Your network contains an Active Directory domain named contoso.com.
The domain contains two domain controllers named DC1 and DC2.
The domain contains a server named Server1.
Server1 is a certification authority (CA).
All servers run Windows Server 2012 R2.
You plan to deploy BitLocker Drive Encryption (BitLocker) to all client computers.
The unique identifier for your organization is set to Contoso.
You need to ensure that you can recover the BitLocker encrypted data by using a BitLocker data recovery agent.
You must be able to perform the recovery from any administrative computer.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
The first step is incorrect; the rest is correct.
The first step should be:
Install BitLocker on Server1
Somebody please confirm whether to install BitLocker on Server1 or on a DC.
https://technet.microsoft.com/en-us/library/jj679890.aspx
Sounds like a DC to me. I may have been wrong before.
We need 4 actions. We know the last three are the only steps needed, we also know we’re exporting without a private key as a CER, so the PFX option is invalid. That leaves us with having to install BitLocker on a server as the first step.
Why would we need to install BitLocker on any server? The only reason I can think of is because the BitLocker settings are Administrative Templates. Those only appear in the Group Policy Editor if the computer you’re creating the GPO on has the corresponding role/feature installed (although I assume a central store with an ADMX would do the trick as well).
Following that reasoning, would you open GPMC and create your GPO on a domain controller or a certificate authority? Given those choices, I’d pick the domain controller. So that’s what I’m going with here.
I could still be wrong, but I’m confident.
PS Thanks ‘no’ for your comments on the questions.
Hi David,
Your comment(s) is/are also appreciated. Keep up the good work!
That’s a mistake I’ve made too many times, assuming something that wasn’t there. If they had all the ADMX files in a central store, you could install BitLocker on a DC or member server. So, the assumption should be the default, which is not using the central store. I believe that is why installing on the DC is the right answer.