We have this Intune process that our team goes through every time a new PC is issued to a user. Essentially this is an Autopilot program that, after the client is wiped, starts downloading programs that are pre-defined in our Intune configuration package. Once all of these programs are installed, the Intune process is completed successfully.
The problem we're seeing is that every time we run this process behind a Palo Alto firewall, the downloading of the programs hangs. It gets stuck at installing 1 of 20 or 2 of 20 and after a while it eventually times out.
To get past this, I have followed the guidance from Microsoft on whitelisting IPs and FQDNs that are used by the Intune process.
I have also whitelisted all IPs and FQDNs from Office 365.
The way I am applying these rules is that I am allowing all communication to the IPs that I grabbed from the above-mentioned URLs, and I allowed all communication to go through those IPs with no App-ID or security profile restriction.
I also whitelisted all FQDNs (including wildcards) and inserted them in the Service/URL Category in a separate policy. Same thing for this policy as well: no App-ID or security profile restriction applied.
The order that these policies are applied:
1. Unrestricted Microsoft/Office 365 IP Whitelist
2. Restricted Policy for General use (Through app-id and security profiles)
3. Unrestricted Microsoft FQDN and Wildcard Whitelist.
The reason why I left the Microsoft FQDN and Wildcard Whitelist last is that those wildcards (specifically) sometimes resolve to AWS, Google, and Akamai IPs, and I don't like that traffic being unprotected.
Note that for testing purposes I have moved the third policy that whitelists wildcards above the general internet policy, and I have experienced the same Intune issues.
I just wanted to see if other people are experiencing the same Intune problems and what they've done to resolve it. The firewall policy that's in the middle of the screenshot below is where the traffic gets restricted through App-ID and security profiles (including URL filtering that is blocking 20 different categories).
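A small added check (not the poster's or Palo Alto's code) for the ordering concern described above: with the IP whitelist first, the restricted rule second, and the FQDN whitelist last, any whitelisted FQDN that resolves to an address outside the published Microsoft ranges is evaluated by the restricted rule before the FQDN rule ever sees it. The prefixes and resolver results below are constructed samples, not Microsoft's actual endpoint list.

```python
import ipaddress

# Constructed sample of "published Microsoft prefixes" (placeholders, not the real list).
MS_PREFIXES = [ipaddress.ip_network(p) for p in (
    "20.190.128.0/18",
    "40.126.0.0/18",
    "52.96.0.0/14",
)]

# Constructed sample of resolver output at the time of the Autopilot run:
# whitelisted FQDN -> A records observed. Hostnames are hypothetical.
RESOLVED = {
    "login.microsoftonline.com": ["20.190.160.5", "40.126.1.20"],
    "tenant.manage.microsoft.com": ["52.96.10.1"],
    "cdn.example.net": ["13.32.5.9", "23.200.1.1"],      # all addresses outside MS space
    "mixed.example.com": ["52.97.1.1", "23.200.2.2"],    # partly outside MS space
}


def in_ms_space(ip, prefixes=MS_PREFIXES):
    """True if the address falls inside any whitelisted Microsoft prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def classify(resolved, prefixes=MS_PREFIXES):
    """Map each FQDN to which rule, in the poster's order, would handle its traffic.

    'ip-rule'   : every address matches rule 1 (IP whitelist); FQDN rule never needed.
    'fqdn-rule' : no address matches rule 1; everything hits rule 2 before rule 3.
    'mixed'     : some flows take rule 1, the rest fall through to rule 2.
    """
    result = {}
    for fqdn, ips in resolved.items():
        covered = [in_ms_space(ip, prefixes) for ip in ips]
        if all(covered):
            result[fqdn] = "ip-rule"
        elif not any(covered):
            result[fqdn] = "fqdn-rule"
        else:
            result[fqdn] = "mixed"
    return result


def uncovered_addresses(resolved, prefixes=MS_PREFIXES):
    """Sorted list of resolved addresses the IP whitelist does not cover."""
    return sorted({ip for ips in resolved.values() for ip in ips
                   if not in_ms_space(ip, prefixes)}, key=ipaddress.ip_address)


if __name__ == "__main__":
    for fqdn, rule in classify(RESOLVED).items():
        print(f"{fqdn:30} -> {rule}")
    print("addresses reaching the restricted rule:", uncovered_addresses(RESOLVED))
```

Feeding the output of a real resolver (run from the client VLAN, since split-horizon DNS and CDN steering vary by source) into RESOLVED shows exactly which flows the middle rule's URL filtering and security profiles are inspecting.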
Hi @CCullhaj,
Your approach seems correct.
Have you identified why the process hangs? I mean, is there anything being blocked or dropped at the time?
If you don't see anything in traffic/threat logs, then I'd recommend checking the global counters for drop counters.
Thanks for your reply. That's correct, I do not see any drops or denies.
I will have to check the global counters though. My thinking is that the firewall is somehow blocking all these CDN and proxy requests that could be happening during the download process.
If the global counters show that requests are being blocked, what is the next step that you would recommend?