Tools to Troubleshoot NAP

Q: Can you provide a short list of the most important tools I can use to troubleshoot a Network Access Protection (NAP) problem?

A: For NAP troubleshooting on the server side, you should first check the NAP-specific error messages that you can find in the following Event Viewer container: Custom ViewsServer RolesNetwork Policy and Access Services. To view NAP configuration information on a NAP server, you can use the following netsh commands:

For NAP troubleshooting on the client side, check for error messages in the following Event Viewer container: Applications and Services LogsMicrosoftWindowsNetwork Access ProtectionOperational. To view NAP configuration information on a client, you can use the following netsh commands:

Related: A Microsoft Network Access Protection (NAP) Primer

To determine which NAP System Health Agent (SHA) is causing problems, you can use the NAP-related events in the Event Viewer. These events mostly contain an error message with an identifier of the SHA that caused the error. You can find the meaning of these SHA identifiers in the system registry: The HKEY_LOCAL_MACHINESYSTEM CurrentControlSetServicesapagentShas registry container holds a list of all SHAs that are active on your system. For example, identifier 79744 points to the Windows Out-of-Box System Health Agent.

For more information about NAP-specific events and their IDs, take a look at "NAP event logs" in the Microsoft article "Tools for Troubleshooting NAP." For more information about the event IDs related to NAP agent communication with the SHA, check "NAP Agent Communication with the SHA."

If you have a Microsoft System Center Configuration Manager (SCCM) installation in your environment, I advise you to use SCCM for advanced logging and data collection on your NAP clients. For more information on the SCCM NAP-specific log files, take a look at "Log Files for Network Access Protection."

Learn More: Managing Security Dependencies on Windows Networks