
Step by Step : Network Access Protection (NAP) Deployment in Windows Server 2012 R2 – Part 1 of 7 (Configure Server and Client Certificate Requirements)

July 19, 2014

As promised, today let's go through Part 1 of 7 of my step-by-step guide on how to deploy Network Access Protection in Windows Server 2012 R2.

This deployment is a major one with many steps to go through. For that reason I have prepared the Step by Step in 7 parts, so that you as an IT administrator can understand the flow of the deployment. Please take the time to read more about NAP.

A little bit of information about NAP:

NAP is a policy-enforcement platform that is built into all Windows client computers beginning with Windows XP SP3, and all server-based operating systems beginning with Windows Server 2008.

You can use NAP to protect network assets more strongly by enforcing compliance with system-health requirements. NAP provides the necessary software components to help ensure that computers connected or connecting to your network remain manageable, so that they do not become a security risk to your enterprise's network and other attached computers.

Understanding the functionality and limitations of NAP will help you protect your network from the security risks posed by noncompliant computers.

For more information on the NAP :

In this Part 1, let's go through how to configure the Server and Client Certificate Requirements / Health Policies before we jump into the NAP deployment…

1 – On OSI-ADDS01 server, open Server Manager, click Tools, and then click Certification Authority

** In case you do not have a Certificate Authority installed, please refer to my previous post: Installing Certificate Authority on Windows Server 2012 R2 (


2 – In the certsrv management console, double-click osi-ADDS01-CA, right-click Certificate Templates, and then select Manage on the context menu…


3 – In the Certificate Templates Console, right-click Computer, and then click Properties


4 – In the Computer Properties box, click the Security tab, select Authenticated Users, and then under Permissions for Authenticated Users, tick the Allow check box for the Enroll permission, and then click OK.


5 – Next, in certsrv – [Certification Authority (Local)] console, right-click osi-ADDS01-CA, point to All Tasks, and then click Stop Service


6 – Next, right-click osi-ADDS01-CA again, point to All Tasks, and then click Start Service


7 – Next, log in to another server (OSI-NPS). On this server we are going to enroll a new certificate from AD:

– On the OSI-NPS Server, open MMC


8 – On the OSI-NPS Server, click File menu, click Add/Remove Snap-in


9 – Next, in the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish



10 – In the Add or Remove Snap-ins dialog box, click OK


11 – In the console1 tree, expand Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate


12 – In the Certificate Enrollment dialog box, click Next to proceed…


13 – Next on the Select Certificate Enrollment Policy interface, click Active Directory Enrollment Policy, and then click Next…


14 – Next, select the Computer check box, and then click Enroll


15 – Verify the status of certificate installation as Succeeded, and then click Finish…
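
The enrollment in steps 7 to 15 can also be done and checked from PowerShell. This is an added example, not part of the original post: it assumes an elevated session on OSI-NPS and that the Computer template is requested under its internal name `Machine`, and it confirms the issued certificate carries both the Server Authentication and Client Authentication EKUs.

```powershell
# Added example, not from the original post. Run elevated on OSI-NPS.
# Assumption: the built-in Computer template is requested by its internal name "Machine".
$store = 'Cert:\LocalMachine\My'

# Steps 11-15: request a certificate through the Active Directory enrollment policy.
$result = Get-Certificate -Template 'Machine' -CertStoreLocation $store
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not succeed (status: $($result.Status))"
}

# Re-read the certificate from the machine store to confirm it was installed there.
$cert = Get-Item "$store\$($result.Certificate.Thumbprint)"

# EKU OIDs the certificate must carry for server and client authentication.
$required = [ordered]@{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
}

# Read the EKU extension straight from the certificate object.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$presentOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

# Collect every reason the certificate would be unusable, then fail once.
$problems = @()
foreach ($oid in $required.Keys) {
    if ($presentOids -notcontains $oid) { $problems += "missing EKU: $($required[$oid])" }
}
if (-not $cert.HasPrivateKey)      { $problems += 'no private key in the machine store' }
if ($cert.NotAfter -le (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }
if (-not $cert.Verify())           { $problems += 'basic chain validation failed' }

if ($problems.Count -gt 0) {
    throw "Certificate $($cert.Thumbprint) is not usable: $($problems -join '; ')"
}

# Summary of the certificate that passed all checks.
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    EKUs       = ($required.Values -join ', ')
}
```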

