After migrating from Windows 7 to Windows 10 Pro (versions 1809 through 21H2), many network engineers report that Policy-Based QoS configurations fail to apply DSCP values to outbound traffic, despite proper GPO configuration. Network Monitor consistently shows packets marked with DSCP 0, even when policies specify other values (e.g., AF11 with DSCP 10).
Before diving deeper, verify these essentials:
- The policy applies to the correct network interface (Ethernet/WiFi)
- Group Policy successfully refreshes (gpupdate /force)
- No conflicting third-party QoS software exists
- The target executable runs with administrator privileges
The traditional NLA registry fix (KB2733528) often proves insufficient. Try this enhanced approach:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\QoS]
"Do not use NLA"="1"
"DisableUserTOSSetting"=dword:00000000
"ServiceMainCoS" = dword:0000000a
Reboot after applying these registry changes. The ServiceMainCoS value directly corresponds to your desired DSCP (10 in this case).
For programmatic control, use this PowerShell script to verify and enforce settings:
# Verify QoS policy application
Get-NetQosPolicy | Where-Object {$_.DSCPValue -ne 0} | Format-Table -AutoSize
# Force DSCP marking per process
Start-Process -FilePath "C:\Path\to\application.exe" -ArgumentList @("--qos-tier=2") -Verb RunAs
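# Set-NetQosPolicy modifies an existing policy; create "CustomAppPolicy" with New-NetQosPolicy first
Set-NetQosPolicy -Name "CustomAppPolicy" -AppPathNameMatchCondition "application.exe" -DSCPValue 10 -NetworkProfile All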
Modern Windows versions handle QoS differently:
- Hyper-V virtual switches may intercept and reset DSCP
- Windows Defender Application Guard creates isolated containers
- TCP Chimney Offloading bypasses user-mode QoS
Disable these features temporarily for testing:
Disable-NetAdapterChecksumOffload -Name "Ethernet" -IpIPv4
Set-NetTCPSetting -SettingName "Internet" -AutoTuningLevelLocal Restricted
When GPO fails, consider:
1. Netsh Legacy Method:
netsh int tcp set global autotuninglevel=restricted
netsh interface tcp set global rss=disabled
2. WFP (Windows Filtering Platform):
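// C++ WFP example snippet (link with Fwpuclnt.lib and Rpcrt4.lib)
#include <windows.h>
#include <fwpmu.h>
HANDLE engineHandle = NULL;
FWPM_SUBLAYER0 subLayer = {};
UuidCreate(&subLayer.subLayerKey);
subLayer.displayData.name = const_cast<wchar_t*>(L"DSCP marking sublayer");
subLayer.weight = 0;
// FWPM_SUBLAYER0 has no DSCP field; the marking itself (DSCP 10, 0x0A) must be
// done by a callout attached to filters in this sublayer.
FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, NULL, &engineHandle);
FwpmSubLayerAdd0(engineHandle, &subLayer, NULL);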
Many network engineers and Windows administrators have noticed that the traditional Group Policy method for DSCP marking seems broken in Windows 10/11. While the same approach worked flawlessly in Windows 7 (after applying KB2733528), modern Windows versions appear to ignore these QoS settings.
Before troubleshooting, let's confirm your policy is properly configured:
# Check applied QoS policies
Get-NetQosPolicy | Format-Table -AutoSize
# Verify DSCP values in outgoing packets (requires admin)
netsh trace start scenario=NetConnection capture=yes tracefile=C:\temp\qos.etl
# Reproduce the application traffic here, then stop the trace
netsh trace stop
Windows 10 introduced several networking changes that affect QoS:
- Network Quality Awareness (NQA) superseding NLA
- HTTP.sys now handles most application traffic
- Modern apps running in containerized processes
Method 1: Registry Hack (Temporary Fix)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\QoS]
"Do not use NLA"="1"
"DisableDSCPInNBL"=dword:00000000
Method 2: PowerShell Alternative
# For specific executable (e.g., chrome.exe)
New-NetQosPolicy -Name "Chrome_QoS" -AppPathNameMatchCondition "chrome.exe" -DSCPValue 10 -NetworkProfile All
# For source port (alternative approach)
New-NetQosPolicy -Name "Port5000_QoS" -IPSrcPortStartMatchCondition 5000 -IPSrcPortEndMatchCondition 5000 -DSCPValue 46
When system-level solutions fail, you can implement DSCP marking directly in your application:
// C# example for socket-level DSCP marking
using System.Net.Sockets;

Socket s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
// DSCP occupies the upper six bits of the ToS byte (the lower two are ECN), hence the << 2
s.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.TypeOfService, 10 << 2);
Use these tools to confirm DSCP tagging:
- Wireshark (look for Differentiated Services Field)
- Microsoft Network Monitor 3.4
- PowerShell:
Test-NetConnection -TraceRoute -Hops 1
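To check captured packets against the policies above without reading each one by hand, this added example (not from the original page) parses raw IP packets, extracts DSCP and ECN, and compares DSCP with the value expected for the source port. The packets are constructed samples, `parse_dscp`, `check`, `ipv4_tcp` and `POLICY` are hypothetical names, and the IPv6 path goes beyond the IPv4 cases on the page and assumes no extension headers.

```python
import struct

# DSCP code points used on this page: AF11 = 10, EF = 46.
DSCP_NAMES = {0: "CS0/default", 10: "AF11", 46: "EF"}

def parse_dscp(packet: bytes):
    """Return (dscp, ecn, src_port) for a raw IPv4 or IPv6 packet carrying TCP/UDP."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4          # header length in bytes
        if ihl < 20 or len(packet) < ihl + 4:
            raise ValueError("truncated IPv4 packet")
        tos, proto, l4 = packet[1], packet[9], ihl
    elif version == 6:
        if len(packet) < 44:
            raise ValueError("truncated IPv6 packet")
        # Traffic Class straddles bytes 0 and 1: low nibble of byte 0, high nibble of byte 1.
        tos = ((packet[0] & 0x0F) << 4) | (packet[1] >> 4)
        proto, l4 = packet[6], 40             # assumption: no extension headers
    else:
        raise ValueError(f"not an IP packet (version {version})")
    if proto not in (6, 17):                  # TCP or UDP
        raise ValueError(f"unsupported protocol {proto}")
    (src_port,) = struct.unpack_from("!H", packet, l4)
    return tos >> 2, tos & 0x03, src_port     # DSCP = upper 6 bits, ECN = lower 2

def check(packet: bytes, expected_by_src_port: dict):
    """Compare the observed DSCP with the value the QoS policy should have applied."""
    dscp, ecn, port = parse_dscp(packet)
    want = expected_by_src_port.get(port, 0)
    return {"src_port": port, "dscp": dscp, "name": DSCP_NAMES.get(dscp, str(dscp)),
            "ecn": ecn, "expected": want, "ok": dscp == want}

def ipv4_tcp(tos: int, src_port: int) -> bytes:
    """Build a constructed 20-byte IPv4 header plus the first 4 bytes of a TCP header."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 24, 0, 0, 64, 6, 0,
                      bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return hdr + struct.pack("!HH", src_port, 443)

# Constructed samples: expectations mirror Port5000_QoS (source port 5000 -> DSCP 46).
POLICY = {5000: 46}
SAMPLES = [ipv4_tcp(46 << 2, 5000),   # marked EF as configured
           ipv4_tcp(0, 5000)]         # the failure described above: DSCP 0 on the wire

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(check(pkt, POLICY))
```

Export packet bytes starting at the IP header (not the Ethernet frame) when feeding real capture data to `check`.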
Consider configuring your network hardware to remark traffic:
! Cisco IOS example
class-map match-any CHROME_TRAFFIC
 match access-group name CHROME_ACL
!
policy-map MARK_DSCP
 class CHROME_TRAFFIC
  set dscp af11
!
interface GigabitEthernet0/1
 service-policy input MARK_DSCP