Windows Roaming Client Troubleshooting

Article author
Josh Lamb
  • Updated

This guide is for troubleshooting any issues associated with the Roaming Client.

This guide assumes that the Tray Icon has been enabled at install time, which is contextually important for troubleshooting the Roaming Client.

If you are in the testing phase of deploying the Roaming Client, it’s recommended to keep the Tray Icon enabled until initial issues which prevent wider deployment are resolved.

If you are beyond the testing phase of deploying the Roaming Client and do not have the Tray Icon enabled, all troubleshooting steps will need to be followed.

Conflicting Software

This first thing to check when diagnosing problems with the Roaming Client is to check for software conflicts. Some software applications have a known conflict with the Roaming Client and their settings will need to be adjusted or turned off to ensure smooth operation.

Browsers, VPNs, and Security Software

Our Software Conflicts article has a list of software that we have identified will need to be adjusted for DNSFilter to work properly on your network and on Roaming Clients. Check this article to see if any of the applications listed are being used in your environment.

Hyper-V and Windows Defender Application Guard

Hyper-V cannot be installed on the machine. Hyper-V automatically runs a DNS server on (all interfaces), which prevents the Roaming Client system service from being able to start. You’’ll have to examine the reason that Hyper-V is installed and if you are running any virtual machines. You can check if Hyper-V is installed by running:


If this service is active and running, you can uninstall Hyper-V using the following Powershell command:

Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All

If you are not running any virtual machines, it could be that a Windows Defender feature called Application Guard (which uses Hyper-V) is turned on. This feature uses Hyper-V to open untrusted sites in an isolated container in the Microsoft Edge browser. If you run an environment where Edge is your primary browser, you may want to consider switching to Chrome Enterprise.

If Application Guard is in use you can disable it with the following command (you’ll also need to disable Hyper-V itself, using the command above):

Disable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard

Microsoft NCSI

In exceptional situations, after the client is installed, Windows will display a limited network connectivity indicator (a yellow triangle) in the tray menu.


Limited Connectivity

Here are a few possible causes and solutions:

  1. A limitation in NCSI - Microsoft’s Network Connectivity Status Indicator (NCSI) feature . Since the Fall 2017 Creator’s Update of Windows 10, this can be easily remedied by running the below line in an Administrative Command Prompt:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicator" /v UseGlobalDNS /t REG_DWORD /d 1 /f
  1. NCSI is blocked - Especially true if you have a heavily-restricted policy. Whitelist the domain in your policy.




Conflicting Hardware

USB Wi-Fi and HotSpots

Most USB-based Wi-Fi and HotSpot devices enforce their own DNS servers on the network adapter that is created when plugged in. As a result, they will likely not be compatible. Testing is encouraged.

Juniper SRX Firewall

If you are using the Juniper SRX Firewall, DNS Doctoring will need to be disabled, which is only available in the Command Line Interface. More information available In Juniper’s Documentation

Roaming Client Malfunction

If you have checked for known software and hardware conflicts and believe that the Roaming Client is malfunctioning, there are a few troubleshooting steps that you can take:

Check Service Status (Started/Stopped)

The tray icon for the Roaming Client should be Blue or Green. If is is Red, this is an indication that the client is not actively filtering DNS queries. There may be a problem with the system service. Verify the status of the service by:

  1. Press ⊞ Win + R to open the Run dialog. Type in services.msc and hit Enter.
  2. Scroll down to the service called DNSFilter Agent or DNS Agent (MSP Version). You may also check this via the command-line using:
SC QUERY "DNSFilter Agent"

or for the MSP version below:


The Agent status should be “started” and “running”. If the Agent is “stopped”, you can restart it from the services menu or by running:

SC START "DNSFilter Agent"

or for the MSP version below:


Check Port Bindings

In addition to checking the service status of the Roaming Client, you will want to check that no other applications are binding to DNS ports on the local machine (127.0.0.X:53).

You can discover this by running the following prompt command:

netstat -ban | findstr :53 

The image below illustrates the ideal output of the command. The first line shows that the local listen address and port (TCP) is listening for connections from any address ( The LISTENING message shows that this connection is actively bound by the Roaming Client and listening for traffic. The second line shows the same thing for UDP (although the connection is not active). **If there are other connections listening on 127.0.0.X:53, there may be a port binding conflict between that software and the Roaming Client.


Netstat showing proper Roaming Client binding


Check Transparent Proxying

If the service is started, and the Roaming Client ports are properly bound, you should check to see if DNS requests are being proxied on your network or by your ISP. Our Transparent Proxying article goes into detail on this subject.

Roaming Client Not Filtering

When the tray icon is a green or blue color, filtering should be occurring. If domains which should be blocked are not being blocked, there could be software or network settings which interfere with the DNS queries (usually the response, as opposed to the query).



If using a VPN, try disabling the VPN to see if it’s interfering with the ability to filter DNS requests. You may need to contact support with the brand/version of the VPN to investigate further.

Juniper SRX (DNS Doctoring)

If you are using the Juniper SRX Firewall, DNS Doctoring will need to be disabled, which is only available in the Command Line Interface. More information available In Juniper’s Documentation

If neither of these apply, please review the Enabling Logging section below.

Enable Logging

Enabling and sending DNSFilter Support the logs is the best way for DNSFilter to diagnose the issue. If a computer with the Roaming Client installed is continually having an issue which can be replicated, please follow these steps:

  1. Open the Wordpad application as an Administrator.b0e9d41-file-UuCxyfFoBT.png
  2. Open the following file in Wordpad: C:FilesAgentAgent.exe.config -> The file will likely only display as “DNS Agent.exe” - without the appended .config extension -> (If you are an MSP, the folder will be: C:\Program Files\DNS Agent) 

    Pro Tip: When searching for the Agent config file, you may notice that the DNS Agent or DNSFilter Agent folder is blank. If so, please make sure to change All WordPad documents to All documents to reveal the correct file

  3. Look for the following block of code in the file: <file value=""/>

Add your preferred logfile location and name between the double quotes: <file value="C:\DNSLog.txt"/>

  1. Locate the following block of code: <level value="INFO"/>

Change the log level value to DEBUG: <level value="DEBUG"/>

  1. Save the file.

  2. Open the Services application and locate DNSFilter Agent (MSPs: DNS Agent) and stop/start the service:

Once the problematic experience has been experienced, such as:

  • No DNS Resolution
  • Failure to resolve local resources
  • No Internet Connectivity
  • Failure to start the System Service

Please send the logs to DNSFilter Support

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request



Please sign in to leave a comment.