Identity with Windows Server 2016 — Question 88

You have an enterprise certification authority (CA) named ContosoCA. Recovery agents are configured for ContosoCA.
You duplicate the User certificate template and name it Cont_User. You plan to issue the certificates based on Cont_User to provide users with the ability to encrypt email messages and files.
You need to ensure that the recovery agents can access any user-encrypted files and email messages if the users lose their certificate.
What should you do?

Answer options

• A. Modify the Recovery Agents settings for ContosoCA.
• B. Issue a certificate based on a key recovery agent certificate.
• C. Modify the Request Handling settings for Cont_User.
• D. On ContosoCA, configure the Key Recovery Agent template as a certificate template to issue.

Correct answer: C

Explanation

The correct answer is C because modifying the Request Handling settings for the Cont_User template allows specifying that the private keys can be backed up for recovery agents. The other options do not directly address the requirement to ensure access to user-encrypted files and messages through the appropriate configuration of the certificate template.