You deploy a new certification authority (CA) to a server that runs Windows Server 2016.
You need to configure the CA to support recovery of certificates.
What should you do first?
A. Assign the Request Certificates permission to the user account that will be responsible for recovering certificates.
B. Configure the Key Recovery Agent templates as a certificate template to issue.
C. Modify the Recovery Agents settings from the properties of the CA.
D. Modify the extension of the OCSP Response Signing template.
20given answer B is correct .
https://technet.microsoft.com/en-us/library/cc730721(v=ws.11).aspx
To configure your environment for key archival of Encrypting File System (EFS) certificates
1) Create a key recovery agent account or designate an existing user to serve as the key recovery agent.
2) Configure the key recovery agent certificate template and enroll the key recovery agent for a key recovery agent certificate.
3) Register the new key recovery agent with the CA.
4)Configure a certificate template, such as Basic EFS, for key archival, and enroll users for the new certificate. If users already have EFS certificates, ensure that
the new certificate will supersede the certificate that does not include key archival. For information, see Configure a Certificate Template for Key Archival.
5) Enroll users for encryption certificates based on the new certificate template.
Users are not protected by key archival until they have enrolled for a certificate that has key recovery enabled. If they have identical certificates that were issued
before key recovery was enabled, data encrypted with these certificates is not covered by key archival.
Answer A and D are irrelevant to this question.
Moreover, you must first configure the KRA template and issue a KRA certificate to a selected user account, who serve as key recovery agent before you can
configure the CA to be assigned with a KRA, so, answer B is correct.