Microsoft 70-411 Exam – Q14

Your network contains an Active Directory domain named The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 is configured as a Network Policy Server (NPS) server and as a DHCP server. The network contains two subnets named Subnet1 and Subnet2. Server1 has a DHCP scope for each subnet.

You need to ensure that noncompliant computers on Subnet1 receive different network policies than noncompliant computers on Subnet2.
Which two settings should you configure? (Each correct answer presents part of the solution. Choose two.)

A. The NAP-Capable Computers conditions
B. The NAS Port Type constraints
C. The Health Policies conditions
D. The MS-Service Class conditions
E. The Called Station ID constraints

Correct Answer: C, D

To configure NAP conditions in network policy using the Windows interface:
1. Open the NPS console, double-click Policies, click Network Policies, and then double-click the policy you want to configure.

2. In policy Properties, click the Conditions tab, and then click Add. In Select condition, scroll to the Network Access Protection group of conditions.

3. If you want to configure the Identity Type condition, click Identity Type, and then click Add. In Specify the method in which clients are identified in this policy, select the items appropriate for your deployment, and then click OK.

The Identity Type condition is used for the DHCP and Internet Protocol security (IPsec) enforcement methods to allow client health checks when NPS does not receive an Access-Request message that contains a value for the User-Name attribute; in this case, client health checks are performed, but authentication and authorization are not performed.

4. If you want to configure the MS-Service Class condition, click MS-Service Class, and then click Add. In Specify the profile name that identifies your DHCP scope, type the name of an existing DHCP profile, and then click Add.

The MS-Service Class condition restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method.

5. If you want to configure the Health Policies condition, click Health Policies, and then click Add. In Health Policies, choose an existing health policy, and then click OK. If you have not yet configured health policies, click New, and then configure a new health policy.

The Health Policies condition restricts the policy to clients that meet the health criteria in the policy that you specify.

6. If you want to configure the NAP-capable Computers condition, click NAP-capable Computers, and then click Add. In Specify the computers required to match this policy, click either Only computers that are NAP-capable or Only computers that are not NAP-capable, and then click OK.

The NAP-capable Computers condition restricts the policy to either clients that are capable of participating in NAP or clients that are not capable of participating in NAP. This capability is determined by whether the client sends a statement of health (SoH) to NPS.

7. If you want to configure the Operating System condition, click Operating System, and then click Add. In Operating System Properties, click Add, and then specify the operating system settings that are required to match the policy.

The Operating System condition specifies the operating system (operating system version or service pack number), role (client or server), and architecture (x86, x64, or ia64) required for the computer configuration to match the policy.

8. If you want to configure the Policy Expiration condition, click Policy Expiration, and then click Add. In Policy Expiration, configure the date and time when you want the network policy to expire, and then click OK.

The Policy Expiration condition specifies when the network policy expires; after the expiration date and time that you specify, the network policy is no longer evaluated by NPS.
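
Why the MS-Service Class and Health Policies conditions (steps 4 and 5) together give per-subnet handling of noncompliant clients, shown as an added example that is not from the original page or from Microsoft. It is a simplified Python model that assumes NPS applies the first network policy, in processing order, whose conditions all match; the profile names, the health policy label and the request fields are hypothetical.

```python
# Simplified model of NPS network policy selection (added example, not NPS code).
# Assumption: policies are evaluated in processing order and the first policy
# whose conditions ALL match the request is the one applied.

# Constructed policies. The DHCP profile names "Subnet1-Profile"/"Subnet2-Profile"
# and the health policy label "Noncompliant" are hypothetical.
POLICIES = [
    {"name": "Subnet1 noncompliant",
     "conditions": {"ms_service_class": "Subnet1-Profile", "health_policy": "Noncompliant"}},
    {"name": "Subnet2 noncompliant",
     "conditions": {"ms_service_class": "Subnet2-Profile", "health_policy": "Noncompliant"}},
]

def select_policy(policies, request):
    """Return the name of the first policy whose conditions all match, else None."""
    for policy in policies:
        if all(request.get(k) == v for k, v in policy["conditions"].items()):
            return policy["name"]
    return None

def shadowed(policies):
    """List (earlier, later) pairs where the earlier policy's conditions are a
    subset of the later one's, so the later policy can never be selected."""
    pairs = []
    for i, early in enumerate(policies):
        for late in policies[i + 1:]:
            if early["conditions"].items() <= late["conditions"].items():
                pairs.append((early["name"], late["name"]))
    return pairs

# Constructed requests: the scope's profile name plus the health policy the
# client's statement of health matched (reduced to a label in this model).
REQ_SUBNET1 = {"ms_service_class": "Subnet1-Profile", "health_policy": "Noncompliant"}
REQ_SUBNET2 = {"ms_service_class": "Subnet2-Profile", "health_policy": "Noncompliant"}

# Misconfiguration: a catch-all noncompliant policy (no MS-Service Class
# condition) placed first hides both subnet-specific policies.
CATCH_ALL_FIRST = [
    {"name": "All noncompliant", "conditions": {"health_policy": "Noncompliant"}},
] + POLICIES

if __name__ == "__main__":
    print(select_policy(POLICIES, REQ_SUBNET1))
    print(select_policy(POLICIES, REQ_SUBNET2))
    print(shadowed(CATCH_ALL_FIRST))
```

The `shadowed` check is the one to run after reordering policies: any pair it reports means the later policy is never evaluated for matching clients.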