Your network contains an Active Directory domain named adatum.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2. Server1 is configured
as a Network Policy Server (NPS) server and as a DHCP server.
The network contains two subnets named Subnet1 and Subnet2. Server1 has a DHCP
scope for each subnet.
You need to ensure that noncompliant computers on Subnet1 receive different network
policies than noncompliant computers on Subnet2.
Which two settings should you configure? (Each correct answer presents part of the solution.
Choose two.)
A. The MS-Service Class conditions
B. The Called Station ID constraints
C. The NAP-Capable Computers conditions
D. The NAS Port Type constraints
E. The Health Policies conditions
Explanation:
C: The NAP health policy server uses the NPS role service with configured health policies
and system health validators (SHVs) to evaluate client health based on administrator-defined
requirements. Based on results of this evaluation, NPS instructs the DHCP server to provide
full access to compliant NAP client computers and to restrict access to client computers that
are noncompliant with health requirements.
D: If policies are filtered by DHCP scope, then MS-Service Class is configured in policy
conditions.
The explanation is pointing to answer A, The MS-Service Class conditions and D, The Health Policies conditions.
I think it's A & C
I believe it should be A & C
You do not use DHCP enforcement. So I think it’s B and E.
Answer = B & E
KK, you mean A & E, I think
A. MS Service class condition to identify DHCP Scope
E. The health Policy condition to identify the non compliant computer
What makes you think it doesn’t use DHCP enforcement? A & C seems right to me.
From Upgrading your skills to MCSA 2012 exam ref 70-417:
The MS-Service class condition lets you apply different network policies (and therefore different levels of access protection) to different scopes.
So the answer should be ms service class conditions and health policies conditions.
A & C
So what is it, guys? A&E or A&C?
Correct answers are: A, E.
The network contains two subnets named Subnet1 and Subnet2. Server1 has a DHCP
scope for each subnet.
The MS-Service Class conditions can be used to identify DHCP scope, i.e. subnet.
The MS-Service Class = DHCP > Network access protection tab > Use custom profile > Profile Name
You need to create a health policy:
Noncompliant health policy for NonCompliant computers.
First, you need to create a health policy for noncompliant computers:
Right-click Health Policies, and then click New.
On the Create New Health Policy dialog box, under Policy Name, type Noncompliant.
Under Client SHV checks, select Client fails one or more SHV checks.
Under SHVs used in this health policy, select the Windows Security Health Validator check box, and then click OK.
More info: https://technet.microsoft.com/en-us/library/dd441008.aspx
Then you can create two network policies based on those two health policies and MS-Service Class conditions.
Network policy 1 = MS-Service Class (Profile name) for subnet1 + Health policy for NonCompliant computers.
Network policy 2 = MS-Service Class (Profile name) for subnet2 + Health policy for NonCompliant computers.
Network policy:
Network policy > Conditions tab > Health policy condition + MS-service class condition.
In the NPS management console, in the tree, right-click Network Policies, and then click New.
In the Specify Network Policy Name and Connection Type window, in the Policy name box, type Noncompliant, and then click Next.
In the Specify Conditions window, click Add.
On the Select condition dialog box, double-click Health Policies.
On the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.
In the Specify Conditions window, under Conditions, verify that Health Policy is specified with a value of Noncompliant, and then click Next.
If you want to configure the MS-Service Class condition, click MS-Service Class, and then click Add. In Specify the profile name that identifies your DHCP scope,
type the name of an existing DHCP profile, and then click Add.
Additional info:
MS-Service Class restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name.
This condition is used only when you are deploying NAP with the DHCP enforcement method.
To use the MS-Service Class attribute, in Specify the profile name that identifies your DHCP scope, type the name of an existing DHCP profile.
More info: https://technet.microsoft.com/en-us/library/dd441006.aspx
https://technet.microsoft.com/en-us/library/cc731220(v=ws.10).aspx
https://www.microsoftpressstore.com/articles/article.aspx?p=2216994
https://technet.microsoft.com/en-us/library/cc731560(v=ws.10).aspx
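The DHCP side of the setup described in the comment above, as an added example that is not part of the original thread: it sets a separate NAP profile name on each scope (the value an MS-Service Class condition matches) and then checks that no NAP-enabled scope is left without a profile or sharing one. The scope IDs and profile names are constructed placeholders, not values from the question.

```powershell
# Added example. Run on the DHCP server (Server1 in the scenario).
# Scope IDs and profile names are assumed placeholders.
Import-Module DhcpServer

# One NAP profile name per scope. Each name is what the matching NPS
# network policy specifies in its MS-Service Class condition.
$napProfiles = @{
    '10.0.1.0' = 'Subnet1-NAP'   # assumed scope ID for Subnet1
    '10.0.2.0' = 'Subnet2-NAP'   # assumed scope ID for Subnet2
}

foreach ($scopeId in $napProfiles.Keys) {
    # Equivalent to: scope properties > Network Access Protection tab >
    # Use custom profile > Profile Name
    Set-DhcpServerv4Scope -ScopeId $scopeId -NapEnable $true `
        -NapProfile $napProfiles[$scopeId]
}

# Read the settings back from the server rather than trusting the input.
$napScopes = @(Get-DhcpServerv4Scope | Where-Object { $_.NapEnable })
$napScopes | Select-Object ScopeId, Name, NapEnable, NapProfile |
    Format-Table -AutoSize

# A NAP-enabled scope with no profile name cannot be singled out by an
# MS-Service Class condition.
$napScopes |
    Where-Object { [string]::IsNullOrWhiteSpace($_.NapProfile) } |
    ForEach-Object {
        Write-Warning "Scope $($_.ScopeId) has NAP enabled but no profile name."
    }

# Two scopes sharing a profile name will match the same network policy,
# so their noncompliant clients cannot be treated differently.
$napScopes |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_.NapProfile) } |
    Group-Object -Property NapProfile |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $ids = ($_.Group | ForEach-Object { $_.ScopeId }) -join ', '
        Write-Warning "Profile '$($_.Name)' is shared by scopes: $ids"
    }
```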
I think A & E.
Answer is A&C.
A & E.
Tested in lab. In fact, if anyone does the Global Knowledge course, This EXACT scenario is given.
Compliant machines are tested against health policies conditions.