Intune Autopilot and ZScaler

We are trying to Autopilot Intune Azure AD join. We are not having much success with this due to some networking issue. We tried Hybrid Azure AD join and was told that you need VPN access on the device to be successful.

So, we tried the Hybrid Azure AD join from within network and we could not still succeed, as it does nothing. We do have ZScaler ZIA implemented. Unfortunately, we are not sure whether this is causing an issue. But, I was told that when we go through Wi-Fi the ZScaler is not in picture, but still wonder why it would not go through the process of Hybrid Azure join. Just curious I know, I see many people talking about this in ZScaler forum, but is there anyone who has done Hybrid Azure AD successfully from within the network with any kind of ZScaler ZIA configuration.

We have opened up the network as per the network document shown below, but still not successful. When we go through Wireless from home I can see the machine in Azure and in Onprem AD but does not allow me to login.

Hey, welcome to the Zenith community! Thanks for your question

When you say you’re trying to Autopilot Intune can you expand a bit more? Autopilot is a program that automatically joins a device to your Intune MDM instance. Are you saying that devices are not able to auto-provision into Intune?

Also Zenith,

I saw this article which kind looked same to my situation

Hi, we are yet to get autopilot provisioning to work on the lan as all no-auth traffic is blocked by default. So until the user can authenticate with Z via the client connector, all traffic seemingly is blocked apart from certain URL’s required for SSO to sites.

We’re using a ZPA proxy which enables us to build off network and authenticate with the DC but this is only helpful when your off network, and we face the same issues when we plug the device back into the LAN. Any ideas?

Please, and thankyou

Hello Ben,

Yes, let me explain exactly what is happening.

We are trying to do Hybrid Azure AD Join devices (OOBE) that will be shipped to users directly. The configuration for Autopilot has been set up and it is all good. The Domain Join profile has all the information to join the device to the domain. We have Intune connectors in place, network URLs opened up to the Internet and Microsoft sites as per this link below

When I connect from my home trying to join through Autopilot, I get to the point where it is creating a device on my domain controller (OU) and I see that same machine in Azure AD but it does not join Azure AD. It says it could not establish connectivity. As per Microsoft they say that the Domain Controller has to be in LINE OF SIGHT or this device has to have some form of VPN connectivity. Otherwise they are saying it would not work.

These screenshots are from my laptop of not completing the process with Hybrid Azure AD Join.


From Office Network

We thought it should work from the office, so let us try it from being on our network, but being on our network it spins and makes no progress. So, we took a similar laptop and tried to join it from being in the office (Hardware Hash is all in place in Intune) and configuration is all assigned. The office network configuration which I am not sure about and what all is involved, they had to have some form of MAC ID of the laptop to the DHCP scope for reservations I suppose so that it gets an IP address based on the MAC address.Which is all fine.

This laptop / machine when powered on goes to the branding page, the user enters the email address of the company and then password, 2 Factors in and then it starts spinning and nothing is happening neither the machines are showing up in AD OU.

I know we have ZSCALER ZIA on our laptops or desktops but these Laptops are not installed with ZSCALER ZIA (I am not familiar with this product at all nor do I know anything about it). But, the Network has ZSCALER involved and how it is setup I do not know as only the Networking people will know. But, I am not sure whether our office network does all these devices go through ZSCALER or not. I see many people are having problems because ZSCALER is involved and AUTOPILOT is having issues.

We tried connecting it through the WIFI from the office as I was told that the office WIFI is bypassing ZSCALERs etc…

So, this is where we are.

Thanks in advance for your help!

Hi @oryx360,

First of all I am going to ask the obvious but have you reached out to your Network team managing both ZIA and ZPA to solve your issue? Have they checked logs?

Regarding the case when users are out of the office, I am guessing that you are leveraging ZPA to access Domain Controllers. I am not familiar with Autopilot but I would check the following:

  1. Is there an App Segment for the Domain Controllers
  2. Is there a policy that authorised the user to access Domain Controllers App Segment
  3. If the machine is trying to access the Domain controller before the session is opened then you need to make sure that a Machine Tunnel is configured and that a policy allows connections to Domain Controllers from this machine tunnel

Regarding the case when users are in the office, you should:

  1. Look at ZIA logs to see if some traffic going to autopilot domains is not blocked
  2. Make sure a policy is set to allow traffic to autopilot domains
  3. Make sure you don’t perform SSL inspection on domains that do not support it (e.g.

Hope this pointers will help.

We are also trying to build hybrid joined window machines with strict enforcement policy.
We have ZPA in place which is providing line of sight to Domain controller.
Now challenge come in where after the successful installation of ZCC version and endpoint protection solution during the windows build, Machine not able to talk to internet due to strict enforcement policy.
We are not able to bypass URLs in app profile as there is no provision to provide wildcards in bypass app/gateway column.
To mitigate that please help me to know what would be the feasible and sustainable solution :-

Scenario 1 : Remove strict enforcement
Scenario 2 : Allow required Intune/Azure and Microsoft URLs from machine tunnel (latency issue will trigger and only 2 App connectors available in DC)
Scenario 3 : Use Pre-existing PAC file loaded by Intune to machine, after build complete and Zscaler authentication, App Profile override (not sure whether it work or not).
Scenario 4 : worked out with TAC where come to know that there is no provision of Pre login for ZIA service and engineering ticket ER-4640 is opened >> if there is any script which can added in install options to provide auth (using SAML with azure) complete

Thanks in advance,