Share via


Tools for Troubleshooting NAP

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

This topic provides a list of tools and procedures that you can use to obtain detailed information about Network Access Protection (NAP) problems.

NAP diagnostic tools

Use the following tools to diagnose NAP problems:

  • Netsh commands for NAP client

  • Log files

  • NAP event logs

  • NAP events and errors documentation

  • Microsoft Management Console

  • MMC snap-ins

Netsh commands for NAP client

The following Netsh commands for NAP client are useful for troubleshooting:

  • netsh NAP client show state

    This command provides the current status of a NAP client computer, including the restriction state, status of enforcement clients, status of installed system health agents (SHAs), and any trusted server groups that have been configured.

  • netsh NAP client show config

    This command shows the local configuration settings on a NAP client computer, including the cryptographic settings, enforcement client settings, trusted server groups settings, and client tracing settings that have been configured.

  • netsh NAP client show group

    This command shows the Group Policy configuration settings on a NAP client computer, including the cryptographic settings, enforcement client settings, trusted server groups settings, and client tracing settings that have been configured.

Important

If any NAP client settings are configured in Group Policy, the client computer will ignore all local NAP client configuration settings.

For more information, see Netsh Commands for Network Access Protection (NAP) Client (https://go.microsoft.com/fwlink/?LinkID=128797) and Netsh Commands for Health Registration Authority (https://go.microsoft.com/fwlink/?LinkId=136627).

Membership in the local Administrators group, or equivalent, is the minimum required to run commands that change configuration settings on the client computer. Commands that only display configuration status do not require these permissions. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

The following is an example of output from the netsh NAP client show state command.

Client state: 
---------------------------------------------------- 
Name                   = Network Access Protection Client 
Description            = Microsoft Network Access Protection Client 
Protocol version       = 1.0 
Status                 = Enabled 
Restriction state      = Not restricted 
Troubleshooting URL    =  
Restriction start time =  
Extended state         =  

Enforcement client state: 
---------------------------------------------------- 
Id                     = 79617 
Name                   = DHCP Quarantine Enforcement Client 
Description            = Provides DHCP based enforcement for NAP 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

Id                     = 79618 
Name                   = Remote Access Quarantine Enforcement Client 
Description            = Provides the quarantine enforcement for RAS Client 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

Id                     = 79619 
Name                   = IPSec Relying Party 
Description            = Provides IPSec based enforcement for Network Access Protection 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

Id                     = 79621 
Name                   = TS Gateway Quarantine Enforcement Client 
Description            = Provides TS Gateway enforcement for NAP 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = No 

Id                     = 79623 
Name                   = EAP Quarantine Enforcement Client 
Description            = Provides EAP based enforcement for NAP 
Version                = 1.0 
Vendor name            = Microsoft Corporation 
Registration date      =  
Initialized            = Yes 

System health agent (SHA) state: 
---------------------------------------------------- 
Id                     = 79744 
Name                   = Windows Security Health Agent
 
Description            = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
 
Version                = 1.0
 
Vendor name            = Microsoft Corporation
 
Registration date      =  
Initialized            = Yes 
Failure category       = None 
Remediation state      = Success 
Remediation percentage = 0 
Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating its security state.
 
Compliance results     = (0x00000000) - 
                         (0x00000000) - 
                         (0x00000000) - 
                         (0x00000000) - 
                         (0x00000000) - 
                         (0x00000000) - 
                         (0x00000000) - 
                         (0x00000000) - 

Remediation results    = 

Ok.

In this example, the EAP enforcement client is initialized, and the computer has been granted full network access.

Important

The netsh nap client show state command displays initialization status for each enforcement client. The netsh nap client show config and netsh nap client show group commands display status of enforcement clients as enabled or disabled. In order to provide client health status to NAP server components, an enforcement client must be both enabled and initialized.

In this example, the compliance results shows output that contains zeros. This output indicates the following system health components configured in Windows Security Center and monitored by the Windows System Health Agent (WSHA) are in compliance with requirements of the Windows System Health Validator (WSHV):

  1. Firewall is on.

  2. Antivirus is installed and running.

  3. The antivirus signature is up to date.

  4. Antispyware is installed and running.

  5. The antispyware signature is up to date.

  6. Automatic updates are enabled.

  7. Security updates are enabled.

  8. Security updates are installed for the security level and source specified.

Log files

You can use log files on servers running Network Policy Server (NPS) and NAP client computers to help troubleshoot NAP problems. Log files can provide the detailed information required for troubleshooting complex problems.

The following log files are useful for troubleshooting.

  • NPS accounting log files

    By default, NPS accounting logs are located in %windir%\system32\logfiles. For information about the format of NPS accounting log files, see Interpret NPS Database Format Log Files (https://go.microsoft.com/fwlink/?LinkId=136631).

  • NPS trace logging files

    You can capture detailed information in log files on servers running NPS by enabling remote access tracing. The Remote Access service does not need to be installed or running to use remote access tracing. When you enable tracing on a server running NPS, several log files are created in %windir%\tracing.

    The following log files contain helpful information about NAP:

    • IASNAP.LOG: Contains detailed information about NAP processes, NPS authentication, and NPS authorization.

    • IASSAM.LOG: Contains detailed information about user authentication and authorization.

    Membership in the local Administrators group, or equivalent, is the minimum required to enable tracing. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

    To create tracing log files on a server running NPS

    1. Open a command line as an administrator.

    2. Type netsh ras set tr * en.

    3. Reproduce the scenario that you are troubleshooting.

    4. Type netsh ras set tr * dis.

    5. Close the command prompt window.

  • NAP client tracing log files

    You can enable NAP client tracing by using the command line. On computers running Windows Vista®, you can enable tracing by using the NAP Client Configuration console. NAP client tracing files are written in Event Trace Log (ETL) format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the –o option to specify the directory to which they are written. In the following example, files are written to %systemroot%\tracing\nap. For more information, see Logman (https://go.microsoft.com/fwlink/?LinkId=143549).

    To create NAP event trace log files on a client computer

    1. Open a command line as an administrator.

    2. Type logman start QAgentRt -p {b0278a28-76f1-4e15-b1df-14b209a12613} 0xFFFFFFFF 9 -o %systemroot%\tracing\nap\QAgentRt.etl –ets.

Note

To troubleshoot problems with WSHA, use the following GUID: 789e8f15-0cbf-4402-b0ed-0e22f90fdc8d.

3.  Reproduce the scenario that you are troubleshooting.

4.  Type **logman stop QAgentRt -ets**.

5.  Close the command prompt window.
  • DHCP client tracing log files

    If the DHCP NAP enforcement client is enabled on a client computer, NAP events are also logged when you enable DHCP client tracing. When you enable DHCP client tracing, log files are written to %windir%\System32\LogFiles\WMI.

    To create DHCP event trace log files on a client computer

    1. Open a command line as an administrator.

    2. Type netsh dhcp tr en.

    3. Reproduce the scenario that you are troubleshooting.

    4. Type netsh dhcp tr dis.

    5. Close the command prompt window.

  • Authenticator EAPHost tracing log files

    EAPHost trace logs contain debugging information that can help you find the root causes of issues that occur during the EAP authentication process. The debugging information can include application programming interface (API) calls performed, internal function calls performed, and state transitions performed. EAPHost tracing files are written in ETL format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the –o option to specify the directory to which the files are written. In the following example, files are written to the current directory. For more information, see Logman (https://go.microsoft.com/fwlink/?LinkId=143549).

    To create authenticator EAPHost trace log files on a server running NPS

    1. Open a command line as an administrator.

    2. Type logman start trace EapHostAuthr -o .\EapHostAuthr.etl -p {F6578502-DF4E-4a67-9661-E3A2F05D1D9B} 0x4000ffff 0 -ets.

    3. Reproduce the scenario that you are troubleshooting.

    4. Type logman stop EapHostAuthr -ets.

    5. Close the command prompt window.

  • Client EAPHost tracing log files

    EAPHost trace logs can also be created on the client to use for debugging client-side EAP authentication processes. EAPHost tracing files are written in ETL format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the –o option to specify the directory to which the files are written. In the following example, files are written to the current directory. For more information, see Logman (https://go.microsoft.com/fwlink/?LinkId=143549).

    To create client EAPHost trace log files on a server running NPS

    1. Open a command line as an administrator.

    2. Type logman start trace EapHostPeer -o .\EapHostPeer.etl -p {5F31090B-D990-4e91-B16D-46121D0255AA} 0x4000ffff 0 -ets.

    3. Reproduce the scenario that you are troubleshooting.

    4. Type logman stop EapHostAuthr -ets.

    5. Close the command prompt window.

  • HCAP tracing log files

    HCAP trace logs contain debugging information that can help you find the root causes of issues that occur with a server running HCAP. HCAP tracing files are written in ETL format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the –o option to specify the directory to which the files are written. In the following example, files are written to the current directory. For more information, see Logman (https://go.microsoft.com/fwlink/?LinkId=143549).

    To create HCAP trace log files on a server running HCAP

    1. Open a command line as an administrator.

    2. Type logman start HCAPEXT -o .\hcap.etl -p {af000c3b-46c7-4166-89ab-de51df2701ee} 0xFFFFFFFF 9 -ets.

    3. Reproduce the scenario that you are troubleshooting.

    4. Type logman stop HCAPEXT -ets.

    5. Close the command prompt window.

  • HRA server tracing log files

    HRA trace logs contain debugging information that can help you find the root causes of issues that occur with a server running HRA. HRA tracing files are written in ETL format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the –o option to specify the directory to which the files are written. In the following example, files are written to the current directory. For more information, see Logman (https://go.microsoft.com/fwlink/?LinkId=143549).

    To create HRA trace log files on a server running HRA

    1. Open a command line as an administrator.

    2. Type logman start HRAEXT -o .\hra.etl -p {3BEEDE59-FC7D-5057-CE28-BABAD0B27181} 0xFFFFFFFF 9 -ets.

    3. Reproduce the scenario that you are troubleshooting.

    4. Type logman stop HRAEXT -ets.

    5. Close the command prompt window.

  • NAP server tracing log files

    NAP server trace logs contain debugging information that can help you find the root causes of issues that occur with a NAP health policy server. NAP server tracing files are written in ETL format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the –o option to specify the directory to which the files are written. In the following example, files are written to the current directory. For more information, see Logman (https://go.microsoft.com/fwlink/?LinkId=143549).

    To create NAP server trace log files on a server running NPS

    1. Open a command line as an administrator.

    2. Type logman start QSHVHOST -o .\shvhost.etl -p {06BB9E87-F689-4ec5-9E1E-44E1D471F21F} 0xFFFFFFFF 9 -ets.

    3. Reproduce the scenario that you are troubleshooting.

    4. Type logman stop QSHVHOST -ets.

    5. Close the command prompt window.

NAP event logs

Event logs are one of the most useful tools for troubleshooting NAP problems. You can review event logs for NAP on NAP client computers and on servers running NPS and HRA. NAP client events and HRA events are displayed in the NAP events and errors documentation section of this topic.

The following events on servers running NPS display detailed information about NAP client access request processing:

  • Event ID 6272: Network Policy Server granted access to a user.

    This event occurs when a NAP client computer is successfully authenticated and, depending on its health state, obtains full or restricted access to the network.

  • Event ID 6273: Network Policy Server denied access to a user.

    This event occurs when there is a problem with authentication or authorization and is associated with a reason code. For more information, see NPS Reason Codes (https://go.microsoft.com/fwlink/?LinkId=136640).

  • Event ID 6274: Network Policy Server discarded the request for a user.

    This event occurs if there is a configuration problem. It can occur if RADIUS client settings are incorrect or if NPS cannot create accounting logs.

  • Event ID 6276: Network Policy Server quarantined a user.

    This event occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow limited access. It can also occur if you have configured a setting of Allow full network access for a limited time and the specified date is in the past.

  • Event ID 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.

    This event occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow full network access for a limited time when the date specified in the policy has passed.

  • Event ID 6278: Network Policy Server granted full access to a user because the host met the defined health policy.

    This event occurs when the client access request matches a network policy that is configured with a NAP enforcement setting of Allow full network access.

For more information about NPS events, see Network Policy Server Infrastructure.

  1. Click Start, click Run, type eventvwr.msc, and then press ENTER.

  2. Open Custom Views\Server Roles\Network Policy and Access Services.

  1. Click Start, click Run, type eventvwr.msc, and then press ENTER.

    • If the computer is running Windows 7 or Windows Vista, open Applications and Services Logs\Microsoft\Windows\Network Access Protection\Operational.

    • If the computer is running Windows XP with Service Pack 3, open the System log.

NAP events and errors documentation

NAP events and errors documentation provides helpful information for troubleshooting NAP-related operating system events. The following tables list the events that can be generated by NAP client computers and Health Registration Authority (HRA) servers. Click the event ID for step-by-step troubleshooting procedures for that event.

NAP client events

Event ID

Message

Source

1

The System Health Agent %1 is installed but not registered with the NAP agent.

Microsoft-Windows-NetworkAccessProtection

2

The System Health Agent %1 attempted to initialize, but failed because it has initialized already.

Microsoft-Windows-NetworkAccessProtection

3

The System Health Agent %1 attempted to uninitialize but failed because it was not initialized.

Microsoft-Windows-NetworkAccessProtection

4

The System Health Agent %1 successfully initialized.

Microsoft-Windows-NetworkAccessProtection

5

The System Health Agent %1 successfully uninitialized.

Microsoft-Windows-NetworkAccessProtection

6

The enforcement client %1 attempted to initialize but failed because it is not registered with the NAP agent.

Microsoft-Windows-NetworkAccessProtection

7

The enforcement client %1 attempted to initialize but failed because it has already initialized.

Microsoft-Windows-NetworkAccessProtection

8

The enforcement client %1 attempted to uninitialize but failed because it was not initialized.

Microsoft-Windows-NetworkAccessProtection

9

The enforcement client %1 successfully initialized.

Microsoft-Windows-NetworkAccessProtection

10

The enforcement client %1 successfully uninitialized.

Microsoft-Windows-NetworkAccessProtection

11

The System Health Agent %1 failed the call to %2.

Microsoft-Windows-NetworkAccessProtection

12

The enforcement client %1 failed the call to %2.

Microsoft-Windows-NetworkAccessProtection

13

The Network Access Protection Agent failed to the peripheral component %1. The error code was %2. See the administrator for more information.

Microsoft-Windows-NetworkAccessProtection

14

A Statement of Health with correlation ID %1 could not be created because the maximum size of the connection is too small.

Microsoft-Windows-NetworkAccessProtection

15

A Statement of Health Request with correlation ID %1 could not include the following System Health Agents in the statement of Health: %2

Microsoft-Windows-NetworkAccessProtection

16

A packet has been received with an unexpected correlation of %1 instead of %2.

Microsoft-Windows-NetworkAccessProtection

17

The Statement of Health Response contained configuration for the following SHAs that are not installed on this computer: %1

Microsoft-Windows-NetworkAccessProtection

18

System Isolation State Change. Previous : State : %1 (%2) Probation Time : %3 Help URL : %4 Current : State : %5 (%6) Probation Time : %7 Help URL : %8

Microsoft-Windows-NetworkAccessProtection

19

The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1. The server was not available to service the request (%3). This server will not be tried again for %4 minutes. See the HRA administrator for more information.

Microsoft-Windows-NetworkAccessProtection

20

The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1. The server denied access to the request (%3). This server will not be tried again for %4 minutes. See the HRA administrator for more information.

Microsoft-Windows-NetworkAccessProtection

21

The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1. The request failed with the error code (%3). This server will not be tried again for %4 minutes. See the HRA administrator for more information.

Microsoft-Windows-NetworkAccessProtection

22

The Network Access Protection Agent successfully acquired a certificate for the request with the correlation-id %2 from %1. The certificate can be identified by its thumbprint of %3

Microsoft-Windows-NetworkAccessProtection

23

The Network Access Protection Agent successfully deleted the certificate with the thumbprint of %1. The certificate has expired or the health state of the client has changed or a replacement certificate has been acquired. See the administrator for more information.

Microsoft-Windows-NetworkAccessProtection

24

The Network Access Protection Agent failed to delete the certificate with the thumbprint of %1. The certificate could not be found or the Network Access Protection Agent has insufficient privileges to delete the certificate (%2). See the administrator for more information.

Microsoft-Windows-NetworkAccessProtection

25

The client loaded NAP group policy.

Microsoft-Windows-NetworkAccessProtection

26

The NAP service has started. NAP has the following information for this computer: Computer name is %1. Domain status is: %2. The operating system SKU is: %4. The service pack version is: %6. The processor type is: %5.

Microsoft-Windows-NetworkAccessProtection

27

A Statement of Health with correlation ID %1 was received from the System Health Agent %2. The duration to check the client's health was %3 ms.

Microsoft-Windows-NetworkAccessProtection

28

A Statement of Health with correlation ID %1 was sent to the enforcement client %2.

Microsoft-Windows-NetworkAccessProtection

29

A Statement of Health Response with correlation ID %1 was received from the enforcement client %2. The current client state is %3. The following SHAs report this client non-compliant: %4 The following error categories were encountered: %5 The probation expiration time is: %6 The help URL is: %7 The duration of health check was %8 ms.

Microsoft-Windows-NetworkAccessProtection

30

The System Health Agent %1 has returned an error code %2.

Microsoft-Windows-NetworkAccessProtection

31

The Network Access Protection agent failed to initialize the following enrollment configuration. HRA Group : %1 CSP Name : %2 Key Specification : %3 Key Length : %4 Signature Algorithm : %5 The initialization failed with the error code (%6). See the HRA administrator for more information.

Microsoft-Windows-NetworkAccessProtection

32

The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1. The server was not available to service the request (%3). See the HRA administrator for more information.

Microsoft-Windows-NetworkAccessProtection

33

The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1. The server denied access to the request (%3). See the HRA administrator for more information.

Microsoft-Windows-NetworkAccessProtection

34

The Network Access Protection Agent failed to acquire a certificate for the request with the correlation-id %2 from %1. The request failed with the error code (%3). See the HRA administrator for more information.

Microsoft-Windows-NetworkAccessProtection

35

The Network Access Protection agent failed to get a certificate for the request with correlation-id %2 from %1. The server presented a certificate that is not trusted for Enterprise authentication. This server will not be tried again for %4 minutes. Contact the HRA administrator for more information.

Microsoft-Windows-NetworkAccessProtection

36

The Network Access Protection agent failed to get a certificate for the request with correlation-id %2 from %1. The validation of the server certificate for SSL resulted in an error %3, the certificate is not appropriate for SSL. This server will not be tried again for %4 minutes. Contact the HRA administrator for more information.

Microsoft-Windows-NetworkAccessProtection

37

The Network Access Protection agent failed to get a certificate for the request with correlation-id %2 from %1. The server presented a certificate that is not trusted for Enterprise authentication. Contact the HRA administrator for more information.

Microsoft-Windows-NetworkAccessProtection

38

The Network Access Protection agent failed to get a certificate for the request with correlation-id %2 from %1. The validation of the server certificate for SSL resulted in an error %3, the certificate is not appropriate for SSL. Contact the HRA administrator for more information.

Microsoft-Windows-NetworkAccessProtection

39

The Network Access Protection Agent was unable to determine which HRAs to request a health certificate from. A network change or if GP is configured, a configuration change will prompt further attempts to acquire a health certificate. Otherwise no further attempts will be made. Contact the HRA administrator for more information.

Microsoft-Windows-NetworkAccessProtection

40

The Network Access Protection Agent has dynamically discovered the following HRAs for this network (using the query %1): %2 The DNS servers in your configuration at the time this discovery took place included: %3

Microsoft-Windows-NetworkAccessProtection

41

System Isolation State Change. Extended State details: Previous : Extended State : %1 (%2) Current : Extended State : %3 (%4)

Microsoft-Windows-NetworkAccessProtection

42

A Statement of Health Response with correlation ID %1 was just received from the enforcement client %2. The extended state in that Statement of Health Response was %3.

Microsoft-Windows-NetworkAccessProtection

1000

The Microsoft Security System Health Agent detected a change in the status of %1

Microsoft-Windows-SystemHealthAgent

1001

The Microsoft Security System Health Agent detected a change in the status of %1

Microsoft-Windows-SystemHealthAgent

1002

The Windows Security Health Agent was initialized successfully. Scan Interval: %1 minutes. Time delay before first scan: %2 seconds. Time interval between manual remediation state change: %3 seconds. Manual remediation timeout interval: %4 seconds.

Microsoft-Windows-SystemHealthAgent

1003

The Windows Security Health Agent could not be initialized. Failure Code: %1

Microsoft-Windows-SystemHealthAgent

1004

The Windows Security Health Agent was uninitialized successfully.

Microsoft-Windows-SystemHealthAgent

1005

The Windows Security Health Agent completed an online scan.

Microsoft-Windows-SystemHealthAgent

1006

The Windows Security Health Agent failed to complete an online scan. Failure Code: %1

Microsoft-Windows-SystemHealthAgent

1007

The Windows Security Health Agent completed an offline scan.

Microsoft-Windows-SystemHealthAgent

1008

The Windows Security Health Agent failed to complete an offline scan. Failure Code: %1

Microsoft-Windows-SystemHealthAgent

1009

The Windows Security Health Agent completed a download of security updates.

Microsoft-Windows-SystemHealthAgent

1010

The Windows Security Health Agent failed to complete a download of security updates. Failure Code: %1

Microsoft-Windows-SystemHealthAgent

1011

The Windows Security Health Agent completed an install of security updates.

Microsoft-Windows-SystemHealthAgent

1012

The Windows Security Health Agent failed to complete an install of security updates. Failure Code: %1

Microsoft-Windows-SystemHealthAgent

1013

Automatic remediation for firewall succeeded. Windows Firewall was turned on successfully.

Microsoft-Windows-SystemHealthAgent

1014

Automatic remediation for firewall failed. Windows could not turn on Windows Firewall. Failure Code: %1

Microsoft-Windows-SystemHealthAgent

1015

Automatic remediation for Automatic Updates succeeded. Automatic Updates was turned on successfully.

Microsoft-Windows-SystemHealthAgent

1016

Automatic remediation for Automatic Updates failed. Windows could not turn on Automatic Updates. Failure Code: %1

Microsoft-Windows-SystemHealthAgent

1017

Automatic remediation for Windows Security Center service succeeded. Windows Security Center service was turned on successfully.

Microsoft-Windows-SystemHealthAgent

1018

Automatic remediation for Windows Security Center service failed. Windows could not turn on Windows Security Center service. Failure Code: %1

Microsoft-Windows-SystemHealthAgent

1019

Automatic remediation for antispyware succeeded. Windows defender was turned on successfully.

Microsoft-Windows-SystemHealthAgent

1020

Automatic remediation for antispyware failed. Windows could not turn on Windows Defender. Failure Code: %1

Microsoft-Windows-SystemHealthAgent

1021

Automatic remediation for antispyware signatures succeeded. Windows Defender signatures were updated successfully.

Microsoft-Windows-SystemHealthAgent

1022

Automatic remediation for antispyware signatures failed. Windows could not update signatures for Windows Defender. Failure Code: %1

Microsoft-Windows-SystemHealthAgent

1023

The Windows Security Center detected a system health state change. The change in state was also successfully detected by the Windows Security Health Agent.

Microsoft-Windows-SystemHealthAgent

1024

Windows Security Center detected a system health state change but the Windows Security Health Agent could not enumerate the state change. Failure Code: %1

Microsoft-Windows-SystemHealthAgent

1025

The Windows Security Health Agent specified a new security health state for the computer. The correlation id for this transaction is %1

Microsoft-Windows-SystemHealthAgent

1026

The Windows Security Health Agent failed to specify a new security health state for the computer. Failure Code: %1. The correlation id for this transaction is %2

Microsoft-Windows-SystemHealthAgent

1027

The Windows Security Health Agent notified the Windows Network Access Protection Service of a change in the security health state of the computer.

Microsoft-Windows-SystemHealthAgent

1028

The Windows Security Health Agent failed to notify the Windows Network Access Protection Service of a change in the security health state of the computer. Failure Code: %1.

Microsoft-Windows-SystemHealthAgent

1029

The Windows Security Health Agent successfully processed a response from the Windows Security Health Validator. The correlation id for this transaction is %1.

Microsoft-Windows-SystemHealthAgent

1030

The Windows Security Health Agent failed to process a response from the Windows Security Health Validator. Failure Code: %1. The correlation id for this transaction is %2.

Microsoft-Windows-SystemHealthAgent

HRA events

Event ID

Message

Source

1

Microsoft Health Registration Authority extension started successfully.

HRA

2

The Health Registration Authority was unable to read the request from the host at %1. See the Health Registration Authority administrator for more information.

HRA

3

The Health Registration Authority encountered an error processing the response for the request with the correlation-id %1 at %2 (principal %3) (error %4). See the Health Registration Authority administrator for more information.

HRA

4

The Health Registration Authority encountered an internal error (%1). Restart the Health Registration Authority Web site in IIS. See the Network Policy Server administrator for more information.

HRA

5

Event deprecated

HRA

6

The Health Registration Authority extension has stopped successfully.

HRA

7

The Health Registration Authority denied the request with the correlation-id %1 at %2 (principal %3) because the request was not authorized (%4). Discarding the request.

HRA

8

The Health Registration Authority is mis-configured or cannot read its configuration, stopping Health Registration Authority. See the Health Registration Authority administrator for more information.

HRA

9

The Health Registration Authority was unable to acquire a certificate for request with the correlation-id %1 at %2 (principal: %3). Discarding the request. The Certificate Server %4 denied the request with the following error: %5 (%6). See the Certificate Server administrator for more information.

HRA

10

The Health Registration Authority was unable to acquire a certificate for request with the correlation-id %1 at %2 (principal: %3). The Certificate Server %4 denied the request with the following error: %6 (%7). This failure was possibly due to a network related issue. The request will be discarded if no other certificate servers are available. This server will not be tried again for %5 minutes. See the Certificate Server administrator for more information.

HRA

11

Microsoft Health Registration Authority could not contact IAS: %1

HRA

12

Microsoft Health Registration Authority received a clear session from %1. See the Health Registration Authority administrator for more information.

HRA

13

Microsoft Health Registration Authority approved a request.

HRA

14

Microsoft Health Registration Authority denied a request. The Network Policy Server has indicated that the client should be quarantined.

HRA

15

Audit event

HRA

16

Audit event

HRA

17

Audit event

HRA

18

Audit event

HRA

19

Audit event

HRA

20

Microsoft The Health Registration Authority failed to validate the cert request against the configuration. The Health Registration Authority denied the request with the correlation-id %1 at %2 (principal: %3) because it did not satisfy the cryptographic policy (%4). Discarding the request.

HRA

21

The Health Registration Authority has approved the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server has indicated that the client should be placed in probation.

HRA

22

The Health Registration Authority has approved the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server has indicated that the client should be given full access.

HRA

23

The Health Registration Authority was unable to validate the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server was not available to service the request (%4). See the Network Policy Server administrator for more information.

HRA

24

The Health Registration Authority was unable to validate the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server had no policy matching the request (%4). See the Network Policy Server administrator for more information.

HRA

25

The Health Registration Authority was unable to validate the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server denied the request because the request was not authorized (%4). See the Network Policy Server administrator for more information.

HRA

26

The Health Registration Authority was unable to validate the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server denied the request (%4). See the Network Policy Server administrator for more information.

HRA

27

The Health Registration Authority was unable to validate the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server (NPS) denied the request because the request was malformed (%4). Verify the Health Registration Authority configuration or contact its administrator for more information.

HRA

28

The Health Registration Authority was unable to validate the request with the Correlation ID %1 at IP address %2 (Principal: %3). The Network Policy Server (NPS) was unable to contact one of the resources necessary to validate the request (%4). See the Network Policy Server administrator for more information.

HRA

29

Microsoft Health Registration Authority denied the certificate request with the correlation-id %1 at %2 for (principal: %3). Either no certificate servers are configured or the certificate servers that are configured are not available. Contact the Health Registration Authority for more information

HRA

30

The Health Registration Authority was unable to connect to the Certification Authority to remove expired records. The Certification Authority %1 denied the request with the following error: %2. Contact the Certification Authority administrator to check the permissions and for more information.%3

HRA

Microsoft Management Console

You can review settings for important NAP-related services using the following consoles:

  • NPS console

    You can use the NPS console to review RADIUS client settings, NPS policy settings, SHV settings, remediation server group settings, and accounting settings.

    Membership in the local Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

    To troubleshoot NAP using the NPS console

    1. Click Start, click Run, type nps.msc, and then press ENTER.

    2. Open RADIUS Clients and Servers, and review settings for RADIUS Clients and Remote RADIUS Server Groups.

    3. Open Policies, and review settings for Connection Request Policies, Network Policies, and Health Policies.

    4. Open Network Access Protection, and review settings for System Health Validators and Remediation Server Groups.

    5. Open Accounting, and review settings for Local File Logging and SQL Server Logging.

  • NAP Client Configuration console

    You can use the NAP Client Configuration console to review NAP client settings on the local computer. The NAP client configuration console is not available on computers running Windows XP.

Important

NAP client settings configured using the NAP Client Configuration console will be ignored if NAP client settings are configured in Group Policy.

## To troubleshoot NAP using the NAP Client Configuration console
1.  Click **Start**, click **Run**, type **napclcfg.msc**, and then press ENTER.

2.  Open **Enforcement Clients**, and review settings for NAP enforcement clients.

3.  Open **User Interface Settings**, and review settings for NAP notifications.

4.  Open **Health Registration Settings**, and review cryptographic settings and trusted server group settings.
  • Certification Authority console

    You can use the Certification Authority console to troubleshoot certificate permission and issuing problems.

    To troubleshoot NAP using the Certification Authority console

    1. Click Start, click Run, type certsrv.msc, and then press ENTER.

    2. Open the console tree and review certificates in Issued Certificates, Pending Requests, Failed Requests, and Certificate Templates.

    3. Right-click the name of the CA, and then click Properties.

    4. In the CA properties window, review settings on the Policy Module tab and the Security tab.

  • Certificate Templates console

    If you are using an enterprise CA, you can use the Certificate Templates console to review permissions and settings on NAP health certificate templates.

    To troubleshoot NAP using the Certificate Templates console

    1. Click Start, click Run, type certtmpl.msc, and then press ENTER.

    2. In the details pane, right-click System Health Authentication, and review settings on the Subject Name tab, the Extensions tab, and the Security tab.

MMC snap-ins

You can use MMC snap-ins to review NAP settings and monitor NAP activity.

  • HRA snap-in

    Use the HRA snap-in to troubleshoot CA settings and cryptographic settings.

    Membership in the local Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

    To troubleshoot NAP using the HRA snap-in

    1. Click Start, click Run, type mmc, and then press ENTER.

    2. Click File, click Add/Remove Snap-in, click Health Registration Authority, click Add, and then click OK twice.

    3. Click Certification Authority, and review the list of CAs.

    4. Right-click Certification Authority, and then click Properties.

    5. In Certification Authorities, review the settings for CA availability, certificate validity period, CA type, and CA templates.

  • Certificates snap-in

    You can use the Certificates snap-in to review certificates that have been issued to the NAP client computer and NAP servers.

    To troubleshoot NAP using the Certificates snap-in

    1. Click Start, click Run, type mmc, and then press ENTER.

    2. Click File, click Add/Remove Snap-in, click Certificates, click Add, select Computer account, click Next, click Finish, and then click OK.

    3. Open Personal\Certificates, and review the certificates.

    4. Open Trusted Root Certification Authorities\Certificates, and review the certificates.

  • IP Security Monitor snap-in

    You can use the IP Security Monitor snap-in to review IPsec security associations (SAs) on NAP client computers and server components that are part of a NAP with IPsec enforcement infrastructure.

    To troubleshoot NAP using the IP Security Monitor snap-in

    1. Click Start, click Run, type mmc, and then press ENTER.

    2. Click File, click Add/Remove Snap-in, click IP Security Monitor, click Add, and then click OK.

    3. Open Main Mode\Security Associations, and review the associations.

    4. Open Quick Mode\Security Associations, and review the associations.

See Also

Concepts

Quick Fixes for NAP
Troubleshooting NAP Problems