Q: Can you provide a short list of the most important tools I can use to troubleshoot a Network Access Protection (NAP) problem?

A: For NAP troubleshooting on the server side, you should first check the NAP-specific error messages that you can find in the following Event Viewer container: Custom Views\Server Roles\Network Policy and Access Services. To view NAP configuration information on a NAP server, you can use the following netsh commands:

  • For NAP Network Policy Server (NPS) configuration information:
    netsh nps show config
  • For NAP Health Registration Authority (HRA) configuration information:
    netsh nap hra show config

For NAP troubleshooting on the client side, check for error messages in the following Event Viewer container: Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational. To view NAP configuration information on a client, you can use the following netsh commands:

  • For client Group Policy configuration:
    netsh nap client show group
  • For client local policy configuration:
    netsh nap client show config
  • For client NAP state:
    netsh nap client show state


To determine which NAP System Health Agent (SHA) is causing problems, you can use the NAP-related events in the Event Viewer. These events mostly contain an error message with an identifier of the SHA that caused the error. You can find the meaning of these SHA identifiers in the system registry: the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\Shas registry container holds a list of all SHAs that are active on your system. For example, identifier 79744 points to the Windows Out-of-Box System Health Agent.

For more information about NAP-specific events and their IDs, take a look at "NAP event logs" in the Microsoft article "Tools for Troubleshooting NAP." For more information about the event IDs related to NAP agent communication with the SHA, check "NAP Agent Communication with the SHA."

If you have a Microsoft System Center Configuration Manager (SCCM) installation in your environment, I advise you to use SCCM for advanced logging and data collection on your NAP clients. For more information on the SCCM NAP-specific log files, take a look at "Log Files for Network Access Protection."
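
The SHA lookup described above can be scripted on a NAP client. The following PowerShell is an added example, not part of the original answer: it lists the SHAs registered under the napagent\Shas key and shows which client events mention each identifier. The channel name in `$LogName` is an assumption about how the Event Viewer path given above maps to a log name, and the function names are hypothetical.

```powershell
# Added example: correlate SHA identifiers found in NAP client events with
# the SHAs registered under the napagent\Shas registry key named in the text.
# Assumption: the Event Viewer path above corresponds to this channel name.
$LogName = 'Microsoft-Windows-NetworkAccessProtection/Operational'
$ShaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\napagent\Shas'

function Get-NapShaTable {
    # One entry per subkey; the subkey name is the SHA identifier (e.g. 79744).
    if (-not (Test-Path $ShaKey)) { return @{} }
    $table = @{}
    foreach ($sub in Get-ChildItem -Path $ShaKey) {
        # Value names can differ between SHAs, so keep every value as found.
        $values = @{}
        foreach ($name in $sub.GetValueNames()) { $values[$name] = $sub.GetValue($name) }
        $table[$sub.PSChildName] = $values
    }
    return $table
}

function Find-NapShaEvents {
    param([hashtable]$ShaTable, [int]$MaxEvents = 200)
    $events = Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        if (-not $evt.Message) { continue }
        foreach ($id in $ShaTable.Keys) {
            # Match the identifier as a whole number so 79744 does not hit 179744.
            if ($evt.Message -match "(?<!\d)$([regex]::Escape($id))(?!\d)") {
                [pscustomobject]@{
                    TimeCreated = $evt.TimeCreated
                    EventId     = $evt.Id
                    Level       = $evt.LevelDisplayName
                    ShaId       = $id
                    Message     = ($evt.Message -split "`r?`n")[0]
                }
            }
        }
    }
}

$shas = Get-NapShaTable
if ($shas.Count -eq 0) {
    Write-Warning "No SHAs found under $ShaKey (is the NAP agent installed?)"
} else {
    # Registered SHAs with their registry values, then the events that name them.
    $shas.GetEnumerator() | ForEach-Object {
        "{0}: {1}" -f $_.Key, (($_.Value.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; ')
    }
    Find-NapShaEvents -ShaTable $shas | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
}
```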
