Problem: 

The NPS Azure AD Extension creates a self-signed certificate that is valid for two years.  This certificate must be renewed!

The renewal process is simple enough:

PS C:\Program Files\Microsoft\AzureMfa\Config
> .\AzureMfaNpsExtnConfigSetup.ps1

PowerShell Error:

This error implies the package source 'https://www.powershellgallery.com/api/v2 is not reachable or resolved. 

Fix:

Windows 2016, 2019, and up natively support TLS 1.2.  However, you might still need to update the .NET framework and cryptography.  At a minimum, manually enable TLS 1.2:

 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

That's it!