Share via

How to Set Global Secure Access Client to Default State Disabled on Windows

Mihail Solovyov 0 Reputation points
2025-08-06T08:59:17.68+00:00

Hi Guys,

I want my users to manually enable the client instead to disable it.. As when they connect to on-premise network with GSA enabled this messes their DNS.

So I'm trying to make GSA client to change it's behavior to Always disabled ( after restart, update or whatever ) I'm using this article as reference: https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-install-windows-client#disable-or-enable-private-access-on-the-client

But this registry key does not do anything.
I have also tried to implement Conditional Access if user is in network 10.10.10.X GSA to be disabled ( private tunnel )
But this also doesn't work. Do you have any ideas what can I try or do.

The only thing I've managed to do is to get is BSOD from the client.. 

ffffe8d`528ad8f0 fffff801`1c084c90     : fffff801`1c0968a3 00000000`00000000 00000000`00000000 ffff808d`e71cfe30 : globalsecureaccessdriver+0x4cca
fffffe8d`528ad8f8 fffff801`1c0968a3     : 00000000`00000000 00000000`00000000 ffff808d`e71cfe30 fffffe8d`528addf8 : globalsecureaccessdriver+0x4c90
fffffe8d`528ad900 00000000`00000000     : 00000000`00000000 ffff808d`e71cfe30 fffffe8d`528addf8 ffff808d`ed9d1030 : globalsecureaccessdriver+0x168a3


SYMBOL_NAME:  globalsecureaccessdriver+4cca

MODULE_NAME: globalsecureaccessdriver

IMAGE_NAME:  globalsecureaccessdriver.sys

STACK_COMMAND: .process /r /p 0xfffff80174bcef80; .thread 0xffff808dd26e7280 ; kb

BUCKET_ID_FUNC_OFFSET:  4cca

FAILURE_BUCKET_ID:  0x133_DPC_globalsecureaccessdriver!unknown_function

Many thanks!
Mihail Solovyov

Microsoft Security | Microsoft Entra | Microsoft Entra Private Access

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Besir Oz 15 Reputation points
    2025-08-19T07:35:25.58+00:00

    Hello Mihail!

    Did you find any solution to set GSA client to disabled by default?

    Since there is no built-in way to set it to disabled when the device on corporate network, having it disabled all together, as you try, seems to be the only way. The user would then have the option to enable when on an external network.

    0 comments
  2. Praveen Chivarla 2,005 Reputation points Microsoft External Staff Moderator
    2025-08-29T09:52:37.1333333+00:00

    Hi @Mihail Solovyov,

    Thank you for posting your query on Microsoft Q&A.

    As per our understanding, you want to configure the Microsoft Entra Global Secure Access (GSA) Windows client so that it remains disabled by default after system restarts, updates, or reboots. Your goal is for users to have to manually enable the client when needed, to avoid DNS issues when connected to an on-premises network. You have tried registry edits and conditional access policies but have been unsuccessful, even encountering BSODs related to the GSA driver.

    The GSA client for Windows includes both a kernel-mode driver (globalsecureaccessdriver.sys) and a user-mode service. The documented registry key (like PrivateAccessEnabled) controls the private access feature but does not control the start behavior of the underlying driver or service. Conditional Access policies similarly do not manage the service or driver startup.

    Incorrect attempts to disable the driver or service using unsupported methods can cause system instability or BSODs like the one you reported.

    Please review the steps below to resolve the issue:

    1. Identify the GSA services and drivers on the client system Open an elevated PowerShell or Command Prompt and run:

    get-service | Where-Object DisplayName -Match "Global Secure Access"

    sc query type= driver state= all | findstr /i "globalsecureaccess"

    This reveals the exact service and driver names to manage.

    1. Disable auto-start of the GSA driver and service

    Using Services MMC (Graphical):

    1. Run services.msc as Administrator.
    2. Locate services like “Global Secure Access Driver” and “Global Secure Access Service”.
    3. Right-click each, choose Properties, and set the Startup type to Disabled.

    Using CLI commands:

    sc config globalsecureaccessdriver start= disabled

    sc stop globalsecureaccessdriver

    sc config globalsecureaccessservice start= disabled

    sc stop globalsecureaccessservice

    1. Set the private access registry key to disabled Execute this command in an elevated prompt:

    reg add "HKLM\SOFTWARE\GlobalSecureAccess\Client" /v PrivateAccessEnabled /t REG_DWORD /d 0 /f

    This ensures private access is off by default.

    1. Provide a manual enable procedure for users Instruct users to start the services manually in an elevated prompt as needed:

    sc start globalsecureaccessdriver

    sc start globalsecureaccessservice

    1. Test thoroughly in a controlled environment
      • Restart the device to verify GSA remains disabled.
        • Manually start services and confirm GSA functionality.
          • Monitor for DNS conflicts or crashes.

    Please refer to:

     Please "Accept as Answer" if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.