CompTIA 220-1202 Cheat Sheet: Windows, Security, and Recovery

CompTIA 220-1202 cheat sheet for Windows, security, recovery, traps, and final review.

Use this for last-mile review. 220-1202 rewards the answer that restores the workstation or user access with the least disruptive secure fix, then documents the change instead of improvising.

220-1202 answer sequence

Use this when the stem mixes OS repair, permissions, malware cleanup, recovery, or support workflow.

    flowchart TD
      S["Scenario"] --> L["Pick the fault lane"]
      L --> D["Check access, startup, malware, or operations"]
      D --> R["Choose the least disruptive secure fix"]
      R --> V["Verify outcome and document it"]

Core 2 reading order

  1. Scope: user account, workstation, domain trust, application, or policy problem?
  2. Risk: startup failure, permissions/security issue, malware suspicion, or operational-process question?
  3. Strongest first move: least disruptive diagnostic step before broader rollback, reset, or rebuild.
  4. Process discipline: document, preserve data, and keep security controls on unless the scenario explicitly justifies a temporary exception.

Fastest 10-minute review

| If the question says… | Strongest first lane |
| --- | --- |
| app or OS broke after driver/update | Safe Mode, rollback or uninstall update, then DISM and sfc |
| user gets Access denied | effective permissions, ownership, elevation, and share vs NTFS |
| browser redirects, popups, fake AV, or unknown startup items | malware workflow and persistence cleanup |
| domain login slow or failing | DNS to the domain controller, network profile, firewall, and time sync |
| BitLocker recovery screen | TPM or hardware-change event, then recovery-key retrieval from approved escrow |
| repeated help-desk task | script or standardize it, but test first and log actions |
| “quick fix” asks you to disable Defender, UAC, or firewall | usually a trap unless the question explicitly says temporary controlled testing |

Least-disruptive fix ladder

| If you are tempted to… | Usually check this first |
| --- | --- |
| reset the PC | rollback, repair, restore, or Safe Mode path |
| make the user local admin | scoped elevation, permission fix, or approved deployment workflow |
| disable a security control | verify whether the issue is profile, policy, exception, or identity related first |
| reinstall the app | profile, cache, patch, service, permission, or compatibility clues first |
| reimage after malware | quarantine, remediate, verify persistence, then decide if reimage is justified |

Core 2 triage order

    flowchart TD
      Start["Read the symptom"] --> Scope["User, device, domain, or policy scope?"]
      Scope --> Risk["Access/security, startup/recovery, malware, or operations?"]
      Risk --> Safe["Least disruptive secure diagnostic step"]
      Safe --> Repair["Targeted repair or rollback"]
      Repair --> Verify["Verify user outcome and security posture"]
      Verify --> Doc["Document change, root cause, and next-step prevention"]

Scenario speed table

| Scenario cue | Strong answer usually does |
| --- | --- |
| workstation unstable after patching | isolate whether the issue started with driver, quality update, or startup item before broader reset |
| remote worker cannot access shared file | separate identity issue, VPN path, share permission, and NTFS permission |
| suspicious persistence after malware cleanup | check scheduled tasks, startup entries, browser add-ons, services, and restore points |
| local admin asks for permanent broad rights | prefer least privilege, scoped elevation, or approved admin workflow |
| boot failure after power event | WinRE, startup repair, update rollback, BCD path, then filesystem checks |
| script to automate endpoint work | test outside production, parameterize, log output, and run with the least required privilege |

Windows recovery and repair lanes

| Need | Strongest first lane | Notes |
| --- | --- | --- |
| startup failure after update or driver change | Safe Mode or WinRE, then rollback or uninstall updates | start with reversible recovery |
| missing or corrupt system files | DISM /Online /Cleanup-Image /RestoreHealth then sfc /scannow | image repair and protected file repair pair |
| disk or filesystem error | chkdsk /f | may require reboot |
| broken boot records or BCD | bootrec or bcdedit inside WinRE | use only when the stem is really about boot chain |
| restore previous system state | System Restore | rolls back system state, not user documents |
| large-scale repair with data preserved | Reset this PC with Keep my files if the scenario allows | more disruptive than rollback |

WinRE tool chooser

| Tool | Best use |
| --- | --- |
| Startup Repair | automatic boot-path repair |
| Uninstall Updates | boot or stability issue immediately after a patch |
| System Restore | known-good system restore point exists |
| Command Prompt | bootrec, bcdedit, chkdsk, offline repair work |
| UEFI Firmware Settings | hardware or boot-order configuration path |

Recovery traps

| Trap | Better reading |
| --- | --- |
| using Reset this PC as the first response | try reversible rollback and repair steps first |
| assuming BSOD always means hardware failure | updates, drivers, startup items, and corrupted system files are common exam causes |
| running sfc alone after component-store corruption | pair it with DISM when the Windows image itself may be damaged |

Permissions, accounts, and access control

| Boundary | What it really answers | Common miss |
| --- | --- | --- |
| local user or group | access on the individual device | assuming domain admin logic on a standalone PC |
| domain account | central identity and policy path | forgetting DNS or time sync |
| share permission | network access to the shared folder | treating it as the only permission layer |
| NTFS permission | local and network filesystem access | ignoring effective access and inheritance |
| UAC elevation | whether the task needs admin approval | leaving the user permanently as admin |

Share vs NTFS

| If the user is… | Remember |
| --- | --- |
| local at the machine | NTFS is the main access layer |
| accessing over the network | share and NTFS both matter |
| denied unexpectedly | effective access is constrained by the most restrictive combination |

Access-problem picker

| Symptom | Strongest first lane |
| --- | --- |
| user cannot map a drive | network path, name resolution, credentials, then share and NTFS |
| folder visible but files cannot be opened | effective permissions, ownership, inheritance, encrypted content |
| standard user cannot install app | elevation policy, software approval, or deployment workflow |
| domain login fails after travel or network change | DNS to domain controller, VPN path, network profile, time sync |

Identity and support boundary picker

| If the clue is really about… | Strongest first reading |
| --- | --- |
| one user on one PC | local profile, local rights, app config, or device state |
| many users on one managed system | policy, deployment, or shared configuration |
| one user after travel or network change | VPN path, domain reachability, DNS, or time sync |
| a mapped drive or shared folder issue | network path first, then credentials, then share and NTFS |
| a password or lockout issue | identity path, not disk-recovery path |

Security hardening and malware

| Control | Strong exam meaning |
| --- | --- |
| Defender AV or EDR | detect and remediate without removing core protection as the first move |
| firewall profiles | domain, private, and public posture matters |
| BitLocker | full-disk encryption with recovery-key lifecycle |
| MFA | improves account security beyond password-only control |
| least privilege | daily work as standard user, elevate only when required |

CompTIA malware order

  1. Identify symptoms.
  2. Quarantine the affected system.
  3. Disable System Restore.
  4. Remediate with updated definitions and scans, or reimage if needed.
  5. Schedule scans and updates.
  6. Re-enable System Restore.
  7. Create a restore point.
  8. Educate the user.

Malware and hardening traps

| Trap | Better reading |
| --- | --- |
| disable AV or firewall first | only do that when the question explicitly frames a temporary controlled test |
| blame one bad browser add-on for every symptom | still inspect startup entries, services, scheduled tasks, DNS, and hosts file |
| forget post-cleanup steps | restore point, update scheduling, and user education matter on this exam |

OS tool and command picker

| Need | Strongest tool |
| --- | --- |
| hardware or driver problem | Device Manager |
| startup item pressure | Task Manager startup tab |
| service state | services.msc |
| event history and failure clues | Event Viewer |
| local security posture | secpol.msc on supported editions |
| process or resource pressure | Task Manager or Resource Monitor |
| DNS and IP inspection | ipconfig /all, ping, tracert, nslookup |
| group policy refresh | gpupdate /force |

OS comparison anchors

| Platform | Fast recall |
| --- | --- |
| Windows | strongest exam depth for repair, permissions, domain, policy, and malware |
| macOS | Time Machine, FileVault, Activity Monitor, Disk Utility, Keychain |
| Linux | systemctl, chmod, chown, sudo, /var/log, journalctl, package managers |

Scripting and automation cues

| If the question is really about… | Strongest first lane |
| --- | --- |
| repeated administrative task | PowerShell or script automation with logging |
| Linux/macOS task flow | Bash tooling and scheduler awareness |
| simple general-purpose automation | Python script with controlled inputs and output |
| scheduled repetition | Task Scheduler, cron, or platform scheduler |

Script safety table

| Rule | Why it matters |
| --- | --- |
| test outside production first | Core 2 punishes risky automation habits |
| parameterize paths and targets | avoids brittle one-off scripts |
| log actions and results | supports troubleshooting and auditing |
| run with least privilege | prevents over-broad damage |

Operational procedures and professionalism

| Topic | Strong answer usually does |
| --- | --- |
| change management | request, assess risk, approval, maintenance window, backout plan, communication |
| incident response | identify, contain, eradicate, recover, lessons learned |
| documentation | ticket notes, asset record, root cause, final resolution |
| customer interaction | active listening, empathy, plain language, confirm resolution |
| disposal and privacy | secure erase or destruction, need-to-know handling, proper e-waste process |

High-confusion pairs

| Pair | Keep this distinction clear |
| --- | --- |
| Safe Mode vs WinRE | reduced startup environment versus broader recovery environment |
| share permission vs NTFS | network share layer versus filesystem access layer |
| local account vs domain account | device-local identity versus centralized identity |
| malware cleanup vs incident process | workstation remediation steps versus wider operational response |
| BitLocker recovery key issue vs account-password issue | disk unlock path versus identity/authentication path |
| standard user support vs permanent admin grant | least-privilege workflow versus risky over-permissioning |

Final 15-minute review

| Recheck this | Because the exam often hides the miss here |
| --- | --- |
| least disruptive secure first step | many wrong answers jump too quickly to reset or rebuild |
| share plus NTFS effective access | access questions punish boundary confusion |
| DNS, firewall profile, and time sync | domain questions often fail there first |
| DISM plus sfc | Windows repair path is a classic recall point |
| malware order and post-cleanup steps | CompTIA likes the sequence, not just the concept |
| documentation and backout plan | process discipline is part of the right answer |

What strong Core 2 answers usually do

  • preserve user data and system security while troubleshooting
  • fix the right boundary before granting broader access
  • separate startup repair, identity issues, malware cleanup, and process discipline
  • prefer reversible, documented, least-disruptive actions over dramatic rebuilds


Revised on Sunday, May 10, 2026