When the Microsoft Entra Global Secure Access (GSA) client runs alongside the DNSFilter Windows Roaming Client, users may see domain resolution failures in certain network environments.
Common causes include:
- GSA does not support DNS-over-TLS, so it can conflict with the Roaming Client when the client attempts a TLS connection to the resolver first
- Some ISPs and networks (e.g., Spectrum, Comcast, hotel Wi-Fi) transparently proxy DoH/TLS traffic, which causes resolution errors
- The failure most often shows up on the Microsoft diagnostic domain private.edgediagnostic.globalsecureaccess.microsoft.com
To resolve the issue, create a Name Resolution Policy Table (NRPT) rule for the GSA diagnostic domain. The rule tells the Windows DNS client to send queries for that one name to the public resolvers listed in the rule instead of to the Roaming Client's local listener, so the diagnostic check resolves while every other query continues to be filtered.
Create an NRPT Rule
Use the PowerShell script below to bypass the Windows agent for the impacted domain and resolve it via public DNS.
- Open PowerShell as Administrator
- Run the following script:

    #Requires -RunAsAdministrator
    $fqdn = "private.edgediagnostic.globalsecureaccess.microsoft.com"

    # Remove any existing rule for this exact namespace so the script is safe to re-run
    $existing = Get-DnsClientNrptRule -ErrorAction SilentlyContinue |
        Where-Object { $_.Namespace -eq $fqdn }
    if ($existing) {
        $existing | Remove-DnsClientNrptRule -Force
    }

    # Add the rule: queries for this name go to the listed public resolvers,
    # not to the Roaming Client's local DNS listener
    Add-DnsClientNrptRule `
        -Namespace $fqdn `
        -NameServers @("8.8.8.8", "1.1.1.1") `
        -DisplayName "Force DNS for GSA Diagnostics over public resolvers"

    Write-Host "NRPT rule added for $fqdn using public DNS"

- Confirm the rule was added (the output should include an entry whose Namespace matches the diagnostic domain):

    Get-DnsClientNrptRule
After applying the NRPT rule, the Microsoft Entra GSA diagnostic checks should resolve correctly, and Roaming Client filtering continues to apply to all other domains, including in restrictive network environments. The rule is stored locally on the machine where the script runs, so it must be applied (or deployed through your endpoint management tooling) on each affected device.
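The following script is an added example, not part of the original DNSFilter article or of the GSA client, for verifying that the rule above is actually steering the diagnostic query and for rolling it back if needed. It assumes the rule was created with the namespace and resolvers shown above; the function names Test-GsaDiagnosticNrpt and Remove-GsaDiagnosticNrpt are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Assumes the NRPT rule for the
# GSA diagnostic domain was created as shown above with 8.8.8.8 and 1.1.1.1.
$fqdn = "private.edgediagnostic.globalsecureaccess.microsoft.com"
$expectedServers = @("8.8.8.8", "1.1.1.1")

function Test-GsaDiagnosticNrpt {
    param(
        [string]$Namespace = $fqdn,
        [string[]]$ExpectedServers = $expectedServers
    )

    # 1. An NRPT rule must exist for exactly this namespace and list the public resolvers.
    $rule = Get-DnsClientNrptRule -ErrorAction SilentlyContinue |
        Where-Object { $_.Namespace -eq $Namespace }
    if (-not $rule) {
        Write-Warning "No NRPT rule found for $Namespace"
        return $false
    }
    $missing = $ExpectedServers | Where-Object { $_ -notin $rule.NameServers }
    if ($missing) {
        Write-Warning "Rule exists but does not list: $($missing -join ', ')"
        return $false
    }

    # 2. Drop cached answers so the test exercises the rule, not an earlier
    #    (possibly failed) answer that came back through the Roaming Client.
    Clear-DnsClientCache

    # 3. Resolve through the local DNS client, which applies NRPT. No -Server is
    #    given on purpose: that is the path the GSA diagnostic check itself uses.
    try {
        $viaNrpt = Resolve-DnsName -Name $Namespace -Type A -DnsOnly -ErrorAction Stop
    } catch {
        Write-Warning "Resolution through the NRPT rule failed: $($_.Exception.Message)"
        return $false
    }

    # 4. For comparison, query the first public resolver directly (bypassing NRPT).
    #    Addresses can legitimately differ between queries, so this is reported,
    #    not treated as a failure.
    $direct = Resolve-DnsName -Name $Namespace -Type A -Server $ExpectedServers[0] `
        -DnsOnly -ErrorAction SilentlyContinue
    $nrptIps   = @($viaNrpt | Where-Object QueryType -eq 'A' | ForEach-Object IPAddress)
    $directIps = @($direct  | Where-Object QueryType -eq 'A' | ForEach-Object IPAddress)

    Write-Host ("Via NRPT rule : {0}" -f ($nrptIps -join ', '))
    Write-Host ("Via {0} direct: {1}" -f $ExpectedServers[0], ($directIps -join ', '))
    return ($nrptIps.Count -gt 0)
}

function Remove-GsaDiagnosticNrpt {
    # Rollback: delete the rule for this namespace and flush the cache so the
    # next query goes back through the Roaming Client.
    param([string]$Namespace = $fqdn)
    Get-DnsClientNrptRule -ErrorAction SilentlyContinue |
        Where-Object { $_.Namespace -eq $Namespace } |
        Remove-DnsClientNrptRule -Force
    Clear-DnsClientCache
    Write-Host "NRPT rule for $Namespace removed"
}

# Usage: run the check; call Remove-GsaDiagnosticNrpt to undo the change.
if (Test-GsaDiagnosticNrpt) {
    Write-Host "NRPT rule is in place and $fqdn resolves through it"
} else {
    Write-Host "Check failed; see warnings above"
}
```

The check resolves the name without a -Server argument so that the query goes through the Windows DNS client and therefore through NRPT, which is the same path the GSA client's diagnostic check takes; a direct query to a public resolver would succeed even when the rule is missing, so it is only shown for comparison.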
Related Content
- Microsoft's GSA known limitations
- Solving "No such Host is Known" Azure VPN errors
- Bypassing the Windows agent for Webex domains