Microsoft Network Connectivity Status Indicator (NCSI)
In rare circumstances the Umbrella Roaming Client can make it more likely for Windows to incorrectly display a “No Internet Access” warning when connectivity is still functioning correctly. This is caused by a limitation in Microsoft’s Network Connectivity Status Indicator feature.
A fix from Microsoft is included in the Fall 2017 Windows 10 update, available October 2017.
This is primarily a cosmetic issue, in the sense that the client machine does still have full internet connectivity. However, some Microsoft applications such as Outlook, Office365, Skype and OneDrive may not even attempt to connect when this “No Internet Access” warning is displayed.
Please note - If you are seeing a genuine connectivity problem whilst the warning triangle is displayed (such as DNS queries not responding, latency, or websites not loading) then this article isn't the best place to start. This indicates that NCSI is displaying a legitimate warning caused by real network connectivity issues.
NCSI uses “Active” DNS probes to validate that internet connectivity is possible on each network interface. Active probing is described in more detail here:
However, these DNS checks are restricted and NCSI will refuse to send them to a DNS server on a different interface (such as 127.0.0.1). The Roaming Client runs a DNS forwarder on the loopback interface (127.0.0.1) as part of its core operation, therefore these specific checks are not compatible with the Roaming Client.
Microsoft engineering have confirmed the cause and released a new policy setting in Windows 10 to correct the problem.
This limitation does not cause any problem in the vast majority of environments, because Windows also performs other checks to validate connectivity. See Passive Polling below.
Microsoft has included a new policy setting which resolves the root cause. This is the preferred fix for Windows 10 users.
To obtain the fix, update Windows 10 to version 1709 (build 16299) or later and then apply the following changes (the update alone does not enable the fix by default).
Deploying the fix (Local Group Policy)
The setting is available in gpedit.msc within "Computer Configuration > Administrative Templates > Network > Network Connectivity Status Indicator". Enable the 'Specify Global DNS' setting as pictured and then run gpupdate /force. Note: a reboot is required to clear the existing issue.
Deploying the fix (CLI)
The same change is available by modifying a registry setting. This is a good way to script the change centrally.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicator" /v UseGlobalDNS /t REG_DWORD /d 1 /f
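An added PowerShell equivalent of the reg add command above (this is not the article's own script): it refuses to apply the policy on a build older than 16299, where the setting does not exist, writes UseGlobalDNS, and warns if active probing has been switched off, since the fix only affects the active DNS check. Run it from an elevated session.

```powershell
# Added example: apply the Microsoft NCSI fix (UseGlobalDNS) only where it is available.
# Requires an elevated PowerShell session; a reboot is still needed to clear the warning.

$minBuild = 16299   # Windows 10 version 1709 (Fall Creators Update)
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

if ($build -lt $minBuild) {
    Write-Warning "Build $build is older than $minBuild; the UseGlobalDNS policy is not available. Use the hosts file workaround instead."
    exit 1
}

# Same policy key the article's reg add command writes; the GPO 'Specify Global DNS' setting writes the same value.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name 'UseGlobalDNS' -PropertyType DWord -Value 1 -Force | Out-Null

# The fix changes how NCSI sends its active DNS probe, so it cannot help if probing is disabled.
$nlaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
$probing = (Get-ItemProperty -Path $nlaKey -Name 'EnableActiveProbing' -ErrorAction SilentlyContinue).EnableActiveProbing
if ($probing -eq 0) {
    Write-Warning 'EnableActiveProbing is 0: active DNS probes are disabled, so UseGlobalDNS cannot take effect. Set it back to 1.'
}

# Read the value back to confirm, then refresh policy.
$applied = (Get-ItemProperty -Path $policyKey -Name 'UseGlobalDNS').UseGlobalDNS
Write-Output "UseGlobalDNS = $applied on build $build; reboot to clear the existing 'No Internet Access' state."
gpupdate /force
```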
Deploying the fix (Windows Server 2016)
We are expecting the Group Policy setting to become available centrally for users of Server 2016. In the interim, the policy setting can be imported manually by downloading the latest ADMX templates.
- Download the latest administrative templates for Windows 10 Fall Creators update.
- Run the .msi installer to extract the .ADMX files.
- The extracted files are normally located in:
C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Fall Creators Update (1709)\PolicyDefinitions\
- Copy the extracted files to your central store for PolicyDefinitions.
- This is normally located here:
- Re-open the Group Policy Management tool to make the new policy available.
Recommendations for Other Windows Versions
It is strongly recommended that affected customers upgrade to Windows 10 if possible to obtain the Microsoft fix.
For other Windows versions (eg. Windows 7) our recommendations are as follows:
- Use the described Host file workaround. This forces the Active DNS check to succeed and resolves the known issue.
- Cisco AnyConnect customers are advised to use our AnyConnect Roaming module, which is not affected by this issue.
- Install MS Hotfix 2964643 (Windows 7 only). This resolves another NCSI issue that occurs when multiple network interfaces are connected.
Windows 7 only. For Windows 10, apply the registry or GPO setting above. This workaround resolves the known issue with the “Active” DNS tests. It can be used on any Windows version, but is most useful for Windows 7 and older systems where the Microsoft fix is not available.
- Press the Windows key or go to the start menu.
- Type Notepad in the search field.
- In the search input box, right-click Notepad and select Run As Administrator.
- In Notepad, open the following file: C:\Windows\System32\drivers\etc\hosts
- Append the following to the hosts file: 22.214.171.124 dns.msftncsi.com
- Click File and Save.
- Reboot the system.
Note that this may cause NCSI to display that the system is “Connected” in some situations where there is actually limited connectivity.
Attached to this document is a file called hostsfile.vbs. This file is a Visual Basic script that runs on Windows computers and appends the above entry to the hosts file automatically. This will assist with distributing the change to an entire organization.
Note, for this workaround to succeed, Active DNS tests must be enabled. If you have previously attempted other workarounds, please ensure that the Active DNS tests are re-enabled:
- Enable Active Probing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\EnableActiveProbing = 1 (DWORD)
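An added PowerShell version of the hosts file workaround, written for this article and separate from the attached hostsfile.vbs: it appends the entry given above only if dns.msftncsi.com is not already mapped (so it is safe to re-run from a deployment tool), keeps a backup of the hosts file, and re-enables EnableActiveProbing as the note above requires. Run it from an elevated session and reboot afterwards.

```powershell
# Added example: idempotent hosts file workaround for the NCSI active DNS test.
# Requires an elevated PowerShell session.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entry = '22.214.171.124 dns.msftncsi.com'   # entry exactly as given in the article

$lines = @()
if (Test-Path $hostsPath) { $lines = Get-Content -Path $hostsPath }

# An existing, uncommented mapping for dns.msftncsi.com (any address, any spacing) means nothing to do.
$existing = $lines | Where-Object { $_ -match '^\s*[^#\s]+\s+dns\.msftncsi\.com(\s|$)' }

if ($existing) {
    Write-Output "hosts already maps dns.msftncsi.com: $($existing -join '; ')"
} else {
    # Back up first, then append on a fresh line in case the file has no trailing newline.
    if (Test-Path $hostsPath) { Copy-Item -Path $hostsPath -Destination "$hostsPath.bak" -Force }
    Add-Content -Path $hostsPath -Value "`r`n$entry" -Encoding Ascii
    Write-Output "Appended to hosts: $entry"
}

# The workaround only works if NCSI actually sends the active probe, so make sure probing is on.
$nlaKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
if (-not (Test-Path $nlaKey)) { New-Item -Path $nlaKey -Force | Out-Null }
New-ItemProperty -Path $nlaKey -Name 'EnableActiveProbing' -PropertyType DWord -Value 1 -Force | Out-Null

# Show what the local resolver now returns for the probe name (hosts entries are honoured here).
Resolve-DnsName -Name dns.msftncsi.com -ErrorAction SilentlyContinue | Select-Object Name, IPAddress
Write-Output 'Reboot the system to clear the existing warning.'
```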
This section is provided for informational purposes.
Windows also uses a technique called ‘Passive Polling’ to monitor for traffic received from the internet. If the “No Internet Access” warning is displayed incorrectly it is likely your environment is affected by an issue with Passive Polling.
Passive Polling works by analyzing the TTL (Time To Live) in the IP header of TCP/UDP packets. The TTL is analyzed to determine how many “hops” the packet has taken to reach the computer. When a received packet has crossed more than the default of 8 hops the system is deemed to have Internet Connectivity.
In some circumstances the Passive Polling technique may be inconsistent, for example:
- Running Windows in a desktop virtual machine such as Parallels Desktop or VMware Fusion/Workstation.
- When other networking software such as firewalls, proxy servers, or certain VPN clients reset the TTL.
- In an environment where there is a low number of packets received from the internet. For example, when Internet Access is strictly locked down.
- When multiple network interfaces are connected, passive polling may fail on one or more of these.
If you believe you are affected by a Passive Polling issue, please try the following.
- Reference https://docs.microsoft.com/answers/answers/210436/view.html for a solution from Microsoft.
- Contact Microsoft support for assistance.
- Add the domains "msftconnecttest.com" and "msftncsi.com" to the Internal Domains list in the Umbrella dashboard -> Deployments -> Domain Management.
Our Cisco AnyConnect module works in a similar way to the standard Roaming Client, but uses a different method of intercepting DNS traffic: a kernel driver rather than modifying the DNS server settings on the network interface. Therefore this product is not affected by the NCSI limitation.
We recommend that Cisco AnyConnect customers migrate to the Umbrella Security Module.
Adjust Passive Polling Parameters
Passive Polling can be adjusted to make the system more likely to recognize internet traffic. The drawback is that it may not work in every scenario. These steps should only be used as a last resort and should not be used in conjunction with any of the above fixes.
Microsoft recommends adding the following registry keys:
- Disable Active Probing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\EnableActiveProbing = 0 (DWORD)
- Reduce the Passive Hop count threshold to 1 (this is the minimum):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\MinimumInternetHopCount = 1 (DWORD)
- Double (or more) the Passive Polling period:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\PassivePollPeriod = 30 (DWORD)
If any of the registry keys do not exist they should be created. Please reboot the system after making these changes.
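Because the passive polling keys are meant to be a last resort and must not be combined with the active-probe fixes, a read-only check of the current state is useful before and after a rollout. The following PowerShell script is an added example, not part of the article: it reads back every setting the article mentions and warns about the combinations the article says should not coexist.

```powershell
# Added example: audit the NCSI-related settings from this article and flag conflicting combinations.
# Read-only; HKLM reads and reading the hosts file do not require elevation.

$nlaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-RegValue($path, $name) {
    # Returns $null when the key or value is absent (Windows default behaviour applies then).
    (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
}

$hostsEntry = $false
if (Test-Path $hostsPath) {
    $hostsEntry = [bool](Get-Content $hostsPath | Where-Object { $_ -match '^\s*[^#\s]+\s+dns\.msftncsi\.com(\s|$)' })
}

$state = [ordered]@{
    EnableActiveProbing     = Get-RegValue $nlaKey 'EnableActiveProbing'
    MinimumInternetHopCount = Get-RegValue $nlaKey 'MinimumInternetHopCount'
    PassivePollPeriod       = Get-RegValue $nlaKey 'PassivePollPeriod'
    UseGlobalDNS            = Get-RegValue $policyKey 'UseGlobalDNS'
    HostsEntryPresent       = $hostsEntry
}
[pscustomobject]$state | Format-List

$activeFix    = ($state.UseGlobalDNS -eq 1) -or $state.HostsEntryPresent
$passiveTuned = ($null -ne $state.MinimumInternetHopCount) -or ($null -ne $state.PassivePollPeriod)
$findings = @()

if ($state.EnableActiveProbing -eq 0 -and $activeFix) {
    $findings += 'Active probing is disabled, so neither UseGlobalDNS nor the hosts entry can take effect.'
}
if ($passiveTuned -and $activeFix) {
    $findings += 'Passive polling keys are set alongside an active-probe fix; the article says not to combine them.'
}
if ($state.UseGlobalDNS -eq 1 -and $state.HostsEntryPresent) {
    $findings += 'Both the Windows 10 policy fix and the hosts workaround are present; the article recommends the policy fix on Windows 10.'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No conflicting NCSI settings found.' }
```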
Whilst these registry keys should make it far more likely that passive polling will succeed, they will not necessarily resolve the problem for every environment. Please contact Microsoft support for assistance in troubleshooting passive polling, try the solution provided by Microsoft at https://docs.microsoft.com/answers/answers/210436/view.html, or try adding the domains "msftconnecttest.com" and "msftncsi.com" to the Internal Domains list in the Umbrella dashboard -> Deployments -> Domain Management.