
Netsh Commands for NAP Client

Updated: February 8, 2008

Applies To: Windows Server 2008

The following commands allow you to configure the Network Access Protection (NAP) client from the nap client context of netsh.

The following entries provide details for each command.

Adds the uniform resource locator (URL) of a Health Registration Authority (HRA) server to a trusted server group.

add server [ group = ] group [ url = ] url [ [ processingorder = ] processingorder ]

group
Required. Specifies the name of the trusted server group to which you want to add an HRA server.

url
Required. Specifies the URL of an HRA server that you want to add to the trusted server group. If the trusted server group requires server verification (https:), then the URL must contain the https:// prefix.

processingorder
Optional. Designates the processing order of the HRA URL in the list of URLs in the trusted server group. If you do not specify the processing order, the URL is added to the end of the list and is processed last.

add server group = "group1" url = "url1" processingorder = "1"

Adds a trusted server group.

add trustedservergroup [ name = ] name [ [ requirehttps= ] ENABLE | DISABLE ]

name
Required. Specifies the name of the trusted server group that you want to add to the NAP client configuration.

requirehttps
Optional. Specifies whether server verification (https:) is required for all servers in this group. If not specified, https: is enabled by default.

add trustedservergroup name = "group1" requirehttps = "ENABLE"

Deletes the URL of an HRA server from the specified trusted server group.

delete server [ group = ] group [ url = ] url

group
Required. Specifies the name of the trusted server group from which you want to remove an HRA server.

url
Required. Specifies the URL of the HRA server that you want to remove from the trusted server group.

delete server group = "group1" url = "url1"

Deletes a trusted server group.

delete trustedservergroup [ name = ] name

name
Required. Specifies the name of the trusted server group that you want to remove from the NAP client configuration.

delete trustedservergroup name = "group1"

Creates a script that contains the current NAP client configuration.

dump

If saved to a file, this script can be used to restore altered configuration settings.

Exports an *.xml file that contains the current configuration settings for the NAP client.

export [ filename = ] filename

filename
Required. Specifies the file name and folder location where you want to save the *.xml file.

export filename = "c:\config.xml"

Displays a list of commands that are available at the netsh context where the command is run, and those inherited from the parent context.

help

Imports an .xml file that contains configuration settings for the Network Access Protection (NAP) client.

import [ filename = ] filename

filename
Required. Specifies the file name and folder location from which you want to import the *.xml file.

import filename = "c:\config.xml"

Renames the HRA URL of an existing trusted server in the specified trusted server group.

rename server [ group = ] group [ url = ] url [ newurl = ] newurl

group
Required. Specifies the name of the trusted server group that contains the HRA server URL that you want to change.

url
Required. Specifies the existing HRA server URL.

newurl
Required. Specifies the new HRA server URL. If no value is supplied for newurl, the HRA server URL is not changed.

rename server group = "group1" url = "url1" newurl = "url2"

Renames an existing trusted server group.

rename trustedservergroup [ name = ] name [ newname = ] newname

name
Required. Specifies the name of the trusted server group that you want to rename.

newname
Required. Specifies the new name of the trusted server group.

rename trustedservergroup name = "group1" newname = "group2"

Restores the NAP client configuration to the default settings.

reset configuration

Sets the cryptographic service provider (CSP) Request Policy to Microsoft Enhanced Cryptographic Provider v1.0.

reset csp

Sets the enforcement client parameter to DISABLED.

reset enforcement

Sets the hash algorithm Request Policy to sha1RSA (1.3.14.3.2.29).

reset hash

Deletes all URLs in a specified trusted server group.

reset server [ group = ] group

group
Required. Specifies the name of the trusted server group.

reset server group = "group1"

Sets the tracing parameter to DISABLE.

reset tracing

Deletes all trusted server groups and the list of all health registration authority servers (by URL) contained in each trusted server group.

reset trustedservergroup

Deletes all user interface settings in the NAP client configuration.

reset userinterface

Changes the cryptographic service provider (CSP) in the NAP client configuration. You can display the names of the currently available CSPs with the show csps command.

set csp [ name = ] name [ [ keylength = ] keylength ]

name
Required. Specifies the name of the cryptographic service provider (CSP).

keylength
Optional. Specifies the length of the asymmetric key. The default key length is 2048.

set csp name = "Microsoft RSA SChannel Cryptographic Provider" keylength = "2048"

Enables or disables NAP enforcement clients in the NAP client configuration. When NAP enforcement clients are enabled, NAP clients can connect to a network with the same type of enforcement server. For example, if a NAP client has the DHCP enforcement client enabled, the NAP client can connect to your network with a DHCP NAP enforcement server. You must specify one or more enforcement clients. By default, all enforcement clients are disabled.

set enforcement [ ID = ] ID [ ADMIN = ] ENABLE | DISABLE

ID
Required. Specifies the identifier of an installed enforcement client to be enabled or disabled. You can view a list of available enforcement clients and their associated IDs with the show configuration command.

ADMIN
Required. Specifies the administrative state of the specified enforcement client. You must specify ENABLE in order for a NAP client to connect to a network using the type of NAP enforcement method specified by the ID parameter.

set enforcement ID = 79619 ADMIN = "ENABLE"

Sets the hash algorithm that will be used on the target computer. You can obtain the object identifier (OID) from the "show hashes" command.

set hash [ oid = ] oid

oid
Required. Specifies the OID of the hash algorithm. You can specify only one OID.

set hash oid = "1.2.840.113549.1.1.5"

Sets the URL and processing order of an HRA server within an existing trusted server group.

set server [ group = ] group [ url = ] url [ processingorder = ] processingorder

group
Required. Specifies the name of an existing trusted server group that contains the HRA server that you want to add or modify.

url
Required. Specifies the HRA server URL. If the trusted server group requires server verification (https:), then the URL must use the https:// prefix. If the URL is not found in the specified trusted server group, it will be added.

processingorder
Required. Designates the processing order of the HRA URL in the list of URLs in the trusted server group.

set server group = "group1" url = "url1" processingorder = "1"

Specifies whether tracing is enabled and the amount of information that is logged by NAP client. Although both parameters are optional, you must specify at least one parameter.

set tracing [ [ state = ] ENABLE | DISABLE [ level = ] BASIC | ADVANCED | VERBOSE ]

state
Optional. Specifies whether tracing is enabled or disabled. If you specify ENABLE, NAP client creates a trace log file. If you specify DISABLE, NAP client does not create a trace log file. The default is DISABLE. If you enable tracing but do not specify a value for level, NAP client uses the default level value of BASIC.

level
Optional. Specifies the amount of information that is logged by NAP client and that appears in the tracing log file. If you specify BASIC, the least amount of information is logged in the trace log file. If you specify ADVANCED, a greater amount of information is logged in the trace log file. If you specify VERBOSE, all information is logged in the trace log file. The default is BASIC. If you do not specify a value for state, NAP client uses the default state value of DISABLE.

set tracing state = "ENABLE" level = "ADVANCED"

Specifies the NAP client user interface settings. Although all parameters are optional, you must specify at least one parameter.

set userinterface [ [ title = ] title [ text = ] text [ image = ] image ]

title
Optional. Specifies the title that appears in the NAP client user interface.

text
Optional. Specifies the description that appears in the NAP client user interface.

image
Optional. Specifies the image that appears in the NAP client user interface.

set userinterface title = "My company" text = "Protecting your computer" image = "c:\Logo.jpg"

Displays configuration settings and state information for NAP client, including CSP, enforcement client, tracing, and trusted server group configurations.

show configuration

Displays all available cryptographic service providers (CSPs) on the target system. Use this command to obtain the names that you can use in the add csp and delete csp commands.

show csps

Displays Group Policy configuration settings and state information for NAP client.

show grouppolicy

Displays all available hash algorithms on the target system. Use this command to obtain the OIDs that you can use in the add hash and delete hash commands.

show hashes

Following is an example of the information displayed when you run the show hashes command at the netsh nap client prompt.

 

Hash              OID
sha1RSA           1.2.840.113549.1.1.5
md5RSA            1.2.840.113549.1.1.4
sha1DSA           1.2.840.10040.4.3
sha1RSA           1.3.14.3.2.29
shaRSA            1.3.14.3.2.15
md5RSA            1.3.14.3.2.3
md2RSA            1.2.840.113549.1.1.2
md4RSA            1.2.840.113549.1.1.3
md4RSA            1.3.14.3.2.2
md4RSA            1.3.14.3.2.4
md2RSA            1.3.14.7.2.3.1
sha1DSA           1.3.14.3.2.13
dsaSHA1           1.3.14.3.2.27
mosaicUpdatedSig  2.16.840.1.101.2.1.1.19
sha1NoSign        1.3.14.3.2.26
md5NoSign         1.2.840.113549.2.5
sha256NoSign      2.16.840.1.101.3.4.2.1
sha384NoSign      2.16.840.1.101.3.4.2.2
sha512NoSign      2.16.840.1.101.3.4.2.3
sha256RSA         1.2.840.113549.1.1.11
sha384RSA         1.2.840.113549.1.1.12
sha512RSA         1.2.840.113549.1.1.13
RSASSA-PSS        1.2.840.113549.1.1.10
sha1ECDSA         1.2.840.10045.4.1
sha256ECDSA       1.2.840.10045.4.3.2
sha384ECDSA       1.2.840.10045.4.3.3
sha512ECDSA       1.2.840.10045.4.3.4
specifiedECDSA    1.2.840.10045.4.3

Displays state information, including client access restriction state, the state of installed enforcement clients and system health agents, and the client compliance and remediation results.

show state

Displays all trusted server groups and the HRA server URLs in each group.

show trustedservergroup

Following is an example of the information displayed when you run the show trustedservergroup command at the netsh nap client prompt.

 

Setting           Value
Group             Trusted server group 1
Require Https     Enabled
URL               https://www.example.com
Processing order  1

Group             Trusted server group 2
Require Https     Enabled
URL               https://www.contoso.com
Processing order  1

Group             Trusted server group 2
Require Https     Enabled
URL               https://www.example.com
Processing order  2
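
The commands above combined into one client baseline, as an added example that is not part of the original reference: a PowerShell script that creates an HTTPS-only trusted server group, adds HRA URLs in processing order, sets the request policy, and exports the result. The group name, HRA URLs and export path are constructed placeholders, Invoke-NapClient is a hypothetical helper, and the script assumes the HRA accepts the chosen CSP, key length and hash.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell prompt.
# Constructed placeholder values: group name, HRA URLs, export path.
$Group   = 'HRA-Prod'
$HraUrls = @('https://hra1.example.com/', 'https://hra2.example.com/')
$Export  = 'C:\nap-client-baseline.xml'

function Invoke-NapClient {
    # Runs one "netsh nap client" command in the page's "name = value" form.
    # Assumption: netsh reports a failed command with a non-zero exit code.
    param([string[]]$NapArgs)
    & netsh nap client @NapArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netsh nap client $($NapArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# The group is created with requirehttps = ENABLE, so every URL must carry the
# https:// prefix. Check that up front rather than failing halfway through.
$plain = @($HraUrls | Where-Object { $_ -notmatch '^https://' })
if ($plain.Count -gt 0) { throw "HRA URLs without https:// prefix: $($plain -join ', ')" }

Invoke-NapClient 'add','trustedservergroup','name','=',$Group,'requirehttps','=','ENABLE'

# processingorder follows list position: the first URL is processed first.
$order = 0
foreach ($url in $HraUrls) {
    $order++
    Invoke-NapClient 'add','server','group','=',$Group,'url','=',$url,'processingorder','=',"$order"
}

# Request policy: CSP and key length as in the page's set csp example; the hash is
# the sha256RSA OID from the show hashes table ("reset hash" would select sha1RSA).
Invoke-NapClient 'set','csp','name','=','Microsoft RSA SChannel Cryptographic Provider','keylength','=','2048'
Invoke-NapClient 'set','hash','oid','=','1.2.840.113549.1.1.11'

# Enforcement client ID copied from the page's example; confirm the IDs installed
# on the machine with "show configuration" before enabling one.
Invoke-NapClient 'set','enforcement','ID','=','79619','ADMIN','=','ENABLE'

# Keep a copy of the result and print the trusted server groups for review.
Invoke-NapClient 'export','filename','=',$Export
Invoke-NapClient 'show','trustedservergroup'
```

The script stops at the first failing command, so a group name that already exists leaves the existing configuration untouched from that point on.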

© 2014 Microsoft. All rights reserved.