Exam 70-744 topic 1 question 71 discussion

Just labbed this out. The process is... Log in as User Run Cipher /r Log in as Administrator Add Agent by using CER file Explanation... Cipher creates the files based on the logged in user. We need the user cert, not the administrator cert, thus log in as user first and run cipher. Then since the task is to make the user a domain recovery agent, log in as administrator and use the CER file (group policy asks for the CER file to add the agent, not the pfx file) so use the CER file to add the agent in group policy. Further explanation... Certutil and .PFX may be used if a user wants to give his recovery key to another user, but this is not used for domain agents. (I didn't lab this out, this is jut my educated guess)

Correct Order of Actions:- 1. Instruct User1 to sign in to Computer1. 2. Run cipher.exe and specify the /R parameter. 3. Sign in to Computer1 as Contoso\Administrator. 4. Add the data recovery agent by using a .cer file. First, you have to instruct User1 to sign into computer1 and generate the EFS recovery agent key (private key .pfx file) and certificate (public key only .cer file) cipher.exe /R Generates an EFS recovery agent key and certificate, then writes them to a .pfx file (containing certificate and private key) and a .cer file (containing only the certificate). If /smartcard is specified, it writes the recovery key and certificate to a smart card, and no .pfx file is generated. Next, you have to user Administrative rights to use RSAT - GPMC to modify the default domain policy, add the User1's public key .cer file as DRA of the domain.

.pfx file not .cer file. .pfx file contains the private key that the data recovery agent need to recover encrypted files.

.pfx.file

Provided answer is correct.