
Common IT Interview Questions for 2026: 31 Questions Across Hardware, OS, Networking, Security, and Ticket Workflow

Common IT interview questions in 2026 still test the same four loops: can you fix a broken machine, can you navigate Windows and Linux without Googling every step, do you understand how packets move through a network, and can you keep your composure with an angry user on a ticket SLA. This guide gives 31 questions across the five categories you'll be asked, the honest answers a Tier 1 to Tier 3 IT candidate should rehearse, and the 5-step prep plan for the help desk, IT specialist, sysadmin junior, and SOC analyst interview loop.

By Alex Chen, Founder, InterviewChamp.AI · Last updated


What common IT interview questions actually test in 2026

IT interview questions in 2026 test four things in roughly this order: can you fix a broken machine without panicking, can you navigate Windows and Linux without Googling every command, do you understand how packets move through a network well enough to triage outages by layer, and can you keep your composure when the SLA clock is ticking and the user is escalating. The exact wording has not moved much since 2019. The hiring bar has. Tier 1 candidates today are expected to know more networking and security than they were five years ago, because the cost of a misrouted ticket or a missed phishing report has gone up.

Three specifics have shifted in the 2026 hiring environment. Hybrid work pushed identity from on-premise Active Directory to a mixed Active Directory plus Microsoft Entra ID (formerly Azure AD) stack, and interviewers expect you to know both. Endpoint security has consolidated around EDR tools (CrowdStrike, SentinelOne, Defender for Endpoint are the three names you hear most often), and SOC analyst loops now include a log-review scenario at the Tier 1 level that used to start at Tier 2. ITIL terminology is no longer optional. Words like ticket, incident, problem, change, and SLA are interview signal vocabulary. Using them correctly in a story buys you credibility you can't buy back.

Most candidates over-prepare for the easy questions (what is RAM, what is an IP address) and under-prepare for the structurally harder ones (a user reports a phishing email at 4:55 on Friday, walk me through your next 30 minutes). The interviews where the offer slips are usually the ones where the candidate had a confident answer for trivia and froze on the scenario. You need a decision tree, not a flashcard deck.

Honest call: if you only have a weekend before the IT round, drill troubleshooting flow first, OSI model second, ticket prioritization third, and security incident response fourth. Most candidates do it in reverse and walk in confident on RAM types but fumbling the angry-user prompt that decides 70 percent of the interview.

How an IT interview differs from a developer interview

A developer interview tests algorithmic problem-solving, code fluency, and system design. An IT interview adds three different dimensions that rarely appear in software interviews.

Layered diagnosis. The interviewer hands you a vague symptom (a user can't print, the office Wi-Fi is slow, a server is unresponsive) and grades how you decompose the problem. Most candidates jump to a guess. Strong candidates ask one clarifying question, narrow the scope, and explain what they'd rule out at each layer.

Tool fluency. Naming the right command or tool for the symptom is half the grade. ipconfig /all for Windows network config. ip a for Linux. nslookup or dig for DNS lookups. gpresult /r for group policy debugging. Event Viewer for Windows logs. journalctl -xe for systemd logs. tcpdump or Wireshark for packet capture. The candidate who reaches for the right tool in two seconds reads as someone who has actually shipped tickets.

Soft skills under stress. A developer interview rarely tests how you handle an angry user. An IT interview almost always does. The hardest IT scenario question in any loop is some version of: a user is yelling, the SLA is about to breach, your manager is on vacation, and you don't know the answer. Show your composure under that prompt and you've answered half the interview already.

One thing I'd add from watching Marcus prep for his sysadmin junior loop last month: he had three years of field tech experience and an A+ cert, but he kept under-selling his troubleshooting reasoning because he assumed the interviewer would know what he meant. He'd say "I checked the cable" instead of "I checked the cable at both ends and reseated it because intermittent disconnects are often a partially seated jack rather than a dead cable." The longer version is what got the offer. Specifics over abbreviations.

The 31 IT interview questions you should rehearse

What follows is a structured rehearsal set across the five categories that show up most. Each question has the bones of a strong answer: not a canned script, but the structure an interviewer is grading. Adapt the language to your own voice. The structure is the load-bearing part.

Hardware and troubleshooting interview questions (7 Q)

Q1. A computer won't boot. Walk me through your troubleshooting.

Go layer by layer from physical to OS. One, confirm power: PSU LED, wall outlet, power button. Is the system getting voltage? Two, check for POST: beeps, codes on the motherboard display, fans spinning, drives spinning up. No POST means motherboard, CPU, or RAM. Three, reseat RAM, drop to one stick, try a different slot. RAM is the most common no-POST cause. Four, check the boot drive: SATA or NVMe seated, drive recognized in BIOS, correct boot order. Five, if POST is fine but the OS doesn't load, look at the boot loader, recent updates, or a corrupted system file (Windows Recovery, Linux GRUB). Six, escalate if the issue points at hardware failure with no spare to swap.

What the interviewer notices: layered structure, naming POST beeps, knowing RAM is the most common no-POST suspect.

Q2. How do you diagnose a RAM problem?

Three approaches. One, swap test: pull one stick and boot. If it works, the pulled stick was bad. If not, swap to the other stick and try again. Two, run a memory diagnostic. Windows has Windows Memory Diagnostic built in. Linux has MemTest86 or memtester. Let it run a full pass, ideally overnight. Three, watch for the symptoms: random crashes (especially BSODs with MEMORY_MANAGEMENT or PAGE_FAULT_IN_NONPAGED_AREA), corruption in files, programs failing on launch. Document the slot and stick that failed so the replacement goes in the right place.

Q3. A user's drive is failing. How do you recover their data?

One, stop using the drive. Every read or write on a failing drive accelerates the failure. Two, image the drive with a tool like ddrescue (which retries failed sectors rather than aborting). Pull the image onto a healthy drive. Three, mount the image read-only and copy off what you can. Four, if the drive has obvious mechanical failure (clicking, not spinning, BIOS doesn't see it), that's a data recovery service job, not a help desk job. Escalate. Five, document everything for the incident: SMART status before failure, last backup date, what data was lost or recovered, recommendation to the user (more frequent backups, drive replacement).

Q4. A user reports their keyboard is acting strange. What do you check?

A surprisingly common ticket because most candidates skip the obvious. One, ask: is it one key, several keys, all keys? Is it intermittent or constant? Is it wireless or wired? Two, check the obvious: stuck keys, debris under keys, battery low on wireless, USB cable seated. Three, swap with a known-good keyboard. If the problem follows the keyboard, it's the hardware. If it stays with the computer, it's the OS, driver, or layout setting. Four, check keyboard layout (US vs UK), language settings, accessibility features (Sticky Keys, Filter Keys, Toggle Keys). Five, check the user profile: if it works on another user account, it's profile-specific.

Q5. How do you test a network cable?

Three tools, three depths. One, a basic cable tester (toner and continuity tester) checks pin continuity end to end. Cheap, fast, finds broken or miswired cables. Two, a TDR (Time Domain Reflectometer) finds the distance to a fault along the cable. Useful when you don't know where in the run the break is. Three, certification testers (Fluke or similar) check signal quality at speed, not just continuity. Required when you suspect a cable run is causing intermittent errors at high speed. For most help desk work, the basic tester is what you carry. The interview signal is knowing that continuity doesn't equal good signal, and that a cable can pass continuity and still drop packets at gigabit.

Q6. A user can't print. What do you check?

The classic eight-step. One, is the printer powered on with no error light? Two, is it on the same network as the user (or USB connected)? Three, can you ping the printer's IP? Four, can other users print to it? If yes, the issue is local to this user. Five, is the print queue stuck? Clear it with Get-Printer and Remove-PrintJob in PowerShell on Windows, or the spooler restart. Six, is the right printer set as default? Seven, are there pending Windows updates that broke the driver? (This happens more than it should.) Eight, reinstall the driver. The interviewer is grading whether you go scope first (is it the printer or the user) before driver-shotgun.

Q7. How do you safely remove an external drive from a Windows system?

Always use Safely Remove Hardware or use the Eject option from File Explorer before pulling the cable. Modern Windows tends to flush cached writes faster than older versions did, but cached writes still happen, and yanking the cable mid-flush corrupts files. The interview signal is knowing why this matters: write caching exists for performance. Eject forces the cache flush plus releases the file system handles. The same logic applies to Linux: umount /media/usb first, or risk a corrupt filesystem next time you plug it in.

OS and admin interview questions (7 Q)

Q8. What is Group Policy and how does it apply?

Group Policy is the Active Directory mechanism for centrally configuring Windows settings across users and computers. A GPO (Group Policy Object) is a collection of settings: password rules, screen lock, mapped drives, software install, security baselines. GPOs link at four levels in order: Local, Site, Domain, Organizational Unit. The acronym is LSDOU. When two GPOs conflict, the last one applied wins (so OU beats Domain beats Site beats Local). To debug why a GPO isn't applying, run gpresult /r (or gpresult /h report.html for a readable report) on the target machine, and check link order, security filtering, and WMI filters in Group Policy Management Console.

Q9. How do you reset a forgotten local administrator password on a Windows machine?

Three options. One, if you have another admin account on the box, log in and reset the password through Computer Management or net user. Two, if no other admin exists, boot from a Windows installation USB, open a command prompt at the recovery screen, replace utilman.exe or sethc.exe with cmd.exe (the classic trick), reboot, hit the corresponding accessibility key on the login screen, and reset the password from the elevated command prompt. Restore the original file when done. Three, for domain-joined machines, the cleaner answer is to reset through the domain. The interview signal is knowing the trick exists and also knowing that on modern Windows 11 with BitLocker enabled, the trick is blocked unless you have the recovery key. Be honest about the BitLocker constraint.

Q10. What does the registry do in Windows?

The Windows Registry is the hierarchical database that stores configuration for the OS, services, and most installed applications. Five root hives: HKEY_LOCAL_MACHINE (system-wide settings), HKEY_CURRENT_USER (the logged-in user's profile), HKEY_USERS (all loaded user profiles), HKEY_CLASSES_ROOT (file associations), HKEY_CURRENT_CONFIG (current hardware profile). You read and edit it with regedit or reg.exe. The interview-relevant rule: never edit the registry casually. Always export the key first as a backup. Common help desk uses: removing leftover entries from a failed uninstall, disabling a startup item that's not in Task Manager's startup list, applying a fix from a Microsoft KB article that says "create this DWORD and set it to 1."

Q11. How do you check what services are running on a Windows server?

Three commands depending on context. services.msc opens the GUI Services console. Fine for one-off lookups. Get-Service in PowerShell lists all services with status (Running, Stopped, etc.) and supports filtering: Get-Service | Where-Object Status -eq 'Running'. sc.exe query is the older cmd.exe tool, still useful for scripts. For a remote server, add -ComputerName to the PowerShell command or use Server Manager. The interview signal is reaching for PowerShell, not just the GUI. PowerShell is the language of modern Windows administration.

Q12. What does chmod 755 mean on a Linux file?

chmod changes file permissions. The three digits represent owner, group, and other in that order. Each digit is the sum of read (4), write (2), and execute (1). So 755 means owner has 7 (4+2+1 = read, write, execute), group has 5 (4+0+1 = read and execute), other has 5 (read and execute). It's the standard permission for an executable script that the owner can edit but everyone else can only run. Common counterparts: 644 for a config file (owner read and write, everyone else read only), 600 for a private key file (owner read and write, nobody else), 700 for a private script directory (owner full access, nobody else).

Q13. How do you find what's using a port on Linux?

ss -tulpn | grep :PORT is the modern command. ss is the successor to netstat and is preinstalled on most distros. The flags: t (TCP), u (UDP), l (listening), p (process), n (numeric, don't resolve names). For a specific port like 8080: ss -tulpn | grep :8080. If you only know the process and need the port, lsof -p PID lists all open files (and Linux treats sockets as files). For Windows, the equivalent is netstat -ano | findstr :PORT plus tasklist /fi "pid eq PID" to map the PID to a process. The interview signal is knowing the modern command (ss not netstat) and that ports are tied to processes through socket file descriptors.

Q14. What's the difference between macOS, Windows, and Linux from an enterprise admin perspective?

Macs in enterprise are usually managed by Jamf or Intune, not Active Directory directly. They join Azure AD (Microsoft Entra ID) for SSO, but local user accounts are separate. Group Policy doesn't apply to macOS; the equivalent is a configuration profile pushed by an MDM. Linux desktops in enterprise are rare outside engineering. Linux servers are everywhere. Windows is still the dominant desktop OS and the dominant directory service. The honest framing in an interview: "I've supported Windows fleets at scale. I've supported a handful of Macs through Jamf or Intune. I've administered Linux servers via SSH and configuration management. I haven't built a Mac MDM deployment from scratch but I know the components." That kind of layered honesty wins.

Networking interview questions (6 Q)

Q15. Walk me through the OSI model.

Seven layers, bottom to top. Layer 1 Physical: the actual cables, wireless signals, voltages. The thing you can touch. Layer 2 Data Link: MAC addresses, switches, Ethernet frames. The thing that moves data across one local network segment. Layer 3 Network: IP addresses, routers, packets. The thing that moves data across networks. Layer 4 Transport: TCP and UDP, ports, sessions. The thing that handles end-to-end reliability or speed. Layer 5 Session: setup and teardown of communication sessions. Layer 6 Presentation: data formatting, encryption, compression. Layer 7 Application: the protocol the user actually interacts with (HTTP, DNS, SMTP, SSH). The interview reason this gets asked is that troubleshooting is layered. "User can't reach the file server" decomposes into "is it Layer 1 cable, Layer 2 switch, Layer 3 IP, Layer 4 firewall, or Layer 7 share permission."

Q16. What is subnetting and how do you calculate it?

Subnetting divides a larger IP network into smaller subnetworks. The CIDR (Classless Inter-Domain Routing) notation tells you the mask. A /24 means the first 24 bits are network, the last 8 are host, giving 256 addresses minus 2 (network and broadcast) for 254 usable hosts. /25 splits a /24 in half (128 addresses minus 2 = 126 usable). /26 quarters it (64 minus 2 = 62 usable). The quick mnemonic: every step from /24 to /30 halves the host count. Most interview subnetting questions stop here. Beyond that, you need to be able to compute network and broadcast addresses from a given IP and mask. Practice with 192.168.1.50/26: the subnet is 192.168.1.0 through 192.168.1.63, the broadcast is 192.168.1.63, usable hosts are 192.168.1.1 through 192.168.1.62.

Q17. What is DNS and how does a query work?

DNS (Domain Name System) translates human-readable names into IP addresses. A query goes through up to four resolvers in order. One, the local resolver cache on the client (run ipconfig /displaydns on Windows to see it). Two, the recursive DNS server (usually your DHCP-assigned server or a public one like 8.8.8.8). Three, the root DNS servers (13 of them) that point at the TLD servers. Four, the TLD servers (.com, .org) point at the authoritative name servers for the specific domain. Five, the authoritative server returns the actual IP. The recursive server caches the answer for the TTL (Time To Live) so future queries don't repeat the full walk. Diagnose DNS with nslookup, dig, or Resolve-DnsName in PowerShell.

Q18. What is DHCP and what's the DORA process?

DHCP (Dynamic Host Configuration Protocol) hands out IP addresses and network config to devices joining a network. DORA stands for the four-step handshake. Discover: the client broadcasts a request for an IP. Offer: a DHCP server replies with an available IP. Request: the client formally requests that IP. Acknowledge: the server confirms the lease. The lease has a duration (typically 1 to 8 days) and the client renews at 50 percent of the lease time. Common interview follow-up: a new device gets a 169.254.x.x address. What's wrong? It can't reach a DHCP server (cable, VLAN, server down, IP exhaustion), so it self-assigned an APIPA address.

Q19. How does a firewall rule work?

A firewall rule has five core components: source IP or range, destination IP or range, protocol (TCP, UDP, ICMP), port (or port range), and action (allow, deny, log). Rules are evaluated top to bottom; the first match wins. The implicit default-deny at the end is what most firewalls add for safety: if nothing explicitly allows the traffic, it's blocked. The interview-relevant rule of thumb: deny by default, allow specifically. A rule "allow TCP from 10.0.0.0/24 to 10.0.1.50 port 443" lets the engineering subnet reach the internal web server on HTTPS only. The candidate who can read a firewall ruleset and tell you what's blocked and why is what the interviewer wants.
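
The first-match and default-deny behaviour described above, as an added Python example (not part of the original guide or any firewall product's syntax). The `Rule` and `Packet` types and every rule except the 10.0.0.0/24 to 10.0.1.50 port 443 allow are constructed for illustration; the shadowed-rule check goes one step beyond the text to show why rule order matters when you read a ruleset.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    proto: str                               # "tcp", "udp", "icmp" or "any"
    src: str                                 # source CIDR
    dst: str                                 # destination CIDR
    ports: Optional[Tuple[int, int]] = None  # inclusive dst port range, None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    port: Optional[int] = None               # None for ICMP


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every component of the rule matches the packet."""
    if rule.proto not in ("any", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.ports is not None:
        lo, hi = rule.ports
        if pkt.port is None or not lo <= pkt.port <= hi:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Top to bottom, first match wins. Index None means the implicit default deny."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet the later rule matches is already caught by the earlier one."""
    if earlier.proto not in ("any", later.proto):
        return False
    if not ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src)):
        return False
    if not ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst)):
        return False
    if earlier.ports is not None:
        if later.ports is None:
            return False
        if not (earlier.ports[0] <= later.ports[0] and later.ports[1] <= earlier.ports[1]):
            return False
    return True


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (rule index, index of the earlier rule that hides it) for rules that can never fire."""
    hidden = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                hidden.append((j, i))
                break
    return hidden


# Rule 0 is the example from the text; rules 1 to 3 are constructed.
RULES = [
    Rule("allow", "tcp", "10.0.0.0/24", "10.0.1.50/32", (443, 443)),
    Rule("deny",  "any", "10.0.0.0/16", "10.0.1.0/24"),
    Rule("allow", "tcp", "10.0.2.0/24", "10.0.1.50/32", (22, 22)),   # never reached
    Rule("allow", "udp", "10.0.0.0/16", "10.0.9.53/32", (53, 53)),
]

if __name__ == "__main__":
    tests = [
        Packet("tcp", "10.0.0.7", "10.0.1.50", 443),    # engineering subnet to HTTPS
        Packet("tcp", "10.0.0.7", "10.0.1.50", 80),     # same hosts, wrong port
        Packet("tcp", "10.0.2.9", "10.0.1.50", 22),     # hits the broad deny first
        Packet("tcp", "192.168.5.5", "10.0.9.53", 53),  # nothing matches
    ]
    for pkt in tests:
        action, index = evaluate(RULES, pkt)
        reason = "implicit default deny" if index is None else f"rule {index}"
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.port}  {action} ({reason})")
    for later, earlier in shadowed(RULES):
        print(f"rule {later} is shadowed by rule {earlier}")
```
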

Q20. What is a VLAN and why use it?

A VLAN (Virtual Local Area Network) logically segments a switch's ports into separate broadcast domains. Two devices on different VLANs cannot talk to each other directly through the switch; they have to go through a router or Layer 3 switch. The use cases in 2026 are mostly security and traffic isolation: put VoIP phones on one VLAN, guest Wi-Fi on another, employee laptops on a third, servers on a fourth. A typical office network has 5 to 15 VLANs. The interview-relevant question is usually "a user moved to a different desk and now can't reach the server. What's likely?" Answer: the new switch port is in a different VLAN. Check the port config on the switch, change the VLAN assignment, or move the user back.

Security basics interview questions (5 Q)

Q21. A user reports a phishing email. What do you do?

Seven steps. One, thank the user immediately. You want them to keep reporting. Two, ask the user not to click anything in the email, including unsubscribe links. Three, quarantine the email in the mail security tool so other users don't open it (most mail filters have a "remove from all mailboxes" action). Four, check the mail logs to see who else received it and whether anyone clicked or replied. Five, if anyone entered credentials, reset those credentials and force re-MFA. Six, scan the endpoint with the EDR tool for any payload that may have landed. Seven, capture the indicators of compromise (sender, link, attachment hash) and report them to the SOC or your mail filter vendor. Document everything in the ticket and the incident log.
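
Step seven (capture the sender, link, and attachment hash) sketched as an added Python example, not part of the original guide. The message is constructed in code with made-up `.example` and `.invalid` names, and the `extract_iocs`, `defang`, and `sha256_hex` helpers are hypothetical names for this illustration; the Reply-To comparison and the defanging of links for the ticket are additions beyond the three indicators the text lists.

```python
import hashlib
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Constructed placeholder bytes standing in for a reported attachment.
SAMPLE_ATTACHMENT = b"constructed placeholder bytes, not a real archive"


def build_sample() -> str:
    """Constructed phishing-style report; every name and domain is made up."""
    msg = EmailMessage()
    msg["From"] = '"IT Service Desk" <helpdesk@corp-support.example>'
    msg["Reply-To"] = "reset@mailbox.invalid"
    msg["To"] = "user@company.example"
    msg["Subject"] = "Action required: password expires today"
    msg.set_content(
        "Your password expires today.\n"
        "Sign in here to keep access:\n"
        "http://login.corp-support.example/reset?id=42\n"
    )
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename="policy_update.zip")
    return msg.as_string()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def defang(value: str) -> str:
    """Make a URL or hostname non-clickable before pasting it into a ticket."""
    return re.sub(r"^http", "hxxp", value, flags=re.IGNORECASE).replace(".", "[.]")


def extract_iocs(raw: str) -> dict:
    """Pull sender, links and attachment hashes out of a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    urls, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            # Hash the decoded bytes only; the attachment is never opened or written to disk.
            data = part.get_payload(decode=True) or b""
            attachments.append({
                "filename": part.get_filename(),
                "size": len(data),
                "sha256": sha256_hex(data),
            })
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if url not in urls:
                    urls.append(url)
    return {
        "sender": sender,
        "reply_to": reply_to,
        # A Reply-To on a different domain than From is worth noting in the ticket.
        "reply_to_mismatch": bool(reply_to)
        and reply_to.rpartition("@")[2] != sender.rpartition("@")[2],
        "subject": str(msg.get("Subject", "")),
        "urls": urls,
        "url_hosts": sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname}),
        "attachments": attachments,
    }


if __name__ == "__main__":
    iocs = extract_iocs(build_sample())
    print("sender:   ", iocs["sender"])
    print("reply-to: ", iocs["reply_to"], "(mismatch)" if iocs["reply_to_mismatch"] else "")
    for url in iocs["urls"]:
        print("link:     ", defang(url))
    for att in iocs["attachments"]:
        print("attached: ", att["filename"], att["size"], "bytes", att["sha256"])
```
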

Q22. What's a strong password policy in 2026?

The 2026 best practice (aligned with NIST SP 800-63B) has moved away from forced complexity and mandatory rotation toward length plus a breach-check. The recommended baseline: 12 characters minimum (16 preferred), no required mix of upper, lower, number, symbol (because users defeat it with Password1!), no expiry unless there's evidence of compromise, and a check against breached-password databases on every set or change. Combine with MFA on everything. The interview signal is knowing that the old guidance (8 chars, complexity, 90-day rotation) is no longer the recommendation, and being able to explain why: users defeat complexity with predictable patterns, and forced rotation produces weaker passwords (Spring2026! then Summer2026!).

Q23. What's MFA and why does it matter?

MFA (Multi-Factor Authentication) requires two or more proofs of identity from different categories. Something you know (password), something you have (phone, hardware token, smart card), something you are (fingerprint, face, iris). The point: a stolen password alone doesn't get an attacker into the account. The 2026 best practice is to move users off SMS-based MFA (vulnerable to SIM swap) onto authenticator apps (Microsoft Authenticator, Google Authenticator) or hardware keys (YubiKey, Titan). For the most sensitive accounts (admin, finance, executive), use phish-resistant FIDO2 hardware keys. SMS is better than nothing, but it is not the answer for 2026.

Q24. Walk me through basic incident response.

Six phases (the NIST IR lifecycle). One, Preparation: tools, runbooks, contact lists, tabletop exercises before anything happens. Two, Identification: detect the incident through alerts, user reports, or threat intelligence. Confirm it's actually an incident, not a false positive. Three, Containment: isolate affected systems to stop the spread (network isolation, account disable, EDR quarantine). Don't shut down yet; you'll lose volatile memory needed for forensics. Four, Eradication: remove the threat (malware, attacker tools, persistence). Patch the entry point. Five, Recovery: restore systems from clean backups, validate they're clean, return to production. Six, Lessons Learned: post-incident review, RCA, update runbooks. The interview signal is naming all six and knowing why containment comes before eradication.

Q25. You see 500 failed login attempts against one user account in the last 10 minutes. What do you do?

Brute force or password spray. Four steps. One, lock the account immediately to stop the attack. Two, check the source IPs (one IP is brute force, many IPs is password spray or distributed brute force). Three, check whether any attempt succeeded. If yes, the account is compromised: reset the password, revoke active sessions, force re-MFA, scan the user's devices, walk through their recent activity with the user. If no, the account is at risk but not compromised: notify the user, force a password reset, check whether MFA is enabled on the account. Four, capture the indicators (source IPs, user agent strings, timestamps) for the SOC and update the firewall or WAF to block the source IPs if persistent.
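
Steps two and three of that answer (count the source IPs, then check whether any attempt succeeded) as an added Python example, not part of the original guide. The log format, field names, and the `triage` function are constructed for this illustration, the addresses come from documentation ranges, and the sample uses a threshold of 5 so the embedded log stays short; the default of 500 failures in 10 minutes follows the question.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> user=<name> src=<ip> result=FAIL|SUCCESS"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)

# Constructed sample lines; IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2026-01-09T16:40:00 user=jdoe src=203.0.113.10 result=FAIL
2026-01-09T16:46:10 user=jdoe src=203.0.113.10 result=FAIL
2026-01-09T16:47:02 user=jdoe src=203.0.113.10 result=FAIL
2026-01-09T16:47:40 user=jdoe src=198.51.100.23 result=FAIL
2026-01-09T16:48:15 user=jdoe src=203.0.113.10 result=FAIL
2026-01-09T16:49:30 user=jdoe src=198.51.100.77 result=FAIL
2026-01-09T16:50:05 user=asmith src=192.0.2.44 result=FAIL
2026-01-09T16:51:20 user=jdoe src=198.51.100.23 result=FAIL
2026-01-09T16:52:48 user=jdoe src=198.51.100.23 result=SUCCESS
this line is malformed and is skipped
"""


def parse(text):
    """Parse log text into time-ordered event dicts, skipping lines that do not fit the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue
        events.append({"ts": ts, "user": m["user"], "src": m["src"],
                       "ok": m["result"] == "SUCCESS"})
    return sorted(events, key=lambda e: e["ts"])


def triage(events, user, now, window=timedelta(minutes=10), threshold=500):
    """Classify failed logins for one account in the window ending at `now`."""
    recent = [e for e in events
              if e["user"] == user and now - window <= e["ts"] <= now]
    failures = [e for e in recent if not e["ok"]]
    sources = Counter(e["src"] for e in failures)
    result = {
        "failures": len(failures),
        "sources": sources.most_common(),   # candidates for a firewall or WAF block
        "pattern": None,
        "successes": [],
        "verdict": "below_threshold",
    }
    if len(failures) < threshold:
        return result
    # One source is a plain brute force; many sources is spray or distributed brute force.
    result["pattern"] = "brute_force" if len(sources) == 1 else "distributed"
    first_failure = min(e["ts"] for e in failures)
    # Any success after the failures began is treated as a compromise until ruled out.
    result["successes"] = [(e["ts"].isoformat(), e["src"])
                           for e in recent if e["ok"] and e["ts"] > first_failure]
    result["verdict"] = "compromised" if result["successes"] else "at_risk"
    return result


if __name__ == "__main__":
    now = datetime.fromisoformat("2026-01-09T16:55:00")
    report = triage(parse(SAMPLE_LOG), "jdoe", now, threshold=5)
    print(f"{report['failures']} failures, pattern={report['pattern']}, "
          f"verdict={report['verdict']}")
    for src, count in report["sources"]:
        print(f"  {src}: {count} failed attempts")
    for ts, src in report["successes"]:
        print(f"  success at {ts} from {src}")
```
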

Soft skills and ticket workflow interview questions (6 Q)

Q26. Tell me about a time you handled an angry user.

Use STAR. Situation: brief context. Task: what you needed to do. Action: what you specifically did, including the de-escalation move. Result: measurable outcome. A strong example, drawn from a 3-year help desk arc:

Situation: a senior partner at the firm called Friday at 4:50pm. Her laptop wouldn't connect to the VPN, she was leaving for the airport in 40 minutes, she had a deposition to prep on the flight.

Task: get her back on the VPN before the airport run, calmly.

Action: I let her vent for the first 45 seconds without interrupting. Then said: "I have you. We have time. Let me ask two quick things and I think we can fix this in five minutes." Confirmed her username, asked if she'd changed her password recently (yes, that morning, password expiry), confirmed the laptop was on Wi-Fi and could reach external sites, then walked her through clearing the cached credentials in the VPN client and re-authenticating. Connected first try. Stayed on the line for 90 seconds to make sure her remote files mounted. Wished her a good flight.

Result: she made the flight. She emailed the help desk manager Monday morning thanking the team. I added the "password change blocks cached VPN credentials" gotcha to the team knowledge base so the next person didn't start from scratch.

The de-escalation move (let her vent, then "I have you") plus the system-level fix (KB article) is what interviewers grade.

Q27. How do you prioritize a queue of 15 tickets when you start your shift?

Three filters in order. One, P1 first, no exceptions. Anything tagged high impact plus high urgency, or anything with an SLA breaching in the next hour, goes top of queue. Two, batch the quick wins. If you have five password resets in the queue, do them back-to-back in 15 minutes. The mental context-switch cost of bouncing between tickets is real; batch the same-shape work. Three, the rest by SLA remaining, oldest first. If two tickets have the same SLA, take the one with the simpler triage first so you can mark it resolved and clear queue size. Communicate ETAs proactively. Users tolerate a 4-hour wait if they know it's 4 hours. They escalate at 90 minutes if they don't know.

Q28. When do you escalate a ticket?

Three triggers. One, the ticket is outside your authority. Account creation in a system you don't have admin rights to, a security incident that requires SOC eyes, a hardware RMA that needs purchasing approval. Escalate immediately with all the context you've gathered. Two, you've exhausted your troubleshooting playbook and the symptom is unchanged. Don't grind for hours; escalate after 30 to 60 minutes of structured attempts so the next person can pick up where you left off. Three, the SLA is going to breach. Escalate before the breach, not after. The interview signal is knowing escalation is not failure; it's the right move when the alternative is missing the SLA or making the wrong call alone. The escalation should include what you tried, what you ruled out, what you suspect, and what you'd try next.

Q29. How do you contribute to a knowledge base?

Two habits, both daily. One, after every ticket that took non-trivial time, write a one-paragraph KB entry: the symptom, the root cause, the fix, the prevention. Two, when you find an existing KB article that's wrong or stale, fix it the same day, don't file a ticket against the documentation team. The interview signal is treating KB contribution as part of the job, not a side task. Strong IT teams measure KB hits per ticket, and reps who contribute high-value articles get promoted faster than reps who clear more tickets without writing anything down. The KB is the team's institutional memory; if you don't add to it, you're net-negative on the team's leverage.

Q30. How do you handle on-call rotation?

Four habits make on-call sustainable. One, have a clear runbook for the top 10 alert types so 2am-you isn't reasoning from scratch. Two, set up alerts that page only on actionable incidents. If 70 percent of pages are noise, fix the alert thresholds, don't grind through the noise. Three, hand off cleanly. When the on-call shift ends, brief the next person on any open incidents, partial fixes, and known issues. A 5-minute handoff prevents a 5-hour follow-up call later. Four, take recovery time after a bad rotation. A weekend of pages is not a weekend off; reschedule appointments, sleep, and protect the day after. The interview signal is understanding on-call as a system, not a heroic act.

Q31. A user is panicking about losing their work after a crash. What do you say?

Acknowledge the feeling first, then the facts. "I get the panic; let's see what we can recover." Don't promise recovery before you've checked. Walk through three recovery paths: autosave or temp files (most modern apps keep an autosave; check the autosave directory before anything else), file history or version control (Windows File History, OneDrive version history, Google Docs revision history), backup (network share backup, cloud backup, USB backup). Be honest about what's recoverable and what isn't. The worst move is over-promising in the moment, recovering 80 percent, and leaving the user feeling like they lost the rest because of you. Promise the 80 and deliver. The interview signal is honesty plus calm plus a structured recovery path.

How to prepare for an IT interview (5 steps)

A focused four-week prep plan, scaled for a candidate with 3 years of field tech or help desk experience and an A+ cert pivoting toward IT Specialist, Sysadmin Junior, or SOC Analyst. Adjust the weighting if your starting point differs.

  1. Week 1: rebuild your home lab. Windows Server VM promoted to a domain controller. Two Linux VMs (one Ubuntu, one CentOS or Rocky). Create users, OUs, GPOs in AD. Practice user and permission management on Linux. The lab is the artifact you'll reference. "I have a home lab where I practiced X" beats "I've read about X" every time.

  2. Week 2: drill 30 to 40 question rehearsals out loud, timed. Pick the questions from this guide that match your target role. 90 seconds per answer. Record yourself. The first run feels awful. By the third pass through the list, the structure becomes automatic. Fluency is what gets you past the phone screen.

  3. Week 3: drill networking and security fundamentals. OSI model. TCP versus UDP. DNS query flow. DHCP DORA. Subnetting (a /24, /25, /26, /30). Firewall rule structure. Phishing response. MFA categories. NIST IR lifecycle. Write a one-page cheat sheet from memory. The act of writing it is the prep; carrying it to the interview morning is the warmup.

  4. Week 3 in parallel: practice scenario questions on a whiteboard. "Half the office can't reach SharePoint, what do you check first?" Sketch the decision tree. Walk through out loud. 5 to 7 minutes per scenario. The interviewer grades structure of thinking, not depth of recall.

  5. Week 4: run two timed mock interviews. 30 minutes each. First mock: troubleshooting and OS. Second mock: networking, security, and one extended scenario. Narrate your reasoning out loud while sketching. Capture the gaps. Fix them before the real loop.

The morning of the real interview: review the cheat sheet for five minutes. Cold brain beats over-rehearsed brain.

IT interview format by role type

The same IT questions get formatted differently depending on the role you're targeting. The breakdown for the four most common IT roles hiring entry-level to mid-level in 2026:

| Role | Troubleshooting depth | OS admin depth | Networking depth | Security depth | Soft skills weight |
| --- | --- | --- | --- | --- | --- |
| Help Desk / Tier 1 | High | Medium (Windows-heavy) | Low to Medium | Low (phishing awareness) | Very High |
| IT Specialist | High | High (Windows plus light Linux) | Medium | Medium (account security, MFA) | High |
| Sysadmin Junior | Medium | Very High (Windows AD plus Linux) | High | Medium to High | Medium |
| SOC Analyst Tier 1 | Medium | Medium | High | Very High (log review, IR) | Medium |

Two patterns to notice. Troubleshooting is the floor for every role; you can't skip it. The weighting shifts upward through the layers as roles get more specialized. Soft skills weight tracks how much direct user contact the role has: help desk is mostly user contact, sysadmin and SOC are mostly back-end work.

What this means for your prep: prioritize the section that gets the heaviest weight for your target role, but don't drop the others. A SOC analyst loop will still hit you with a troubleshooting question, and a help desk loop will still ask about MFA. Cover the table; deepen the column.

Common IT interview mistakes for help desk and Tier 1 candidates

The seven most-reported mistakes from IT interviews in the 2025-2026 hiring cycle, in roughly the order of frequency:

Jumping to a guess instead of a layered diagnosis. "Why won't this computer boot?" answered with "probably the RAM" loses to a 30-second walkthrough that checks power, POST, RAM, drive, OS in order. Interviewers grade the structure of thinking. A guess that happens to be right is still a guess.

Over-claiming experience. Saying you've managed an Active Directory forest when you've created six user accounts gets caught on the first follow-up. The honest framing wins: "I've done user creation, password resets, GPO troubleshooting. I haven't designed a forest from scratch but I'd want to learn that." Honest plus eager beats inflated plus brittle every time.

Skipping the de-escalation move in scenario answers. Most candidates jump straight to "I'd check the cable" when the prompt was "the user is yelling, what do you do?" The first 15 seconds of the answer is acknowledge feeling, then triage. Skip that and you've lost 30 percent of the grade on the soft-skills question.

Not knowing the right tool by name. "I'd check the network config" is weaker than "I'd run ipconfig /all on Windows or ip a on Linux." "I'd look at logs" is weaker than "I'd open Event Viewer for Windows or run journalctl -xe on systemd Linux." Specific tools signal you've actually used them.

Confusing Active Directory and Azure AD (Microsoft Entra ID). They're not the same product. They sync but they serve different purposes. AD is on-premise identity. Entra ID is cloud identity. Knowing the distinction is a small signal, but missing it is a big one in 2026 hybrid environments.

Treating SLA as a number, not a behavior. "The SLA is 4 hours" is the wrong frame. "The SLA is 4 hours and I communicate progress at the 1-hour mark even if I haven't fixed it" is the right frame. Users tolerate a 4-hour wait when they're updated. They escalate at 90 minutes when they're not.

Forgetting the documentation step. Every strong IT ticket ends with a note in the KB or the incident log. Candidates who don't mention documentation in their scenario walkthroughs read as junior even when their troubleshooting is strong.

One thing I'd add from watching Marcus do this prep: don't try to fix all seven at once. Pick the two that match your current pattern (almost always the guess-first habit plus the missing de-escalation move) and audit your last two practice mocks for them. Fix them in your muscle memory. The other five take care of themselves once those two are gone.

Key terms

A+ (CompTIA A+)
The entry-level CompTIA certification covering hardware, networking, mobile devices, OS, security, and troubleshooting. Two exams (Core 1 and Core 2). The standard credential for help desk and Tier 1 IT roles. Validates foundational competence; not a substitute for hands-on experience.
N+ (CompTIA Network+)
The CompTIA networking certification covering OSI model, TCP/IP, routing, switching, wireless, and basic network security. The next step up from A+ for IT specialist and sysadmin junior tracks. Strong signal for any role that touches network infrastructure.
S+ / Sec+ (CompTIA Security+)
The CompTIA entry-level security certification covering threats, attacks, vulnerabilities, identity, access management, cryptography, and risk management. The standard credential for SOC Analyst Tier 1 and government IT roles. Often a hiring floor for DoD-adjacent positions.
ITIL (Information Technology Infrastructure Library)
The framework for IT service management. Defines processes for incident, problem, change, and release management. ITIL 4 is the current version. Knowing ITIL vocabulary (ticket, incident, problem, change, SLA, CMDB) is interview signal even at help desk roles.
SLA (Service Level Agreement)
A documented commitment to response and resolution times for IT services. Example: P1 response within 30 minutes, resolution within 4 hours. Often tiered by priority. SLAs are contractual in B2B and internal targets in most enterprise IT shops.
SOP (Standard Operating Procedure)
The documented step-by-step process for a recurring task: how to onboard a new employee account, how to triage a phishing report, how to handle a P1 outage. Strong IT teams treat SOPs as living documents; weak teams let them rot.
RCA (Root Cause Analysis)
The post-incident review process to identify the underlying cause of an outage or incident, not just the surface symptom. Common formats include the Five Whys and Ishikawa fishbone diagrams. The output is an action item list to prevent recurrence.
CMDB (Configuration Management Database)
The inventory of every IT asset (hardware, software, services, relationships) the organization owns. Lives in ITSM tools like ServiceNow or BMC Helix. Used for impact analysis (if this server goes down, which apps are affected) and change planning.
MTBF (Mean Time Between Failures)
The average time a system runs between failures, measured in hours. A drive with MTBF of 1.2 million hours has roughly a 1-in-137-years per-drive failure expectancy under expected workload. Useful for capacity planning, not for predicting any single drive's lifespan.
EDR (Endpoint Detection and Response)
The class of security tools that monitor endpoint behavior (process, file, network, registry activity) for malicious patterns and provide investigation and remediation tooling. CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint are the three names mentioned most often in 2026 SOC interviews. The successor to traditional antivirus.

About the author: Alex Chen is the founder of InterviewChamp.AI, building AI interview prep for the new-grad CS market and writing about the modern interview gauntlet from the inside.

Frequently asked questions

What are the most common IT interview questions in 2026?
Five categories cover almost every IT interview in 2026. Hardware and troubleshooting (boot failures, RAM diagnostics, drive recovery), OS administration (Windows group policy, registry, services plus Linux permissions, processes, logs), networking (OSI model, TCP/IP, DNS, DHCP, subnetting, firewalls), security basics (phishing response, password policies, MFA, log review, incident triage), and soft skills plus ticket workflow (angry users, prioritization, escalation, on-call). Most help desk and Tier 1 interviews lean about 30% troubleshooting, 25% OS, 20% networking, 15% security, 10% soft skills. SOC analyst and sysadmin junior loops shift weight toward networking, security, and Linux.
How do I answer 'walk me through troubleshooting a computer that won't boot'?
Use a layered approach from physical to OS. Step 1: confirm the power supply is delivering voltage (PSU LED, wall outlet, power button). Step 2: check for POST beeps or codes (no POST means motherboard, CPU, or RAM). Step 3: reseat RAM, drop to one stick, try a different slot. Step 4: check the boot drive (SATA cable, BIOS detection, drive order). Step 5: if POST is fine but Windows or Linux doesn't load, look at boot loader, recent updates, or a corrupted system file. Step 6: escalate if the issue points at hardware failure (dead motherboard, failed PSU under load, dead drive with no spare). The interviewer is grading whether you go layer by layer instead of guessing.
What's the OSI model and why does an IT interviewer ask about it?
The OSI model is a 7-layer reference for how data moves across a network. Layer 1 Physical (cables, signals), Layer 2 Data Link (MAC addresses, switches), Layer 3 Network (IP addresses, routers), Layer 4 Transport (TCP, UDP, ports), Layer 5 Session, Layer 6 Presentation, Layer 7 Application (HTTP, DNS, SMTP). The interviewer asks because layered troubleshooting is the bread and butter of network support. 'The user can't reach the file server' becomes 'is it Layer 1 (cable unplugged), Layer 2 (switch port disabled), Layer 3 (no IP or wrong gateway), Layer 4 (firewall blocking port 445), or Layer 7 (file share permissions)?' That mental model is what the question tests.
What's the difference between TCP and UDP?
Both are Layer 4 transport protocols. TCP (Transmission Control Protocol) is connection-oriented and reliable. It establishes a three-way handshake (SYN, SYN-ACK, ACK), guarantees delivery, retransmits lost packets, and keeps packets in order. UDP (User Datagram Protocol) is connectionless and fire-and-forget. Lower overhead, faster, no guarantee of delivery or order. The interview-relevant rule of thumb: TCP for HTTP, SSH, SMB, anything where missing data is worse than slow data. UDP for DNS lookups, VoIP, streaming, anything where speed matters more than perfect delivery.
What's the difference between DNS and DHCP?
DNS (Domain Name System) translates human-readable names like example.com into IP addresses. DHCP (Dynamic Host Configuration Protocol) hands out IP addresses, subnet masks, default gateways, and DNS server addresses to devices joining a network. DNS is the phone book. DHCP is the building manager assigning room numbers when a tenant moves in. The classic interview follow-up: a user can ping by IP but not by name. What's broken? DNS. The user got an IP but can't resolve names. Probably wrong DNS server in DHCP config, or the DNS server is down.
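The "reachable by IP but not by name" follow-up and the layer-by-layer triage from the OSI answer, as an added example that is not part of the original guide. The function names, verdict labels, and the sample host and address are assumptions; Layers 1 and 2 (cable, switch port) cannot be probed from a script and are left to the technician.

```python
import socket

def tcp_open(ip, port, timeout=2.0):
    """Layer 3/4 probe: True if a TCP handshake to ip:port completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def resolve_ipv4(name):
    """Name-resolution probe: sorted IPv4 addresses for name, [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})

def triage(name, known_ip, port, resolver=resolve_ipv4, probe=tcp_open):
    """Classify 'user cannot reach name:port' into the first layer to check.

    known_ip is the address the server is documented to have (for example
    from the CMDB). resolver and probe are injectable so the decision logic
    can be exercised without touching the network.
    """
    reachable_by_ip = probe(known_ip, port)
    addrs = resolver(name)
    if not addrs and reachable_by_ip:
        # The classic follow-up: works by IP, fails by name.
        return ("dns", "check the DNS server handed out by DHCP and whether it answers")
    if not addrs:
        return ("network", "nothing works: check link, IP address and gateway (Layers 1-3)")
    if known_ip not in addrs:
        return ("stale-dns", "name resolves to %s, not %s: check the DNS record"
                % (", ".join(addrs), known_ip))
    if not reachable_by_ip:
        return ("transport", "name resolves but TCP connect fails: check the route "
                "(Layer 3), then firewall rules for port %d (Layer 4)" % port)
    return ("application", "network path is fine: check the service and share "
            "permissions (Layer 7)")

if __name__ == "__main__":
    # Constructed host name and documentation-range address; replace with real ones.
    print(triage("fileserver.corp.example", "192.0.2.10", 445))
```
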
What's the difference between Active Directory and Azure AD?
Active Directory (AD) is the on-premise directory service Microsoft has shipped since Windows 2000. It runs on a domain controller, manages user accounts, computers, group policies, and authentication via Kerberos and LDAP. Azure AD (now called Microsoft Entra ID) is the cloud-native identity service for Microsoft 365, Azure resources, and SaaS apps via SAML and OAuth. They're not the same product. Most 2026 environments run both, synced with Azure AD Connect. The interview signal is whether you know Azure AD is not 'AD in the cloud' even though Microsoft marketing implied it for years.
What's a group policy in Windows and what does it do?
Group Policy is the Active Directory mechanism for centrally configuring Windows settings across users and computers. A GPO (Group Policy Object) is a collection of settings (password complexity, screen lock timeout, mapped network drives, browser homepage, software install). GPOs apply at four levels in order: Local, Site, Domain, Organizational Unit (LSDOU). The interview-relevant question is usually 'why isn't this GPO applying to this user' and the answer involves checking link order, security filtering, WMI filters, and running `gpresult /r` on the target machine.
How do you check what processes are using CPU on a Linux server?
Three commands cover most cases. `top` gives a live, sortable view of processes with CPU and memory usage. Press M to sort by memory, P by CPU. `htop` is the friendlier interactive version, often installed by default on modern distros. `ps aux --sort=-%cpu | head -20` gives a snapshot of the top 20 CPU consumers. For deeper analysis, `pidstat 1`, `iostat -x 1`, and `vmstat 1` from the sysstat package help separate CPU-bound from I/O-bound bottlenecks. The interviewer is grading whether you reach for the right tool by signal, not just whether you can spell top.
What's a phishing email and what should you do if a user reports one?
Phishing is a social-engineering attack using an email that impersonates a trusted sender (IT, HR, a bank, a vendor) to trick the user into clicking a link, downloading an attachment, or revealing credentials. The response when a user reports one: thank the user immediately (you want them to keep reporting), quarantine the email in the mail security tool, check if anyone clicked the link or replied, reset any credentials that may have been entered, scan the endpoint for malware, and report the indicators of compromise (sender, link, attachment hash) to the SOC or your mail filter vendor. Document everything for the incident log.
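The indicator-collection step in the response above (sender, link, attachment hash), as an added example that is not part of the original guide. It parses one reported message and returns defanged values ready to paste into the incident log; the sample email, its domains, and the function names are constructed for illustration.

```python
import hashlib
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample report using reserved example domains, not a real message.
SAMPLE_EML = """\
From: "IT Service Desk" <helpdesk@corp.example>
Reply-To: it-desk@mailer.example.net
To: user@corp.example
Subject: Password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Sign in here:
http://login.corp.example.verify.example.net/reset
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="policy.bin"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxl
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def defang(value):
    """Make a URL or host non-clickable for tickets and reports."""
    return value.replace("http", "hxxp", 1).replace(".", "[.]")

def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def extract_indicators(raw):
    """Collect sender, links and attachment hashes from one reported email."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    sender_dom = sender.rpartition("@")[2]
    urls, attachments, flags = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append((part.get_filename(), hashlib.sha256(data).hexdigest()))
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    if reply_to and reply_to.rpartition("@")[2] != sender_dom:
        flags.append("reply-to domain differs from sender domain")
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if not in_domain(host, sender_dom):
            flags.append("link host outside sender domain: " + defang(host))
    return {"sender": sender, "reply_to": reply_to, "urls": [defang(u) for u in urls],
            "attachments": attachments, "flags": flags}
```

The link host in the sample starts with the sender's domain but ends in a different one, which is why the check compares the end of the host name instead of searching for the domain anywhere in it.
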
What's multi-factor authentication and why does it matter?
MFA (Multi-Factor Authentication) requires two or more proofs of identity from different categories: something you know (password), something you have (phone, hardware token), something you are (fingerprint, face). The point is that a stolen password alone doesn't get an attacker into the account. The 2026 best practice is to move users off SMS-based MFA (vulnerable to SIM swap) onto authenticator apps or hardware keys like YubiKey. Interview signal: knowing the three factor categories, knowing SMS is the weakest, and knowing that MFA breaks against a real-time phishing proxy unless you use phish-resistant methods like FIDO2.
How would you prioritize three tickets that come in at the same time?
Two axes: impact and urgency. Impact is how many people are affected and how core the service is. Urgency is whether there's an SLA deadline or a hard business event tied to it. ITIL formalizes this as a Priority Matrix (P1 to P4). P1: high impact, high urgency, like a server outage hitting the whole office. P2 to P4 scale down from there. Practical answer for the interview: I'd ask one clarifying question to confirm impact and urgency for each, then take the P1 first, communicate ETAs for the others, and either work them in order or escalate the queue if I'm the only person on call. Communicating ETA is what users want even more than fast resolution.
How do you handle an angry user on a call or in person?
Five-step pattern. One, let them finish the first 30 to 60 seconds without interrupting. Two, acknowledge the feeling, not just the issue. 'I can hear this has been frustrating, especially if it has been blocking you all morning.' Three, ask one or two specific questions to pin the issue. Four, name the path forward in plain language with a timeline. Five, follow up in writing with what was done and what comes next. The mistake junior IT folks make is going straight to troubleshooting before the user feels heard. The user can't help you diagnose if they're still venting.
How should I prepare for an IT interview as someone with help desk experience?
Four weeks of focused work. Week 1: rebuild your hands-on lab. Install Windows Server, set up a domain controller, create users and GPOs. Spin up two Linux VMs and practice user and permission management. Week 2: walk through 30 to 40 of the most-asked questions out loud, timed. Week 3: drill networking and security fundamentals. The OSI model, TCP/IP, DNS, DHCP, subnetting, firewall rules, phishing response, MFA. Week 4: practice scenario questions on a whiteboard. 'A user calls saying the printer is broken. Walk me through it.' Time yourself at 5 to 7 minutes per scenario. Most IT interviewers grade structure of thinking more than depth of recall.
What's the most common IT interview mistake candidates make?
Jumping to a guess instead of a process. 'Why won't this computer boot?' answered with 'probably the RAM' loses to 'I'd start at power, check for POST beeps, reseat the RAM, then look at the drive.' The interviewer wants to see layered diagnosis. The second most common mistake is over-claiming. Saying you've managed an Active Directory forest when you've only created a few user accounts gets caught on the first follow-up question. The honest framing wins. 'I've handled user creation, password resets, and basic GPO troubleshooting. I haven't designed a forest from scratch, but I'd want to learn that.'