Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

The Network Location Server (NLS) is a critical infrastructure component for DirectAccess deployments. The NLS is used by DirectAccess clients to determine if the client is located inside or outside of the corporate network. If the NLS becomes unavailable, DirectAccess clients that are already outside the corporate network are unaffected. However, DirectAccess clients that are inside the corporate network will mistakenly believe that they are outside and the Name Resolution Policy Table (NRPT) will be enabled, forcing name resolution requests for hosts in the internal namespace to be sent to the DNS64 service running on the DirectAccess server. If the DirectAccess server is unreachable from the internal network (a common scenario for a variety of reasons), DirectAccess clients inside the corporate network will be unable to connect to any local network resources by name until the NLS is once again reachable.

Configuring the Network Connectivity Assistant to Allow DirectAccess clients to use local name resolution does not resolve this issue. Although it sounds intuitive, it doesn’t resolve this specific issue where the NLS is unreachable.

Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

When the option to Allow DirectAccess clients to use local name resolution is enabled, the client can only choose to disconnect (use local name resolution) after it has successfully established a connection to the DirectAccess server. If the DirectAccess connection shows that it is still connecting, the option to disconnect is not available.

Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

To address this issue, Microsoft has released update KB2953212 for Windows 8.x clients that allows the disabling of the NRPT regardless if the client has successfully established a DirectAccess connection. With this update, if a DirectAccess client is located on the corporate network and is unable to reach the NLS, the user will be able to disable the NRPT (effectively disconnect DirectAccess) and once again connect to resources on the corporate network.
Hotfix Available to Disable NRPT on Windows 8.x DirectAccess Clients

This update is certainly no excuse not to deploy your NLS in a highly-available configuration using Windows Network Load Balancing (NLB) or a third-party external load balancer (hardware or software), but it can be a life-saver if your NLS becomes unavailable for any reason. I’d recommend deploying this update to all of your Windows 8.x DirectAccess clients soon.

For more information and to download the hotfix, click here.

Leave a comment


  1. I installed this hotfix on my Windows8 machine and I don’t still don’t have any disconnect button.
    The hotfix shos when checking via “wmic qfe list” and I rebooted but that didn’t help either …

    • After installing this hotfix you will only see the disconnect button in a few scenarios – if you are on the corporate LAN, or if you are remote and haven’t established a DirectAccess connection, or if you are remote, have established a connection, and the option to allow users to use local name resolution is enabled in the DirectAccess configuration. In any of those scenarios you should see the disconnect button.

  2. How would you handle these scenario’s with Windows 7 clients? I can’t find a patch for them…..

  3. Tim Heizer

     /  March 4, 2015

    I have DA working on 2012r2 and a Win 8.1 client with this hotfix installed. When I connect to the corp lan and then stop the NLS site in IIS, the 8.1 client changes to “connecting” but I have no Disconnect button. The details below “Connecting” state “IPv6 is disabled. Contact your admin for help.” Any ideas? DA connects perfectly when not on the corp lan. It also works fine when on the corp lan and the NLS site is available.

    • That’s unusual. When I tested this a while back it worked fine then, but I haven’t tried it recently. I’ll test again and see if I have the same issue that you do.

  4. Sebastian Krueck

     /  March 18, 2015

    I downloaded the patch and tried to install it on my Win8.1 x64 machine, but Windows says that this update is not applicable for my computer. Any ideas what I need to do?

  1. Disconnect DirectAccess in Windows 8.x while on LAN - Simple and secure by Design but Business compliant [Benoît SAUTIERE / MVP]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 58 other followers

%d bloggers like this: