Microsoft Entra GSA and Windows Roaming Client

GSA does not support DNS-over-TLS, which may conflict with the Roaming Client when it attempts TLS first
Some ISPs (e.g., Spectrum, Comcast, hotel Wi-Fi) use transparent DoH/TLS proxying, causing resolution errors
Failures often occur on the Microsoft diagnostic domain: private.edgediagnostic.globalsecureaccess.microsoft.com

Create an NRPT Rule for the GSA diagnostic domain to resolve the issue. This rule bypasses the Windows agent so the domain's traffic successfully resolves through a public server.

Create an NRPT Rule

Use a PowerShell script to bypass the Windows agent for the impacted domain and resolve it via public DNS.

Open PowerShell as Administrator

Run the following script:

$fqdn = "private.edgediagnostic.globalsecureaccess.microsoft.com"

# Check if rule exists
$existing = Get-DnsClientNrptRule -ErrorAction SilentlyContinue | Where-Object { $_.Namespace -eq $fqdn }
if ($existing) {
    $existing | Remove-DnsClientNrptRule -Force
}

# Add new rule
Add-DnsClientNrptRule `
    -Namespace $fqdn `
    -NameServers @("8.8.8.8", "1.1.1.1") `
    -DisplayName "Force DNS for GSA Diagnostics over public resolvers"

Write-Host "NRPT rule added for $fqdn using public DNS"

Confirm the rule was added: Get-DnsClientNrptRule

After applying the NRPT rule, Microsoft Entra GSA diagnostic checks should resolve correctly, and Roaming Client filtering will continue to function in restrictive network environments.

Comments

2 comments

Dan Levy

June 03, 2026 17:43
Hello - is this article applicable to the Precheck roaming client, the classic, or both?
0
Minetta Gould Community Team DNSFilter Staff

June 03, 2026 20:18
Great question, Dan Levy! This article applies to Classic mode. DNS PreCheck intercepts DNS at the kernel level, so NRPT rules—which work through the Windows resolver—don't come into play there. Hope this helps!
0

Please sign in to leave a comment.

How can we help you?

Search

In this article

Create an NRPT Rule

Related Content

Comments