Windows Autopilot

Hi friends,

is anyone using Autopilot with zscaler (successfully)?

Currently we are bypassing zscaler and everything works fine. However, after routing the traffic to zscaler (PBR through an IPSec tunnel) the device registration gets stuck with no specific error message from Windows.

SSL and Authentication bypass is done. No blocks or errors in the zscaler logs.

Thanks for your assistance.


We have autopilot working via zscaler
But we had to do too many iterations of policy review to achieve this. It was not easy 🙂

Hey sebastian,
We created a URL group with the domains in this post with all Intune Endpoints Network endpoints for Microsoft Intune | Microsoft Docs

Then bypassed SSL Inspection for the URL group.

Are you using Hybrid AD join by any chance?

Hi friends, thank you very much for your help. Meanwhile we created a URL whitelist along with a SSL exception list according to:
Windows Autopilot networking requirements | Microsoft Docs
For the moment it looks like this is working. Personally I think this will break in the future since there is no web service like Office 365 IP Address and URL web service - Microsoft 365 Enterprise | Microsoft Docs for this Autopilot thing and the “documentation” for me looks more like an educated forum post of some Microsoft experts.

Best Regards
Sebastian


Hi,
Would you be able to share your feedback 1-2-1 on the list of URLs or domains you took into consideration? We see URLs or domains change every day, and it is difficult to keep Autopilot running as a continued service.

Hi Team,
Do we have any other resolution to this issue apart from creating bypasses?

Rajesh,
Intune for both commercial and government requires SSL bypassing for certain application pushes. Not sure it would be possible without an SSL Bypass setup for the Intune endpoints.

There is no real way to get around SSL or AUTH bypasses for Autopilot unless you can pre-load the certificate you are using to decrypt the SSL traffic.
Even then you might still need to authentication-bypass the FQDNs that Autopilot is using.

To get around it you can either create a Location with no enforced Authentication and SSL inspection, or run a bypass list.

My bypass list looks like this:

.aka.ms
.microsoft.com
.live.com
.azure.net
.intel.com
.amd.com
.digicert.com
.windowsupdate.com
.phicdn.net
.hwcdn.net
.windows.com
.akamaized.net
.akadns.net
.passport.net
.windowsphone.com
.msftconnecttest.com
.v0cdn.net
.gammacdn.net
.msauth.net
.microsoftonline.com
.msftauth.net
.entrust.net
.windows.net
.microsoft.com.edgesuite.net
.sfx.ms
.googleapis.com
.office.com
.gvt1.com
.azureedge.net
.live.net
.quovadisglobal.com
.comodoca.com
.verisign.com
.aadrm.com
.office.net
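The two workable answers in this thread (a URL group with SSL inspection bypassed, and the leading-dot bypass list above) both stand or fall on whether every hostname the Autopilot device actually contacts is covered. The following is an added example in Python, not code from any poster here or from Zscaler: it takes the bypass list exactly as posted and a constructed set of hostnames shaped like entries in a proxy log, and reports which hosts the list covers and which would still be inspected or authenticated. A leading-dot entry is assumed to mean "this domain and all its subdomains", which is why matching is done on DNS labels rather than with a plain string suffix test: `.live.com` then covers `live.com` and `login.live.com` but not a look-alike such as `evil-live.com`. All sample hostnames are constructed for the example.

```python
from typing import Dict, List, Optional

# Bypass list as posted in the thread (leading dot = domain plus subdomains)
BYPASS_LIST = [
    ".aka.ms", ".microsoft.com", ".live.com", ".azure.net", ".intel.com",
    ".amd.com", ".digicert.com", ".windowsupdate.com", ".phicdn.net",
    ".hwcdn.net", ".windows.com", ".akamaized.net", ".akadns.net",
    ".passport.net", ".windowsphone.com", ".msftconnecttest.com",
    ".v0cdn.net", ".gammacdn.net", ".msauth.net", ".microsoftonline.com",
    ".msftauth.net", ".entrust.net", ".windows.net",
    ".microsoft.com.edgesuite.net", ".sfx.ms", ".googleapis.com",
    ".office.com", ".gvt1.com", ".azureedge.net", ".live.net",
    ".quovadisglobal.com", ".comodoca.com", ".verisign.com", ".aadrm.com",
    ".office.net",
]

# Constructed sample hostnames, shaped like what a proxy log would show.
# None of these are taken from the thread or from Microsoft's documentation.
OBSERVED_HOSTS = [
    "login.microsoftonline.com",
    "ztd.dds.microsoft.com",
    "www.msftconnecttest.com",
    "live.com",
    "evil-live.com",                    # look-alike: must NOT match ".live.com"
    "cdn.microsoft.com.edgesuite.net",
    "autopilot.example.net",            # not in the list: would be inspected
]


def _labels(name: str) -> List[str]:
    """Split a hostname or list entry into lowercase DNS labels."""
    return [lab for lab in name.lower().strip(".").split(".") if lab]


def matches(host: str, entry: str) -> bool:
    """True if host is the entry's domain itself or a subdomain of it."""
    h, e = _labels(host), _labels(entry)
    return len(h) >= len(e) and h[-len(e):] == e


def best_match(host: str, bypass: List[str]) -> Optional[str]:
    """Most specific (most labels) bypass entry that covers host, or None."""
    hits = [e for e in bypass if matches(host, e)]
    return max(hits, key=lambda e: len(_labels(e))) if hits else None


def classify(hosts: List[str], bypass: List[str]) -> Dict[str, Optional[str]]:
    """Map every observed host to the entry that covers it (None if uncovered)."""
    return {h: best_match(h, bypass) for h in hosts}


def uncovered(hosts: List[str], bypass: List[str]) -> List[str]:
    """Hosts the list does not cover: these still go through inspection/auth."""
    return [h for h, m in classify(hosts, bypass).items() if m is None]


if __name__ == "__main__":
    for host, entry in classify(OBSERVED_HOSTS, BYPASS_LIST).items():
        print(f"{host:40} -> {entry or 'NOT COVERED'}")
```

Feeding the distinct hostnames from the web log of a stuck enrollment into `OBSERVED_HOSTS` turns the "no specific error message" symptom into a concrete list of FQDNs that were still being decrypted or challenged for authentication, which is usually where the next bypass entry has to come from.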