Interview Preparation

IT Support Interview — Comprehensive Revision

Aayush Acharya  ·  Level 1/2 IT Support  ·  Sydney, NSW

Microsoft 365  ·  Active Directory  ·  Intune / MDM  ·  Networking  ·  Cisco Meraki  ·  ServiceNow  ·  Troubleshooting

Every answer should take under 10 seconds. Slow on any of these? That's your weak spot.

Ports — Know These Cold
DNS: 53
HTTP / HTTPS: 80 / 443
SMTP (server–server): 25
SMTP (client TLS): 587
SSH: 22
RDP: 3389
IMAP / POP3: 143 / 110
FTP: 21
LDAP: 389
IP Addresses — Instant Recall
Loopback address: 127.0.0.1
APIPA (DHCP failed): 169.254.x.x
Class A private: 10.0.0.0/8
Class B private: 172.16–31.x.x
Class C private: 192.168.x.x
/24 usable hosts: 254
Switch / Router layer: L2 / L3
What is NAT? Private IPs share one public IP via router
AD / Identity — Daily Tools
Manage AD users: dsa.msc
Domain join / system props: sysdm.cpl
Services manager: services.msc
Event Viewer: eventvwr.msc
Network connections: ncpa.cpl
Group Policy management: gpmc.msc
Apply GPO immediately: gpupdate /force
AD hierarchy (top → bottom): Forest → Tree → Domain → OU
Entra ID / Azure AD
What replaced Azure AD? Microsoft Entra ID (same product)
Cloud vs on-prem AD: Entra ID = cloud; AD DS = on-prem
Revoke all sessions for user: Entra ID → user → Revoke sessions
Reset MFA for a user: M365 Admin → user → Manage MFA
Conditional Access does what? Blocks access if device non-compliant
Hybrid join means: Device in both on-prem AD + Entra ID
SSPR stands for: Self-Service Password Reset
PIM stands for: Privileged Identity Management
Key Definitions — One-Liners
What is DNS? Translates names to IPs (phone book)
What is DHCP? Auto-assigns IPs to devices on network
APIPA address means: DHCP failed — can't reach network
TCP vs UDP: TCP = reliable; UDP = fast
What is PoE? Data cable also powers the device
Dist. List vs Security Group: Email only vs permissions + email
OSI mnemonic (bottom up): Please Do Not Throw Sausage Pizza Away
Intune + JAMF Quick Actions
Laptop stolen — first action: Remote Wipe in Intune
Force policy update: Devices → Sync
Get BitLocker recovery key: Devices → Recovery Keys
Zero-touch Windows setup: Windows Autopilot
JAMF manages what? Apple devices (Mac, iPhone, iPad)
JAMF zero-touch enrollment: ADE via Apple Business Manager
JAMF remote wipe: Computers → Management → Wipe
Email / M365
Email not received — first step: Run Message Trace in EAC
Check Microsoft outage: M365 Admin → Service Health
Shared mailbox license? No (up to 50GB)
OST file — what is it? Local cached copy of Exchange mailbox
Outlook not syncing — first check: Status bar bottom-right of Outlook
Outlook safe mode: Ctrl + click icon
Email flow order: Sender → MX → Gateway → Inbox

Say each answer out loud. Aim for 30–45 seconds.

Most Asked
Tell me about yourself.
"I'm an IT support professional with 2+ years of enterprise experience — currently at PwC supporting partners and executives in a Big 4 environment. Before that I ran IT support solo across a 200+ user, 9-site hospitality group with a 95% first-contact resolution rate. My strengths are Microsoft 365, Entra ID, Intune, and network troubleshooting, backed by active home lab work in Zero Trust and hybrid cloud. I'm looking to take that into a dedicated IT support role with room to grow toward cloud and sysadmin."
Under 45 seconds. Lead with current role, hit the big metric, end with where you're heading.
Most Asked
Why are you leaving your current role?
"PwC has been a great environment — supporting executives in a Big 4 setting is genuinely challenging. I'm looking to move into a role with more exposure to the full IT support stack. My current role is heavily AV-focused, which means I'm not getting the breadth of tickets, systems admin work, and cloud exposure I want at this stage of my career."
Never badmouth the employer. Frame it as running toward something, not escaping. This answer is honest and sounds mature.
Most Asked
How do you prioritise tickets when you have multiple open?
"Business impact first. Whole office down = P1, escalate immediately. Single user fully blocked = P2, I jump on it. Minor issues get queued. I follow the SLA matrix, update users proactively, and never let a ticket go silent. Nobody should have to chase me."
STAR Story 1
Describe a difficult or high-pressure situation you handled.
"At Platinum Hospitality, a network outage hit the POS systems during peak dinner service — revenue directly impacted across multiple sites. I immediately notified venue managers so they weren't in the dark, put them on 15-minute update cycles, and traced the fault to a failed switch. I pushed a remote config fix and had all sites restored within 40 minutes. The key was communication — stakeholders stayed calm because they knew it was being worked on."
This is STAR story 1. If asked a second behavioural question, don't repeat this scenario — use STAR story 2 below.
STAR Story 2
Tell me about a time you had to learn something quickly.
"When I moved into the IT Support Officer role at Platinum Hospitality, I had no prior Intune experience but the company needed an MDM rollout across 9 sites within weeks. I worked through Microsoft Learn and documentation, tested in a trial tenant, and within three weeks had Autopilot profiles configured and was deploying zero-touch devices. By the end of the rollout all sites were on compliant, managed endpoints. I can close skill gaps fast when the business needs it."
This answer also sells your self-teaching instinct, which is one of your strongest differentiators at this experience level.
Behavioural
How do you handle a VIP or an angry user?
"I stay professional — the frustration is about their work being blocked, not about me. I acknowledge it: 'I understand this is urgent, let me get onto it right now.' I give a clear timeframe, stay focused on the fix, and update them when it's resolved. At PwC I support senior partners regularly — speed and clear communication matter far more than technical jargon."
Most Asked
What do you do when you can't solve a problem?
"I check the internal Knowledge Base first — chances are someone solved it before. If not, Microsoft docs or the specific error code. Still stuck, I ask a senior colleague. If we're approaching an SLA breach, I escalate — always with a full log: what I tried, error messages, what I ruled out. I never escalate blind and make someone else start from scratch."
Technical
What is Active Directory and what do you use it for day-to-day?
"Active Directory is Microsoft's centralised directory service — manages users, computers, and security policies across a network. Everything authenticates through the Domain Controller. Day-to-day I use dsa.msc to create accounts, reset passwords, unlock accounts, manage group memberships, and handle onboarding and offboarding. It's the most-touched tool in L1/L2 support."

Key structure: Forest → Tree → Domain → OU

Technical
Walk me through troubleshooting slow internet for a user.
"First: is it just them or everyone on the floor? That tells me device vs network. I run ping 8.8.8.8 -t to check packet loss, then ping google.com — if 8.8.8.8 works but google.com fails, it's DNS. I run ipconfig /release, /renew, /flushdns. Check the IP isn't a 169.254 APIPA address. If WiFi, I check Meraki for the AP status. Whole office affected — ISP call and escalate to the network team."
Technical
What do you do in Microsoft Intune day-to-day?
"I use Intune for device fleet management. When a new staff member starts I enroll their device and configure Windows Autopilot for zero-touch setup. I push required apps remotely — set as Required so they install without user action. If a device is reported stolen, I immediately do a remote wipe from the portal. I use Conditional Access to ensure only compliant, enrolled devices can reach company resources."
Technical
Distribution List vs Security Group — what's the difference?
"A Distribution List is email-only — one email fans out to all members but it can't control access to anything. A Security Group controls permissions — shared drives, SharePoint sites, applications. Security groups can also be mail-enabled so you get both. I create and manage both in M365 Admin Centre."
Technical
What is Group Policy and how have you used it?
"Group Policy lets admins push configuration settings to all users and computers in a domain from one place — no manual per-machine work. I create GPOs and link them to OUs. I've used it for password complexity enforcement, mapping network drives, pushing security configs, and setting desktop wallpapers. When I need changes to apply immediately I run gpupdate /force on the client."
Trap Question
What salary are you looking for?
"Based on my enterprise experience across Microsoft 365, Intune, and multi-site support at PwC and Platinum Hospitality, I'm targeting $70,000–$80,000 base. That said, I'm open to discussion — if the role has genuine growth toward cloud or sysadmin, I'm flexible on the exact number."
Always give a range, never a single number. Anchor slightly above your real minimum. The second sentence signals you won't walk over money alone. Research the market rate for the specific role before the interview and adjust accordingly.
Most Asked
Why should we hire you?
"I've proven I can handle a high-volume, multi-site environment solo with strong resolution rates. I don't just fix tickets — I document fixes, build knowledge base articles, and leave things better than I found them. I understand IT support isn't just about computers, it's about keeping people working. And I'm actively building toward cloud and security specialisation, so I'm an investment that compounds."
Always Happens
Do you have any questions for us?
Never say "No, I think you've covered everything." Pick 2–3 from this list:
  • "What does a typical first week look like for someone in this role?"
  • "What tools and ticketing systems does the team use day-to-day?"
  • "What does the progression path look like — is there a route from L1/L2 toward sysadmin or cloud?"
  • "What's the biggest challenge the IT team is working through right now?"
  • "How is performance measured — ticket volume, SLAs, or something else?"
The progression question is the most important one for you. It signals ambition and helps you figure out if the role is actually worth taking.
Situational
A user calls frustrated — they say nothing works. You can't replicate the issue. What do you do?
"First I acknowledge the frustration — 'I hear you, let's figure this out together.' Then I ask targeted questions: when did it start, what exactly isn't working, any recent changes? I ask them to walk me through what they're seeing right now. Sometimes the act of explaining it surfaces something they hadn't noticed. If I still can't replicate it remotely, I either get eyes on their screen via Quick Assist or walk over. I never close a ticket I haven't verified is actually resolved."
They're testing how you handle ambiguity and an upset user simultaneously. Lead with empathy, then structure.
Situational
You discover a colleague has been sharing their password with another staff member. What do you do?
"I don't ignore it — password sharing is a policy violation and a security risk. I wouldn't confront the colleague directly. I'd document what I observed, then raise it with my manager or the security team through the appropriate channel. It's not personal, it's a security control. The right response is to report it and let the process handle it, not look the other way because it's awkward."
Tests your integrity and whether you understand security policy. Don't say you'd "have a quiet word" — reporting it is not your call to soften.
Situational
You're mid-way through a P3 ticket and a P1 comes in. What happens?
"P1 takes over immediately — no question. I quickly note where I am on the P3 so I can pick it up without losing context, then update the P3 user: 'I'm dealing with a critical incident, I'll be back with you as soon as it's resolved.' I jump on the P1, follow the escalation process, and keep a clear log. Once the P1 is stabilised or handed to L3, I return to the P3. The update message takes 30 seconds and stops the user from feeling abandoned."
Shows you understand SLA prioritisation and that communication during a context switch is part of the job.
Situational
A user asks you to give them local admin rights on their laptop "just temporarily." What do you say?
"I'd ask what they're actually trying to do — usually there's a specific problem I can solve another way. Need to install software? I can push it through Intune. One-off config change? I can do it with my credentials and document it. If they genuinely need elevated access for a project, that goes through a formal request with manager approval. Handing out admin rights informally creates a compliance gap and puts the user at higher risk if their account is compromised."
Tests security knowledge and your ability to say no professionally. Never just refuse — always offer an alternative path.
Situational
You made a change that accidentally broke something for multiple users. What do you do?
"Own it immediately — tell my manager what happened, what I changed, and who's affected. The first priority is restoring service: roll back the change if possible, or find the fastest workaround. I'd communicate to affected users that we're aware and working on it. Once resolved, I'd do a quick post-mortem — what caused it, what the fix was, and what I'd do differently next time. A mistake handled transparently builds more trust than a mistake quietly buried."
They want accountability, not panic. The answer that fails this question is "I'd try to fix it before anyone noticed."

What a realistic L1/L2 day looks like. Interviewers ask this to see if you understand the operational pace — not just the technical side.

8:30 AM
Arrive & Triage the Queue

Open ServiceNow. Overnight tickets waiting: 1 account lockout (P2), 1 printer down (P2), 4 P3/P4s (password resets, software request, slow internet). Check M365 Service Health — no outages. Review Slack/Teams for escalations from management. Order by priority, build a mental plan for the morning.

8:50 AM
P2: Account Lockout

User can't log in — locked out after 3 failed attempts. Verify identity (confirm with manager). Open dsa.msc, unlock account, reset password, tick "User must change at next logon." Ask: do you have Outlook or Teams on your phone? Old saved password hammering the account. User updates phone creds, back in within 8 minutes. Close ticket with resolution notes.

9:15 AM
P2: Printer Down on Floor 2

Printer showing offline for the whole floor. Physical check: power on, paper loaded, no error lights. Ping the printer IP — reachable. Print jobs stuck in queue. Open services.msc, restart Print Spooler. Clear spool queue (C:\Windows\System32\spool\PRINTERS). Printer back online. Floor sorted in 15 minutes. Log in KB for next time.

9:45 AM
New Hire Onboarding Handoff

New staff member arrives. Confirm: AD account active, email syncing, M365 license assigned, device enrolled in Intune and showing compliant. Walk them through first login, password change, Teams setup. Point them to the IT help desk Slack channel. Confirm access to shared drives. Done in 30 mins — document completion in ServiceNow.

10:30 AM
Rapid Ticket Clearance (P3/P4s)

Work through the backlog: reset 2 passwords, add a user to a distribution list (Exchange Admin Center), grant SharePoint site access (remove from wrong security group, add to correct one in dsa.msc), approve a software request via Intune (push app as Required). Each under 5 minutes. Every ticket updated in real time — no ticket goes silent.

11:30 AM
Teams / Audio Issue

User on VPN says Teams calls are dropping. Test at teams.microsoft.com in browser — works fine. Issue is desktop client. Clear cache (%appdata%\Microsoft\Teams, delete contents), restart Teams. Test call — resolved. Advise user to restart Teams client weekly. Update ticket. 15 minutes.

12:00 PM
Lunch + Team Standup

30-min team standup. Report morning stats, flag 1 open P3 (slow internet, floor 3 — investigating after lunch). Manager mentions 3 new devices arriving tomorrow — need Autopilot configured today. Add to afternoon list. Eat. Recharge.

1:00 PM
Knowledge Base Update

30 minutes documentation. Write up the printer Spooler fix from this morning — clear steps so any team member can handle it next time. Update the account lockout guide with the "check mobile saved credentials" step. Small time investment, big long-term payoff.

1:30 PM
Investigate: Slow Internet (Floor 3)

Isolated to one user. Run ping 8.8.8.8 -t (no packet loss), ping google.com (fails) — DNS. Run ipconfig /flushdns, /release, /renew. Still slow. Check Meraki dashboard — AP on floor 3 showing degraded signal. Reassign user to stronger AP. Speed back to normal. Escalate AP health to network team as P3. Document findings.

2:15 PM
Device Enrollment — Autopilot Config

3 new devices arriving tomorrow. Configure Windows Autopilot profiles in Intune: assign deployment profile, configure OOBE settings, enable BitLocker policy, push required apps. Register the devices in Intune by serial number and hardware hash. Zero-touch setup ready — devices will self-configure when user signs in tomorrow.

3:15 PM
Outlook Sync Issue

User can't see new emails in Outlook. Check status bar — "Disconnected." Test OWA (office.com) — emails visible. Local client issue. Rebuild OST: close Outlook, delete .ost from %localappdata%\Microsoft\Outlook\, reopen. Outlook resyncs. Back in 10 minutes. Confirm with user, close ticket.

4:00 PM
Offboarding Request

HR confirms employee finishing today. Follow offboarding checklist: disable AD account (dsa.msc), revoke Entra ID sessions, remote wipe device in Intune, remove M365 licenses, convert mailbox to shared (manager retains access), remove from all distribution lists and Teams. Collect hardware. Every step timestamped in ServiceNow. Manager signs off.

5:00 PM
End of Day Wrap

Review ServiceNow: 17 tickets closed, 2 escalated (1 network issue to L3, 1 hardware RMA in progress). Update open tickets with current status. Write handoff notes for any overnight on-call coverage. Check tomorrow's onboarding schedule — 3 new hires, devices are ready. Log off.

Complete checklists from first day to last. Knowing these cold impresses interviewers — most candidates can't recite the full offboarding order.

🟢 ONBOARDING
// Pre-Arrival — 1 Week Before Start
Confirm start date, role, department, manager, and employment type with HR
Order laptop/desktop + peripherals (keyboard, mouse, monitor, headset). Confirm delivery before Day 1
Create AD account in correct OU (matches department/location). Set temp password, force change on first logon
Assign M365 license in Admin Center (confirm seat type: E3/E5/F1 with HR)
Verify mailbox creation in Exchange Admin Center — send test email to confirm delivery
Add to department distribution lists and relevant Teams channels
Enroll device in Intune: configure Autopilot profile, enable BitLocker policy, push required apps
Grant access to shared drives and SharePoint sites (manager provides list of required access)
Configure VPN access if remote work required — send credentials separately from device
Coordinate physical access with facilities: desk, building swipe card, parking if applicable
Send welcome email with temp credentials, help desk contact, WiFi details, and parking/location info
// Day 1 — Device Handoff & Setup
Greet user, confirm identity, hand over device and accessories
Walk through first login: AD password, forced change, Outlook sync confirmation
Confirm Teams login, test audio (Settings → Devices), and send test message
Verify WiFi + VPN connection: run ping 8.8.8.8, open company intranet
Confirm shared drive access (map drives if needed via GPO or manual UNC path)
Show user how to raise an IT ticket (ServiceNow portal, help desk Slack/Teams channel, phone)
Brief on IT policies: password requirements, VPN use, acceptable use, security reporting
Confirm device shows compliant in Intune (BitLocker on, AV active, OS up to date)
Set up MFA: guide user through Microsoft Authenticator app registration
Document all completed actions in ServiceNow with manager sign-off
// Week 1–4 Follow-Up
Day 3: check-in call — any access issues, software blockers, hardware problems?
Day 10: confirm all required applications installed and working (check Intune app deployment status)
Day 30: formal review — device health, security compliance, all accounts active, no outstanding tickets
Remind user to complete mandatory IT training: phishing awareness, password manager setup, VPN security
🔴 OFFBOARDING
// Pre-Exit — 1–2 Weeks Before Last Day
HR confirms exit date and type (resignation / termination / contract end)
For terminations: brief security team, confirm badge/access revocation timing (often same-day immediate)
Identify high-value access: admin accounts, sensitive shared mailboxes, privileged permissions — flag for audit
Manager confirms knowledge transfer completed — IT is not responsible for data handoff, but coordinate timing
Schedule hardware collection — confirm device return on last working day
// Last Working Day — Run in This Order
Step 1 — Disable AD account (dsa.msc → right-click → Disable Account). Priority — do it first
Step 2 — Revoke Entra ID sessions (Entra ID portal → user → Revoke all sign-in sessions)
Step 3 — Intune remote wipe (Intune → Devices → find device → Wipe). Confirms data removal
Remove all M365 licenses in Admin Center (Teams, Exchange, SharePoint)
Revoke VPN access (remove from VPN groups in AD or third-party VPN portal)
Convert mailbox to shared mailbox or archive it (manager retains access for 90 days)
Remove from all distribution lists and Teams teams (M365 Admin or Teams Admin Center)
Remove from SharePoint site permission groups (revoke in AD security groups)
Collect all hardware: laptop, phone, headset, badge, keys, monitors — document serial numbers
Audit admin or service accounts the user held — reassign or disable each one
Retrieve BitLocker recovery key before wiping if device will be redeployed (Intune → Recovery Keys)
// Post-Exit — Within 24 Hours
Verify all systems confirm account as disabled — run access audit if compliance requires it
Document every action in ServiceNow with exact timestamp (legal protection for both parties)
Device decommissioned or reimaged — confirm wipe complete before redeployment
HR acknowledgement: all IT actions completed, employee record flagged as offboarded
🚨 For involuntary terminations — disable the account the moment the employee is informed, before they leave the building. No exceptions.

What you use every day as L1/L2. Know each tool's purpose and what you specifically do inside it — interviewers ask this constantly.

Identity & Access Management
On-Prem Directory
Active Directory — dsa.msc
Daily workhorse for managing on-prem users, computers, groups, and OUs. If you work in a hybrid or on-prem environment, you live here.
What you do:
  • Create, modify, disable, and delete user accounts
  • Reset passwords + force change at next logon
  • Unlock locked-out accounts
  • Add/remove users from security and distribution groups
  • Move accounts between OUs (controls GPO application)
  • Check last logon, password expiry, account status
Cloud Identity
Microsoft Entra ID (Azure AD)
Cloud-based identity management. Manages users synced from on-prem AD or cloud-native accounts. Controls MFA, Conditional Access, and session management.
What you do:
  • Reset MFA for users locked out of their authenticator
  • Revoke all active sessions (emergency account compromise)
  • View device compliance status (enrolled in Intune?)
  • Check sign-in logs (why is the user being blocked?)
  • Manage Conditional Access policies
  • Enable/disable SSPR per user or group
Group Policy
Group Policy Management — gpmc.msc
Push configuration to all machines in a domain at once. L1/L2 mainly applies and troubleshoots existing GPOs rather than creating new ones.
What you do:
  • Run gpupdate /force to immediately apply a policy
  • Run gpresult /r to see which GPOs apply to a machine
  • Understand GPO purposes: password policy, drive mapping, software restrictions
  • Troubleshoot why a user isn't getting an expected policy
System Services
Services Manager — services.msc
Start, stop, and restart Windows background services. Critical for printer, network, and update troubleshooting.
What you do:
  • Restart Print Spooler (stuck print queues)
  • Stop/start Windows Update service
  • Restart BITS for OneDrive/sync issues
  • Check if a service is set to start automatically on reboot
Email & Communication
Email Administration
Exchange Admin Center (EAC)
Manage mailboxes, distribution lists, mail flow rules, and shared inboxes. Your go-to for any email-level issue that isn't a client problem.
What you do:
  • Create and manage distribution lists + shared mailboxes
  • Add or remove members from groups
  • Set send-as and full-access permissions on shared mailboxes
  • Run Message Trace to debug missing or undelivered emails
  • Check mail flow rules and transport connectors
  • Recover deleted mailboxes within 30-day retention window
Tenant Management
Microsoft 365 Admin Center
Top-level admin hub for all Microsoft services. Manage users, licenses, subscriptions, and service health from one place.
What you do:
  • Assign and remove M365 licenses
  • Reset user passwords and unlock accounts
  • Check Microsoft Service Health (is Teams/Exchange down?)
  • Reset MFA for locked-out users
  • View audit logs (who changed what and when)
Email Client
Outlook
The client-side of Exchange. You'll troubleshoot sync, performance, and add-in issues regularly.
What you do:
  • Check Exchange connection status (bottom-right corner)
  • Launch Safe Mode (Ctrl+click the icon)
  • Rebuild OST file (delete from %localappdata%\Microsoft\Outlook\)
  • Create a new mail profile for persistent issues
  • Know when OWA is the right workaround vs. a fix
Team Collaboration
Microsoft Teams Admin Center
Manage Teams structure, meeting policies, app permissions, and user settings at the org level.
What you do:
  • Add/remove members from Teams and channels
  • Manage org-wide settings (guest access, file sharing)
  • Troubleshoot Teams meeting and calling policies
  • View usage reports and user activity
Device Management & Support
Mobile Device Management
Microsoft Intune
Enroll, manage, and secure Windows, macOS, iOS, and Android devices. Zero-touch deployment via Autopilot. Remote wipe and compliance enforcement.
What you do:
  • Enroll new devices using Windows Autopilot
  • Monitor compliance (BitLocker on? AV active? OS current?)
  • Remote wipe stolen or departing-employee devices — immediately
  • Push apps to devices (Required = auto-installs)
  • Sync device to force policy update
  • Retrieve BitLocker recovery keys before device redeployment
Apple Device Management
JAMF Pro
MDM equivalent of Intune but exclusively for Apple devices — Mac, iPhone, iPad. Zero-touch via ADE through Apple Business Manager.
What you do:
  • Enroll Macs (manual or zero-touch via ADE)
  • Push policies and applications to Apple devices
  • Remote lock a Mac with a 6-digit PIN
  • Remote wipe a lost or stolen Apple device
  • View device inventory (OS version, compliance, hardware specs)
  • Create Smart Groups (dynamic grouping by criteria)
System Information
System Properties — sysdm.cpl
Manage machine name, domain membership, and system info. Essential for domain-join and trust relationship issues.
What you do:
  • Join or remove a device from the domain
  • Rename the computer to match naming convention
  • Check Windows edition and build version
  • Repair broken domain trust (remove → rejoin → restart)
Event Logging
Event Viewer — eventvwr.msc
Windows system logs for diagnosing errors, crashes, and security events. Critical for understanding what went wrong and when.
What you do:
  • Check Application, System, and Security logs for errors
  • Search by Event ID (4625 = logon failure, 6006 = clean shutdown)
  • Find source of repeated account lockouts (which machine?)
  • Identify timestamp of last unexpected reboot
  • Export logs for L3 or vendor investigation
Networking & Connectivity
Network Monitoring
Cisco Meraki Dashboard
Cloud-managed WiFi, switches, and firewalls. View AP health, connected clients, bandwidth, and remotely restart access points.
What you do:
  • Check AP status (online, degraded, offline)
  • View which devices are connected to which AP
  • Check signal strength and channel utilisation
  • Remotely reboot an AP
  • Confirm corporate vs guest network separation
Command Line
CMD / PowerShell
Your fastest troubleshooting weapon. Run network tests, flush caches, check user details, and force policy updates without touching a GUI.
What you do:
  • ipconfig /all — full network info
  • ipconfig /release, ipconfig /renew, ipconfig /flushdns (run as separate commands) — refresh network and DNS
  • ping 8.8.8.8 -t — continuous ping, check packet loss
  • ping google.com — DNS test
  • tracert google.com — trace hops to find where connection breaks
  • net user [user] /domain — check account status
  • gpupdate /force — apply Group Policy immediately
  • sfc /scannow — scan and repair Windows system files
ITSM Platform
ServiceNow
Your central hub. Every incident, request, and change is tracked here. Know the difference between an Incident and a Request.
What you do:
  • Log incidents (unexpected issues: user can't log in, printer down)
  • Create service requests (new user setup, software, hardware orders)
  • Triage tickets by P1/P2/P3/P4 priority and SLA
  • Update tickets proactively — user should never chase you
  • Close tickets with clear resolution notes
Remote Support
Remote Desktop / Quick Assist
Take control of a user's machine to troubleshoot without walking to their desk. Essential for large offices and remote-first teams.
What you do:
  • Use Quick Assist (built-in Windows) for ad-hoc remote support
  • Connect via RDP (port 3389) for managed machines on the same network
  • Use TeamViewer/AnyDesk for off-network users
  • Never leave a remote session open unattended

Walk through these out loud in interviews — systematic thinkers stand out.

🌐 Internet slow / not working
1. Isolate scope. One user or whole office? One = device. Whole = upstream.
2. Run ping 8.8.8.8 -t — look for packet loss in the output.
3. Run ping google.com — 8.8.8.8 works but this fails? DNS issue.
4. ipconfig /all — is the IP a 169.254.x.x APIPA address? DHCP failed.
5. Run ipconfig /release, then ipconfig /renew, then ipconfig /flushdns.
6. Restart docking station. Try a different cable.
7. WiFi: check Meraki — is the AP online? Corporate vs guest network?
Whole office affected → contact ISP and escalate to network team immediately.
🔒 Can't log in / password reset
1. Verify identity first — confirm full name, employee ID, or manager before making changes.
2. Check if locked: dsa.msc → user → Properties → Account tab → Unlock account.
3. Reset password → right-click → Reset Password → tick "User must change at next logon".
4. Check Event Viewer — which machine is triggering the repeated lockout?
5. Ask: does the user have Outlook or Teams on their phone using the old password?
6. Advise them to update saved credentials on all devices after the reset.
Most common cause: a phone with a saved old password hammering the account. Always ask about mobile devices.
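Step 4 of the lockout playbook, scripted, as an added example (not part of the original notes). It assumes the ActiveDirectory RSAT module, read access to the Security log on the PDC emulator, and that account-lockout auditing (event 4740) is enabled; the account name jsmith and the function names are placeholders chosen for this sketch.

```powershell
# Added example: find which machine is triggering an account's lockouts.
# Event 4740 (account locked out) is read from the PDC emulator;
# event 4625 (logon failure) is then read from the machine it names.

function Convert-EventData {
    # Turn an event's <EventData> into a name -> value hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $HoursBack = 24
    )
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no lockouts".
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = Convert-EventData -Record $_
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $f['TargetUserName']
                # In 4740 the "Caller Computer Name" is stored in TargetDomainName.
                CallerComputer = $f['TargetDomainName']
            }
        } |
        Where-Object { $_.Account -eq $SamAccountName }
}

function Get-FailedLogonDetail {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $HoursBack = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = Convert-EventData -Record $_
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = $f['TargetUserName']
                LogonType = $f['LogonType']
                Process   = $f['ProcessName']
                SourceIp  = $f['IpAddress']
            }
        } |
        Where-Object { $_.Account -eq $SamAccountName }
}

# 1) Which machines caused the lockouts, most frequent first.
$lockouts = Get-LockoutSource -SamAccountName 'jsmith'
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, Name

# 2) On the top offender, what is making the failed attempts.
$top = ($lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object -First 1).Name
if ($top) {
    Get-FailedLogonDetail -ComputerName $top -SamAccountName 'jsmith' |
        Sort-Object Time -Descending | Select-Object -First 10
} else {
    # A blank caller name often means a non-domain client, e.g. a phone mail app.
    Write-Output 'No named caller computer; ask about mobile devices and check sign-in logs.'
}
```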
📧 Outlook not syncing
1. Check status bar (bottom-right of Outlook) — "Connected to Exchange"?
2. Test at office.com → OWA. Works there? Local client problem.
3. Safe Mode: Ctrl + click the icon. Works? Add-in conflict — disable them all.
4. Repair: Control Panel → Programs → Microsoft 365 → Quick Repair.
5. Rebuild OST: close Outlook → delete .ost in %localappdata%\Microsoft\Outlook\ → reopen.
6. New profile: Control Panel → Mail → Show Profiles → Add → set as default.
Check M365 Service Health first — if Exchange is having an outage, none of these steps matter.
🖨 Printer not working
1. Isolate: just this user, or everyone? Just this printer, or all?
2. Physical: on, no error lights, paper loaded, not showing offline?
3. Ping the printer IP — can't reach it? Network or static IP issue.
4. Restart Print Spooler: services.msc → Print Spooler → Restart.
5. Remap: Win+R → \\server\printername
6. Stuck queue: stop Spooler → delete files in C:\Windows\System32\spool\PRINTERS → restart Spooler.
🎧 Teams / Audio not working
1. Windows Sound Settings — correct output device selected?
2. Settings → Privacy → Microphone → toggle ON for Teams.
3. Teams: ··· → Settings → Devices → select correct mic and speaker.
4. Clear cache: %appdata%\Microsoft\Teams → delete contents → restart Teams.
5. Test at teams.microsoft.com (web) — isolates desktop app vs account issue.
🔑 VPN not connecting
1. Confirm user has working internet without VPN first.
2. Disconnect → reconnect. VPN client up to date?
3. Check credentials — has their password expired?
4. Reinstall the VPN client.
5. Test from mobile hotspot — rules out local network blocking VPN ports.
6. Escalate with: error message, screenshot, steps tried.
💻 Laptop reported stolen
1. Confirm genuine theft with manager — not just misplaced.
2. Intune → Devices → Remote Wipe. Removes all company data immediately.
3. Entra ID → Revoke all sign-in sessions for the user.
4. Disable AD account if credential compromise is suspected.
5. Log full incident with timestamps. Report to security / police.
6. Begin replacement hardware process.
Remote Wipe must happen immediately — never delay this step.
⚠️ "Trust relationship failed"

Machine account password is out of sync with the Domain Controller.

1. Log in as local admin — not the domain account.
2. PowerShell: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
3. Classic: sysdm.cpl → remove from domain → rejoin → restart.
PowerShell is faster — no full disjoin/rejoin needed on modern Windows.
☁️ OneDrive not syncing
1. Check the OneDrive icon in the system tray — hover for sync status message.
2. Click the icon → Help & Settings → Pause syncing → Resume to kick it.
3. Check storage quota — has the user hit their 1TB limit? (Settings → Account)
4. Check for file name issues — files with ? " : | < > * / characters can't sync.
5. Reset OneDrive: %localappdata%\Microsoft\OneDrive\onedrive.exe /reset — wait 2 mins, reopen.
6. Sign out and back in: Settings → Account → Unlink this PC → re-link.
Always check if the issue is in OneDrive personal vs SharePoint sync (different root causes).
🐌 PC slow / high CPU or RAM
1. Open Task Manager (Ctrl+Shift+Esc) → Processes tab. Sort by CPU or Memory. What's at the top?
2. Check if Windows Update is running in background — common culprit. Let it finish or schedule for off-hours.
3. Check Defender — a full scan will spike CPU. Check MsMpEng.exe in Task Manager.
4. Check Startup programs: Task Manager → Startup tab. Disable non-essential items.
5. Run sfc /scannow — corrupted system files cause persistent sluggishness.
6. Check disk health: chkdsk C: /f (requires reboot). HDD nearly full also causes slowdowns.
7. If consistent and unexplained → consider hardware refresh. Check device age in Intune.
If CPU spikes are from an unknown process, check the file path — malware sometimes disguises itself with similar names to legit processes.
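
The file-path check described above, as an added PowerShell example that is not part of the original page. The function name Get-ProcessTrustReport and the short table of expected paths are assumptions for illustration, not a complete baseline.

```powershell
# Added example: list the busiest processes with their on-disk path and signature,
# and flag any that use a core Windows process name from an unexpected location.
# Assumption: $expected is a small illustrative sample, not a complete baseline.
# Run elevated; Path can still be empty for some protected system processes.
$expected = @{
    'svchost'  = "$env:SystemRoot\System32\svchost.exe"
    'lsass'    = "$env:SystemRoot\System32\lsass.exe"
    'services' = "$env:SystemRoot\System32\services.exe"
    'winlogon' = "$env:SystemRoot\System32\winlogon.exe"
    'explorer' = "$env:SystemRoot\explorer.exe"
}

function Get-ProcessTrustReport {
    param([int]$Top = 15)

    Get-Process | Sort-Object CPU -Descending | Select-Object -First $Top | ForEach-Object {
        $path = $_.Path
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        $flags = @()
        if (-not $path) { $flags += 'path unavailable' }
        # String comparison with -ne is case-insensitive, which suits Windows paths
        if ($expected.ContainsKey($_.Name) -and $path -and $path -ne $expected[$_.Name]) {
            $flags += 'system name, unexpected path'
        }
        if ($sig -and $sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }

        [pscustomobject]@{
            Name   = $_.Name
            Id     = $_.Id
            CpuSec = [math]::Round([double]$_.CPU, 1)
            Path   = $path
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Flags  = $flags -join '; '
        }
    }
}

# Flagged rows sort to the top
Get-ProcessTrustReport | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize -Wrap
```

A flag is a reason to look closer and escalate to security, not proof of malware: unsigned in-house tools will also show up here.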
💙 BSOD (Blue Screen of Death)
1. Note or photograph the stop code on the BSOD screen — e.g. KERNEL_SECURITY_CHECK_FAILURE.
2. Check Event Viewer → Windows Logs → System — filter for Critical errors near the crash time.
3. Check if it's happening after a Windows Update — recent update may need to be rolled back.
4. Run sfc /scannow and DISM /Online /Cleanup-Image /RestoreHealth — repairs corrupted OS files.
5. Check for driver issues — outdated GPU, NIC, or docking station drivers are common causes.
6. Run Windows Memory Diagnostic (mdsched.exe) — failing RAM causes random BSODs.
7. If recurring and hardware is suspected → escalate for physical inspection or device swap.
A one-off BSOD after an update is usually fixable. Recurring BSODs with hardware error codes = escalate fast.
🚫 Software install blocked by policy
1. Confirm what policy is blocking it — AppLocker, Intune compliance, or UAC prompt without admin rights?
2. Check if the software is already available in Company Portal (Intune self-service). Push it from there if so.
3. If not in Company Portal, raise a software request — check if IT has a pre-approved version to push via Intune.
4. Verify the software is on the approved software list. Unapproved = needs manager sign-off + IT review before deployment.
5. Never run an installer using elevated credentials on behalf of the user without an approved request. Document everything.
Don't bypass the policy to be helpful — that's how shadow IT starts. Route it properly even if it takes longer.
SLA Matrix
Priority | Respond by | Resolve by | Example
P1 — Critical | < 15 min | < 2 hrs | Server down, whole office offline
P2 — Urgent | < 1 hr | < 4 hrs | User fully blocked from working
P3 — High | < 2 hrs | < 8 hrs | Degraded, workaround exists
P4 — Normal | < 4 hrs | < 24 hrs | Minor, non-blocking issue

Phone answer: < 30 seconds
Active Directory Daily Tasks
Task | Tool | How
Create user | dsa.msc | Right-click OU → New → User
Reset password | dsa.msc | Right-click user → Reset Password
Unlock account | dsa.msc | Properties → Account tab → Unlock
Disable account | dsa.msc | Right-click → Disable Account
Add to group | dsa.msc | Properties → Member Of → Add
Check password expiry | CMD | net user [username] /domain
Force Group Policy | CMD | gpupdate /force
Join domain | sysdm.cpl | Change → Domain → enter name
JAMF — Apple Device Management
Topic | Detail
What JAMF manages | Apple devices only — Mac, iPhone, iPad (Intune handles Windows)
Enroll a Mac | JAMF Pro → Computers → Enroll, or zero-touch via ADE (Apple Business Manager)
Push a policy or app | Policies → New → scope to device/group → trigger on enrollment or schedule
Remote wipe | Computers → find device → Management → Wipe Computer
Remote lock | Computers → Management → Lock → set a 6-digit PIN
Check device inventory | Computers → All Computers → filter by OS, department, compliance
Smart Group | Dynamic group — auto-includes devices matching criteria (like Entra dynamic groups)
JAMF vs Intune | Same concept, different platform. JAMF = Apple. Intune = Windows/cross-platform.
CMD / PowerShell Cheat Sheet
Command | Use it for
ipconfig /all | Full network info — IP, gateway, DNS, MAC, DHCP server
ipconfig /release + /renew | Drop and request a new DHCP lease
ipconfig /flushdns | Clear local DNS cache
ping 8.8.8.8 -t | Continuous ping — check for packet loss
tracert google.com | Find which hop (router) is failing
nslookup google.com | Check what IP DNS returns for a name
gpupdate /force | Apply Group Policy immediately
net user [user] /domain | Check account status, last password change, expiry
whoami /groups | See all security groups the current user is in
sfc /scannow | Scan and repair corrupted Windows system files
netstat -an | See all active network connections and listening ports
arp -a | Show ARP table (IP to MAC address mappings)
Key Port Numbers
Port | Protocol | What it does
21 | FTP | File transfer (unencrypted)
22 | SSH | Secure remote shell
25 | SMTP | Outgoing mail — server to server
53 | DNS | Name resolution
80 | HTTP | Web (unencrypted)
110 | POP3 | Incoming mail — downloads to local
143 | IMAP | Incoming mail — server sync
389 | LDAP | Directory services (Active Directory)
443 | HTTPS | Secure web
587 | SMTP/TLS | Outgoing mail — client to server (secure)
3389 | RDP | Remote Desktop Protocol
Windows Run Commands
Command | Opens
sysdm.cpl | System Properties — domain join, PC rename
ncpa.cpl | Network Connections — static IP, toggle NIC
appwiz.cpl | Programs & Features — uninstall / repair Office
services.msc | Services — restart Print Spooler, Windows Update
eventvwr.msc | Event Viewer — error codes, crash logs
dsa.msc | AD Users & Computers — manage domain users
gpmc.msc | Group Policy Management Console
diskmgmt.msc | Disk Management — partition drives
compmgmt.msc | Computer Management — local users, disk, services
OSI Model — Practical Reference
Layer | Name | Protocols / Devices | Real-world example
7 | Application | HTTP, DNS, SMTP, FTP | Chrome, Outlook
6 | Presentation | SSL/TLS, encryption | HTTPS certificate
5 | Session | NetBIOS, RPC | Starting a Remote Desktop session
4 | Transport | TCP, UDP | TCP for email, UDP for Teams calls
3 | Network | IP, ICMP, routers | ping, tracert, routing between networks
2 | Data Link | Ethernet, MAC, switches | Switch forwarding by MAC address
1 | Physical | Cat5/Cat6, NIC, hubs | The cable in the wall

Mnemonic (bottom up): Please Do Not Throw Sausage Pizza Away

Phone screens are run by recruiters, not technical people. They're testing fit and communication — not your port numbers. Fail this and you never get to the technical interview.

What they're assessing
  • Can you communicate clearly without jargon overload?
  • Do you seem like a normal person to work with?
  • Are your salary expectations in range?
  • Is your experience roughly what the resume says?
  • Are you actually available / interested?
What to have ready
  • Your resume open in front of you
  • The job description open — know the role title and company
  • A quiet place with good signal
  • Salary range anchored in your head
  • 2–3 genuine questions about the role ready
Tell me about yourself / your background
"I'm an IT support professional currently at PwC in Sydney, supporting executives and partners in a Big 4 environment. Before that I ran IT solo across a 200-user, 9-site hospitality group — which meant owning everything from helpdesk to MDM rollouts to network troubleshooting. My core strengths are Microsoft 365, Entra ID, Intune, and Active Directory. I'm looking to move into a role with a broader ticket scope and a path toward cloud or sysadmin."
Keep this to 60 seconds max on a phone screen. Recruiters have 5 other calls today. Don't recite your whole CV.
Why are you looking to leave / what are you looking for?
"My current role is heavily AV-focused, which means I'm not getting the depth of IT support work I want. I'm looking for a role that has a broader ticket scope — accounts, devices, infrastructure — with a team I can learn from and a path to grow into cloud or systems administration."
Positive framing only. Never criticise PwC, a manager, or a team. "Running toward" always sounds better than "running away."
What do you know about us / why this role?
This is where company research pays off. Have a 2-sentence answer ready: "[Company] caught my attention because [specific thing — their tech stack, growth, industry, something real]. The role itself is a strong match because it covers [specific tech from the JD] which is where I have solid experience and want to go deeper."
Generic answers like "you seem like a great company" fail this question. Spend 10 minutes on research before every call. See the Company Research framework below.
What are your salary expectations?
"Based on my experience and the Sydney market for L1/L2 IT support at this level, I'm targeting $70,000–$80,000 base. That said, I'm flexible depending on the full package and growth opportunity."
Always give a range. Your real floor goes at the bottom of the range, not in the middle. If they push back on the range, ask what the budgeted band is — a good recruiter will tell you.
Are you interviewing elsewhere / what's your timeline?
"I'm actively looking and have a few conversations in progress, but I'm being selective — I want to make the right move, not just the fastest one. In terms of notice period, I'm on [X weeks] notice at PwC."
Being honest that you're talking to other companies creates urgency without lying. Don't say "you're the only one" — it removes your leverage.
Can you tell me about your experience with [tool from JD]?
Pick the most relevant example from your actual experience: "Yes — I used [tool] day-to-day at [company]. Specifically I [concrete action]. I'm also comfortable with [related tool] which overlaps significantly."
If you don't have direct experience: "I haven't used [tool] in production, but I've worked extensively with [similar tool] and I've done hands-on work with [tool] in a lab / home environment. I'm confident I'd be productive quickly." Don't fake it.
Do you have any questions for me?
Always ask 2 questions. These work well at recruiter screen stage:
  • "What does the tech environment look like — mostly cloud, hybrid, or on-prem?"
  • "What's the team structure — is this a solo role or part of a broader IT team?"
  • "What's driven the need for this role — is it backfill or growth?"
  • "What does the next step in the process look like and what's the timeline?"
The last question is mandatory. You need to know what's coming next and when, so you can manage your other conversations accordingly.
What to look up
1. What does the company actually do? Can you explain it in one sentence? If not, look it up.
2. Company size & headcount. 50 staff vs 5,000 means completely different IT environments.
3. Tech stack hints. LinkedIn job posts often reveal the stack — do they mention M365, Google Workspace, AWS, Azure?
4. Recent news. Funding rounds, new offices, or layoffs all give context. Google "[company] news 2024/2025."
5. Glassdoor. Quick scan of IT/support reviews. Any patterns around culture, management, or pace?
Red flags to watch for
  • Role posted multiple times. High churn or unrealistic expectations — ask the recruiter directly.
  • "Competitive salary" with no range. Usually means below market. Get a number before investing time.
  • Solo IT role at 500+ users. That's a burnout setup unless they're explicit about scope and support.
  • Glassdoor patterns: "management doesn't listen," "no work-life balance," "high turnover" — three or more recent reviews saying the same thing is a signal.
  • Recruiter who can't answer basic questions about the role or team — they're spraying CVs, not placing you specifically.

You are also interviewing them. A phone screen is a two-way filter. Your goal is not just to pass — it's to figure out if this role is worth investing more time in.

Speak at 80% of your normal speed. Phone audio compresses voice quality. Slow down slightly — it reads as calm confidence.

If you get a question you don't immediately have an answer for, it's fine to say: "That's a good question — let me think about that for a second." A two-second pause sounds far better than a rushed wrong answer.

End every call by confirming next steps: "What does the process look like from here, and what's your timeline for moving to the next stage?"

Most candidates stop preparing the moment the interview ends. This is where you can quietly separate yourself — and where people lose offers they should have gotten.

// Within 1 Hour
Write down everything you can remember. Questions asked, names of interviewers, technical topics that came up, anything you stumbled on. Do this while it's fresh — you'll use it to prep for the next round.
Note what you answered well and what you didn't. If a question caught you off guard, look up the answer now. You may face it again in round 2.
Send a thank you email. See the template below. Keep it short — 3 sentences. Reference something specific from the conversation so it doesn't read as a copy-paste.
// Within 24 Hours
Connect with interviewers on LinkedIn (optional but smart — send a short note, not the default message).
If the recruiter reached out through an agency, give them a brief debrief on how it went — they're your advocate in the room.
If you promised to send anything (a portfolio link, a reference, a certification) — send it now, not "soon."
Template — adapt this, don't copy verbatim

Subject: Thank you — [Role Title] interview

Hi [Name],


Thank you for taking the time to speak with me today about the [Role Title] position. I enjoyed hearing about [specific thing they mentioned — the team structure, the upcoming project, the tech environment].


The role aligns well with where I'm headed — particularly the [specific aspect]. I'm genuinely interested in progressing to the next stage.


Please let me know if there's anything else you need from me in the meantime.


Best regards,
Aayush

⚠ Replace the bracketed placeholders with something real from the conversation. Generic = forgettable.
Situation | When to follow up | How
They gave you a timeline ("we'll get back to you by Friday") | Monday — if you haven't heard by end of day | Short email to recruiter: "Just checking in on the [role] — still very interested."
No timeline given after interview | 5 business days | Same — one short follow-up email. Not a phone call.
After first follow-up, still nothing | 5 more business days | One more. After that, move on mentally but keep the role active.
You have another offer coming | Immediately | Tell them — "I have an offer with a [X] day deadline. I'd prefer this role. Can we accelerate?"
When the offer comes in
1. Thank them and express genuine interest — "I'm really pleased to receive this."
2. Ask for the offer in writing before committing to anything verbally.
3. Ask for 24–48 hours to review. Any legitimate employer will give this. It's not a red flag to ask.
4. Notify other active applications immediately — "I have an offer, can you update me on your timeline?"
What to check in the offer letter
1. Base salary — matches what was discussed?
2. Super rate — 11.5% is the 2024/25 minimum. Anything above is a positive.
3. Employment type — permanent, contract, or casual? Different protections apply.
4. Notice period — what are you committing to give them?
5. Probation period & conditions — how long and what are the performance expectations?

You can always ask. The worst they can say is no. Most companies expect a counter, especially at this level.

Script: "I'm very keen on this role and the team. The offer is close to what I was hoping for — is there any flexibility to get to [target]? I think given my [specific experience / what you bring], that's a fair ask."

If they can't move on base, ask about: start date flexibility, training budget, extra leave, WFH days, or an earlier salary review. Total package matters more than base alone.

1. Reply to the rejection and ask for feedback: "Thank you for letting me know. I'd genuinely welcome any feedback on my application or interviews — it would help me improve." Most won't reply. Some will, and it's gold.
2. Review your notes from the interview — were there gaps you can close? A certification, a home lab project, or a better-prepared answer?
3. Keep the recruiter warm — "Please keep me in mind for future roles." Agency recruiters have pipelines. This conversation may come back around in 3 months.