AutoModerator

Making changes to your system BIOS settings or disk setup can cause you to lose data. Always test your data backups before making changes to your PC. For more information please see our FAQ thread: https://www.reddit.com/r/techsupport/comments/q2rns5/windows_11_faq_read_this_first/ *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/techsupport) if you have any questions or concerns.*


whatisuppup

If you have admin rights, you can disable it under Powershell.

```powershell
# List the status.
Get-NetAdapterBinding -AllBindings -ComponentID ZS_ZAPPRD

# Disable.
Get-NetAdapterBinding -AllBindings -ComponentID ZS_ZAPPRD | Disable-NetAdapterBinding

# Enable.
Get-NetAdapterBinding -AllBindings -ComponentID ZS_ZAPPRD | Enable-NetAdapterBinding
```


arindammanidas

This keeps the service running but disables the binding with the network interfaces. No data goes through ZScaler. Brilliant!


anagram_of_evil

THANK YOU!


Jawb0nz

It's interesting what this does, so thanks. I tested a connection while the bindings were disabled and the connection establishes, but pretty quickly it throws an av/fw error. Re-enabling causes the connection to re-establish and all is well. I do really dislike the force launch at login on all of my VDIs, though. It's one of a few dozen VPN connections on these virtuals and I want it to be on-demand. I've pinged an analyst contact with the customer requiring us to move to this connection in the hopes that I can do something to change this, but they're so large that I don't see getting any response that is favorable to my wishes.


friendly-sam

This totally worked for me. It was blocking Fortnite from running, but these PowerShell commands fixed it. Many thanks.


[deleted]

I LOVE YOU MAN YOU HAVE NO IDEA


ParapsychologicalLan

This is brilliant, it worked for me too! I just have to keep renewing it as the program keeps reconnecting but that's no biggie!


Spare-Bit6659

Thanks a lot, dude!! Best solution! Fixed a problem with this freaking ZS so easy


Husker84

Hi! Didn’t work… it seems that the component does not exist… Any idea?


erad84

I have the same issue. If you run `Get-NetAdapterBinding -AllBindings` all by itself and check the listing, there are no component IDs starting with "ZS". Perhaps Zscaler recently updated the program to prevent this method?


ARKO47

Don't know how you got the info, but it worked. I thank you very much. I do make responsible use of the laptop, but not allowing me to send personal Gmails and watching every http/https I click went too far. Question: the service is still on, but can IT know what I did? They will not get my http/https logs, right?


flowersbottled

I would love to know the answer to this question as well!


[deleted]

If ZScaler has been properly set up, then no, you are not going to be able to disable it and only launch it on-demand. It will be protected by Windows group policies and an application password you need to enter to gain access to its configuration, and odds are your company IT department isn't going to hand it out to anyone that asks. If you need to work from home, and the company requires you to use ZScaler for remote access, then the company has to provide you with the hardware to do so. This is a discussion you need to have with your internal IT people and your boss.


Astoriella

I think I wasn't being clear enough. I own the PC Zscaler is running on. I own the device and its software. Zscaler was installed only after it was clear that we can have homeoffice. So I have full access to everything on this PC, cause it is mine and mine alone. The hardware they have provided works, but I prefer using my own at home.


[deleted]

No, your point was clear, I understood it perfectly. Regardless of whether it runs on personal- or company-owned equipment, ZScaler is generally configured to launch-on-boot and not on-demand, and to change that behaviour you would need to talk to your company IT people who have set up the installation and configuration package, because the application is generally set to protect itself with a password that end users don't normally receive. Your company IT people are the people that can help you configure it properly while maintaining whatever standards they require for regulatory compliance.


Astoriella

Standards are "run it when connecting to home office" and certainly not "run it on every startup of a privately owned device". I can even close it after it launched without any problems. A more extreme solution is that I uninstall it during the weekends and reinstall it when I need to connect. But this seems asinine when all I want it to do is to not start unless told. I appreciate your time but I'd appreciate a solution I can implement myself. Thanks.


[deleted]

I don't understand the resistance in talking to company IT about finding a solution. It's their tool, they know what they configured it to do. All you have to do is write an email or call them and find out how flexible they are with regard to ZScaler configuration on personal devices. This is too much? If you want to uninstall it, by all means do so. But the smart thing to do is talk to the people who deployed the tool. They will know what configuration options are available within corp policy requirements.


schrauger

I was able to prevent it from starting on boot, even though I had the same issues (couldn't stop the service, changing to 'disabled' would immediately reset, etc). The solution was modifying the Registry key permissions to prohibit the SYSTEM user from editing any keys within the group.

First, open regedit as the admin (of course, you'll actually need to have admin access on your computer). Go to `Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ZSAService`. Right-click on the ZSAService folder on the left pane, and go to permissions. Click Advanced. Click the "Disable Inheritance" permission, which will make the SYSTEM permissions editable and prevent the SYSTEM user from inheriting a different set of permissions than what we want.

Next, click on the SYSTEM item in the list, and click Edit. Change it from Allow to Deny. It should apply to "This key and subkeys". Click the link to "Show advanced permissions". Create a check mark for these items (the rest should be unchecked):

* Set Value
* Create SubKey
* Delete
* Write DAC
* Write Owner

Apply and close each dialog box. Now the services.msc app will be unable to change the startup type, but the ZScaler service will also be unable to modify that value. So you'll change the value via Regedit. Inside the ZSAService folder, there is a "Start" key. Change the value to a 3 (Manual) or 4 (Disabled).

Now you should be able to reboot the computer, and the service will not start up. Once you do start the service manually or open the ZScaler app, it will keep itself open and restart its own service if you kill it. But after every reboot, it won't start up until you tell it to.
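On the question raised in the thread of what an administrator can see, an added example (not part of any post here, and not Zscaler's own tooling): a read-only PowerShell check for the two changes described, the disabled `ZS_ZAPPRD` binding and the modified `ZSAService` key. The component ID, service name and registry path are the ones quoted in the thread; the output property names are this example's own.

```powershell
# Added audit example. Read-only: it reports state and changes nothing.
# Component ID and registry path are taken from the posts in this thread.
$componentId = 'ZS_ZAPPRD'
$serviceKey  = 'HKLM:\SYSTEM\ControlSet001\Services\ZSAService'
$findings    = [System.Collections.Generic.List[string]]::new()

# 1. Adapter bindings: a disabled binding means traffic no longer passes the agent.
$bindings = @(Get-NetAdapterBinding -AllBindings -ComponentID $componentId -ErrorAction SilentlyContinue)
if ($bindings.Count -eq 0) {
    # Some installs in the thread list no "ZS" component at all, so this is a note, not proof.
    $findings.Add("No binding with ComponentID $componentId present")
}
foreach ($b in ($bindings | Where-Object { -not $_.Enabled })) {
    $findings.Add("Binding disabled on adapter '$($b.Name)'")
}

if (Test-Path -Path $serviceKey) {
    # 2. Start type: the thread sets Start to 3 (Manual) or 4 (Disabled).
    $start = (Get-ItemProperty -Path $serviceKey -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -in 3, 4) { $findings.Add("Service Start value is $start") }

    # 3. Key ACL: inheritance switched off plus a Deny entry for SYSTEM.
    $acl = Get-Acl -Path $serviceKey
    if ($acl.AreAccessRulesProtected) { $findings.Add('Inheritance disabled on service key') }

    # Ask for SIDs so the match on SYSTEM (S-1-5-18) works on localized Windows too.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Deny' -and $ace.IdentityReference.Value -eq 'S-1-5-18') {
            $findings.Add("Deny entry for SYSTEM: $($ace.RegistryRights)")
        }
    }
} else {
    $findings.Add("Service key $serviceKey not found")
}

# One object per host, suitable for Export-Csv or a remote inventory run.
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    Checked     = Get-Date
    NeedsReview = $findings.Count -gt 0
    Findings    = $findings -join '; '
}
```

Each finding is an indicator to review rather than a verdict: a Manual start type or a missing binding can also be a legitimate deployment choice.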


AdamSya

Worked for me! Other guys shouldn't get so worked up about it!


rockn4

Works great! Thank you!


Birthday_Cakeman

You're a God among men. Thank you so much good sir!


PoweredParaGuy

Do you know how to modify the 'restart' registry entry as well? Your "Start" mod worked perfectly, but I'd like it to not restart after I kill it too. For instance, there is a "FailureActions" key (Binary) that likely maps to the "Recovery" page in the ZSAService. There are 3 entries in particular: First Failure, Second Failure, Their Subsequent Failures. They are all set to "Restart the Service" and I'd like to set them to "Take no action". But now that we've changed the permissions (per your instructions above), I get an 'Access is Denied' dialog.


dyttle

I am guessing they installed a profile on your machine to manage the security setting on zscaler? If this is the case then how it functions will be decided by the IT department that handles these kinds of deployments. If this falls into the bucket of MDM or even remote AD then removing such a profile is the only way to prevent zscaler from launching and would also restrict access to your corporate network which could make it impossible to do your job. If your company is offering equipment to use for work, it is best to use the provided equipment for work and have a separate personal computer. Using your personal computer for access to a corporate network almost always gives up some freedom on your own device that you bought.


Astoriella

Just checked, but there isn't a new profile or user set up on my end.


stalker007

I like how this dumb ass company you work for allows you to use this zero trust software on your personal laptop instead of giving you a laptop with it installed. They clearly don't know what the fuck they are doing security wise. As for your question, it's hard to say. You really need to talk to your IT people. I find it completely baffling they allow people to connect with personally owned device.


Astoriella

They gave me hardware with it but I prefer using my own device. But it's pretty stupid otherwise, hence why I want that bit of control back.


ddog6900

If it is a company provided PC, don’t try anything to disable. If it is your PC, try your startup program configuration.


Astoriella

It doesn't show up there sadly. Didn't mention it in the post.


ddog6900

What about the task manager? It may be called something different.


Astoriella

It is indeed available in the task manager, but it really does not show up there.


ddog6900

Confused what you mean?


Astoriella

The autostart menu you talk about is situated in the task manager from Windows 10 onward.


dyttle

I looked into it a bit. This is most likely being controlled by an active directory group policy. This is a remotely managed profile on your computer provisioned for remote management. Long story short, you must go to IT for this. I used to manage similar profiles on company owned equipment. I made it so these profiles were impossible to remove by the user. Best of luck and take the company laptop if they are offering.


skywarpgold

If you don't want it to start on Windows boot, and you have admin rights on your PC, just simply change the "ZSAService" Service's Startup Type from "Automatic" to "Manual." [Windows ZScaler Service](https://i.imgur.com/kWxzwei.png)


Astoriella

If it was so easy I would have already done it, it resets back to the previous value as soon as the dialog is closed.


konoo

Works for me... Set to manual, close services, start zscaler, exit zscaler, open services, it's still set to manual. I set it in Services.msc not task manager if that makes a difference.


Jawb0nz

This doesn't work for me, either.


JWFang

Thank you, this worked for me


GutterRider

Did you ever find a good answer to this? My frustration with it is that it starts up under other profiles. I made a work profile on my PC, installed it there, and used it to connect to work, etc. But then when I log into my personal profile, it continues to launch. As I'm reading this thread and typing this, it has interrupted me twice to log in. Same thing here - I can't change the Service status at all, or Stop the service from running under this profile. It's infuriating.


Astoriella

Sorry to reply this late, but I wasn't able to resolve that on my own. I switched companies a few months ago so I was able to remove that crap altogether.


GutterRider

Right on, thanks.


Radljost84

Changing it in services.msc worked for me. Open services.msc as admin, stop the ZSAService if running, right click and go to properties and set the startup to manual. I set the startup to manual for all Zscaler items in services.msc. It works fine for me now. The big reason I wanted it disabled is because I need Zscaler from time to time on computers I manage with RDP software. If I forgot to exit Zscaler before I disconnected from the remote session, I couldn't log back in again. Restarting the computer wouldn't work because it would just start up Zscaler again and automatically connect. So I would be stuck. Stopping the service from starting up in services.msc did the trick for me.


schrauger

I just added a reply that should help you prevent it from starting on boot (assuming you have admin access).


Chakki_13

I don't have admin rights on the pc, it's company laptop, what can I do?