Network icon showing yellow with the Webroot DNS Protection agent installed

  • 14 August 2019
When using the DNS Protection agent on an endpoint, the network icon may show yellow and display a warning of “No Internet Access or Limited Connectivity” even when the connection is functioning properly. This is due to a limitation in Microsoft’s Network Connectivity Status Indicator (NCSI) feature refusing to perform DNS lookups on a different interface such as (click here for information on Webroot DNS Agent behavior).

This is primarily a cosmetic issue. However, some Microsoft applications such as Outlook, Office365, Skype and OneDrive may not even attempt to connect when this “No Internet Access” warning is displayed.

Microsoft has included a new policy setting, Specify Global DNS, for Windows 10 build 1709 or later, which allows the NCSI feature to perform lookups over any network interface.

  • Specify Global DNS: This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.

For Windows 10, build 1709 or later

To deploy the fix (Local Group Policy):
1. Open gpedit.msc
2. Within "Computer Configuration > Administrative Templates > Network > Network Connectivity Status Indicator", enable the Specify Global DNS setting.

3. On the workstation run: gpupdate /force

Note: A reboot is required to clear the existing issue.

If the group policy setting is missing, you will need to import the ADMX template manually.

To import ADMX templates manually:
1. Download the latest administrative templates for the Windows 10 Fall Creators update.
2. Run the .msi installer to extract the .ADMX files.
  • The extracted files are normally located in:
C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Fall Creators Update (1709)\PolicyDefinitions\

3. Copy the extracted files to your central store for PolicyDefinitions.
  • This is normally located here:

4. Reopen the Group Policy Management tool to make the new policy available.

To deploy the fix via command line:
The same change is available by modifying a registry setting. This can be applied by entering the following from a command line:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicator" /v UseGlobalDNS /t REG_DWORD /d 1 /f
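
The same registry change as an idempotent PowerShell function, added here as an example (not Webroot's or Microsoft's code). The function name `Set-NcsiGlobalDns` is hypothetical, and the mapping of version 1709 to OS build 16299 is an assumption not stated in this article; the key path and value name are the ones given above.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify the NCSI "Specify Global DNS" policy value.
# Set-NcsiGlobalDns is a hypothetical name; key path and value name come from the article.

function Set-NcsiGlobalDns {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'
    $name = 'UseGlobalDNS'

    # Assumption: Windows 10 version 1709 is OS build 16299. The article's fix applies to 1709 or later.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    if ($build -lt 16299) {
        Write-Warning "OS build $build predates 1709; use the options for other Windows versions."
        return
    }

    # Read the current value; $null means the value (or the whole key) does not exist yet.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq 1) {
        Write-Output "$name is already 1; no change made."
        return
    }

    if ($PSCmdlet.ShouldProcess("$key\$name", 'Set REG_DWORD to 1')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

        # Read the value back so a silent failure (for example, a policy overwrite) is caught.
        $verify = (Get-ItemProperty -Path $key -Name $name).$name
        if ($verify -ne 1) { throw "Failed to set $name under $key" }

        $was = if ($null -eq $current) { 'not present' } else { $current }
        Write-Output "$name set to 1 (was: $was). Reboot to clear the existing warning."
    }
}

Set-NcsiGlobalDns
```

Run it with `-WhatIf` first to see the change without writing to the registry.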

For other Windows Operating Systems

Where possible, we recommend updating to Windows 10 to obtain the Microsoft fix. For other Windows Operating Systems (such as Windows 7), we have some options to try. However, as this is a limitation within the NCSI functionality, no single solution may address every scenario.

Option 1: Use Webroot DNS via Network Configuration
Webroot DNS Protection has two components: A network-based solution designed to protect all devices on a network and an agent-based option designed to protect installed devices independent of their active network connection. If devices are within the corporate network permanently, configuring Webroot DNS on the network rather than using the agent may be an option to consider. Click here for more information.

Option 2: Host File Modification
This method adds the IP address of the NCSI DNS lookup to the hosts file. This can help in some scenarios.
  1. Press the Windows key or go to the start menu.
  2. Type Notepad in the search field.
  3. In the search input box, right-click Notepad and select Run As Administrator.
  4. In Notepad, open the following file: C:\Windows\System32\drivers\etc\hosts
  5. Append the following to the hosts file:
  6. Click File and Save.
  7. Reboot the system.
Note: This may cause NCSI to display that the system is “Connected” in some situations where there is actually limited connectivity.

Active DNS tests must be enabled for this to succeed. To enable Active Probing, add the reg key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\EnableActiveProbing = 1 (DWORD)

Option 3: Applying Network-Parameter-3 registry key
This registry key is most useful for allowing functionality with certain VPN solutions. However, because it sets the DNS server to the IPv4 address of the machine, it can help in some scenarios. For instructions on applying this registry key click here.

Option 4: Adjusting Passive Polling Parameters
Passive Polling can be adjusted to make the system more likely to recognize internet traffic. Whilst these registry keys should make it far more likely that passive polling will succeed, they will not necessarily resolve the problem for every environment. Please contact Microsoft Support for assistance in troubleshooting Passive Polling.

Microsoft recommends adding the following registry keys:

Disable Active Probing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\EnableActiveProbing = 0 (DWORD)

Reduce the Passive Hop count threshold to 1 (this is the minimum):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\MinimumInternetHopCount = 1 (DWORD)

Double (or more) the Passive Polling period:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\PassivePollPeriod = 30 (DWORD)
If any of the registry keys do not exist they should be created. Please reboot the system after making these changes.
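
A read-only check of the three Option 4 values, added here as an example (not Webroot's or Microsoft's code). The function name `Get-NcsiPassivePollState` is hypothetical, and treating `PassivePollPeriod` as "30 or higher" is this example's reading of "double (or more)"; the key path, value names and targets are from the list above.

```powershell
# Added example: compare the NlaSvc values named in Option 4 with what is on this machine.
# Get-NcsiPassivePollState is a hypothetical name; it only reads the registry.
function Get-NcsiPassivePollState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'

    # Option 4 targets. PassivePollPeriod is read as "30 or more" (assumption); the others are exact.
    $targets = @(
        @{ Name = 'EnableActiveProbing';     Want = '0';    Test = { param($v) $v -eq 0 } }
        @{ Name = 'MinimumInternetHopCount'; Want = '1';    Test = { param($v) $v -eq 1 } }
        @{ Name = 'PassivePollPeriod';       Want = '>=30'; Test = { param($v) $v -ge 30 } }
    )

    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($t in $targets) {
        # A missing value yields $null, which is reported as "(not set)" and never matches.
        $actual = if ($props) { $props.($t.Name) } else { $null }
        [pscustomobject]@{
            Value   = $t.Name
            Wanted  = $t.Want
            Actual  = if ($null -eq $actual) { '(not set)' } else { $actual }
            Matches = ($null -ne $actual) -and (& $t.Test $actual)
        }
    }
}

$state = Get-NcsiPassivePollState
$state | Format-Table -AutoSize

# Option 2 needs EnableActiveProbing = 1 and Option 4 sets it to 0, so only one can be in effect.
$probe = $state | Where-Object Value -eq 'EnableActiveProbing'
if ($probe.Actual -eq 1) {
    Write-Warning 'Active probing is enabled: this matches Option 2, not Option 4.'
}
```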

If problems persist after making these changes, please open a ticket to report the issue and work with Support to investigate.
