Mitigation

  1. Check whether the registry key HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig exists on the end-user device. If it exists, this indicates that Group Policy NRPT rules are being applied on the device.
  2. To find which GPOs are configured with NRPT rules:
    • Run gpresult /h GPReport.html on the end-user device and look for an NRPT configuration.
    • Run the following PowerShell script that detects the paths of all registry.pol files in sysvol that contain NRPT rules.

    Remember to change the $sysvolPath variable to match the configuration of your network.

    # Define the sysvol share path.
    # Change the sysvol path per your organization, for example:
    # $sysvolPath = "\\dc1.contoso.com\sysvol\contoso.com\Policies"
    $sysvolPath = "\\<DC FQDN>\sysvol\<domain FQDN>\Policies"  # <-- edit this line

    # Define the search string (registry.pol stores key paths as UTF-16LE text,
    # so the NRPT key name is searchable once the file is read as Unicode).
    $searchString = "dnspolicyconfig"

    # Define the name of the file to search.
    $fileName = "registry.pol"

    # Get all the registry.pol files under the sysvol share.
    $files = Get-ChildItem -Path $sysvolPath -Recurse -Filter $fileName -File

    # Array to store paths of files that contain the search string.
    $matchingFiles = @()

    # Loop through each file and check if it contains the search string.
    foreach ($file in $files) {
        try {
            # Read the whole file as one Unicode string (-Raw) so the -like
            # comparison runs against the complete content, not line by line.
            $content = Get-Content -Path $file.FullName -Encoding Unicode -Raw

            # Check if the content contains the search string (-like is case-insensitive).
            if ($content -like "*$searchString*") {
                $matchingFiles += $file.FullName
            }
        } catch {
            Write-Host "Failed to read file $($file.FullName): $_"
        }
    }

    # Output the matching file paths.
    if ($matchingFiles.Count -eq 0) {
        Write-Host "No files containing '$searchString' were found."
    } else {
        Write-Host "Files containing '$searchString':"
        $matchingFiles | ForEach-Object { Write-Host $_ }
    }
  3. Edit each of the GPOs found in the previous section:
    • If the NRPT section is empty, create a new dummy rule, update the policy, delete the dummy rule, and update the policy again. These steps remove the DnsPolicyConfig from the registry.pol file (which was created in a legacy version of Windows).
    • If the NRPT section isn't empty and contains rules, confirm that you still need these rules. If you don't need the rules, delete them. If you do need the rules, be aware that applying the GPO to a device with the ZTSA module makes internal apps inaccessible.
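
The following PowerShell is an added example for steps 1 and 2, not part of the original page's script. It wraps the registry check from step 1 in a function that also lists the rule subkeys found under DnsPolicyConfig, and it extends the sysvol search from step 2 by mapping each matching registry.pol path back to its GPO display name: GPO folders in sysvol are named by the GPO GUID, so the GUID in the path can be resolved with Get-GPO from the RSAT GroupPolicy module. It assumes that module and the built-in DnsClient module are available; the $SysvolPath value is a placeholder you must replace. Remediation (step 3) is still done in the Group Policy editor as described above.

```powershell
# Added example (not from the original page). Assumes the RSAT GroupPolicy module
# (Get-GPO) and the DnsClient module (Get-DnsClientNrptPolicy) are installed.

$NrptKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'

function Get-LocalNrptState {
    # Step 1: report whether the Group Policy NRPT key exists on this device and,
    # if so, dump every rule subkey with its values (value names are not assumed;
    # whatever the GPO wrote is shown).
    if (-not (Test-Path -Path $NrptKey)) {
        return [pscustomobject]@{ KeyPresent = $false; Rules = @() }
    }
    $rules = foreach ($sub in Get-ChildItem -Path $NrptKey) {
        $props = Get-ItemProperty -Path $sub.PSPath
        $values = @{}
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties PowerShell adds to registry objects.
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
        [pscustomobject]@{ RuleKey = $sub.PSChildName; Values = $values }
    }
    [pscustomobject]@{ KeyPresent = $true; Rules = @($rules) }
}

function Find-NrptGpo {
    # Step 2: find registry.pol files in sysvol that contain NRPT settings and
    # resolve the owning GPO's display name from the GUID folder in the path.
    param(
        [Parameter(Mandatory)][string]$SysvolPath,
        [string]$SearchString = 'dnspolicyconfig'
    )
    $canResolve = [bool](Get-Command -Name Get-GPO -ErrorAction SilentlyContinue)

    Get-ChildItem -Path $SysvolPath -Recurse -Filter 'registry.pol' -File |
        ForEach-Object {
            try {
                $raw = Get-Content -Path $_.FullName -Encoding Unicode -Raw -ErrorAction Stop
            } catch {
                Write-Warning "Failed to read $($_.FullName): $_"
                return
            }
            if ($raw -notlike "*$SearchString*") { return }

            # NRPT is a computer setting, so the hit normally sits under
            # ...\Policies\{GUID}\Machine\registry.pol; pull the GUID out of the path.
            $guid = if ($_.FullName -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1] } else { $null }
            $name = $null
            if ($guid -and $canResolve) {
                $name = (Get-GPO -Guid $guid -ErrorAction SilentlyContinue).DisplayName
            }
            [pscustomobject]@{
                Path    = $_.FullName
                Scope   = if ($_.FullName -like '*\Machine\*') { 'Machine' } else { 'User' }
                GpoGuid = $guid
                GpoName = $name
            }
        }
}

# --- Usage -------------------------------------------------------------------
# Step 1: local device state.
$state = Get-LocalNrptState
"DnsPolicyConfig key present: $($state.KeyPresent)"
$state.Rules | ForEach-Object { "Rule $($_.RuleKey): " + (($_.Values.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; ') }

# Cross-check with the NRPT the DNS client is actually applying (built-in cmdlet).
Get-DnsClientNrptPolicy | Select-Object Namespace, NameServers, DirectAccessDnsServers

# Step 2: which GPOs carry the setting. Placeholder path; edit for your domain.
$SysvolPath = '\\<DC FQDN>\sysvol\<domain FQDN>\Policies'
Find-NrptGpo -SysvolPath $SysvolPath | Format-Table -AutoSize
```

A match whose GpoName resolves to a GPO with an empty NRPT section is the legacy leftover described in step 3; a match with rules listed under step 1's output is a GPO you need to review before the ZTSA module is deployed to that device.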

Reference