Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The network contains 100 servers and 5,000 client computers. The client computers run either Windows XP Service Pack 1 or Windows 7.

You need to plan a VPN solution that meets the following requirements:

Stores VPN passwords as encrypted text
Supports Suite B cryptographic algorithms
Supports automatic enrollment of certificates
Supports client computers that are configured as members of a workgroup

What should you include in your plan?

A.
Upgrade the client computers to Windows XP Service Pack 3. Implement a standalone certification authority (CA). Implement an IPsec VPN that uses certificate based authentication.

B.
Upgrade the client computers to Windows XP Service Pack 3. Implement an enterprise certification authority (CA) that is based on Windows Server?2008 R2. Implement an IPsec VPN that uses Kerberos authentication.

C.
Upgrade the client computers to Windows 7. Implement an enterprise certification authority (CA) that is based on Windows Server 2008 R2. Implement an IPsec VPN that uses preshared keys.

D.
Upgrade the client computers to Windows 7. Implement an enterprise certification authority (CA) that is based on Windows Server 2008 R2. Implement an IPsec VPN that uses certificate based authentication.

Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:

This is as close as I could get to an answer to this.

In essence, Enterprise CAs are fully integrated into a Windows Server 2008 environment. This type of CA makes the issuing and management of certificates for Active Directory clients as simple as possible.
Standalone CAs do not require Active Directory. When certificate requests are submitted to Standalone CAs, the requestor must provide all relevant identifying information and manually specify the type of certificate needed. This process occurs automatically with an Enterprise CA. By default, Standalone CA requests require administrator approval. Administrator intervention is necessary because there is no automated method of verifying a requestors credentials. Standalone CAs do not use certificate templates, limiting the ability for administrators to customize certificates for specific organizational needs.

L2TP/IPsecL2TP connections use encryption provided by IPsec. L2TP/IPsec is the protocol that you need to deploy if you are supporting Windows XP remote access clients, because these clients cannot use SSTP. L2TP/IPsec provides per-packet data origin authentication, data integrity, replay protection, and data confidentiality.

L2TP/IPsec connections use two levels of authentication. Computer-level authentication occurs either using digital certificates issued by a CA trusted by the client and VPN server or through the deployment of pre-shared keys. PPP authentication protocols are then used for user-level authentication. L2TP/IPsec supports all of the VPN authentication protocols available on Windows Server 2008.

Supports Suite B cryptographic algorithms

When using the Certificate Templates console, note that you cannot configure the autoenrollment permission for a level 1 certificate template. Level 1 certificates have Windows 2000 as their minimum supported CA. Level 2 certificate templates have Windows Server 2003 as a minimum supported CA. Level 2 certificate templates are also the minimum level of certificate template that supports autoenrollment. Level 3 certificates templates are supported only by client computers running Windows Server 2008 or Windows Vista. Level 3 certificate templates allow administrators to configure advanced Suite B cryptographic settings. These settings are not required to allow certificate autoenrollment and most administrators find level 2 certificate templates are adequate for their organizational needs.