Machine Tunnel implementations - best practices

Would also like to know when this feature will be released.

Hi Guys,

I’ve heard rumours that certificate posture check for machine tunnel is very close to release.
I can’t say the same for Domain joined or registry but here’s hoping.



Currently doing a POV and trying to get machine tunnel to work with Autopilot builds for hybrid-joined laptops…

Have been through the various guides and I’m deploying ZScaler client through Intune with the following switches:

When the Autopilot build gets to the stage for 1st logon via our internal domain, ZScaler diagnostics is visible after the Ctrl/Alt/Del, but the tunnel status is Off and it shows as user tunnel rather than machine tunnel:

Because of this, the 1st logon won’t work as there is no connection up to my internal domain…

If I install ZScaler client using these switches to a logged on domain joined laptop it installs and personal tunnel starts automatically, and if I then logoff and do Ctrl/Alt/Del, machine tunnel is up when I open ZScaler diagnostics…

App version is

Getting this to work is a requirement of our POV…

Any help greatly accepted.



1 Like

Hi Gary, and welcome.

For the install switches, after the POLICYTOKEN= switch, did you include the actual token? If not, you’ll need to get that from the Windows Application Profile that you’ve created for this Machine Tunnel POV.

If you haven’t yet, go through the steps in this page (Configuring Zscaler Client Connector Profiles | Zscaler), including setting the Machine Tunnel options, then Save it (maybe name it Autopilot Machine Tunnel). Re-open this App Profile, and at the top you’ll see the Policy Token (a string of numbers with lots of 3s in it). Copy this to Notepad, and then add it to the POLICYTOKEN= switch.

This should get you going.

Keep that Policy Token secure, and treat it as “sensitive”, like a password. Unless you get some additional security added, anyone with ZCC and that token can gain access to your Domain Controllers.

Hi Paul,

Thanks for getting back to me 🙂

Yes, I knew not to publish the Policy Token 😉

There seemed to be maintenance for ZPA today, and as if by magic this stuff all worked without any changes when I tested this evening 🙂


Implemented Machine Tunnel a few months back and it is working well with a few caveats. Reading through this thread’s latest update, I see reference to “POLICYTOKEN= switch” for the install for Machine Tunnel. I haven’t used any special switches with the install to get the Machine Tunnel functional, so a bit confused here. I just push out the default package and reference the machine token group in the Policy. Am I missing something here?

Hi Rob.

I think you’re talking about the same thing we are. I probably should have stated “the POLICYTOKEN option” rather than “switch”. If you don’t reference the proper Policy Token for ZCC when it’s installed, then it won’t know which ZPA instance to use, let alone which App Profile to use. At least, that’s how it is unless something’s changed.

Hi Paul – See screenshot of the profile I’m using. From my understanding, defining the policy token in the install isn’t required anymore…at least that is what our implementation partner stated although I wouldn’t take that as gospel. I’ll check with my TAM & see what they say also. If it is required, I’m unsure how all of our machine tunnels are working at this point.


I need to use Policytoken as I am building hybrid joined laptops with autopilot. Initially the laptop joins our AAD, then uses on-prem appliance to create offline account in our on-prem AD for the device. Various apps install in the background including ZScaler client. The laptop then needs a connection to our on-prem network for the initial user logon as there is no cached profile yet on the device. Without the policytoken in the install parameters, ZScaler diagnostics doesn’t appear when press Ctrl/Alt/Del and there is no machine tunnel available for that initial login…

@Bronyrafon hi Gary. Are you available for a quick Teams call (30m) to discuss Machine Tunnels and Autopilot? We’re trying to achieve the same thing - we use Hybrid AD joined laptops with User-driven AD DS flow within Autopilot. The policy you push during install - is it ZPA only with Machine Tunnels, or ZIA as well? My understanding is that if you enforce a policy for ZIA, then it restricts Internet access for the user unless enrolled, but user won’t be able to enroll unless he logs into machine, he can’t login unless machine tunnels are up and running 🙂 Chicken and the egg. Unless I misunderstand something and ZIA isn’t actually active unless user logs into machine and this is when ZIA enrollment is enforced. Would be nice if you can spare some time and meet with us to discuss? 🙂


The Client Connector policy we are using is for both and has the Machine Token selected for the Machine Provisioning Key I created in ZPA.

In my Autopilot Enrollment Status Page, the ZScaler Intune package is selected in the ‘Block device use until these required apps are installed if they are assigned to the user/device’ section, ensuring ZScaler client is installed before user can login to Windows…

As in my earlier post, the switches I am using for installing ZScaler client via Intune are:



1 Like

Thanks Gary! So… you’re not using STRICTENFORCEMENT flag, right? I thought this one is required with POLICYTOKEN… but it seems like I am wrong… apparently STRICTENFORCEMENT requires POLICYTOKEN, but not vice versa.

Cool, we’ll give it a try! Thanks

Correct, not using STRICTENFORCEMENT…

We are doing 1 min delta synchs with ADConnect on-prem to ensure the machine records in AAD are up to date in order for our MFA/CA to work when staff do their initial login to the device etc…



Hello Gerhard,

Any news about the certificate posture check feature for machine tunnels?


Hi Marc,

Current ETA for Cert Trust & Client Cert postures using Machine Tunnel is second half of 2022 unless someone heard differently?


1 Like

That’s disappointing. But, it’ll be good when it arrives.

Zscaler should add authentication using Machine cert or Microsoft Pre-Logon Access Provider (PLAP) as it will help especially for ZPA.

1 Like

Hi Paul,

Have you managed to test Machine Tunnel ‘Certificate Trust’ Posture using ZCC 3.9 yet?

No. I wasn’t even aware that 3.9 had the feature! But, we’ll be looking into it.

1 Like

Upon further investigation it doesn’t seem to be 100% live yet.
In our Beta cloud I get this new option below “Apply to Machine Tunnel”


1 Like