You administer laptop and desktop computers that run Windows 8 Pro. Your company uses Active
Directory Domain Services (AD DS) and Active Directory Certificate Services (AD CS). Your

company decides that access to the company network for all users must be controlled by two-factor
authentication. You need to configure the computers to meet this requirement. What should you
do?

A.
Install smart card readers on all computers.
Issue smart cards to all users.

B.
Enable the Password must meet complexity requirements policy setting.
Instruct users to log on by using the domain \\username format for their username and their strong password.

C.
Create an Internet Protocol security (IPsec) policy that requires the use of Kerberos to authenticate all traffic.
Apply the IPsec policy to the domain.

D.
Issue photo identification to all users.
Instruct all users to set up and use PIN Logon.

Explanation:
Smart cards contain a microcomputer and a small amount of memory, and they provide secure,
tamper-proof storage for private keys and X.509 security certificates. A smart card is a form of twofactor authentication that requires the user to have a smart card and know the PIN to gain access
to network resources. Registry certificates cannot be used for two factor authentication. Although
certificates are ideal candidates for two-factor authentication, registry certificates-which are
protected by a strong private key and are the most appropriate certificates for two-factor
authentication-cannot be used. The reason for this is that Windows does not support registry
certificates and completely ignores them. As a result, organizations must deploy and manage
complex and expensive smart card solutions rather than using registry based certificates.
http://technet.microsoft.com/en-us/library/cc770519.aspx
http://technet.microsoft.com/en-us/library/jj200227.aspx