Your network contains an Active Directory domain named The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role installed and is configured to support key archival and recovery.
You create a new Active Directory group named Group1.
You need to ensure that the members of Group1 can request a Key Recovery Agent certificate.
The solution must minimize the permissions assigned to Group1.
Which two permissions should you assign to Group1? (Each correct answer presents part of the solution. Choose two.)

A. Read

B. Auto enroll

C. Write

D. Enroll

E. Full control

See step 6 below.
To configure the Key Recovery Agent certificate template:
1. Open the Certificate Templates snap-in.
2. In the console tree, right-click the Key Recovery Agent certificate template.
3. Click Duplicate Template.
4. In Template, type a new template display name, and then modify any other optional properties as needed.
5. On the Security tab, click Add, type the name of the users you want to issue the key recovery agent certificates to, and then click OK.
6. Under Group or user names, select the user names that you just added. Under Permissions, select the Read and Enroll check boxes, and then click OK.
Reference: Identify a Key Recovery Agent
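
The outcome of step 6 can be verified from PowerShell by reading the template's ACL and confirming that the group holds Read and Enroll and nothing broader. This is an added example, not part of the original answer or the referenced documentation; the template name `KRA-Group1` and the domain `EXAMPLE` are placeholders, and it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: audit one group's rights on a duplicated Key Recovery Agent template.
# Placeholders (not from the page): template CN 'KRA-Group1', NetBIOS domain 'EXAMPLE'.
Import-Module ActiveDirectory

$TemplateCN = 'KRA-Group1'        # placeholder CN of the duplicated template
$Principal  = 'EXAMPLE\Group1'    # placeholder domain; group name from the scenario

# Extended-right GUIDs from the AD schema (controlAccessRight objects)
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

$adr       = [System.DirectoryServices.ActiveDirectoryRights]
$readMask  = [int]$adr::GenericRead
$writeMask = [int]($adr::WriteProperty -bor $adr::WriteDacl -bor $adr::WriteOwner)
$extMask   = [int]$adr::ExtendedRight

# Certificate templates live in the forest-wide configuration partition
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn  = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl = Get-Acl -Path "AD:\$dn"

$hasRead = $false; $hasEnroll = $false; $excess = @()
foreach ($ace in $acl.Access) {
    if ($ace.IdentityReference.Value -ne $Principal) { continue }
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $r = [int]$ace.ActiveDirectoryRights

    if (($r -band $readMask) -eq $readMask) { $hasRead = $true }
    # Write and Full control both carry at least one of these bits
    if (($r -band $writeMask) -ne 0) { $excess += 'Write or Full control' }
    if (($r -band $extMask) -ne 0) {
        if     ($ace.ObjectType -eq $EnrollGuid)     { $hasEnroll = $true }
        elseif ($ace.ObjectType -eq $AutoEnrollGuid) { $excess += 'Autoenroll' }
        elseif ($ace.ObjectType -eq [guid]::Empty) {
            # An empty ObjectType grants every extended right, Enroll and Autoenroll included
            $hasEnroll = $true; $excess += 'All extended rights'
        }
    }
}

[pscustomobject]@{
    Template       = $TemplateCN
    Principal      = $Principal
    HasRead        = $hasRead
    HasEnroll      = $hasEnroll
    ExcessRights   = ($excess | Select-Object -Unique) -join ', '
    LeastPrivilege = ($hasRead -and $hasEnroll -and $excess.Count -eq 0)
}
```

The check covers only ACEs that name the group directly; rights inherited through nested group membership need a separate review.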

