Core 2 Roleplay Lab - IT Support Scenarios

SCENARIO 1 — USER SCRIPT

You are calling IT support about a laptop that won't boot.

Hi, thanks for picking up. I'm having a really frustrating problem with my laptop.

It won't boot up at all. When I press the power button, I just see a black screen with some white text that says something like "No bootable device found."

Um, I think it happened after I was trying to clean up some space yesterday. I might have deleted some files, but I'm not sure which ones.

Yes, I can see it. It's a Windows 11 laptop, HP brand.

Okay, let me try that... I'm pressing F9 now. Oh, I see a menu!

It says "Boot Menu" at the top. There are options like "OS Boot Manager," "USB," and "Network Adapter."

I'll select OS Boot Manager... Okay, pressing Enter now.

Oh! It's starting to boot! I see the Windows logo now!

Yes, it's working! I'm at the login screen. That's amazing, thank you so much!

So what exactly happened? Why did it stop booting?

Oh no, I hope I didn't mess anything up permanently. Should I be worried about those files I deleted?

That makes sense. I'll definitely be more careful. Thank you so much for your help!

SCENARIO 1 — TECH SCRIPT

You are IT support helping a user with a boot failure.

Hello, this is IT support. I understand you're having an issue with your laptop. Can you describe what's happening?

Note: Listen carefully to initial symptom description. Boot errors require methodical troubleshooting.

I see. That error message typically means the system can't find a valid operating system to load. Before we dive deeper, can you tell me what model laptop this is and what operating system you're running?

Perfect. Let's start with the BIOS boot menu to check if the hard drive is being detected. Can you restart the computer and immediately press F9 repeatedly when you see the HP logo?

Note: Boot key varies by manufacturer (F2, F12, Del, F9 for HP). Always verify manufacturer first.

Great! Now, what options do you see listed in that boot menu?

Perfect. The OS Boot Manager being present is a good sign—it means your hard drive is detected. Let's try selecting that option and see if Windows will load.

Note: If OS Boot Manager appears, the drive is recognized. Boot order may have been changed accidentally.

Excellent! It sounds like the boot order got changed somehow. The system was trying to boot from a device that didn't have an operating system on it.

Well, the boot order in your BIOS determines which device the computer tries to start from first. It probably got reset or changed, possibly during a Windows update or if you had a USB drive plugged in. The good news is your files and Windows installation are completely intact.

You shouldn't worry too much. Windows system files are protected and can't be easily deleted from normal folders. Just avoid deleting anything from the C:\Windows or C:\Program Files directories in the future.

You're very welcome! If this happens again, you know the steps now. Have a great day!

SCENARIO 1 — INSTRUCTOR SHEET

Confidential – For Instructor Use Only

Root Cause Analysis

Issue: Windows 11 boot failure with "No bootable device found" error

Root Cause: BIOS boot order was changed or reset, causing the system to attempt booting from a non-bootable device (likely USB or network) before checking the internal hard drive containing the OS Boot Manager.

Why It Occurred: Common triggers include Windows updates, BIOS resets, CMOS battery issues, or accidentally changing boot priority when a USB device was connected.

Replication Steps (For Setup)

Access BIOS/UEFI on a Windows 11 machine (typically F2, F9, F12, or Del during POST)
Navigate to Boot Order or Boot Priority settings
Move "OS Boot Manager" or "Windows Boot Manager" down in priority below USB or Network Boot
Save changes and exit (F10)
System will display "No bootable device" error on next startup

Troubleshooting Workflow

Gather Information: Confirm symptoms, OS version, and laptop manufacturer
Access Boot Menu: Guide user to manufacturer-specific boot key (F9 for HP)
Verify Hardware Detection: Confirm OS Boot Manager appears in boot options
Restore Functionality: Select correct boot device
Explain Root Cause: Educate user on boot order and prevention
Document: Note resolution for future reference

Learning Objectives (CompTIA A+ Core 2)

1.3: Given a scenario, use features and tools of the Microsoft Windows 10/11 operating system – Understanding boot processes and BIOS/UEFI interaction
3.1: Given a scenario, troubleshoot common Windows OS problems – Boot failure diagnosis and resolution using systematic methodology
Communication Skills: Practice clear technical explanations, active listening, and building user confidence through education

SCENARIO 1 — OBSERVER CHECKLIST

Performance Evaluation Form

Tech Name: Observer Initials:

Date:

Criterion	Score (0-5)	Notes
1. Information Gathering Asked appropriate questions to identify OS, manufacturer, and symptoms. Confirmed error message details before proceeding.	_____/5
2. Technical Accuracy Correctly identified boot order issue. Provided accurate manufacturer-specific boot key. Verified OS Boot Manager presence.	_____/5
3. Communication Clarity Gave clear, step-by-step instructions. Used appropriate technical language without overwhelming user. Confirmed understanding.	_____/5
4. Problem Resolution Guided user to successful boot. Explained root cause in understandable terms. Addressed user concerns about deleted files.	_____/5
5. Professionalism & User Education Maintained courteous tone. Provided preventive advice. Built user confidence. Closed call appropriately.	_____/5
TOTAL: _____/25

Additional Comments:

SCENARIO 2 — USER SCRIPT

You are calling IT support about slow internet on your desktop.

Hi, I need some help. My internet has been incredibly slow for the past two days and I can't figure out why.

I'm on Windows 10, desktop computer, connected with an ethernet cable.

Everything loads super slowly. Web pages take forever, emails won't send, and streaming just buffers constantly.

Yes, other devices on Wi-Fi seem fine. My phone and tablet work normally.

Um, I'm not sure how to check that. Can you walk me through it?

Okay, I've got the Command Prompt window open. It's black with white text.

I'm typing it now... i-p-c-o-n-f-i-g. Okay, pressing Enter.

I see a lot of information. There's something called "Ethernet adapter Ethernet" and it shows an IPv4 address that starts with 169.

169.254.21.47 is the full address.

Okay, what do I type?

Done. It said something about releasing and renewing...

Let me check... Now it shows a different IP address! It starts with 192.168.

Wow, let me try a website... Yes! It's loading fast now! What was wrong?

That makes sense. So the 169 address was bad?

Got it. Thank you so much for the quick fix!

SCENARIO 2 — TECH SCRIPT

You are IT support helping a user with slow internet.

Hello, IT support here. I understand you're experiencing slow internet. Can you tell me what type of device you're using and how it's connected?

Note: Always identify device type and connection method first—wired vs. wireless affects troubleshooting path.

Thank you. Can you describe what you mean by "slow"? Are pages not loading, or are they loading but taking a long time?

I see. Have you noticed if other devices on your network are experiencing the same issue?

Note: If only one device is affected, issue is likely local to that device rather than network-wide.

That's helpful information. Since only your desktop is affected, let's check your IP address configuration. This will tell us if your computer is communicating properly with your router. Can you open Command Prompt for me?

Perfect. Now type "ipconfig" and press Enter. This will show us your network settings.

Note: ipconfig shows IP configuration. Look for 169.254.x.x (APIPA) which indicates DHCP failure.

Great. Look for your Ethernet adapter section. Can you read me the IPv4 address listed there?

Ah, that's the issue! That's an APIPA address—it means your computer couldn't get a proper IP address from your router. Let's fix that. Type "ipconfig /release" and press Enter, then type "ipconfig /renew" and press Enter.

Note: APIPA (Automatic Private IP Addressing) = 169.254.x.x. Release/renew forces new DHCP request.

Excellent. Now check your IP address again by typing "ipconfig" once more. What IPv4 address do you see now?

Perfect! That's a valid private IP address assigned by your router. Your computer can now communicate properly with the network. Try accessing a website to confirm.

Your computer wasn't getting an IP address from your router, so Windows assigned itself an APIPA address automatically. That address doesn't allow internet access—it's only for local network communication.

Exactly. The 169 address is Windows' way of saying "I'm on a network, but I can't talk to the router." By releasing and renewing, we forced your computer to request a proper address from the DHCP server in your router.

You're very welcome! If this happens again, you know the commands now. Have a great day!

SCENARIO 2 — INSTRUCTOR SHEET

Confidential – For Instructor Use Only

Root Cause Analysis

Issue: Windows 10 desktop experiencing slow network connectivity despite hardwired ethernet connection

Root Cause: DHCP client failure resulting in APIPA (Automatic Private IP Addressing) assignment of 169.254.x.x address. Computer unable to communicate with DHCP server on router to obtain valid IP configuration.

Why It Occurred: Common causes include temporary DHCP server unavailability during boot, network cable disconnect/reconnect, router restart without successful DHCP lease, or Windows network service glitch.

Replication Steps (For Setup)

On Windows 10 machine, open Command Prompt as Administrator
Disable DHCP client service: net stop dhcp
Release current IP: ipconfig /release
System will auto-assign APIPA address in 169.254.0.0/16 range
Verify with ipconfig - should show 169.254.x.x
To restore for student: net start dhcp then ipconfig /renew

Troubleshooting Workflow

Isolate the Issue: Confirm single device vs. network-wide problem
Check Physical Layer: Verify cable connection (though not required in this scenario)
Diagnose IP Configuration: Use ipconfig to identify APIPA address
Resolve DHCP Issue: Release and renew IP address lease
Verify Resolution: Confirm valid IP address assigned and test connectivity
Educate User: Explain APIPA, DHCP, and how to recognize/fix in future

Learning Objectives (CompTIA A+ Core 2)

1.4: Given a scenario, use the appropriate Microsoft command-line tool – Mastery of ipconfig, /release, and /renew switches
1.6: Given a scenario, configure Microsoft Windows networking features on a client/desktop – Understanding DHCP, APIPA, and IP addressing
Diagnostic Methodology: Practice systematic isolation techniques to identify whether issues are device-specific or network-wide

SCENARIO 2 — OBSERVER CHECKLIST

Performance Evaluation Form

Tech Name: Observer Initials:

Date:

Criterion	Score (0-5)	Notes
1. Problem Isolation Asked about other devices to determine if issue was local or network-wide. Gathered connection type and OS information.	_____/5
2. Diagnostic Command Usage Correctly guided user to Command Prompt. Properly utilized ipconfig command. Identified APIPA address as root cause.	_____/5
3. Solution Implementation Provided correct syntax for ipconfig /release and /renew. Verified successful DHCP lease. Confirmed connectivity restoration.	_____/5
4. Technical Explanation Clearly explained APIPA concept. Described DHCP function in user-friendly terms. Answered follow-up questions accurately.	_____/5
5. User Guidance & Support Provided clear step-by-step command line instructions. Confirmed user actions before proceeding. Empowered user with knowledge for future.	_____/5
TOTAL: _____/25

Additional Comments:

SCENARIO 3 — USER SCRIPT

You are calling IT support about accounting software that keeps crashing.

Hello, I really need help. My accounting software keeps crashing and I have a deadline today.

It's Windows 10, and the software is QuickBooks. It was working fine until yesterday evening.

Yes, actually. Windows installed some updates last night when I shut down. Could that be related?

It opens for a few seconds, then just closes completely. No error message or anything—it just disappears.

Okay, let me try... Right-click, I see Run as administrator. I'll click that.

Same thing. It opens briefly, then crashes.

Sure, how do I do that?

Okay, I'm in Settings. Clicking Update & Security now.

I see View update history. Should I click that?

Okay, clicked it. It shows several updates installed yesterday. One is called KB5034441.

Okay, clicking Uninstall updates... I see a list now. Should I remove that KB one?

Alright, I right-clicked it and selected Uninstall. It's asking me to confirm. Confirming now...

It says I need to restart. Should I do that now?

Okay, restarting... The computer is coming back up now.

Trying QuickBooks now... Oh my gosh, it's working! It opened completely and didn't crash!

Thank you so much! That was incredibly stressful. Will this update try to install again?

SCENARIO 3 — TECH SCRIPT

You are IT support helping a user with application crashes after a Windows update.

Hi there, I understand you're having application crashes. Let me help you troubleshoot this. Can you tell me what software is crashing and what version of Windows you're running?

Note: Establish baseline—identify the application, OS version, and timeline of when the issue started.

QuickBooks on Windows 10, got it. And you said this started after updates were installed last night. That's a very helpful clue. Let's first try running the application as administrator to rule out a permissions issue. Can you right-click the QuickBooks icon and select "Run as administrator"?

Same crash even with admin rights. That tells us it's not a permissions issue. Let's check those recent Windows updates. Go to Settings, then Update & Security.

Note: When an app crashes after updates, check update history first. Correlation between update timing and crash onset is strong diagnostic evidence.

Good, now click on "View update history" so we can see exactly what was installed.

KB5034441—I recognize that one. It's been known to cause compatibility issues with certain applications. Let's try uninstalling it. Click on "Uninstall updates" at the top.

Yes, find KB5034441 in the list, right-click it, and select Uninstall. This will remove just that specific update without affecting other patches.

Note: Always uninstall the specific problematic update rather than rolling back all updates. This preserves security patches.

Go ahead and confirm the uninstall. It will need a restart to complete the removal.

Yes, please restart now. The uninstall will finalize during the reboot process.

Excellent! The problematic update was causing a conflict with QuickBooks. Regarding your question—yes, Windows may try to reinstall it. I'd recommend going to Settings, Update & Security, then Advanced Options, and selecting "Pause updates" for 7 days. That will give the software vendor time to release a compatibility fix. You can also check the QuickBooks website for any patches they've released.

You're welcome! I'm glad we could get you back up and running before your deadline. Don't hesitate to call back if you need anything else.

SCENARIO 3 — INSTRUCTOR SHEET

Confidential – For Instructor Use Only

Root Cause Analysis

Issue: QuickBooks application crashes immediately after opening on Windows 10

Root Cause: A recent Windows cumulative update (KB5034441) introduced a compatibility conflict with the QuickBooks application runtime, causing it to crash on launch.

Why It Occurred: Windows cumulative updates can modify system libraries, .NET frameworks, or Visual C++ redistributables that third-party applications depend on. When the updated components are incompatible with the application's expected versions, crashes occur.

Replication Steps (For Setup)

Install QuickBooks (or simulate the scenario verbally) on a Windows 10 machine
Note the current installed Windows updates via Settings → Update & Security → View update history
The scenario assumes a recently installed cumulative update causes the conflict
Students should identify the correlation between update installation and crash onset
Resolution: Uninstall the specific KB update and restart

Troubleshooting Workflow

Gather Information: Identify application, OS version, and when issue started
Establish Timeline: Correlate crash onset with recent system changes (updates)
Rule Out Simple Causes: Test Run as Administrator to eliminate permissions
Investigate Updates: Check update history for recently installed patches
Targeted Fix: Uninstall specific problematic update (not all updates)
Verify Resolution: Restart and confirm application works
Prevent Recurrence: Pause updates temporarily, advise checking for vendor patches

Learning Objectives (CompTIA A+ Core 2)

1.4: Given a scenario, use the appropriate Microsoft command-line tool – Understanding Windows Update management
3.1: Given a scenario, troubleshoot common Windows OS problems – Application crashes after system updates
4.1: Given a scenario, implement best practices associated with documentation and support systems management – Change management and rollback procedures
Communication Skills: Practice timeline-based diagnosis, clear explanation of technical cause, and preventive advice

SCENARIO 3 — OBSERVER CHECKLIST

Performance Evaluation Form

Tech Name: Observer Initials:

Date:

Criterion	Score (0-5)	Notes
1. Information Gathering Asked about application name, OS version, and timeline. Identified correlation between updates and crash onset.	_____/5
2. Technical Accuracy Correctly identified Windows Update as probable cause. Ruled out permissions first. Targeted specific KB for removal rather than rolling back all updates.	_____/5
3. Communication Clarity Gave clear navigation instructions for Settings. Explained why each step was necessary. Used appropriate technical language.	_____/5
4. Problem Resolution Successfully guided user to uninstall problematic update. Confirmed application worked after restart. Addressed deadline pressure appropriately.	_____/5
5. Professionalism & Preventive Advice Maintained calm under user's stress. Provided actionable prevention steps (pause updates, check vendor). Closed interaction professionally.	_____/5
TOTAL: _____/25

Additional Comments:

SCENARIO 4 — USER SCRIPT

You are calling IT support about blue screen errors after installing a new graphics card.

Hi, I'm hoping you can help me. My PC keeps crashing with a blue screen and I don't know what to do.

It's a Windows 11 desktop—my gaming PC. I just installed a new graphics card yesterday, an NVIDIA RTX 4070. Ever since then I keep getting blue screens.

Yes, there's an error code at the bottom. It says DRIVER_IRQL_NOT_LESS_OR_EQUAL. I've gotten it three times already today.

Um, I downloaded the latest driver from the NVIDIA website and installed it right after I put the card in. It worked for maybe an hour, then the first blue screen happened.

Okay, how do I get into Safe Mode? The computer is on right now but I'm afraid to do anything because it might crash again.

Alright, I'm going to Settings, then System, then Recovery. I see the "Restart now" button next to Advanced startup. Clicking it now.

My screen went blue—not the crash kind though. It says "Choose an option." I see Troubleshoot listed there.

Okay, clicked Troubleshoot, then Advanced options. Now I see Startup Settings. Clicking that, and now clicking Restart.

It restarted and now there's a numbered list. I see option 4 is Enable Safe Mode and option 5 is Enable Safe Mode with Networking. Which one?

Pressing 4 now... Okay, Windows is loading. The screen looks really low-resolution and it says "Safe Mode" in the corners. I'm in.

Right-clicking the Start button... I see Device Manager in the list. Opening it now.

I expanded Display adapters and I see my NVIDIA GeForce RTX 4070. There's a little yellow triangle with an exclamation mark on it!

Double-clicked it. Under the General tab it says "This device is not working properly" and something about a driver issue. I see a Driver tab too.

Okay, I'm on the Driver tab now. I see a "Roll Back Driver" button. Should I click that?

Clicking Roll Back Driver... It's asking me why I'm rolling back. I'll select "My apps don't work with this driver." Clicking Yes.

It looks like it did something. The yellow triangle is gone now. Should I restart?

Restarting now... It's coming back up in normal mode. Full resolution is back! Let me wait a minute and see if it crashes...

It's been a few minutes and no blue screen! That's amazing. So it was the driver the whole time?

That makes sense. I'll check for a newer version before I try updating again. Thank you so much!

SCENARIO 4 — TECH SCRIPT

You are IT support helping a user with blue screen errors after a graphics card installation.

Hello, IT support here. I'm sorry to hear you're dealing with blue screens. Can you tell me what version of Windows you're running and when this started happening?

Note: BSOD errors always require identifying the stop code and any recent hardware or software changes. These are your two biggest clues.

A new graphics card installation right before the crashes started—that's a very strong correlation. Can you tell me the exact error message on the blue screen? There should be a stop code at the bottom.

DRIVER_IRQL_NOT_LESS_OR_EQUAL—that's a driver-related stop code. It means a driver is trying to access memory it shouldn't. Did you install drivers for the new graphics card, and if so, where did you get them?

Note: DRIVER_IRQL_NOT_LESS_OR_EQUAL (0x000000D1) almost always points to a faulty or incompatible driver. With new hardware, the GPU driver is the prime suspect.

I see. The driver you installed may be incompatible or corrupted. We need to boot into Safe Mode so we can work on the driver without it causing another crash. Safe Mode loads Windows with only essential drivers.

Since Windows is running right now, let's use the Settings method. Go to Settings, then System, then Recovery. Under "Advanced startup," click "Restart now."

Note: Multiple paths to Safe Mode exist. From a running system: Settings → System → Recovery → Advanced startup. From login screen: hold Shift + click Restart. If system won't boot: interrupt boot 3 times to trigger WinRE.

Good, that's the Windows Recovery Environment. Click on Troubleshoot to continue.

Perfect. Now click Advanced options, then Startup Settings, and then click Restart. The system will reboot and give you a menu of startup options.

Press 4 for Enable Safe Mode. We don't need networking for this fix since we'll be working with Device Manager.

You're in Safe Mode. The low resolution is normal—Safe Mode uses a basic display driver. Now right-click the Start button and select Device Manager from the menu.

Note: In Safe Mode, Windows loads the Microsoft Basic Display Adapter instead of the GPU-specific driver. This is why the resolution is low but the system is stable.

Expand the "Display adapters" section and tell me what you see. Look for your NVIDIA card and check if there's any warning icon on it.

That yellow exclamation mark confirms the driver is in an error state. Double-click on the NVIDIA adapter to open its properties, and then click on the Driver tab.

Yes, click "Roll Back Driver." This will revert to the previous driver that was working before you installed the new one. It will ask you for a reason—just pick whichever option fits and click Yes.

Note: Roll Back Driver reverts to the previously installed driver version. If this button is grayed out, the alternative is to click "Uninstall Device" and let Windows install a generic driver on reboot.

Excellent. The driver has been rolled back successfully. Go ahead and restart the computer normally. It should boot with full resolution using the previous stable driver.

Great news! Yes, the driver you downloaded was likely incompatible with your specific hardware configuration, even though it was from the official NVIDIA site. Sometimes the very latest driver has bugs with certain card revisions. I'd recommend checking the NVIDIA website in a week or two for an updated version, and reading the release notes before installing to see if any known issues have been fixed.

You're welcome! If you do update the driver in the future and run into trouble again, you now know how to get into Safe Mode and roll it back. Have a great day!

SCENARIO 4 — INSTRUCTOR SHEET

Confidential – For Instructor Use Only

Root Cause Analysis

Issue: Windows 11 desktop experiencing repeated BSOD (Blue Screen of Death) with stop code DRIVER_IRQL_NOT_LESS_OR_EQUAL after installing a new NVIDIA RTX 4070 graphics card

Root Cause: An incompatible or buggy GPU driver is attempting to access an invalid memory address at an elevated IRQL (Interrupt Request Level), causing a kernel-level exception that triggers the blue screen crash.

Why It Occurred: The user installed the latest NVIDIA driver package, which may contain a bug specific to their hardware revision, motherboard chipset, or BIOS version. Driver version incompatibilities are common with newly released GPU models or freshly published driver packages that have not been widely tested across all configurations.

Replication Steps (For Setup)

On a Windows 11 machine with a dedicated GPU, open Device Manager
Expand Display adapters, right-click the GPU, and select Properties
Under the Driver tab, note the current driver version for rollback reference
To simulate the error state: install an intentionally mismatched or older driver version for the GPU, or use Device Manager to set the device status to "error" for demonstration
For verbal-only simulation, describe the BSOD stop code and have students walk through the diagnostic and resolution process
Ensure students can navigate the full Safe Mode boot path: Settings → System → Recovery → Advanced startup → Troubleshoot → Advanced options → Startup Settings → Enable Safe Mode

Troubleshooting Workflow

Identify the Stop Code: Record the BSOD error message (DRIVER_IRQL_NOT_LESS_OR_EQUAL) and correlate with recent changes
Establish Timeline: Confirm the crashes began immediately after the new GPU and driver installation
Boot to Safe Mode: Use Settings → Recovery → Advanced startup, or Shift+Restart from the login screen, to access Windows Recovery Environment and select Safe Mode
Open Device Manager: Right-click Start → Device Manager. Expand Display adapters and locate the GPU with the yellow exclamation mark
Roll Back or Uninstall Driver: Open GPU properties → Driver tab → Roll Back Driver. If Roll Back is unavailable, select Uninstall Device and allow Windows to load a generic driver on reboot
Restart and Verify: Boot normally and confirm the system is stable without BSOD recurrence
Educate User: Explain driver compatibility, recommend checking release notes before future driver updates, and mention Windows Update as an alternative driver source

Learning Objectives (CompTIA A+ Core 2)

3.1: Given a scenario, troubleshoot common Windows OS problems – Diagnosing BSOD errors, interpreting stop codes, and resolving driver conflicts through Safe Mode and Device Manager
1.3: Given a scenario, use features and tools of the Microsoft Windows 10/11 operating system – Navigating Device Manager to identify device errors, using Safe Mode for isolated troubleshooting, performing driver rollback and uninstall operations
Communication Skills: Practice explaining technical concepts (IRQL, kernel-mode drivers, Safe Mode) in accessible terms while guiding a user through multi-step recovery procedures

SCENARIO 4 — OBSERVER CHECKLIST

Performance Evaluation Form

Tech Name: Observer Initials:

Date:

Criterion	Score (0-5)	Notes
1. Safe Mode Knowledge Correctly guided user through the full Safe Mode boot path. Explained purpose of Safe Mode (minimal drivers). Knew alternative entry methods (Shift+Restart, WinRE).	_____/5
2. Device Manager Usage Navigated directly to Display adapters. Identified the yellow exclamation mark as a device error indicator. Accessed driver properties correctly.	_____/5
3. Driver Rollback Procedure Correctly used Roll Back Driver feature. Explained what rollback does and why it resolves the issue. Mentioned Uninstall Device as an alternative if rollback is unavailable.	_____/5
4. Communication Clarity Gave clear, sequential instructions for each step. Explained BSOD stop code meaning in understandable terms. Confirmed user actions before proceeding to next step.	_____/5
5. Professionalism & User Education Maintained reassuring tone during a stressful situation. Provided preventive advice about future driver updates. Empowered user with Safe Mode knowledge for self-help. Closed interaction professionally.	_____/5
TOTAL: _____/25

Additional Comments:

SCENARIO 5 — USER SCRIPT

You are calling IT support about pop-ups, a hijacked browser, and a very slow computer.

Hi, I really need help. My computer has gone completely haywire and I don't know what happened.

It's Windows 10. Everything was fine until a couple of days ago. Now I'm getting pop-ups constantly, even when my browser isn't open. They just appear on my desktop.

That's the other thing—my browser homepage changed. It used to be Google, but now it opens to some sketchy search page called "SearchBaronPlus" or something. I definitely didn't change that.

Oh, and my antivirus. I tried to open Windows Defender to run a scan, but it won't open. I click it and nothing happens. The icon is still in the system tray but it has a little red X on it.

I downloaded a free video converter from a website about three days ago. I needed to convert some files for a project. Could that be related?

The computer is also running incredibly slow. Programs take forever to open, and the fan is running full speed all the time even when I'm not doing anything.

Disconnect from the internet? Okay, should I unplug the ethernet cable or just turn off Wi-Fi?

Done. I turned off Wi-Fi from the taskbar and unplugged the cable just to be safe. What now?

Alright, I remember Safe Mode from last time I had issues. Holding Shift and clicking Restart... I'm at the blue screen with options. Going to Troubleshoot, Advanced options, Startup Settings, Restart.

I see the numbered list. You said option 5, Safe Mode with Networking? Pressing 5 now.

Okay, I'm in Safe Mode. The pop-ups aren't appearing right now, which is nice. What should I do first?

Okay, I'm in Settings, then Apps. I see the list of installed programs... Oh wow, there are several things I don't recognize. There's something called "SearchBaron Browser Optimizer" and "DesktopNotify Pro" and "SystemBoost Helper." I never installed any of those.

Uninstalling them now. SearchBaron is gone... DesktopNotify is gone... SystemBoost is gone. What's next?

You want me to download Malwarebytes? But I disconnected from the internet.

Oh right, Safe Mode with Networking. Okay, I'm going to malwarebytes.com now... Downloading the free version... Installing it... It's open now. Should I run a scan?

Running a full scan now. This might take a while... Okay, it's done. It found 47 threats! That's terrifying. There are things labeled "PUP" and "Adware" and two items marked "Trojan."

Clicking Quarantine now... It says all threats have been quarantined and it's asking me to restart. Should I?

Restarting... The computer is back up in normal mode. It already feels faster! And no pop-ups so far!

My browser homepage is still the weird one though. How do I fix that?

Okay, I went to browser settings and reset everything to defaults. The homepage is back to normal now!

Windows Defender is working again too! It opened right up when I clicked it. Should I run another scan with that?

Good idea. And yes, I'll change my passwords. I'm honestly a little scared now. How do I avoid this happening again?

That all makes sense. I'll be way more careful about what I download from now on. Thank you so much for walking me through all of this!

SCENARIO 5 — TECH SCRIPT

You are IT support helping a user whose computer is infected with malware.

Hello, IT support here. I can hear this is urgent—tell me everything that's going on with your computer.

Note: Let the user describe all symptoms before jumping to conclusions. Multiple symptoms together paint a clearer picture of the infection type and severity.

Pop-ups appearing outside the browser, a changed homepage, and a disabled antivirus—those are all classic signs of a malware infection. Can you think of anything you downloaded or installed recently? Any new software, email attachments, or files from the internet?

Note: Identifying the infection vector helps determine scope. Freeware bundles are one of the most common delivery mechanisms for adware and PUPs (Potentially Unwanted Programs).

That's almost certainly the source. Free software downloads from untrusted sites often come bundled with adware and other malware that installs alongside the legitimate program. The fact that your antivirus is disabled is particularly concerning—some malware specifically targets security software to prevent removal.

How is the computer performing overall? Is it running slow, overheating, or behaving strangely in any other way?

The first thing I need you to do is disconnect from the internet immediately. This prevents any malware from sending data out or downloading additional payloads. Turn off Wi-Fi and unplug any ethernet cable.

Note: Network isolation is the critical first step in malware response. It prevents data exfiltration, command-and-control communication, and further downloads of malicious components.

Good. Now we need to boot into Safe Mode with Networking. Safe Mode will prevent most malware from running at startup, and the networking part will let us download a removal tool. Hold Shift on your keyboard, then click Start and click Restart while still holding Shift.

Follow the path through Troubleshoot, then Advanced options, then Startup Settings, and click Restart. When you see the numbered list, press 5 for "Enable Safe Mode with Networking."

That's because most malware loads during normal startup. Safe Mode only loads essential Windows services, so the malicious programs aren't active right now. First, let's check for suspicious programs. Go to Settings, then Apps, and look through the list of installed programs. Look for anything you don't recognize or didn't intentionally install.

Note: PUPs and adware often install with generic or professional-sounding names to avoid suspicion. Check installation dates—anything installed around the same time as the freeware download is suspect.

Those are all malware components that came bundled with that video converter. Go ahead and uninstall each of them one by one. Click on each one, then click Uninstall.

Now we need to run a dedicated malware scanner. I want you to reconnect to the internet briefly—remember, we're in Safe Mode with Networking so this is safe. Open your browser and go to malwarebytes.com. Download and install the free version of Malwarebytes.

Yes, run a full system scan. It will take some time, but it will search every file on your system for known malware, adware, and PUPs. Let it run to completion.

Note: Malwarebytes is an industry-standard remediation tool that complements Windows Defender. It excels at finding PUPs and adware that traditional antivirus may miss.

47 threats is a significant infection, but don't panic—many of those are likely related components from the same bundle (registry entries, scheduled tasks, browser extensions). The PUPs and adware are the pop-up generators. The Trojans are more serious and may have been downloading additional malware. Click "Quarantine" to isolate and neutralize all detected threats.

Yes, go ahead and restart into normal mode. The quarantine moves the malicious files to a secure location where they can't execute. After the restart, we'll do a few more cleanup steps.

The malware likely modified your browser settings directly. Open your browser's settings and look for a "Reset settings" or "Restore settings to their original defaults" option. This will clear the hijacked homepage, any malicious extensions, and modified search engines all at once.

Note: Browser reset is essential after adware removal. Malware often installs hidden browser extensions, modifies the default search engine, and changes homepage settings that persist even after the main malware files are removed.

That's a great sign that Defender is working again—the malware that was blocking it has been removed. Yes, run a full scan with Windows Defender as well. It may catch anything Malwarebytes missed, since different scanners use different detection signatures.

I strongly recommend you change all your passwords from a different device—your phone or another computer—just in case. Start with email, banking, and any site where you use the same password. Those Trojans may have captured keystrokes or credentials.

Here are some important habits going forward: First, only download software from official vendor websites or trusted sources like the Microsoft Store. Second, when installing any free software, always choose "Custom" or "Advanced" installation and uncheck any bundled programs. Third, keep Windows Defender active at all times and never ignore its warnings. And fourth, if something seems too good to be true—like a free version of paid software—it usually is.

You're very welcome! Your system should be clean now, but if you notice any of those symptoms returning, call us right away. It's always easier to deal with malware early. Have a great day!

SCENARIO 5 — INSTRUCTOR SHEET

Confidential – For Instructor Use Only

Root Cause Analysis

Issue: Windows 10 computer exhibiting multiple malware symptoms: persistent pop-up advertisements, browser homepage hijacking, disabled Windows Defender, and severe performance degradation

Root Cause: Malware infection consisting of adware, PUPs (Potentially Unwanted Programs), and at least two Trojan components, delivered via a bundled freeware installer (free video converter downloaded from an untrusted website). The malware bundle installed multiple components including a browser hijacker (SearchBaron), a desktop notification adware agent (DesktopNotify Pro), and a fake system utility (SystemBoost Helper) that disabled Windows Defender to prevent detection and removal.

Why It Occurred: The user downloaded free software from an unverified source. The installer used a deceptive "express install" process that silently bundled multiple malicious programs alongside the legitimate video converter. The lack of custom installation review allowed all bundled components to install without the user's informed consent.

Replication Steps (For Setup)

This scenario is best conducted as a verbal/roleplay exercise due to the risk of actual malware exposure
For visual simulation: change the browser homepage to an unfamiliar search engine, install a benign browser extension with pop-up behavior, and disable Windows Defender via Group Policy (gpedit.msc → Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Turn off Microsoft Defender Antivirus → Enabled)
Add fake entries to the Apps list by creating dummy programs or shortcuts named "SearchBaron Browser Optimizer," "DesktopNotify Pro," and "SystemBoost Helper"
To restore: re-enable Defender via Group Policy, reset browser settings, and remove dummy programs
Ensure Malwarebytes free version is accessible for students to demonstrate the scanning and quarantine process

Troubleshooting Workflow

Identify Symptoms: Document all reported symptoms (pop-ups, homepage hijack, disabled AV, performance issues) to determine infection scope
Identify Infection Vector: Determine what was downloaded/installed recently to understand the attack surface
Disconnect from Network: Disable Wi-Fi and unplug ethernet to prevent data exfiltration and C2 (command-and-control) communication
Boot to Safe Mode with Networking: Shift+Restart → Troubleshoot → Advanced options → Startup Settings → Enable Safe Mode with Networking (option 5)
Remove Suspicious Programs: Settings → Apps → identify and uninstall all unrecognized software, especially anything installed around the time of infection
Run Malware Scan: Download and run Malwarebytes (reconnect network in Safe Mode). Execute full scan and quarantine all detected threats
Restart and Verify: Reboot into normal mode and confirm symptoms are resolved
Reset Browser: Reset browser settings to defaults to remove hijacked homepage, malicious extensions, and modified search engines
Re-enable Security: Confirm Windows Defender is operational and run a secondary full scan
Credential Security: Advise user to change all passwords from a separate clean device
User Education: Teach safe download practices, custom installation habits, and warning signs of bundled malware

Learning Objectives (CompTIA A+ Core 2)

2.4: Given a scenario, explain common methods for removing malware – Complete malware removal workflow including network isolation, Safe Mode boot, scanning with anti-malware tools, quarantine, and post-removal verification
2.1: Summarize various security measures and their purposes – Understanding physical and logical security measures including network disconnection for threat containment and the role of antivirus/anti-malware software
2.3: Given a scenario, detect, remove, and prevent malware using the appropriate tools and methods – Using Malwarebytes and Windows Defender for detection, identifying PUPs and adware in Add/Remove Programs, resetting browser settings, and educating users on prevention
Communication Skills: Practice reassuring an anxious user, explaining malware concepts without causing panic, and delivering actionable prevention guidance

SCENARIO 5 — OBSERVER CHECKLIST

Performance Evaluation Form

Tech Name: Observer Initials:

Date:

Criterion	Score (0-5)	Notes
1. Threat Containment Immediately directed user to disconnect from the network. Explained the importance of isolation to prevent data exfiltration. Chose appropriate Safe Mode option (with Networking).	_____/5
2. Malware Identification Correctly identified symptoms as malware indicators. Asked about recent downloads to determine infection vector. Recognized disabled antivirus as a sign of active malware defense evasion.	_____/5
3. Removal Methodology Followed proper malware removal sequence: isolate, Safe Mode, remove suspicious programs, scan with anti-malware tool, quarantine threats, verify removal, reset browser, confirm AV operational.	_____/5
4. User Education on Prevention Explained how bundled software works. Advised on safe download practices and custom installation options. Recommended password changes from a clean device. Provided clear future prevention steps.	_____/5
5. Professionalism & Composure Maintained calm and reassuring tone despite severity of infection. Did not blame user for the infection. Managed the multi-step process without rushing or overwhelming the user. Closed interaction professionally.	_____/5
TOTAL: _____/25

Additional Comments:

SCENARIO 6 — USER SCRIPT

You are calling IT support about documents you sent to the office printer that never came out.

Hi, I really need help. I sent several important documents to the printer about fifteen minutes ago and nothing has come out. I have a meeting in thirty minutes and I need these printed.

It's the main office printer, the HP LaserJet down the hall. I'm on Windows 10. The printer icon in the system tray shows it as online.

I've tried sending the documents twice now. The second time I even tried a different file—a simple one-page memo—and that didn't print either.

Yes, I checked the printer itself. The display screen says "Ready" and there's plenty of paper. No paper jams or anything like that.

No, nobody else has mentioned problems. But I'm not sure if anyone else has tried printing recently.

Okay, how do I check the print queue?

I double-clicked the printer icon in the system tray. Oh wow, I see a whole bunch of documents listed here. Some say "Error" and others say "Printing" but nothing is actually coming out.

There are about eight documents in there. Some of them are from earlier this morning. A couple have that "Error" status.

Okay, I selected all of them and hit Cancel. It's asking me to confirm... Done, they're clearing out now.

Alright, I have the Command Prompt open. What do I type?

Typed "net stop spooler" and pressed Enter. It says the Print Spooler service is stopping... Okay, it stopped successfully.

Now "net start spooler"... It says the Print Spooler service was started successfully.

Let me try printing that one-page memo again... Sending it now.

Yes! I can hear the printer warming up! It's printing! Oh, that's such a relief.

So the old stuck documents were causing the problem? That makes sense. How do I prevent this from happening again?

Got it. Thank you so much, you really saved me before this meeting!

SCENARIO 6 — TECH SCRIPT

You are IT support helping a user whose print jobs are not reaching the printer.

Hello, IT support here. I understand you're having trouble printing. Can you tell me which printer you're trying to use, what operating system you're on, and whether the printer appears online or offline?

Note: Identify the printer model, connection type, and OS immediately. Check whether the issue is with the printer hardware, the network, or the local print system.

Okay, so the printer shows as online and you've sent multiple documents with no output. Have you checked the physical printer for any error messages on its display, paper jams, or low toner?

Good, so the hardware seems fine. Have any other users reported issues with this printer today?

Note: Determining if the issue is isolated to one user or affecting everyone helps narrow the root cause—local spooler vs. printer/network issue.

Let's start by checking your print queue. Double-click the printer icon in your system tray near the clock, or go to Settings, then Devices, then Printers & Scanners, find your printer, and click "Open print queue."

That's very likely the problem. When print jobs get stuck or fail, they can block the entire queue. Nothing behind them can print until they're cleared. Let's cancel all of those documents. Click Printer at the top menu, then "Cancel All Documents."

Note: Stuck or corrupted jobs in the queue block all subsequent jobs. Always clear the queue before restarting the spooler.

Good. Now we need to restart the Print Spooler service to make sure it's running cleanly. Open Command Prompt as Administrator—right-click the Start button and select "Command Prompt (Admin)" or "Windows Terminal (Admin)."

Type net stop spooler and press Enter. Wait for it to confirm the service has stopped.

Now type net start spooler and press Enter. This restarts the service fresh.

Note: You can also restart the spooler through services.msc → find Print Spooler → right-click → Restart. The command line method is faster for phone support.

Excellent. Before we test, let's also make sure this printer is set as your default. Go to Settings, Devices, Printers & Scanners, and check that the HP LaserJet has "Default" listed under it. If not, click it and select "Set as default."

Now try sending one document to the printer as a test.

The Print Spooler service manages all print jobs on your computer. When a corrupted or oversized job gets stuck, it can hang the entire spooler. All jobs behind it pile up and nothing prints. Restarting the spooler clears that logjam.

To prevent this in the future, if you ever notice a print job sitting in the queue for more than a minute or two without progress, cancel it right away before it blocks everything else. And if clearing the queue doesn't work, that net stop spooler and net start spooler sequence is your go-to fix.

You're very welcome! Good luck in your meeting. Don't hesitate to call back if you need anything.

SCENARIO 6 — INSTRUCTOR SHEET

Confidential – For Instructor Use Only

Root Cause Analysis

Issue: User sends multiple documents to a network printer but nothing prints, despite the printer showing as online and ready.

Root Cause: The Windows Print Spooler service became hung due to corrupted or failed print jobs stuck in the queue. These blocked jobs prevented all subsequent print requests from being processed and sent to the printer.

Why It Occurred: A corrupted print job (often caused by a large or complex document, a momentary network interruption during transmission, or a driver incompatibility) entered the queue and failed to complete or cancel cleanly. The spooler continued attempting to process the failed job, blocking the pipeline. This is one of the most common printing issues in enterprise environments.

Replication Steps (For Setup)

On a Windows 10/11 machine, open services.msc and locate the Print Spooler service
Stop the Print Spooler service
Navigate to C:\Windows\System32\spool\PRINTERS
Create a dummy file (e.g., a 0-byte .SPL file) in the PRINTERS folder to simulate a corrupted job
Restart the Print Spooler service—it will attempt to process the corrupt file and stall
Alternatively, send a print job and immediately stop the spooler mid-transmission to leave a partial job in the queue
Student should observe that new print jobs queue but do not print

Troubleshooting Workflow

Gather Information: Identify printer model, OS, connection type, and whether the printer hardware shows errors
Isolate the Scope: Determine if the problem affects one user or all users—single-user issue points to local spooler, multi-user points to printer/network
Inspect the Print Queue: Open the print queue and look for stuck, failed, or error-status jobs
Clear the Queue: Cancel all documents via Printer → Cancel All Documents
Restart the Spooler: Run net stop spooler followed by net start spooler from an elevated Command Prompt
Verify Default Printer: Confirm the correct printer is set as the default to prevent future misdirected jobs
Test Print: Send a single test document to verify the fix
Educate User: Explain how stuck jobs block the queue and how to recognize and clear them early

Learning Objectives (CompTIA A+ Core 2)

3.1: Given a scenario, troubleshoot common Windows OS problems – Diagnosing print failures caused by spooler service issues and corrupted queue jobs
1.3: Given a scenario, use features and tools of the Microsoft Windows 10/11 operating system – Using the Services console (services.msc), printer management, and command-line service control (net stop/net start)
Communication Skills: Practice guiding a stressed user through time-sensitive troubleshooting while maintaining composure and providing clear, sequenced instructions

SCENARIO 6 — OBSERVER CHECKLIST

Performance Evaluation Form

Tech Name: Observer Initials:

Date:

Criterion	Score (0-5)	Notes
1. Problem Identification Gathered printer model, OS, and connection details. Verified physical printer status. Asked about other affected users to determine scope.	_____/5
2. Print Queue Management Directed user to open and inspect the print queue. Identified stuck/failed jobs as the root cause. Properly guided cancellation of all queued documents.	_____/5
3. Service Restart Procedure Correctly instructed user to open an elevated Command Prompt. Provided accurate `net stop spooler` and `net start spooler` commands. Confirmed service restarted successfully.	_____/5
4. Default Printer Verification Checked that the correct printer was set as default. Verified the fix with a test print. Confirmed output reached the physical printer.	_____/5
5. Professionalism Under Time Pressure Acknowledged the user's deadline and urgency. Maintained a calm, efficient pace. Provided preventive advice without rushing the interaction. Closed the call professionally.	_____/5
TOTAL: _____/25

Additional Comments:

SCENARIO 7 — USER SCRIPT

You are calling IT support because your workstation account is locked out and you cannot log in.

Hi, I really need help. I can't log into my computer at all. I keep getting an error message on the screen.

It says "The referenced account is currently locked out and may not be logged on to." I'm positive I'm using the right password.

Sure, no problem. My name is Jamie Parker, employee ID 4417. I'm in the Accounting department, desk 3B.

My username is jparker. I've been using the same password for the past two weeks since IT had me change it.

Honestly, I'm not totally sure. I came in this morning, typed my password, and it didn't work. So I tried a few more times, maybe four or five, and then this lockout message appeared.

Wait, actually—now that you mention it, I did notice the Caps Lock light was on when I sat down. I turned it off after the first failed attempt, but I might have already typed the wrong password a couple of times with it on.

Nobody else uses my computer. It's just my workstation at my desk.

Okay, sure. I'll wait while you unlock it.

Oh, you can see that? Yes, I do use Outlook on my phone. I changed my password two weeks ago on the computer but I don't think I ever updated it on the phone.

That could be it! The phone was probably trying my old password over and over in the background.

Okay, I'm trying to log in now... It's working! I'm in! Thank you so much!

Got it. I'll update my phone right now and I'll make sure Caps Lock is off next time. Thanks again for the quick help!

SCENARIO 7 — TECH SCRIPT

You are IT support helping a user who is locked out of their workstation account.

Hello, IT support. I understand you can't log into your workstation. Can you tell me the exact error message you're seeing?

Note: The phrase "locked out" is critical—it means the account lockout threshold has been exceeded. This is different from an expired or disabled account, which produce different error messages.

That's an account lockout message. Before I make any changes to your account, I need to verify your identity for security purposes. Can you please provide me with your full name, employee ID, and department?

Note: Always verify user identity before unlocking an account. An attacker could call the help desk pretending to be a locked-out user to gain unauthorized access. This is a social engineering defense.

Thank you, Jamie. Let me pull up your account. Can you confirm your username for me?

I see your account, and it is indeed locked. Before I unlock it, I want to understand what happened. Were you able to log in yesterday, and do you remember how many times you tried your password this morning?

That's a common cause. When Caps Lock is on, your password goes in with the wrong case and the system counts each attempt as a failed login. Our policy locks accounts after five failed attempts to protect against unauthorized access.

One more question—does anyone else have access to your workstation, or could someone else have been trying to log in with your credentials?

Note: Always investigate whether the lockout could indicate a security incident. Multiple failed logins from an unknown source could mean someone is trying to access the account.

Good. I'm going to unlock your account now. I'm connecting to your machine remotely and opening the Local Users and Groups manager. Give me just a moment.

Note: Open lusrmgr.msc on the machine or domain controller. Navigate to Users, find the account, open Properties, and uncheck "Account is locked out" on the Account tab.

Your account is now unlocked. Before you try logging in, I also noticed something in the logs—there were several failed authentication attempts from a mobile device. Do you by chance have your work email set up on your phone?

That's likely a contributing factor. When you changed your password on your computer but didn't update it on your phone, the phone kept trying to authenticate with the old password in the background. Each failed attempt from the phone counted toward your lockout threshold, so you may have already been close to the limit before you even sat down this morning.

Note: Stale credentials on mobile devices and saved passwords in applications are one of the most common causes of repeated account lockouts. Always check for this pattern.

Go ahead and try logging in now with your current password—and double-check that Caps Lock is off first.

You're all set. Make sure you update your password on your phone right away—go to your email app's account settings and enter your current password. That will prevent the phone from locking you out again. And in the future, whenever you change your password on the computer, update it on all your other devices the same day. Have a great morning!

SCENARIO 7 — INSTRUCTOR SHEET

Confidential – For Instructor Use Only

Root Cause Analysis

Issue: User receives "The referenced account is currently locked out and may not be logged on to" error and cannot access their Windows workstation.

Root Cause: The account exceeded the failed login attempt threshold defined in the local or domain account lockout policy (typically 3–5 attempts). The lockout was triggered by a combination of Caps Lock being enabled during manual login attempts and stale credentials stored on a mobile device repeatedly failing authentication in the background.

Why It Occurred: Account lockout policies exist to defend against brute-force password attacks. In this case, the user changed their workstation password two weeks prior but never updated the saved credentials in their phone's email application. The phone continuously attempted to authenticate with the old password, consuming failed-attempt counts. When the user arrived and mistyped their password due to Caps Lock, the remaining attempts were exhausted and the account locked.

Replication Steps (For Setup)

On a Windows 10/11 machine, open secpol.msc (Local Security Policy)
Navigate to Account Policies → Account Lockout Policy
Set "Account lockout threshold" to 5 invalid logon attempts
Set "Account lockout duration" to 30 minutes (or 0 for manual unlock only)
Set "Reset account lockout counter after" to 30 minutes
Create or use a test user account
Attempt to log in with the wrong password 5 times to trigger the lockout
Student should see the lockout error message on the next login attempt
To unlock: open lusrmgr.msc → Users → right-click user → Properties → uncheck "Account is locked out"

Troubleshooting Workflow

Confirm the Error: Have the user read the exact error message to distinguish lockout from disabled/expired account
Verify User Identity: Request full name, employee ID, department, and username before making any account changes—this is a critical security step
Unlock the Account: Use lusrmgr.msc (Local Users and Groups) or Active Directory Users and Computers to find the account, open Properties, and uncheck "Account is locked out"
Investigate Root Cause: Ask about Caps Lock, recent password changes, number of login attempts, and whether anyone else has access to the workstation
Check for Stale Credentials: Identify devices or applications (mobile email, VPN clients, mapped drives, scheduled tasks) that may be authenticating with an old password
Test the Fix: Have the user log in successfully while confirming Caps Lock is off
Educate the User: Explain why lockout policies exist (brute-force protection) and advise updating passwords on all devices immediately after a change

Learning Objectives (CompTIA A+ Core 2)

1.5: Given a scenario, manage and configure basic security settings in the Microsoft Windows OS – Managing user accounts via lusrmgr.msc (Local Users and Groups), understanding account properties and lockout status
2.2: Given a scenario, configure and apply security best practices – Understanding account lockout policies, failed login thresholds, and their role in defending against brute-force and unauthorized access attempts
Communication Skills: Practice verifying user identity (social engineering defense), explaining security policies in non-threatening terms, and conducting root cause analysis during a support interaction

SCENARIO 7 — OBSERVER CHECKLIST

Performance Evaluation Form

Tech Name: Observer Initials:

Date:

Criterion	Score (0-5)	Notes
1. Identity Verification (Security) Requested full name, employee ID, department, and username before making account changes. Treated the interaction as a potential social engineering scenario by following verification protocol.	_____/5
2. Account Unlock Procedure Correctly used `lusrmgr.msc` to locate the user account. Unchecked the "Account is locked out" property. Confirmed the account was unlocked before asking the user to log in.	_____/5
3. Root Cause Investigation Asked about Caps Lock status, number of failed attempts, and recent password changes. Identified stale credentials on the mobile device as a contributing factor. Did not simply unlock and move on.	_____/5
4. Policy Explanation Explained why account lockout policies exist (brute-force protection). Described the failed-attempt threshold clearly. Connected the policy to real-world security without alarming the user.	_____/5
5. User Education Advised updating passwords on all devices after a change. Warned about Caps Lock awareness. Provided actionable, memorable guidance the user can apply independently in the future.	_____/5
TOTAL: _____/25

Additional Comments:

SCENARIO 8 — USER SCRIPT

You are calling IT support about a computer that takes forever to start up.

Hi, I really need some help. My computer takes an absolute eternity to start up in the morning. I'm talking ten minutes or more just to get to the desktop.

It's a Windows 11 desktop. I've had it for about two years now. When I first got it, it booted up in under a minute. Now it's completely unbearable.

No, I haven't really changed anything major. I mean, I've installed programs over time—Spotify, Discord, Steam for my kid, some Adobe stuff for work. But nothing recently.

Task Manager? Sure, let me try that... Ctrl, Shift, Escape. Okay, it's open.

I see Processes right now. Oh wait, I see a Startup tab at the top. Clicking that now.

Wow, there's a lot of stuff in here. I see Spotify, Discord, Steam Client, Adobe Updater, some OneDrive thing, a Corsair utility, something called "iTunesHelper," and a few others I don't even recognize.

Most of them say "High" under Startup impact. A couple say "Medium."

Really? I had no idea all of those were starting up automatically. I only use Spotify when I want to listen to music, not every single morning.

Okay, I right-clicked on Spotify and I see "Disable." I'll click that. Doing the same for Discord... Steam... Adobe Updater... and iTunesHelper. Done.

Now you want me to check disk space? Okay, opening This PC... Oh. My C: drive says 23 GB free out of 256 GB. Is that bad?

Disk Cleanup? Let me search for it... Found it. It's scanning now. It says it can free up 8.4 GB! There are a lot of temporary files and something called "Windows Update Cleanup."

Alright, I checked all the boxes and clicked OK. It's cleaning now.

Chrome extensions? Let me check... Oh wow, I have like fifteen extensions. I don't even remember installing half of these. There's a coupon finder, two ad blockers, a weather widget, some PDF tool...

Okay, I removed the ones I don't use. I think I'm down to about five now.

So all of this was slowing down my startup? I had no idea programs could just add themselves to the boot process like that. Thank you so much—I'll restart now and see how it goes!

SCENARIO 8 — TECH SCRIPT

You are IT support helping a user with extremely slow startup times.

Hello, IT support here. I understand your computer is taking a long time to boot up. Can you tell me what version of Windows you're running, and roughly how long the startup takes?

Note: Establish the baseline—how long is startup taking versus the user's expectation? Get OS version and approximate system age.

Two years old and it used to be fast—that's a classic sign of startup bloat. Have you installed many programs over that time period?

That explains a lot. Many of those programs add themselves to your startup sequence, meaning they all try to load every time you turn on your computer. Let's take a look. Can you open Task Manager by pressing Ctrl+Shift+Esc?

Note: Task Manager is the primary tool for managing startup applications in Windows 10/11. The Startup tab shows all programs registered to run at boot.

Perfect. Now click on the "Startup" tab at the top of the Task Manager window. This shows every program that launches automatically when your computer starts.

Good. Can you tell me what programs you see listed there, and what their "Startup impact" column says?

That's your problem right there. Every one of those programs is fighting for system resources during boot. Your computer is trying to launch all of them simultaneously, which overwhelms the CPU and disk. Let's disable the ones you don't need running at startup. You can always open these programs manually when you actually want to use them.

Note: Disabling a startup item does NOT uninstall the program. It simply prevents it from auto-launching. The user can still open it manually anytime.

Right-click on Spotify and select "Disable." Then do the same for Discord, Steam Client, Adobe Updater, and iTunesHelper. Keep things like Windows Security and OneDrive if you use cloud syncing.

Excellent. Now let's check your disk space, because a nearly full hard drive also slows down boot times significantly. Open File Explorer and click on "This PC" in the left panel. How much free space does your C: drive show?

Note: Windows needs at least 10-15% free disk space for virtual memory, temporary files, and system operations. Below that threshold, performance degrades noticeably.

That's quite low—only about 9% free. Let's run Disk Cleanup to reclaim some space. Search for "Disk Cleanup" in the Start menu and run it on your C: drive.

8.4 GB is a great recovery. Go ahead and check all the boxes—those are all safe to remove—then click OK to clean them up.

Good. One more thing—excessive browser extensions can also drag down overall system performance, especially at startup if your browser is set to launch automatically. Can you open Chrome and go to the extensions page? You can type chrome://extensions in the address bar.

That's a lot of extensions. Each one consumes memory and CPU cycles. I'd recommend removing anything you don't actively use on a regular basis. Keep your essential ones and remove the rest.

You're in much better shape now. To answer your question—yes, most programs add startup entries during installation, often without clearly asking. Going forward, I'd suggest checking your Startup tab in Task Manager every couple of months to keep things clean. After you restart, your boot time should be dramatically improved.

Note: Reinforce the preventive habit. Educating users on periodic startup maintenance prevents repeat calls for the same issue.

SCENARIO 8 — INSTRUCTOR SHEET

Confidential – For Instructor Use Only

Root Cause Analysis

Issue: Windows 11 desktop takes 10+ minutes to reach the desktop, progressively worsening over two years of ownership

Root Cause: Startup bloat from accumulated software installations. Multiple high-impact applications (Spotify, Discord, Steam, Adobe Updater, iTunesHelper, Corsair utility) registered as startup items, all competing for CPU, memory, and disk I/O during boot. Compounded by low disk space (only 9% free on a 256 GB drive) limiting virtual memory and temp file operations.

Why It Occurred: Most consumer software silently enables auto-start during installation. Over two years of installing applications, the startup queue grew unchecked. The user was unaware that these programs were loading at boot because no single installation caused a dramatic slowdown—the degradation was gradual. Low disk space from accumulated files, cached updates, and temporary data further compounded the problem.

Replication Steps (For Setup)

On a Windows 11 machine, install several common consumer applications: Spotify, Discord, Steam, iTunes, and any Adobe product with an updater component
Verify each application has added a startup entry by opening Task Manager (Ctrl+Shift+Esc) → Startup tab
Optionally, fill the C: drive to below 10% free space using large temporary files to simulate the low-disk condition
Install 10+ browser extensions in Chrome (coupon finders, weather widgets, PDF tools, duplicate ad blockers) to simulate extension bloat
Restart the machine and observe the extended boot time caused by all startup items loading simultaneously

Troubleshooting Workflow

Gather Information: Confirm OS version, system age, and timeline of performance degradation. Ask about recently installed software.
Open Task Manager: Guide user to Ctrl+Shift+Esc and navigate to the Startup tab to audit all auto-start entries.
Identify High-Impact Items: Review the Startup impact column. Flag non-essential programs marked as "High" or "Medium" impact.
Disable Unnecessary Startup Items: Right-click → Disable for each non-essential item (Spotify, Discord, Steam, Adobe Updater, iTunesHelper). Preserve security and OS-critical entries.
Check Disk Space: Open This PC and verify free space on C: drive. Below 10-15% free triggers performance degradation.
Run Disk Cleanup: Launch Disk Cleanup utility, select all safe categories (Temporary files, Windows Update Cleanup, Recycle Bin, Thumbnails), and execute cleanup.
Audit Browser Extensions: Open chrome://extensions and remove unused or suspicious extensions that consume memory and CPU.
Educate on Prevention: Advise periodic review of Task Manager Startup tab every 1-2 months after installing new software.

Learning Objectives (CompTIA A+ Core 2)

1.3: Given a scenario, use features and tools of the Microsoft Windows 10/11 operating system – Task Manager (Startup tab management), Disk Cleanup utility, and system resource monitoring
3.1: Given a scenario, troubleshoot common Windows OS problems – Slow boot performance diagnosis, startup optimization, and disk space management
Communication Skills: Practice explaining cumulative performance degradation in user-friendly terms, distinguishing between disabling a startup entry and uninstalling a program, and teaching preventive maintenance habits

SCENARIO 8 — OBSERVER CHECKLIST

Performance Evaluation Form

Tech Name: Observer Initials:

Date:

Criterion	Score (0-5)	Notes
1. Performance Diagnosis Approach Asked about system age, OS version, and software installation history. Correctly identified startup bloat as the probable cause based on the gradual degradation pattern.	_____/5
2. Task Manager Proficiency Guided user to open Task Manager via keyboard shortcut. Navigated to Startup tab. Correctly interpreted Startup impact column and identified non-essential items.	_____/5
3. Startup Optimization Clearly distinguished between essential and non-essential startup items. Disabled appropriate programs without affecting security or OS-critical services. Explained that disabling does not uninstall.	_____/5
4. Disk Space Management Checked drive capacity and identified low free space as a contributing factor. Guided user through Disk Cleanup utility. Addressed browser extension bloat as additional overhead.	_____/5
5. User Education on Prevention Explained how programs add startup entries during installation. Recommended periodic Startup tab reviews. Gave clear preventive maintenance guidance to avoid future recurrence.	_____/5
TOTAL: _____/25

Additional Comments:

SCENARIO 9 — USER SCRIPT

You are calling IT support about a VPN that stopped connecting from your home office.

Hi, I'm hoping you can help me. I work from home and my VPN just stopped working. I can't connect to the company network at all.

It just says "Connection failed" when I try to connect. No other details really—just that message and then it goes back to the disconnected state.

It was working perfectly fine last week. I didn't change anything on my end. I just came in Monday morning and it wouldn't connect anymore.

Windows 11, and I'm using the company VPN client—I think it's called GlobalProtect. My regular internet is working fine. I can browse websites, watch videos, everything else works.

Sure, let me open Command Prompt... Typing "ping 8.8.8.8" now. I'm getting replies. It says "Reply from 8.8.8.8" with some numbers.

Okay, where do I find the detailed error? Let me look at the VPN client... There's a little arrow for details. It says something about "connection timed out" and "unable to establish tunnel."

My password? No, I haven't changed it. But wait—actually, I did get an email last week saying I needed to update my password for the company account. I did change it on the website. Could that matter?

Let me try with the new password... Still says "Connection failed." Same timeout error.

Windows Firewall? Okay, how do I check that?

I'm typing "wf.msc" in the search bar... Okay, I see "Windows Defender Firewall with Advanced Security." There are inbound rules and outbound rules on the left.

Outbound rules... There are a lot of them. You want me to look for ones that are blocking? How do I tell which ones are blocking?

I'm sorting by Action... Oh, I see a few that say "Block" in the Action column. One of them says "Block VPN Ports" and it looks like it was recently added. That seems suspicious.

Okay, I right-clicked on it and selected Disable Rule. Let me try the VPN now... It's connecting... Oh! It says "Connected!" I can see the company network!

The firewall did that? But I didn't add any firewall rules. How did that get there?

That makes sense. I did notice Windows updated over the weekend. So should I just leave that rule disabled?

Okay, I understand. Thank you so much for walking me through that—I was starting to panic about missing work today!

SCENARIO 9 — TECH SCRIPT

You are IT support helping a remote user whose VPN has stopped connecting.

Hello, IT support here. I understand your VPN isn't connecting. Can you tell me exactly what happens when you try to connect—any error messages or codes?

Note: Always start by getting the exact error message. "It doesn't work" is too vague—push for specifics.

Got it. And when did this stop working? Was there anything that changed on your computer recently—updates, new software, any configuration changes?

Okay, so it was working last week and failed on Monday with no deliberate changes. What version of Windows are you running, and which VPN client are you using? Also, can you confirm your regular internet is working?

Note: Verify basic internet connectivity first. If the internet is down, the VPN obviously cannot connect. Always rule out the simplest explanation.

Good—internet is working, so this is VPN-specific. Let's verify connectivity to an external server first. Open Command Prompt and type ping 8.8.8.8 and press Enter. This confirms your network stack is functioning properly.

Perfect, you have solid internet connectivity. Now let's look at the VPN client for more details. Many VPN clients have a "details" or "diagnostics" section that shows the actual error. Can you look for that in the GlobalProtect window?

"Connection timed out" and "unable to establish tunnel"—that tells us the VPN client is trying to reach the server but the connection is being blocked somewhere. Before we dig into that, one quick question: have you changed your company password recently? Some VPN clients cache old credentials.

Note: VPN credentials are a common point of failure. Many organizations have 90-day password rotation policies. Always check if the user's password recently changed.

Good thinking to check that. Go ahead and try connecting with your updated password, making sure to type it carefully.

Still failing with the correct password. Since your internet works but the VPN tunnel can't establish, something is likely blocking the VPN traffic specifically. Let's check your Windows Firewall. Type wf.msc in the Windows search bar and open it. This gives us the advanced firewall configuration.

Note: wf.msc opens Windows Defender Firewall with Advanced Security. This is the granular interface—not the basic Control Panel firewall view. It shows all inbound and outbound rules with their actions.

Good, you're in. Now click on "Outbound Rules" in the left panel. VPN traffic originates from your computer going outward, so any blocking rule would appear here. Look for rules with "Block" in the Action column—you can click the Action column header to sort by it.

A rule called "Block VPN Ports" that was recently added—that's almost certainly our culprit. Right-click on that rule and select "Disable Rule." Then try your VPN connection again.

Note: We disable rather than delete the rule first. This lets us test the theory while preserving the rule in case we need to examine it further or if the issue is something else.

Excellent! That confirms the firewall rule was blocking the ports your VPN uses to create its tunnel. Great question about how it got there—Windows updates sometimes reset or add firewall rules, and certain security software can also inject rules. Group policy updates from your company could also be a factor. It's unusual but not unheard of.

Rather than leaving it disabled, the better approach is to delete that blocking rule entirely and then verify that your VPN's ports are explicitly allowed. Right-click the disabled rule and select "Delete." Then I'd recommend contacting your company's network team to confirm the correct firewall configuration for GlobalProtect—they may need to push an updated policy to your machine. For now, your VPN is working and you're all set.

You're very welcome! If it happens again after another update, you know exactly where to look. Have a great workday!

Note: For remote workers, VPN connectivity is critical. Always validate the fix, explain the root cause, and provide the user with enough knowledge to check the firewall themselves if the issue recurs.

SCENARIO 9 — INSTRUCTOR SHEET

Confidential – For Instructor Use Only

Root Cause Analysis

Issue: VPN client (GlobalProtect) fails to connect from a remote user's home office with "Connection failed—connection timed out" error, despite normal internet connectivity

Root Cause: A Windows Defender Firewall outbound rule was added that blocks VPN protocol ports. The rule titled "Block VPN Ports" prevents the VPN client from establishing an encrypted tunnel to the corporate VPN gateway. Typical VPN ports affected include UDP 500 and UDP 4500 (for IKEv2/IPsec) or TCP 443 (for SSL VPN).

Why It Occurred: The blocking rule was introduced during a Windows update or security policy push over the weekend. Windows cumulative updates can occasionally reset or modify firewall rules, and third-party security software or group policy objects can also inject blocking rules. The user was unaware of the change because it happened silently in the background.

Replication Steps (For Setup)

On a Windows 11 machine with a VPN client installed, open wf.msc (Windows Defender Firewall with Advanced Security)
Navigate to Outbound Rules
Create a new outbound rule: Action → New Rule → Port → UDP → Specific remote ports: 500, 4500 → Block the connection → Apply to all profiles → Name: "Block VPN Ports"
Optionally create a second rule blocking TCP 443 if the VPN uses SSL tunneling
Test that the VPN client now fails with "Connection timed out" or "Unable to establish tunnel"
To restore for student exercise: leave the blocking rule active so the student must discover and disable/delete it

Troubleshooting Workflow

Gather Information: Get exact error message, VPN client name, OS version, and timeline of when the failure started
Verify Internet Connectivity: Use ping 8.8.8.8 to confirm the network stack is functional and internet access is unaffected
Examine VPN Error Details: Check the VPN client's diagnostic or detail view for specific error codes (timeout, tunnel failure, authentication failure)
Check Credentials: Verify VPN credentials are current—ask about recent password changes per company rotation policy
Inspect Windows Firewall: Open wf.msc, navigate to Outbound Rules, sort by Action, and identify any rules blocking VPN-related ports (UDP 500, 4500, TCP 443)
Test the Theory: Disable the suspicious blocking rule (do not delete yet) and attempt VPN connection
Confirm and Clean Up: Once VPN connects, delete the problematic rule. Advise user to contact network team for proper firewall policy configuration
Educate User: Explain how firewall rules can block specific traffic, and show the user where to check if the issue recurs

Learning Objectives (CompTIA A+ Core 2)

1.6: Given a scenario, configure Microsoft Windows networking features on a client/desktop – Windows Defender Firewall configuration, inbound/outbound rules, and VPN connectivity requirements
2.1: Summarize various security measures and their purposes – Firewall best practices, understanding port-based blocking, and balancing security with functionality
Diagnostic Methodology: Practice layered troubleshooting—verifying connectivity at each level (internet, DNS, application-specific) before investigating firewall and security configurations

SCENARIO 9 — OBSERVER CHECKLIST

Performance Evaluation Form

Tech Name: Observer Initials:

Date:

Criterion	Score (0-5)	Notes
1. Connectivity Verification Confirmed internet connectivity before investigating VPN-specific issues. Used ping to validate network stack. Methodically ruled out basic network problems first.	_____/5
2. VPN Error Analysis Directed user to find detailed error information in the VPN client. Correctly interpreted "connection timed out" and "unable to establish tunnel" as indicators of blocked traffic rather than authentication failure.	_____/5
3. Firewall Troubleshooting Guided user to `wf.msc` and navigated to Outbound Rules. Identified the blocking rule by sorting on the Action column. Disabled the rule before deleting to test the theory.	_____/5
4. Security-Conscious Approach Checked credentials and password rotation before escalating. Disabled the rule (rather than immediately deleting) to preserve evidence. Recommended contacting the network team for proper policy configuration.	_____/5
5. Remote User Support Skills Maintained a calm and reassuring tone with a stressed remote worker. Gave clear step-by-step guidance for unfamiliar tools. Empowered user with knowledge to self-diagnose if issue recurs.	_____/5
TOTAL: _____/25

Additional Comments:

SCENARIO 10 — USER SCRIPT

You are calling IT support about a browser that has been taken over by unwanted toolbars and redirects.

Hi, something really weird is going on with my browser. My homepage changed to some search engine I've never heard of, and I keep getting redirected to random ad pages when I click on links.

I'm using Chrome on Windows 10. This started a couple of days ago. There are also these new toolbars in my browser that I definitely didn't install. One says "SearchAssist" and another says "QuickDeals."

Hmm, let me think... Actually, yes. I downloaded a free PDF converter from a website maybe three or four days ago. I needed to convert a document for work and I just grabbed the first free one I found on Google.

It was something like "SuperPDFConverter" or "FreePDFTools"—I don't remember the exact name. It seemed like a normal installer. I just clicked Next a bunch of times to get through it.

Okay, I'm in Chrome now. How do I get to the extensions?

Typing chrome://extensions now... Oh wow. There are extensions here I've never seen before. "SearchAssist Pro," "QuickDeals Saver," "BrowseSecure," and "SmartTab Redirect." I only recognize my ad blocker and my password manager.

Removing them now. Clicking Remove on SearchAssist Pro... QuickDeals Saver... BrowseSecure... SmartTab Redirect. All four are gone.

Reset Chrome settings? Sure, where is that?

I'm in Settings now. Scrolling down to "Reset settings"... I see "Restore settings to their original defaults." Clicking that. It's asking me to confirm. Confirming now.

Okay, Chrome looks normal again. My homepage is back to Google. But what about the program I installed? Should I remove that too?

Okay, opening Programs & Features. Let me look... I see "SuperPDF Converter" installed three days ago. There's also something called "SearchAssist Browser Companion" from the same date that I definitely didn't install on purpose.

Uninstalling both of them now. SuperPDF Converter is gone... and SearchAssist Browser Companion is gone too.

A full scan with Windows Defender? Okay, let me open that. Going to Windows Security... Virus & threat protection... Scan options... Full scan. Starting it now. It says it might take a while.

Got it. So this all came from that PDF converter I downloaded?

That's really sneaky. I'll definitely be more careful about what I download in the future. Are there safe alternatives for converting PDFs?

Good to know. Thank you so much for cleaning all of this up. My browser feels normal again!

SCENARIO 10 — TECH SCRIPT

You are IT support helping a user whose browser has been hijacked by unwanted extensions and redirects.

Hello, IT support here. I understand something is wrong with your browser. Can you describe exactly what's happening—what changes you're seeing and when they started?

Note: Browser hijacking symptoms include changed homepage, new default search engine, unexpected toolbars, pop-ups, and search redirects. Get specifics on all observed changes.

Homepage changes, redirects to ads, and toolbars you didn't install—those are classic signs of a browser hijacker. This is important: did you download or install anything from the internet in the days before this started?

Note: Establishing the timeline and identifying the source is critical. Most browser hijackers are bundled with freeware downloaded from untrusted sites.

A free PDF converter—that's very likely the source. These free download sites often bundle extra software with their installers. Do you remember the name of the program or the website?

I see. The "click Next a bunch of times" part is exactly how these unwanted programs get installed. They hide opt-out checkboxes in the installation wizard, and if you don't uncheck them, they install alongside the program you actually wanted. Let's clean this up step by step. First, open Chrome and go to your extensions. Type chrome://extensions in the address bar.

Those are all unwanted extensions installed by the hijacker. Remove every extension you don't recognize or didn't install yourself. Keep your ad blocker and password manager, but remove SearchAssist Pro, QuickDeals Saver, BrowseSecure, and SmartTab Redirect.

Note: Browser hijackers typically install multiple extensions to maintain persistence. Even if the user removes one, the others can reinstall it. Remove ALL suspicious extensions at once.

Good. Now we need to reset Chrome's settings to undo all the changes the hijacker made to your homepage, default search engine, and new tab page. Go to Chrome Settings—click the three dots in the top right, then Settings.

Scroll all the way down and click "Reset settings" in the left sidebar, then click "Restore settings to their original defaults." This will reset your homepage, new tab page, search engine, and disable any remaining hidden extensions. It won't delete your bookmarks or saved passwords.

Note: Resetting the browser is essential. Hijackers modify multiple browser settings. Manually changing just the homepage often isn't enough—the hijacker may have also changed the default search engine, new tab URL, and startup pages.

Great, Chrome should be clean now. But we also need to remove the source program from your system, or it could re-infect your browser. Open the Control Panel and go to Programs & Features. You can also type appwiz.cpl in the Windows search bar to get there directly.

Sort the list by installation date to see the most recent installs first. Look for the PDF converter and anything else suspicious that was installed around the same time.

The "SearchAssist Browser Companion" is a PUP—a Potentially Unwanted Program. It was bundled with the PDF converter installer. Uninstall both of them. Right-click each one and select Uninstall.

Note: PUPs (Potentially Unwanted Programs) are not technically viruses, but they modify system behavior without meaningful user consent. They are typically bundled with freeware installers.

Now let's run a full security scan to make sure nothing else was left behind. Open Windows Security from the Start menu, go to "Virus & threat protection," then "Scan options," select "Full scan," and click "Scan now." This will check every file on your system.

Exactly. The PDF converter itself may have been a legitimate—if low-quality—program, but the installer was bundled with the SearchAssist hijacker and those browser extensions. This is called "bundleware." The companies behind these PUPs pay the download sites to include their software in the installer, and they rely on people clicking "Next" without reading each screen.

Absolutely. For PDF conversion, you can use built-in tools—Microsoft Word can open and save PDFs, and Chrome itself can print any page to PDF. If you need a dedicated tool, stick to well-known names and always download directly from the developer's official website rather than third-party download sites. And during installation, always choose "Custom" or "Advanced" install so you can uncheck any bundled extras.

Note: End with safe downloading habits. The best defense against PUPs and browser hijackers is user awareness—knowing how to recognize bundleware and where to download software safely.

You're very welcome! Once that full scan finishes, you should be completely clean. If you notice anything odd with your browser again, don't hesitate to call. Have a great day!

SCENARIO 10 — INSTRUCTOR SHEET

Confidential – For Instructor Use Only

Root Cause Analysis

Issue: Chrome browser on Windows 10 exhibits homepage hijacking, search redirects to ad-laden pages, and unauthorized toolbar/extension installations

Root Cause: A Potentially Unwanted Program (PUP) was bundled with a freeware PDF converter downloaded from an untrusted third-party site. The PUP installed a browser hijacker ("SearchAssist Browser Companion") and multiple malicious Chrome extensions (SearchAssist Pro, QuickDeals Saver, BrowseSecure, SmartTab Redirect) that modified the browser's homepage, default search engine, new tab page, and injected ad-redirect scripts.

Why It Occurred: The user downloaded freeware from a third-party download site and clicked through the installer without reading each screen. The installer included pre-checked opt-in checkboxes for bundled software that the user inadvertently accepted. This is a common distribution method for PUPs and browser hijackers—they are not technically malware in the traditional sense but operate in a legal gray area by obtaining minimal "consent" through deceptive installer design.

Replication Steps (For Setup)

On a Windows 10 machine with Chrome, manually install several Chrome extensions with names like "SearchAssist Pro," "QuickDeals Saver," "BrowseSecure," and "SmartTab Redirect" (create dummy extensions or use the scenario verbally)
Change Chrome's homepage to a fake search engine URL (e.g., searchassist-home.com) via Settings → On startup → Open a specific page
Change the default search engine to a non-standard entry via Settings → Search engine
Install a dummy program in Programs & Features named "SuperPDF Converter" and "SearchAssist Browser Companion" with a recent installation date (or simulate verbally)
Students should discover the extensions, reset Chrome, find and uninstall the PUPs from Programs & Features, and run a Windows Defender scan

Troubleshooting Workflow

Identify the Threat: Recognize the combination of homepage hijacking, search redirects, and unauthorized extensions as classic browser hijacker symptoms
Establish the Source: Ask about recent downloads and installations. Correlate the timeline of symptoms with the freeware installation date
Remove Malicious Extensions: Navigate to chrome://extensions and remove all unrecognized or suspicious extensions
Reset Browser Settings: Use Chrome's "Restore settings to their original defaults" to undo all hijacker modifications to homepage, search engine, new tab page, and startup settings
Uninstall PUPs: Open Programs & Features (appwiz.cpl), sort by installation date, and uninstall the source freeware and any bundled companion programs
Run Full Security Scan: Execute a Windows Defender full scan to detect and remove any residual malicious files, registry entries, or scheduled tasks
Educate on Safe Practices: Teach the user about bundleware, custom/advanced installation options, and safe download sources

Learning Objectives (CompTIA A+ Core 2)

2.4: Given a scenario, explain common methods for removing malware – Browser hijacker identification and removal, PUP uninstallation, browser reset procedures, and full system scanning
2.1: Summarize various security measures and their purposes – Safe browsing habits, software download best practices, and understanding bundleware distribution methods
2.3: Given a scenario, detect, remove, and prevent malware using the appropriate tools and methods – Using Windows Defender for full scans, identifying PUPs in Programs & Features, and recognizing browser hijacker indicators
Communication Skills: Practice non-judgmental user education about safe downloading, explaining PUPs versus traditional malware, and empowering users with preventive knowledge

SCENARIO 10 — OBSERVER CHECKLIST

Performance Evaluation Form

Tech Name: Observer Initials:

Date:

Criterion	Score (0-5)	Notes
1. Threat Identification Correctly recognized symptoms as browser hijacker. Asked about recent downloads to establish the infection vector. Identified the freeware PDF converter as the source.	_____/5
2. Extension & PUP Removal Guided user to `chrome://extensions` to audit and remove malicious extensions. Used Programs & Features to identify and uninstall the bundled PUP alongside the source freeware.	_____/5
3. Browser Reset Procedure Directed user to reset Chrome settings to default. Explained what the reset does and does not affect (bookmarks/passwords preserved). Ensured homepage and search engine were restored.	_____/5
4. Security Scan Execution Instructed user to run a full Windows Defender scan rather than a quick scan. Explained the importance of checking for residual malicious files after manual cleanup.	_____/5
5. Prevention Education Explained bundleware and how PUPs are distributed through freeware installers. Recommended safe alternatives and official download sources. Advised using Custom/Advanced installation to avoid bundled extras.	_____/5
TOTAL: _____/25

Additional Comments:

IT Support Roleplay Lab

Select your role to begin: