CompTIA A+ Core 2 (220-1202) PBQs

30 truly interactive simulations — malware quarantine console, AD users & computers tree, Registry Editor, Windows backup wizard, Group Policy, BitLocker.

30 PBQs: 10 GUI/Sim · 4 Diagnostic · 4 Log/Form · 12 DD/Form
PBQ 1 Malware Quarantine Console
12:00 · Domain 2.0 Security
SCENARIO
A user at the law firm complained that her workstation has been running hot, the CPU fan spins at full speed even at idle, and she sees brief PowerShell windows flash open at random. Your endpoint-detection console flagged eight running processes for analysis. You need to triage each one: isolate the obviously malicious binaries in Quarantine, terminate active threats with Kill, and leave legitimate system processes alone. Each correct decision raises the system-stability gauge; killing a legitimate process tanks it.

INSTRUCTIONS:
1. Drag each process card from the red "Detection" column into either the amber Quarantine column (isolate the binary, preserve evidence) or the green Kill column (end the running process immediately).
2. Legitimate Windows processes (signed, system-owned) should remain in Detection — do not quarantine or kill them.
3. Watch the System stability gauge at the bottom — it climbs as you neutralise threats and drops if you wrongly kill a healthy process.
4. Click Validate when triage is complete.
PBQ 2 Active Directory Users and Computers — dsa.msc
20:00 · Domain 2.0 Security
SCENARIO
You are logged into DC01.acme.local (Windows Server 2022 domain controller) with Domain Admin rights. HR has hired a new employee: Sarah Jones, starting Monday. You must create her AD user account inside the correct OU, configure password policy, set group memberships, and verify properties — using the real Active Directory Users and Computers MMC snap-in.

INSTRUCTIONS:
  1. Expand the acme.local domain in the tree. Click the HR OU.
  2. Right-click in the right-hand pane (or on the HR OU) → New > User. The standard Windows New Object - User wizard opens with the four real fields.
  3. Fill in: First name Sarah, Last name Jones, Full name auto-fills, User logon name sjones (UPN sjones@acme.local, downlevel ACME\sjones).
  4. Set initial password TempP@ss2026!. Uncheck "Password never expires" (compliance requires periodic rotation). Check "User must change password at next logon".
  5. After creation, right-click sjones → Properties → Member Of tab → Add to the HR-Users security group.
  6. Click Validate.
PBQ 3 Registry Editor (regedit)
12:00 · Domain 1.0 Operating Systems
SCENARIO
An EDR alert points to three persistence mechanisms a malware foothold left in the registry of a Windows 11 workstation. Your job is to use regedit.exe to (1) remove a malicious Run-key autorun, (2) reset a tampered SecurityHealth setting that disabled real-time protection, and (3) remove a malicious Image File Execution Options entry that redirects taskmgr.exe to a payload. Each fix uses a different value type (REG_SZ, REG_DWORD, sub-key delete) and a different hive path.

INSTRUCTIONS:
1. Click the carets in the left pane to navigate the registry tree.
2. Click a key to load its values on the right.
3. Right-click a value or sub-key for the context menu (Modify, Delete, Rename, New).
4. Use Modify… to open the value-edit dialog for that type (string editor for REG_SZ, DWORD editor with Hex/Decimal radio for REG_DWORD).
5. Click Validate once all three issues are fixed. The address bar shows the current full key path.
PBQ 4 Windows Backup — Settings > Accounts > Windows Backup
15:00 · Domain 4.0 Operational
SCENARIO
You are imaging a Windows 11 laptop for a new traveling salesperson, Mara Patel. Her Microsoft 365 account is mara.patel@acme.onmicrosoft.com with 1 TB of OneDrive storage. The company's BYOD-replacement policy requires the following on her laptop:
  • OneDrive Folder Backup on for Desktop, Documents, and Pictures (Music can stay local because she has none)
  • Remember my apps ON so reinstalling Windows reinstalls her Store apps
  • Remember my preferences ON for Accessibility, Passwords, Language
  • Wi-Fi network passwords ON so she doesn't have to re-enter them on a replacement device
  • Also configure File History to back up to a 1 TB external USB drive (D:\) hourly, retain forever
Use the real Windows 11 Settings > Accounts > Windows Backup page below and the legacy Backup and Restore (Windows 7) Control Panel for File History.

INSTRUCTIONS: Click toggles to switch them On/Off. Click section headers to expand them. Open the File History settings at the bottom and set the destination + frequency.
Settings · Accounts · mara.patel@acme.onmicrosoft.com

Windows Backup

Back up your folders, settings, and credentials so you can find them on any device.

  • OneDrive folder syncing: Sync Desktop, Documents, Pictures, Music, Videos to your OneDrive
      • Desktop folder
      • Documents folder
      • Pictures folder
      • Music folder
      • Videos folder
  • Remember my apps: Microsoft Store apps will be available on new devices
  • Remember my preferences: Accessibility, passwords, language and other Windows settings
      • Accessibility
      • Passwords (Microsoft autofill)
      • Language preferences
      • Other Windows settings
  • Wi-Fi network passwords: Sync saved Wi-Fi networks so you don't have to type them again
Note: Settings > Windows Backup syncs to OneDrive only. For a local copy of the file history (versions), use Control Panel > File History.
PBQ 5 BitLocker Drive Encryption — manage-bde wizard
15:00 · Domain 2.0 Security
SCENARIO
A laptop is being deployed to the new field-sales team. Compliance requires full-volume disk encryption on the OS drive (C:), bound to the on-board TPM 2.0 plus a startup PIN (Microsoft's recommended "TPM + PIN" mode), and the 48-digit recovery key escrowed to Azure AD so the help-desk can recover the drive if the user forgets the PIN. Use the strongest encryption mode supported and encrypt the entire drive (not just used space, since this is a new SSD pre-loaded with the corporate image).

INSTRUCTIONS: Walk the actual Windows BitLocker Drive Encryption wizard below — six pages from "Choose how to unlock" through "Encrypt the drive". Each Next button validates the page. The recovery-key page lets you pick a backup location. Validate at the end.
PBQ 6 Windows Defender Firewall with Advanced Security (live console)
20:00 · Domain 2.0 Security
SCENARIO
A jump-host (Windows 11 Pro, IP 10.0.5.20) is reachable from both the management subnet (10.0.0.0/24) and the Internet. Compliance demands that RDP (TCP/3389) be reachable only from the management subnet, and that all inbound RDP traffic from anywhere else is dropped. The administrator wants you to add the rule via the local firewall console (no GPO), then prove it works by simulating inbound packets from three different source IPs.

INSTRUCTIONS:
1. Click New Rule… in the right-hand actions pane to open the wizard.
2. Walk the 5-step wizard (Rule Type → Protocol & Ports → Scope → Action → Profile & Name).
3. After the rule is created it appears in the Inbound Rules list with a green/red status icon.
4. Use the Test traffic pane below to fire packets from three source IPs — watch the live "ALLOW / BLOCK / DROP" decisions.
5. Click Validate.
PBQ 7 UAC consent prompts & Account Control Settings
15:00 · Domain 2.0 Security
SCENARIO
A user just inserted a USB stick from a vendor at a trade show and double-clicked vendor-demo.exe. The screen darkened and the User Account Control consent prompt appeared. The user is unsure whether to click Yes or No. You walk her through the prompt and the underlying setting that controls whether and when these prompts appear.

INSTRUCTIONS:
  1. Read the UAC consent prompt below carefully — look at the publisher, the file origin, the publisher verification, and decide whether to allow.
  2. Click Show more details → Show information about this publisher's certificate to inspect the signature chain.
  3. Pick the correct response button (Yes / No).
  4. Then open Control Panel > User Accounts > Change UAC Settings below and set the notification slider to the position recommended by Microsoft for corporate endpoints.

Do you want to allow this app from an unknown publisher to make changes to your device?

vendor-demo.exe
Publisher: Unknown
File origin: Removable media (USB drive E:)
File signature: Not digitally signed
Show more details · Show information about this publisher's certificate
🛡 Control Panel > User Accounts > User Account Control Settings

Choose when to be notified about changes to your computer.

Always notify me when:
• Apps try to install software or make changes to my computer
• I make changes to Windows settings
Recommended if you routinely install new software and visit unfamiliar websites.
Notify me only when apps try to make changes (default):
• Don't notify me when I make changes to Windows settings
Recommended if you use familiar apps and visit familiar websites.
Notify me only when apps try to make changes (do not dim my desktop):
Not recommended. Choose this only if it takes a long time to dim the desktop.
Never notify me when:
• Apps try to install software or make changes to my computer
• I make changes to Windows settings
Not recommended.
PBQ 8 Task Manager (Windows 11) — end a rogue cryptominer
15:00 · Domain 1.0 Operating Systems
SCENARIO
A user complains her Win 11 laptop runs hot, the fan won't slow down, and battery dies in 90 minutes. The system feels sluggish. You connect remotely, press Ctrl+Shift+Esc to open Task Manager. The Processes tab shows CPU pegged near 100% with one process responsible. You also notice it lacks a signed publisher.

INSTRUCTIONS:
  1. In the Task Manager Processes tab, sort by CPU (already sorted) and find the high-CPU process.
  2. Right-click the rogue process → select Open file location to confirm where the binary lives (an unsigned EXE in C:\Users\…\AppData\Local\Temp is a red flag).
  3. Right-click again → End task. CPU should immediately drop back to idle in the Performance tab.
  4. Click Validate once the process is terminated. Do not end any legitimate system process — ending svchost.exe or explorer.exe destabilises the OS.
PBQ 9 Group Policy Management Editor (live tree)
20:00 · Domain 2.0 Security
SCENARIO
The CISO needs a domain-wide password and lockout baseline pushed to every workstation in acme.local. You're already logged into a DC with GPMC. The Default Domain Policy is open in the editor. You must navigate the policy tree to the right node, double-click each setting, fill the configured value, then run gpupdate /force against a member workstation to verify the policy actually applies.

INSTRUCTIONS:
1. Click nodes in the left tree to expand. The target path is Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy / Account Lockout Policy. Use Local Policies → Audit Policy for the audit setting.
2. Double-click each policy to open its value dialog and apply: Minimum password length = 14, Password must meet complexity = Enabled, Account lockout threshold = 5 invalid attempts, Audit logon events = Success, Failure.
3. Click gpupdate /force on WS-CORP-01 to simulate policy refresh; the client will report the resultant policy.
4. Click Validate.
PBQ 10 PowerShell Terminal
10:00 · Domain 1.0 Operating Systems
TASK
Live PS prompt — try Get-Process, Get-Service, Get-EventLog, Test-Connection, Get-ChildItem.
PBQ 11 Windows BSOD — minidump analysis
15:00 · Domain 3.0 Software Troubleshooting
SCENARIO
A user's Windows 11 workstation has been bluescreening intermittently — about once per day, more often when she opens 4K video in Adobe Premiere. You walk to her desk just after it crashed and the BSOD is still on the screen. You photograph the QR / STOP code, reboot, copy C:\Windows\Minidump\ off the disk to your analysis VM, and load the .dmp in WinDbg Preview.

INSTRUCTIONS:
  1. Read the BSOD screen below — note the STOP code and any module name shown after "What failed:".
  2. Click !analyze -v in the WinDbg console to load the minidump auto-analyzer and pull out PROBABLY_CAUSED_BY and BUCKET_ID.
  3. Pick the correct root cause and the correct first remediation step.
:(

Your PC ran into a problem and needs to restart. We're just collecting some error info, and then we'll restart for you.

100% complete

For more information about this issue and possible fixes, visit https://www.windows.com/stopcode
If you call a support person, give them this info:
Stop code: DRIVER_IRQL_NOT_LESS_OR_EQUAL
What failed: nvlddmkm.sys

Collecting error info: kernel-mode dump saved to C:\Windows\MEMORY.DMP
PBQ 12 macOS kernel panic — Console.app post-mortem
15:00 · Domain 1.0 Operating Systems
SCENARIO
A user just rebooted her M2 MacBook Pro after seeing the dark-grey curtain with "You need to restart your computer" in six languages. She tells you the panic started happening about a week ago, right after she installed a third-party display utility called DisplayHelperPro. The Mac auto-rebooted and reopened her apps, but the issue has recurred twice today already. The system saved a panic-report to /Library/Logs/DiagnosticReports/. You open Console.app to inspect the panic log.

INSTRUCTIONS:
  1. Click Crash Reports in the Console sidebar to load the panic log.
  2. Read the panic header — identify the failing kext (kernel extension) from the backtrace.
  3. Pick the correct first remediation and the recovery-mode follow-up.
You need to restart your computer. Hold down the Power button until it turns off, then press it again.

Vous devez redémarrer votre ordinateur. Maintenez le bouton de marche enfoncé pendant plusieurs secondes ou appuyez sur le bouton Redémarrer.
Sie müssen Ihren Computer neu starten. Halten Sie die Einschalttaste gedrückt, bis er sich ausschaltet.
你需要重新启动你的电脑。请按住电源键直到它关闭。
PBQ 13 Android battery drain & permission audit
15:00 · Domain 3.0 Troubleshooting
SCENARIO
A user reports her Samsung Galaxy S24 battery is dying by mid-afternoon when it used to last 2 days, the back of the phone gets uncomfortably warm, and apps load slowly. The phone is on Android 14 with the latest security patch. You hand her the phone with Android Settings > Battery already open. Review the per-app battery drain and the permissions for each app. Find the offender and decide what to do.

INSTRUCTIONS:
  1. Examine the battery-usage breakdown below.
  2. Tap any app row to open its App info panel and inspect the permissions it requested.
  3. Pick the correct response for the offending app.
9:42 · 5G · 28%

Battery

28%, charging stopped 14h ago · estimated 1h 12m left

Today — battery usage by app

  • Super Flashlight Pro · Background · 4h 38m active · 47%
  • Chrome · Foreground · 1h 12m · 18%
  • Instagram · Foreground · 48m · 12%
  • WhatsApp · Background · 22m · 9%
  • System UI · System · always-on · 8%
PBQ 14 Microsoft Outlook — Phishing Email Triage
15:00 · Domain 2.0 Security
SCENARIO
A user forwarded a suspicious email to abuse@acme.com at 7:14 AM with the note "Looks fishy, can you check?". The email is open in Outlook below. You must perform a forensic triage of the message: identify and flag every phishing indicator you find by clicking it (sender-domain spoofing, mismatched Reply-To, urgency, threat language, generic salutation, asks for credentials, look-alike URL, etc.). You should also click View > Message Source to inspect the raw headers and verify the SPF / DKIM / DMARC results. When all 7 indicators are flagged and you've reviewed the headers, click Report & Validate.

INSTRUCTIONS:
  1. Hover any suspicious element — it underlines. Click to flag it (turns yellow with a warning icon).
  2. Click View > Message Source in the ribbon to expand the raw Received:, Authentication-Results:, and SPF/DKIM/DMARC headers.
  3. Click Report & Validate when done. You need to find at least 7 of the 9 indicators and inspect the headers.
PBQ 15 Drag malware types to definitions
8:00 · Domain 2.0 Security
TASK
Match each malware type to its description.
Malware
Ransomware
Trojan
Worm
Spyware / keylogger
Rootkit
Fileless / LotL
Encrypts files, demands payment for key
Hides in legit-looking program
Self-replicates over the network without user action
Captures keystrokes and exfils them
Lives in the kernel, hides itself from AV
Lives in memory using PowerShell/WMI, no disk artifact
PBQ 16 Authentication Factor Types
8:00 · Domain 2.0 Security
TASK
Match each item to its auth factor type.
Items
Password
TOTP from authenticator app
Fingerprint
GPS location
Gait pattern
Something you know
Something you have
Something you are
Somewhere you are
Something you do
PBQ 17 NTFS vs Share Permissions
8:00 · Domain 1.0 Operating Systems
TASK
User's NTFS = Read; Share = Full Control. What is effective access? Match scenarios.
Effective
Read
Full Control
Modify
No access
Local + remote: NTFS Read, Share Full Control
NTFS Modify, Share Read (over network)
NTFS Modify, Share Full (over network)
NTFS Deny, Share Full (any path)
PBQ 18 Backup Methods
8:00 · Domain 4.0 Operational
TASK
Match each backup type to its description.
Backup types
Full
Incremental
Differential
Snapshot
Copies everything every time, longest backup, fastest restore
Only changed blocks since last backup of any type
Only changes since last full
Point-in-time block-level checkpoint (VM/storage)
PBQ 19 OS Install Methods
8:00 · Domain 1.0 Operating Systems
TASK
Match install method to scenario.
Methods
USB media
PXE boot
Image deploy (MDT/SCCM)
In-place upgrade
Reset / Recovery partition
One PC, no network, ISO burned to flash drive
100 lab PCs, network boot from WDS
Standardized image with apps preinstalled
Win 10 → Win 11, keep apps and files
User locked out of PC, restore to factory
PBQ 20 Linux Command Match
8:00 · Domain 1.0 Operating Systems
TASK
Drag command to its purpose.
Commands
chmod 755
chown user:group
grep -r "error"
ps aux
df -h
sudo
Set permissions rwxr-xr-x
Change file ownership
Search text in files recursively
List all running processes
Disk free space, human-readable
Run command as root
PBQ 21 macOS Features
8:00 · Domain 1.0 Operating Systems
TASK
Match feature to function.
Features
Time Machine
Spotlight
Mission Control
Disk Utility / First Aid
Gatekeeper
Backup to external drive automatically
Universal search
Show all open windows / spaces
Verify and repair filesystem
Block unsigned apps from running
PBQ 22 Disposal Procedures
8:00 · Domain 4.0 Operational
TASK
Match disposal method to media type.
Methods
Crypto-erase / DBAN
Degaussing
Physical shred / pulverize
Incinerate
Reuse SSD internally - data destruction
Old magnetic HDD before reuse
Highly classified drives that must never be reused
Confidential paper records
PBQ 23 Social Engineering Attacks
8:00 · Domain 2.0 Security
TASK
Match each attack to its description.
Attacks
Phishing
Spear-phishing
Whaling
Vishing
Shoulder surfing
Tailgating / piggyback
Mass email scam, no specific target
Targeted at one specific person/org
CEO / executive impersonation
Voice call posing as IT/bank
Watching the screen / keyboard
Following authorized person through a door
PBQ 24 Browser Privacy & Security
8:00 · Domain 2.0 Security
TASK
Match each setting to its purpose.
Settings
HTTPS-Only mode
Pop-up blocker
Password manager
Browser extension audit
Certificate trust store
Enforce TLS, warn on plain HTTP
Stop unsolicited overlay ads
Generate and autofill strong unique passwords
Remove unknown / over-permissioned add-ons
CA root list used to validate site identity
PBQ 25 Boot Order BIOS → Win Logon
8:00 · Domain 1.0 Operating Systems
TASK
Drag steps into the correct boot sequence.
Steps
POST
UEFI firmware loads boot manager
Bootloader (winload.efi)
NT Kernel + drivers
User logon (winlogon)
PBQ 26 Incident Response Order
10:00 · Domain 4.0 Operational
TASK
Drag the IR steps into the correct order.
Steps
Preparation
Detection & Analysis
Containment
Eradication
Recovery
Lessons Learned
PBQ 27 Change Management Form
10:00 · Domain 4.0 Operational
TASK
Fill the change request form for an emergency Windows patch deployment.
PBQ 28 Help-Desk Ticket Prioritization
10:00 · Domain 4.0 Operational
TASK
Set priority for each ticket.
PBQ 29 Documentation & Communication
8:00 · Domain 4.0 Operational
TASK
User reports issue. Pick the right communication actions.
PBQ 30 Workstation Hardening Checklist
12:00 · Domain 2.0 Security
TASK
Check every action that should be done before deploying a new corporate workstation.