Exam MD-100 topic 12 question 3 discussion

THE CORRECT IS B. Run cipher.exe, and then add a certificate to the local computer certificate store.

It seems like the answer must be C. According to the instructions literally laid out by the Exam Ref Book. You run Cipher.exe to create the files, and then install the DRA via: Security Settings\Public Key Policies\Encrypting File System > Right-Click "Add Data Recovery Agent" In the Local Policy settings.

After a day studing this subject, I have got the whole situation here, since it was new to me. The correct answer is letter C. It is impossible (there is no other option) to have a recovery agent attached without the Group Policy (in this case the Local GPO), because when you create new files the recovery agent will be attached to those files and then be able to an admin (or a help desk) to retrieve access to the file after installing the .PFX (private key). The best source of knowledge you will find is in this video: https://www.youtube.com/watch?v=51v_vuoMp9I

If you double click a certificate, you will be prompted to install it to a certificate store, otherwise the purpose of add it to a policy means that you will use a local computer configuration and that is critical because of security reasons or domain policy that is even more.

After you run the cipher/ r on the DRA account, "We must import these files that we just created into the Add a Data Recovery Agent to the Encrypting File System policy within Group Policy."- Testout PC Pro In the meantime, check out these links and tell me what you think. :3 CREATE AND VERIFY AN ENCRYPTING FILE SYSTEM (EFS) DATA RECOVEY AGENT (DRA) CERTIFICATE: https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate WINDOWS CIPHER COMMAND: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cipher

ANSWER IS C. I have tested this.

To me it does seem correct, I dont see the point of using local group policy for it. I guess no reason not too but just seems a simpler way to do it without local policy.

C. Run cipher.exe, and then add a certificate to the local Group Policy. Trick is that the workstation is in a workgroup and basically air-gapped.

Best answer is C : In a domain environment, you can import the EFS Recovery Agent's certificate into the Computer Configuration\Windows Settings\Security Settings\PubHc Key Policies\Encrypting File System policy of a GPO. The GPO must be linked to the organizational unit (OU) where the user's computer account, not the user account, exists. The certificate can be imported from either a Base-64 or DER-encoded certificate file, or from Active Directory if the certificate template enables publication of the certificate file. ■ In a workgroup environment, you can import the EFS Recovery Agent's certificate into the Computer Configuration\Windows Settings\Security Settings \Public Key Policies\Encrypting File System policy (of the local computer). In this scenario, the EFS Recovery Agent certificate must be imported from a file. In local group policy you are specifically adding a Data Recovery Agent.

Answer should be C. See reference, and look for workgroup section. You need to use gpedit to import the cert. https://www.serverbrain.org/certificate-security-2003/defining-efs-recovery-agents.html

The process for creating a DRA certifi cate in Windows 10 for a device that is not domain joined can be performed using this procedure: cipher /r:

https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate

Cipher.exe is used to encrypt files, not create certs. That's reserved for Certutil.exe, then the cert has to be loaded into the GPO under Public Key Policies. The answer is D.