Windows Autopilot

Hi friends,

is anyone using Autopilot with zscaler (successfully)?

Currently we are bypassing Zscaler and everything works fine. However, after routing the traffic to Zscaler (PBR through an IPSec tunnel) the device registration gets stuck, with no specific error message from Windows.

SSL and Authentication bypass is done. No blocks or errors in the zscaler logs.

Thanks for your assistance.


We have Autopilot working via Zscaler,
but we had to do too many iterations of policy review to achieve this. It was not easy :)

Hey Sebastian,
We created a URL group with the domains in this post, which lists all Intune endpoints: Network endpoints for Microsoft Intune | Microsoft Docs

Then bypassed SSL Inspection for the URL group.

Are you using Hybrid AD join by any chance?

Hi friends, thank you very much for your help. Meanwhile we created a URL whitelist along with an SSL exception list according to:
Windows Autopilot networking requirements | Microsoft Docs
For the moment it looks like this is working. Personally I think this will break in the future, since there is no web service like Office 365 IP Address and URL web service - Microsoft 365 Enterprise | Microsoft Docs for this Autopilot thing, and the “documentation” to me looks more like an educated forum post by some Microsoft experts.

Best Regards
Sebastian


Hi,
Would you be able to share your feedback 1-2-1 on the list of URLs or domains you took into consideration? We see URLs or domains change every day, and it is difficult to keep Autopilot running as a continuous service.

Hi Team,
Do we have any other resolution to this issue apart from creating bypasses?


Rajesh,
Intune for both commercial and government requires SSL bypassing for certain application pushes. Not sure it would be possible without an SSL Bypass setup for the Intune endpoints.

There is no real way to get around SSL or AUTH bypasses for Autopilot unless you can pre-load the certificate you are using to decrypt the SSL traffic.
Even then you might still need an authentication bypass for the FQDNs that Autopilot is using.

To get around it you can either create a Location with no enforced authentication and SSL inspection, or run a bypass list.

My bypass list looks like this:

.aka.ms
.microsoft.com
.live.com
.azure.net
.intel.com
.amd.com
.digicert.com
.windowsupdate.com
.phicdn.net
.hwcdn.net
.windows.com
.akamaized.net
.akadns.net
.passport.net
.windowsphone.com
.msftconnecttest.com
.v0cdn.net
.gammacdn.net
.msauth.net
.microsoftonline.com
.msftauth.net
.entrust.net
.windows.net
.microsoft.com.edgesuite.net
.sfx.ms
.googleapis.com
.office.com
.gvt1.com
.azureedge.net
.live.net
.quovadisglobal.com
.comodoca.com
.verisign.com
.aadrm.com
.office.net
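Each entry in the list above has a leading dot, so it is a domain suffix: `.microsoft.com` covers every host under microsoft.com rather than one FQDN. Before a list like this goes into production it is worth checking exactly which hosts it covers and which Autopilot-related hosts it leaves inspected. The script below is an added example for this thread, not Zscaler's or Microsoft's code and not from the post; it copies the list above, treats a leading-dot entry as also covering the apex domain (an assumption, check the matching rules of your Zscaler release), and runs a few constructed sample hostnames through it.

```python
"""Suffix-match checker for a leading-dot bypass list (added example).

The BYPASS_SUFFIXES list is copied from the forum post above. The sample
hostnames and log lines further down are constructed for this example and
do not come from any real tenant or proxy log.
"""
from urllib.parse import urlsplit

BYPASS_SUFFIXES = [
    ".aka.ms", ".microsoft.com", ".live.com", ".azure.net", ".intel.com",
    ".amd.com", ".digicert.com", ".windowsupdate.com", ".phicdn.net",
    ".hwcdn.net", ".windows.com", ".akamaized.net", ".akadns.net",
    ".passport.net", ".windowsphone.com", ".msftconnecttest.com",
    ".v0cdn.net", ".gammacdn.net", ".msauth.net", ".microsoftonline.com",
    ".msftauth.net", ".entrust.net", ".windows.net",
    ".microsoft.com.edgesuite.net", ".sfx.ms", ".googleapis.com",
    ".office.com", ".gvt1.com", ".azureedge.net", ".live.net",
    ".quovadisglobal.com", ".comodoca.com", ".verisign.com", ".aadrm.com",
    ".office.net",
]


def normalize_host(value):
    """Accept a bare hostname, 'host:port', 'host/path' or a full URL and
    return the lowercase hostname with any trailing dot removed."""
    value = value.strip()
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        # bare "host[:port][/path]" form, as found in a proxy log column
        host = value.split("/", 1)[0].rsplit(":", 1)[0]
    return host.lower().rstrip(".")


def matching_suffix(value, suffixes=BYPASS_SUFFIXES):
    """Return the bypass entry that covers `value`, or None.

    A leading-dot entry such as '.microsoft.com' covers every subdomain
    (login.microsoft.com) and, by assumption here, the apex microsoft.com.
    The dot is part of the comparison, so 'notmicrosoft.com' is NOT covered.
    When several entries match, the most specific (longest) one is reported.
    """
    host = normalize_host(value)
    hits = [s for s in suffixes if host == s[1:] or host.endswith(s)]
    return max(hits, key=len) if hits else None


def audit(hosts, suffixes=BYPASS_SUFFIXES):
    """Map each normalized hostname to the entry that bypasses it (or None)."""
    return {normalize_host(h): matching_suffix(h, suffixes) for h in hosts}


def uncovered(hosts, suffixes=BYPASS_SUFFIXES):
    """Hosts that would still be SSL-inspected / authenticated by the proxy."""
    return [h for h, hit in audit(hosts, suffixes).items() if hit is None]


if __name__ == "__main__":
    # Constructed sample log lines: "<time> <host> <action>" (not real data).
    SAMPLE_LOG = """\
12:00:01 login.microsoftonline.com:443 CONNECT
12:00:02 ztd.dds.microsoft.com:443 CONNECT
12:00:03 www.msftconnecttest.com:80 GET
12:00:04 updates.contoso.example:443 CONNECT
12:00:05 notmicrosoft.com:443 CONNECT
"""
    hosts = [line.split()[1] for line in SAMPLE_LOG.splitlines()]
    for host, hit in audit(hosts).items():
        print(f"{host:35} -> {hit or 'INSPECTED'}")
    print("still inspected:", uncovered(hosts))
```

The last sample line is the edge case worth keeping in mind when reviewing any suffix list: `notmicrosoft.com` ends with the characters `microsoft.com` but not with `.microsoft.com`, so a correct matcher must compare including the dot, as this one does.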

Hi, we are yet to get Autopilot provisioning to work on the LAN, as all no-auth traffic is blocked by default. So until the user can authenticate with Z via the Client Connector, all traffic is seemingly blocked apart from certain URLs required for SSO to sites.

We’re using a ZPA proxy which enables us to build off-network and authenticate with the DC, but this is only helpful when you’re off network, and we face the same issues when we plug the device back into the LAN. Any ideas?

Please, and thank you

The vast majority of Enterprise Applications are certificate pinned by the vendor. In some cases you can bring your PKI to the table for use; however, most do not do that. They enforce full logging on the cert-pinned apps and have executive leadership accept the risk of the bypass to the Zscaler Platform.

Tenable is a good example of a vendor that is opposed to any and all SSL interception on their deployed product, while another vendor in the same vertical, Qualys, is not.

Microsoft non-Office 365 versions of the Office Suite and Exchange Online: totally cert pinned. The tenant-directed installed client that auto-updates: not fully pinned, and it actually plays much nicer with Zscaler.

DocuSign: totally cert pinned, does not like interception at all. Look at your Advanced Sandbox for DocuSign: same file, same name, every touch a new cert, new hash.

Box Sign allows bring-your-own PKI and works fine with Zscaler.

It all comes down to choices, and acceptance of risk.