Introduction to Network Access Protection
Network Access Protection (NAP) is a Windows Server technology that evaluates the health of client computers attempting to connect to the network and restricts access for machines that do not meet defined health requirements. NAP checks conditions such as whether Windows Firewall is enabled, antivirus signatures are up to date, automatic updates are configured, and whether required software is installed. Non-compliant computers are quarantined to a restricted network until they remediate their health issues. While NAP was deprecated in Windows Server 2012 R2 in favor of Microsoft Intune and modern MDM solutions, it remains functional on Windows Server 2019 for organizations with legacy infrastructure. This tutorial covers NAP architecture and IPsec-based enforcement, the most commonly deployed NAP method.
NAP Architecture Components
NAP has several interconnected components: the NAP Client (built into Windows Vista and later), System Health Agents (SHAs) on the client that report health status, System Health Validators (SHVs) on the NPS server that evaluate health reports, the Network Policy Server acting as the Health Policy Server, Health Registration Authority (HRA) for IPsec-based enforcement that issues health certificates, and Remediation Servers (WSUS, antivirus update servers) that non-compliant clients can reach in the restricted zone.
NAP Enforcement Methods
NAP supports multiple enforcement methods: IPsec enforcement (strongest—requires health certificates for secure communication), 802.1X enforcement (restricts network port access), VPN enforcement (evaluates health of VPN-connecting clients), DHCP enforcement (provides restricted IP configuration to non-compliant clients), and Terminal Services Gateway enforcement. IPsec enforcement is the most comprehensive because it evaluates all network communications, not just initial access.
Installing NAP Server Components
Install the NPS role (which includes NAP policy server), the Health Registration Authority role service, and Active Directory Certificate Services for issuing health certificates.
Install-WindowsFeature NPAS, ADCS-Cert-Authority, ADCS-Web-Enrollment `
-IncludeManagementTools
Install the Health Registration Authority role service:
# Online Responder (OCSP) role service plus the AD CS management tools (RSAT)
Install-WindowsFeature ADCS-Online-Cert, RSAT-ADCS-Mgmt
# Point the HRA at the CA that will issue health certificates; -CAConfig takes the form "CAHostName\CAName"
Install-AdcsHealthRegistrationAuthority -CAConfig "CA01.yourdomain.com\YourOrg-Root-CA" -Force
Configuring System Health Validators
System Health Validators define the health requirements for client computers. The Windows Security Health Validator (WSHV) is built into Windows and checks: Firewall status (enabled on all interfaces), Virus Protection (installed, enabled, and up to date), Spyware Protection (installed, enabled, and up to date), and Automatic Updates (enabled with specific settings).
Configure the WSHV in the NPS console under Network Access Protection > System Health Validators > Windows Security Health Validator. Click Configure and specify which health checks are required.
nps.msc
Creating Health Policies
Health Policies define what constitutes a compliant or non-compliant computer by referencing SHVs. Create two health policies: one for compliant computers (all SHV checks passed) and one for non-compliant computers (any check failed).
In NPS > Policies > Health Policies: create “Compliant-Policy” with Windows Security Health Validator set to “Client passed all SHV checks.” Create “Non-Compliant-Policy” with the SHV set to “Client failed one or more SHV checks.” These policies are referenced in Network Policies.
Creating NAP Network Policies
Create two Network Policies in NPS: one for compliant computers granting full access, and one for non-compliant computers restricting access.
Policy 1 “Allow Compliant Computers”: Conditions: Health Policies = Compliant-Policy. Settings: NAP enforcement = Allow full network access. Grant access.
Policy 2 “Restrict Non-Compliant Computers”: Conditions: Health Policies = Non-Compliant-Policy. Settings: NAP enforcement = Allow limited access. Grant access with restrictions. Configure an IP filter restricting non-compliant clients to the remediation server subnet only.
Configuring DHCP Enforcement
DHCP enforcement is the simplest NAP method to deploy. Non-compliant computers receive an IP address with a short lease time and routes that only allow access to remediation servers. Compliant computers receive a normal IP configuration.
# Install the DHCP Server role and its management tools on the DHCP server
Install-WindowsFeature DHCP -IncludeManagementTools
# Credentials the DHCP server uses for dynamic DNS updates (not a NAP setting;
# the password is passed on the command line in clear text and will land in shell history)
netsh dhcp server set dnscredentials youradminuser yourdomain yourpassword
# Activate the scope (state 1 = active); NAP enforcement on the scope is configured in the console step that follows
netsh dhcp server scope 10.0.1.0 set state 1
In the DHCP Management console, right-click the scope and configure NAP settings. Set the NAP enforcement action and specify the network access protection remediation class.
Enabling the NAP Client Agent
Enable the NAP client on Windows computers via Group Policy or PowerShell. The NAP Agent service (napagent) must be running and the appropriate enforcement clients enabled.
# Start and enable the NAP Agent service
Set-Service napagent -StartupType Automatic
Start-Service napagent
# Enable NAP enforcement clients via GPO
# Computer Configuration > Policies > Windows Settings >
# Security Settings > Network Access Protection > NAP Client Configuration
# Enable the appropriate enforcement clients (DHCP, IPsec, etc.)
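The same client enablement done locally from an elevated PowerShell session instead of through the GPO path above, as an added example that is not part of the original tutorial. The enforcement client IDs used are the standard NAP ones (DHCP Quarantine Enforcement Client = 79617, IPsec Relying Party = 79619) and are treated as assumptions to confirm against the output of netsh nap client show state on your build.

```powershell
# Added example: enable the NAP Agent and one enforcement client on a client machine,
# then verify the result. Run elevated. The IDs below are assumed to be the standard
# NAP enforcement client IDs; confirm them in the 'show state' output before relying on them.
$EnforcementClients = @{ DHCP = 79617; IPsec = 79619 }
$Wanted = 'DHCP'   # switch to 'IPsec' for IPsec-based enforcement

# Without the NAP Agent running, no enforcement client can collect or report health
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
if ((Get-Service -Name napagent).Status -ne 'Running') {
    throw 'NAP Agent (napagent) did not start; check the System log before continuing.'
}

# Enable the chosen enforcement client; ADMIN = "ENABLE" turns it on for this machine.
# If a NAP client GPO applies to the computer, the policy setting overrides this local one.
$id = $EnforcementClients[$Wanted]
netsh nap client set enforcement ID = $id ADMIN = "ENABLE"
if ($LASTEXITCODE -ne 0) {
    throw "netsh failed to enable enforcement client $id (exit code $LASTEXITCODE)."
}

# Verify: 'show state' lists every enforcement client with its enabled/initialized status,
# and 'show config' shows whether local or Group Policy settings are in effect
netsh nap client show state
netsh nap client show config
```

Run napstat afterwards (as the section below describes) to confirm the client now reports a health state.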
Testing NAP Health Evaluation
Test NAP health evaluation using the napstat command on a client computer. It shows the current health status and which SHV checks have passed or failed.
napstat
On the NPS server, review health evaluation events in the event log and in the NPS accounting log to verify clients are being properly evaluated.
# Pull NAP-related events from the last hour on the NPS server
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-NetworkAccessProtection'
    StartTime    = (Get-Date).AddHours(-1)
} | Select-Object TimeCreated, LevelDisplayName, Message | Format-List
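NPS also records each health decision as an audit event in the Security log when the "Audit Network Policy Server" subcategory is enabled. The function below, an added example rather than code from the original tutorial, summarises those decisions by outcome so a quarantine spike or a policy that never grants full access stands out; the event IDs are the standard NPS audit IDs (6276 quarantined, 6277 granted on probation, 6278 full access because the host met the health policy).

```powershell
# Added example: summarise NPS health-policy decisions from the Security log.
# Requires an elevated session on the NPS server and "Audit Network Policy Server"
# success/failure auditing enabled; otherwise no events are returned.
function Get-NapDecisionSummary {
    param([int]$Hours = 24)
    $labels = @{ 6276 = 'Quarantined'; 6277 = 'Probation'; 6278 = 'FullAccess' }
    $filter = @{
        LogName   = 'Security'
        Id        = 6276, 6277, 6278
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent raises an error rather than returning nothing
    # when no event matches, which is a normal state on a quiet server
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events | Group-Object Id | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Decision = $labels[[int]$_.Name]
            EventId  = [int]$_.Name
            Count    = $_.Count
            Latest   = $latest.TimeCreated
        }
    } | Sort-Object EventId
}

# Show the last 24 hours, then flag the condition a defender usually cares about:
# clients being quarantined while none are reaching full access points at an
# SHV or remediation problem rather than at unhealthy clients
$summary = Get-NapDecisionSummary -Hours 24
$summary | Format-Table -AutoSize
$quarantined = ($summary | Where-Object EventId -eq 6276).Count
$fullAccess  = ($summary | Where-Object EventId -eq 6278).Count
if ($quarantined -gt 0 -and -not $fullAccess) {
    Write-Warning 'Only quarantine decisions in the window; review the SHV configuration and remediation reachability.'
}
```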
Configuring Remediation Server Groups
Remediation servers are the systems non-compliant clients must reach to fix their health issues: WSUS for Windows updates, antivirus update servers, and any other required services. Configure remediation server groups in NPS and reference them in the non-compliant network policy so the access restriction allows traffic to these specific servers.
# Create remediation server group in NPS console under NAP > Remediation Server Groups
# Add WSUS server: 10.0.1.20
# Add AV update server: 10.0.1.21
# Reference this group in the Non-Compliant Network Policy
Conclusion
Network Access Protection on Windows Server 2019 provides a policy-driven framework for evaluating client health before granting network access. While NAP is considered a legacy technology and Microsoft recommends modern endpoint management solutions like Intune for new deployments, it remains a viable option for organizations with older Windows infrastructure that cannot immediately migrate. Understanding NAP architecture is also valuable because its concepts—health evaluation, enforcement, remediation—directly inform modern zero-trust and conditional access designs. For new deployments, consider Microsoft Entra Conditional Access or Intune compliance policies as modern equivalents.