are scanned is Windows Defender SmartScreen or Windows Defender Antivirus real-time protection. Windows Defender Application Guard isolates files in a sandbox but does not block execution pending scan; it allows execution but in a container.

Windows Defender Firewall controls network traffic, BitLocker encrypts drives, and UAC prompts for elevation but does not scan files.

Exam trap

Candidates may confuse Application Guard's sandboxing with pre-execution scanning. However, the specific feature for blocking execution until scan is SmartScreen, which is not listed here.

How to eliminate wrong answers

Option A is wrong because Windows Defender Firewall controls network traffic based on rules (e.g., blocking inbound/outbound connections) but does not inspect or block execution of downloaded files on the local system. Option C is wrong because BitLocker Drive Encryption provides full-disk encryption to protect data at rest but has no mechanism to scan or block execution of downloaded files. Option D is wrong because User Account Control (UAC) prompts for administrative consent before system-level changes but does not scan or block execution of user-downloaded files from the internet.

738
MCQhard

A technician is working in a server room and notices a small fire starting in a power strip. What type of fire extinguisher should be used?

A.Class A fire extinguisher (water).
B.Class B fire extinguisher (CO2).
C.Class C fire extinguisher (dry chemical).
D.Class D fire extinguisher (metal).
AnswerC

Class C extinguishers are designed for electrical fires. They use non-conductive agents to safely extinguish the fire without risk of shock.

Why this answer

A small fire in a power strip involves energized electrical equipment. Class C fire extinguishers (dry chemical) are specifically designed for electrical fires because the dry chemical agent is non-conductive, preventing the risk of electric shock. Using a water-based extinguisher (Class A) or CO2 (Class B) on live electrical equipment can cause electrocution or damage, while Class D is for combustible metals.

Exam trap

CompTIA often tests the distinction between Class B and Class C extinguishers, trapping candidates who mistakenly think CO2 (Class B) is safe for electrical fires because it is non-conductive, but CO2 is not rated for electrical fires and can cause cold shock to components.

How to eliminate wrong answers

Option A is wrong because Class A water extinguishers conduct electricity, posing a severe electrocution hazard on live electrical equipment. Option B is wrong because Class B CO2 extinguishers are primarily for flammable liquids and gases, not for electrical fires; CO2 can also cause thermal shock to sensitive electronics. Option D is wrong because Class D extinguishers are specifically for combustible metal fires (e.g., magnesium, sodium) and are not applicable to electrical fires involving a power strip.

739
MCQeasy

A user calls the help desk, frustrated that their laptop 'keeps freezing' during video conferences. They admit they have 15 browser tabs open, are running a resource-heavy design app, and have not restarted the laptop in three weeks. The technician needs to recommend a solution while maintaining professionalism. What should the technician say first?

A."You need to close some tabs and restart your laptop immediately."
B."I understand that's frustrating. Let's look at what might be causing this. Have you noticed it happens when certain programs are open?"
C."That's because you never restart your computer. You should do that weekly."
D."Let me transfer you to our advanced support team for this issue."
AnswerB

This shows empathy and invites collaboration, aligning with best practices for professional communication.

Why this answer

Option B is correct because it first validates the user's frustration (professionalism) and then uses a probing question to gather diagnostic data about the specific conditions causing the freezing. This aligns with the CompTIA A+ troubleshooting methodology (identify the problem) and maintains rapport, which is critical for customer satisfaction. The technician avoids premature blame or dismissal, instead focusing on correlating the symptom (freezing) with resource contention from the browser tabs and design app.

Exam trap

CompTIA often tests the candidate's ability to prioritize professional communication over technical action; the trap here is that many candidates jump to a technical fix (Option A or C) instead of first acknowledging the user's issue and gathering information, which is the correct first step in the troubleshooting process.

How to eliminate wrong answers

Option A is wrong because it issues a direct command without acknowledging the user's frustration or gathering additional context, which violates professional communication standards and may escalate the user's frustration. Option C is wrong because it blames the user for not restarting, which is unprofessional and dismissive; it also assumes the root cause without verifying whether the freezing is due to memory leaks, driver issues, or thermal throttling. Option D is wrong because it escalates prematurely without attempting basic triage; the issue is likely within the technician's scope (resource management and reboot), and transferring without effort wastes time and frustrates the user further.

740
MCQeasy

A user reports that after a Windows update, their default browser keeps resetting to Microsoft Edge every time they restart the computer. They need to keep Google Chrome as the default. Which Control Panel or Settings applet should you use to permanently change this setting?

A.Programs and Features
B.Default Apps
C.Internet Options
D.Device Manager
AnswerB

Default Apps in Settings allows you to set default programs for web browsing, email, and other activities, and these settings are preserved after updates.

Why this answer

The Default Apps settings page (Settings > Apps > Default Apps) is the correct location in Windows 10/11 to permanently set Google Chrome as the default browser. This applet allows you to choose a specific browser for the HTTP, HTTPS, and .HTM/.HTML file associations. After a Windows update, these associations can be reset to Microsoft Edge; re-selecting Chrome here and confirming the change ensures the setting persists across reboots.

Exam trap

The trap here is that candidates confuse the 'Set your default programs' link inside Internet Options with the actual Default Apps page, not realizing that Internet Options only provides a shortcut to the same Settings page and does not itself store or manage the association data.

How to eliminate wrong answers

Option A (Programs and Features) is wrong because it is used for uninstalling, changing, or repairing installed programs, not for configuring file or protocol associations. Option C (Internet Options) is wrong because while it contains a 'Programs' tab with a 'Set programs' link, that link redirects to the Default Apps page; the Internet Options applet itself does not directly manage default browser associations. Option D (Device Manager) is wrong because it manages hardware devices and drivers, not software or default application settings.

741
MCQmedium

You are deploying a new application to multiple Windows 10 workstations using a script. The application requires administrator privileges, and you need to run the command with elevated rights from within the script. Which command should precede your installation command?

A.runas /user:Administrator
B.net user
C.cd
D.whoami
AnswerA

This command runs the subsequent program with administrator privileges, as required for the installation.

Why this answer

The `runas /user:Administrator` command allows you to execute a subsequent command with the security context of the specified user (in this case, the built-in Administrator account), which provides the elevated privileges required to install the application. This is necessary because the script itself runs under the current user's context, which may lack the administrative rights needed for the installation.

Exam trap

CompTIA often tests the misconception that `runas` is the only way to elevate privileges within a script, but the trap here is that candidates might confuse `runas` with simply running the script itself as Administrator, forgetting that the command must explicitly precede the installation command to elevate that specific process.

How to eliminate wrong answers

Option B is wrong because `net user` is used to manage user accounts (create, delete, or modify) and does not execute a command with elevated privileges. Option C is wrong because `cd` changes the current directory and has no capability to elevate permissions. Option D is wrong because `whoami` displays the current user's username and security context but does not alter or elevate privileges.

742
MCQeasy

A customer complains that their Windows 10 PC fails to boot and displays a 'Bootmgr is missing' error. You suspect the Boot Configuration Data (BCD) is corrupted. Which tool should you use to repair the BCD from the Windows Recovery Environment?

A.chkdsk /f
B.sfc /scannow
C.bootrec /rebuildbcd
D.diskpart
AnswerC

bootrec /rebuildbcd scans all disks for Windows installations and adds them to the BCD store, fixing corruption.

Why this answer

The bootrec tool is specifically designed to repair BCD and boot sector issues. Running bootrec /rebuildbcd scans for Windows installations and rebuilds the BCD store.

743
MCQhard

While configuring a new Windows 11 workstation, you need to ensure that a legacy application can always run with administrative privileges without prompting the user. The user is a standard user. What is the best way to accomplish this?

A.Set the application's compatibility mode to 'Run this program as an administrator' and grant the user full control over the program's folder.
B.Create a scheduled task that runs with the highest privileges and launches the application at user logon.
C.Disable User Account Control (UAC) via the Control Panel.
D.Add the user to the local Administrators group.
AnswerB

A scheduled task can be configured to run with stored administrator credentials and launch the application without any UAC prompt. This is the supported method for standard users to run legacy apps that require elevation.

Why this answer

Forcing a legacy app to run as administrator without UAC prompts for a standard user requires creating a scheduled task that runs with elevated privileges. The task can be set to run at user logon or on demand, and the application is launched by the task with the stored admin credentials. This bypasses UAC while maintaining security for the standard user account.

744
MCQeasy

A user calls the help desk, frantic because they received an email from what appears to be the CEO asking them to urgently purchase $500 in gift cards for a client and reply with the codes. The email address looks slightly off, and the signature is missing the usual legal disclaimer. What type of social engineering attack is this most likely an example of?

A.Shoulder surfing
B.Phishing
C.Tailgating
D.Pretexting
AnswerB

Phishing is the correct term for fraudulent emails designed to trick recipients into taking harmful actions, such as buying gift cards.

Why this answer

This is a classic example of phishing, specifically a subtype known as spear phishing or whaling, because the attacker impersonates a high-level executive (the CEO) to trick the user into performing a financial action. The telltale signs are the slightly off email address (spoofed domain or lookalike character) and the missing legal disclaimer, which are common indicators of a fraudulent email designed to harvest credentials or money. Phishing relies on social engineering to bypass technical controls by exploiting human trust and urgency.

Exam trap

The CompTIA A+ exam often tests the distinction between phishing and pretexting by presenting a scenario where the attacker uses a fabricated story (pretext) but delivers it via email, leading candidates to choose pretexting instead of recognizing that the email delivery method makes it phishing.

How to eliminate wrong answers

Option A is wrong because shoulder surfing involves directly observing a user's screen or keystrokes over their shoulder to capture sensitive information, which does not apply to an email-based request. Option C is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area without proper authentication, not a digital email scam. Option D is wrong because pretexting is a social engineering technique where the attacker fabricates a scenario (pretext) to obtain information, often via phone or in person, but the core mechanism here is the fraudulent email itself, which is the defining characteristic of phishing.

745
MCQeasy

A user reports that after a recent Windows update, they can no longer install software on their company-issued laptop. When they try to run an installer, they get a message: 'Your system administrator has blocked this program.' The user has local administrator rights on the laptop. Which Windows security setting is most likely causing this issue?

A.Windows Defender Firewall is blocking the installer.
B.User Account Control (UAC) is set to 'Always notify.'
C.BitLocker Drive Encryption is preventing write access.
D.The user's account is not part of the local Administrators group.
AnswerB

UAC with 'Always notify' prompts for consent for any installation, even for local admins, and can block if not approved.

Why this answer

User Account Control (UAC) with the 'Always notify' setting forces every installation attempt to prompt for administrator approval, even when the user has local admin rights. If the user clicks 'No' or the prompt is suppressed by Group Policy (e.g., via the 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' policy set to 'Elevate without prompting' or 'Prompt for consent'), the installer is blocked with the 'Your system administrator has blocked this program' message. This occurs because UAC treats the installer as requiring elevation, and the policy prevents the user from approving it.

Exam trap

CompTIA often tests the misconception that local administrator rights bypass all security controls, but UAC's Admin Approval Mode can still block installations based on Group Policy settings, even for users in the Administrators group.

How to eliminate wrong answers

Option A is wrong because Windows Defender Firewall blocks network traffic, not local software installation; it does not generate a 'blocked this program' message for installers. Option C is wrong because BitLocker Drive Encryption encrypts the entire volume and prevents unauthorized read/write access at the disk level, but it does not intercept installer execution or produce a 'system administrator has blocked this program' error; it would instead show a BitLocker recovery or access-denied error. Option D is wrong because the question explicitly states the user has local administrator rights, so the account is already part of the local Administrators group; the issue is caused by UAC elevation policies, not group membership.

746
MCQmedium

A small business owner reports that all their employees are receiving emails from each other containing a link that, when clicked, downloads a file that installs a program that spreads to other contacts. The emails appear to come from known senders. What type of malware is this?

A.Virus
B.Worm
C.Trojan horse
D.Rootkit
AnswerB

A worm spreads independently, often by sending copies of itself through email or network connections.

Why this answer

The correct answer is B (Worm) because the malware self-replicates by sending copies of itself via email to all contacts without requiring user action beyond clicking the link. Unlike a virus, it does not need to attach to a host file; it spreads autonomously over the network using the email system as a transport mechanism.

Exam trap

CompTIA often tests the distinction between a virus and a worm by emphasizing that a worm self-propagates without user intervention beyond initial activation, whereas a virus requires host file attachment and user execution of that file.

How to eliminate wrong answers

Option A is wrong because a virus requires attaching to a legitimate program or file to execute and replicate, whereas this malware spreads independently via email without modifying existing files. Option C is wrong because a Trojan horse disguises itself as legitimate software but does not self-replicate; it relies on deception to install, not on automatic propagation to contacts. Option D is wrong because a rootkit is designed to hide its presence and provide unauthorized access at the kernel level, not to spread via email or replicate to other contacts.

747
MCQhard

A technician is setting up remote access for a user who will be traveling internationally. The user needs to access files on a Windows server using RDP. Which additional security measure should the technician implement to protect the RDP session?

A.Enable Network Level Authentication (NLA) on the server
B.Use a VPN to encrypt all traffic before initiating RDP
C.Change the RDP port to a non-standard number
D.Disable clipboard redirection in the RDP session
AnswerB

A VPN creates an encrypted tunnel, securing the entire RDP session from interception.

Why this answer

B is correct because RDP traffic is encrypted but not authenticated at the transport layer, making it vulnerable to man-in-the-middle attacks, especially over untrusted international networks. A VPN (e.g., IPsec or OpenVPN) provides an additional layer of encryption and authentication for the entire session before RDP traffic is sent, ensuring confidentiality and integrity even if the RDP protocol itself is compromised.

Exam trap

CompTIA often tests the misconception that RDP's built-in encryption is sufficient for all scenarios, leading candidates to overlook the need for a VPN when the connection traverses untrusted networks, especially in international travel contexts.

How to eliminate wrong answers

Option A is wrong because Network Level Authentication (NLA) requires the user to authenticate before a full RDP session is established, which protects against some attacks but does not encrypt the traffic; it is a pre-session authentication mechanism, not a transport-layer security measure. Option C is wrong because changing the RDP port from the default 3389 to a non-standard number is a form of security through obscurity that does not provide actual encryption or authentication; it only reduces automated scans but does not protect the session from targeted attacks. Option D is wrong because disabling clipboard redirection prevents data transfer via the clipboard but does not encrypt or secure the RDP session itself; it is a data-leakage prevention measure, not a security measure for the session's confidentiality.

748
MCQmedium

A user reports that their Android phone's screen is unresponsive to touch, but the buttons and notification LED still work. They have already performed a forced restart. What should the technician do NEXT?

A.Replace the screen assembly.
B.Boot the phone into Safe Mode to check if the issue persists.
C.Perform a factory reset from the recovery menu.
D.Update the phone's firmware using a computer.
AnswerB

Safe Mode disables third-party apps; if the touch works there, a recently installed app is likely the culprit.

Why this answer

This scenario tests troubleshooting touchscreen issues. Since a forced restart didn't help, booting into Safe Mode can determine if a third-party app is causing the problem.

749
MCQeasy

A user reports that after a recent software update, their inventory management application crashes on launch. The change log shows the update was applied last night by a junior technician. What is the first step the technician should take according to change management best practices?

A.Restore the user’s system from a backup taken before the update.
B.Check the change log for the update details and rollback procedure.
C.Uninstall the update immediately to restore functionality.
D.Escalate the issue to the IT manager for a decision.
AnswerB

The change log should contain the change details, approval, and rollback plan, making it the correct first step to assess the situation.

Why this answer

Option B is correct because change management best practices require that before any action is taken, the technician should first consult the change log to understand what was changed and identify the documented rollback procedure. This ensures a controlled, reversible approach rather than risking data loss or further instability by acting without full knowledge of the update's scope.

Exam trap

CompTIA often tests the misconception that immediate restoration or uninstallation is the fastest fix, but the trap here is that candidates overlook the critical first step of consulting the change log to understand the update's scope and the documented rollback procedure before taking any action.

How to eliminate wrong answers

Option A is wrong because immediately restoring from backup is a reactive step that should only be taken after reviewing the change log and rollback plan; it may also be unnecessary if a simpler rollback exists. Option C is wrong because uninstalling the update without first checking the change log could leave the system in an inconsistent state or miss dependencies that require a specific rollback order. Option D is wrong because escalating to the IT manager bypasses the technician's responsibility to first gather information from the change log, which is a standard first step in incident response per change management frameworks.

750
MCQhard

A company's security policy requires that all laptops have a TPM chip enabled and be configured to require a PIN at startup before the operating system loads. Which security feature is being configured?

A.Secure Boot
B.BitLocker with TPM and PIN protector
C.Windows Defender System Guard
D.Group Policy password complexity enforcement
AnswerB

BitLocker can use a TPM plus a PIN for pre-boot authentication, requiring both hardware validation and user input to unlock the drive.

Why this answer

The scenario describes using a TPM chip and requiring a PIN at startup before the OS loads. This is exactly how BitLocker's TPM+PIN protector works: the TPM validates the system integrity, and the PIN provides an additional factor of authentication, unlocking the drive encryption key before Windows boots. Option B is correct because it directly matches the described configuration.

Exam trap

The trap here is that candidates confuse Secure Boot (which only verifies bootloader integrity) with the full-disk encryption and pre-boot authentication provided by BitLocker with TPM+PIN.

How to eliminate wrong answers

Option A is wrong because Secure Boot ensures only signed firmware and bootloaders run, but it does not provide full-disk encryption or require a PIN at startup. Option C is wrong because Windows Defender System Guard is a set of hardware-backed security features (like credential guard) that protect the kernel and system integrity, but it does not encrypt the drive or require a PIN before the OS loads. Option D is wrong because Group Policy password complexity enforcement applies to user account passwords after the OS has loaded, not to a pre-boot PIN for drive decryption.

Page 9

Page 10 of 10

All pages