Windows Autopilot

Hi friends,

is anyone using Autopilot with zscaler (successfully)?

Currently we are bypassing zscaler and everything works fine. However after routing the traffic to zscaler (PBR through an IPSec Tunnel) the device registration stucks with no specific error message from Windows.

SSL and Authentication bypass is done. No blocks or errors in the zscaler logs.

Thanks four your assistance.

1 Like

We have autopilot working via zscaler
But had to do too many iterations of review of policy to define to achieve this.it was not easy :slight_smile:

Hey sebastian,
We created a URL group with the domains in this post with all Intune Endpoints Network endpoints for Microsoft Intune | Microsoft Docs

Then bypassed SSL Inspection for the URL group.

Are you using Hybrid AD join by any chance?

Hi friends, thank you very much for your help. Meanwhile we created a URL whitelist along with a SSL exception list according to:
Windows Autopilot networking requirements | Microsoft Docs]
For the moment it looks like this is working. Personally I think this will break in the future since there is no web service like Office 365 IP Address and URL web service - Microsoft 365 Enterprise | Microsoft Docs for this Autopilot thing and the “documentation” for me looks more like an educated forum post of some Microsoft experts.

Best Regards
Sebastian

1 Like

Hi,
Would you be able to share your feedback in 1-2-1 on list of url or domains you took into consideration as we see urls or domains change every day and difficult to have it continued running service for autopilot

Hi Team,
Do we have any other resolution to this issue apart from creating bypasses?

1 Like

Rajesh,
Intune for both commercial and government requires SSL bypassing for certain application pushes. Not sure it would be possible without an SSL Bypass setup for the Intune endpoints.

There is no real way to get around SSL or AUTH bypasses for Autopilot unless you can pre-load the certificate you are using to decrypt the SSL traffic.
Even then you might still need to Authenticate bypass the FQDN’s that Autopilot is using.

To get around it you can either create a Location with no enforced Authentication and SSL inspection. or run a bypass list.

my bypass list looks like this.

.aka.ms
.microsoft.com
.live.com
.azure.net
.intel.com
.amd.com
.digicert.com
.windowsupdate.com
.phicdn.net
.hwcdn.net
.windows.com
.akamaized.net
.akadns.net
.passport.net
.windowsphone.com
.msftconnecttest.com
.v0cdn.net
.gammacdn.net
.msauth.net
.microsoftonline.com
.msftauth.net
.entrust.net
.windows.net
.microsoft.com.edgesuite.net
.sfx.ms
.googleapis.com
.office.com
.gvt1.com
.azureedge.net
.live.net
.quovadisglobal.com
.comodoca.com
.verisign.com
.aadrm.com
.office.net

Hi, we are yet to get autopilot provisioning to work on the lan as all no-auth traffic is blocked by default. So until the user can authenticate with Z via the client connector, all traffic seemingly is blocked apart from certain URL’s required for SSO to sites.

We’re using a ZPA proxy which enables us to build off network and authenticate with the DC but this is only helpful when your off network, and we face the same issues when we plug the device back into the LAN. Any ideas?

Please, and thankyou