Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2012 R2. Server1 has the Network Policy Server
role service installed.
You plan to configure Server1 as a Network Access Protection (NAP) health policy server for VPN
enforcement by using the Configure NAP wizard.
You need to ensure that you can configure the VPN enforcement method on Server1 successfully.
What should you install on Server1 before you run the Configure NAP wizard?
A.
 A system health validator (SHV)
B.
 The Host Credential Authorization Protocol (HCAP)
C.
 A computer certificate
D.
 The Remote Access server role
Explanation:
Configure NAP enforcement for VPN
This checklist provides the steps required to deploy computers with Routing and Remote Access
Service installed and configured as VPN servers with Network Policy Server (NPS) and Network
Access Protection (NAP).


The NAP health policy server requires a computer certificate to perform PEAP-based user or
computer authentication. After this certificate is acquired, a connection to AD CS is not required for
as long as the certificate is valid.
Why is not “A”
from this Microsoft page https://technet.microsoft.com/en-us/library/cc731260(v=ws.10).aspx
To configure NPS to enforce client health policies, you must configure the following:
System health validators (SHVs), which contain the settings that you can choose to enforce or not enforce. For example, in the Windows Security Health Validator (WSHV), you can choose whether to enforce client computer use of a firewall, antivirus software, and other settings.
Health policies, which contain the SHVs that you want to enforce with the health policy.
Network policy, which you create by adding one or more SHVs to the health policy. You can add the health policy to the network policy and enable NAP enforcement in the policy.