Client Connector - internal DNS resolution in machine tunnel mode

Hello community!

Our Windows Autopilot client deployment relies on the machine tunnel connectivity to our AD controllers hosted on Azure.

It has turned out that once the Zscaler client connector is deployed via Intune during the Windows setup, the machine tunnel is successfully established (app package is deployed with the machine provisioning key), but the internal domain is not resolved.

Result: Windows Autopilot deployment is stuck in the “Enrollment Status Page” Stage 3, where the device is trying to join the on-premises domain.


Pre-verification tasks for automatic device joining have been completed. NO join can be performed for the device because no domain controller was found. The device must be connected to a network that is connected to an Active Directory domain controller.

Let’s assume our internal domain is company.lan where the domain is added to the search domains in ZPA.

What I’ve tested so far (and what’s really strange IMHO):

nslookup company.lan → fails
ping company.lan → fails (should be resolved by Zscaler AFAIK)

ping → success (ICMP response when using a FQDN)

What I didn’t get is, why DNS resolution using a FQDN is working and resolving the domain itself is not.

Some screenshots for further clarification:

The required servers that need to be contacted are added by IP and FQDN in the application segment.

Would you feel this is related to: Intune Autopilot and ZScaler - #5 by Charles_Repain

Somehow yes, let me answer those questions:

  1. Is there an App Segment for the Domain Controllers YES
  2. Is there a policy that authorised the user to access Domain Controllers App Segment YES
  3. If the machine is trying to access the Domain controller before the session is opened then you need to make sure that a Machine Tunnel is configured and that a policy allows connections to Domain Controllers from this machine tunnel YES

If I’m right ZIA is not affecting anything when the machine tunnel is up, right?
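The symptom described in this thread (a DC FQDN resolves, the bare domain name does not, and Autopilot then reports that no domain controller was found) can be narrowed down from the affected device before blaming the tunnel. The domain join does not look the bare domain up as an A record and stop there; the Windows DC locator queries the `_ldap._tcp.dc._msdcs.<domain>` and `_kerberos._tcp.dc._msdcs.<domain>` SRV records, so those are the names that must resolve through the machine tunnel. The following PowerShell script is an added diagnostic example, not code from the original post or from Zscaler; it assumes the domain `company.lan` from the thread and uses `dc01.company.lan` as a placeholder for one of the DC FQDNs that already resolves (replace it with a real name from the application segment).

```powershell
# Added example (not from the original post). Assumes the internal domain
# company.lan from the thread; dc01.company.lan is a placeholder DC FQDN.
param(
    [string]$Domain = 'company.lan',
    [string]$DcFqdn = 'dc01.company.lan'   # assumption: substitute a real DC name
)

# Resolve one name of a given record type directly against DNS (no hosts file,
# no local cache) and return a one-line summary instead of throwing.
function Test-Name {
    param([string]$Name, [string]$Type = 'A')
    try {
        $records = Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq $Type }
        $answer = foreach ($r in $records) {
            if ($Type -eq 'SRV') { "$($r.NameTarget):$($r.Port)" } else { $r.IPAddress }
        }
        [pscustomobject]@{ Query = "$Type $Name"; Result = 'OK';   Answer = ($answer -join ', ') }
    } catch {
        [pscustomobject]@{ Query = "$Type $Name"; Result = 'FAIL'; Answer = $_.Exception.Message }
    }
}

# 1. What the DNS client on this device is actually using: configured servers
#    and the suffix search list. The bare domain must be reachable as a name
#    on its own; a search suffix only helps for short names such as "dc01".
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
Get-DnsClientGlobalSetting | Select-Object -ExpandProperty SuffixSearchList

# 2. The names the thread compares, plus the SRV records the domain join
#    (DC locator) really needs. If the FQDN line is OK and the three lines
#    below it FAIL, the join will stop with "no domain controller was found"
#    even though the tunnel itself is up.
@(
    Test-Name -Name $DcFqdn                                         # reported as working
    Test-Name -Name $Domain                                         # reported as failing
    Test-Name -Name "_ldap._tcp.dc._msdcs.$Domain"     -Type 'SRV'  # DC locator (LDAP)
    Test-Name -Name "_kerberos._tcp.dc._msdcs.$Domain" -Type 'SRV'  # DC locator (Kerberos)
) | Format-Table -AutoSize

# 3. Ask the DC locator the same way the domain join does. A successful run
#    prints the selected DC and its site; a failure returns ERROR_NO_SUCH_DOMAIN
#    (1355), which is the condition behind the Enrollment Status Page message.
nltest /dsgetdc:$Domain
```

Run it from an elevated PowerShell on the device while it is sitting at the Enrollment Status Page (Shift+F10 opens a command prompt there). If the `_msdcs` SRV lookups fail while the DC FQDN resolves, the problem is which names the client connector forwards through the tunnel rather than whether the tunnel is established, which is where the search-domain and application-segment settings mentioned above come in.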