Introduction
Note: We’ve been using Windows Autopilot with Zscaler configured with Microsoft URLs whitelisted without issue for a long time, this latest problem is new. Read on for more…
I needed to setup a virtual machine for a colleague, and I wanted him to go through the Windows Autopilot experience (Intune managed, AAD joined). I setup a hyper-v host, created a Generation 2 virtual machine, captured the CSV file, imported it into Microsoft Intune, and verified it was assigned.
Problem
Next, I tested the Windows Autopilot OOBE (out of box experience). Instead of showing the usual ‘Welcome to <Your Tenant>’ it prompted me with this.
Clearly something was not right and denying the virtual machine access to verify with Microsoft’s cloud if this device was a Windows Autopilot device or not.
Troubleshooting
My first hunch was to verify the VLAN that this virtual machine was on, perhaps that was causing issues (as I had noted in the past) so I contacted the local network guys to get them to move it to the same VLAN as our regular clients. After that was done, even though the virtual machine got a new ip address which matched a known good VLAN, it made no difference.
Next, I reviewed the Windows Autopilot network requirements supplied by Microsoft here.
https://docs.microsoft.com/en-us/mem/autopilot/networking-requirements
I also found the following script, ran it but it said everything was OK.
I also tried this excellent script from fellow MVP Mattias Melkersen here https://github.com/mmelkersen/EndpointManager/blob/main/Fundamentals/Test-MicrosoftEndpointNetworks.ps1
but it too, told me everything was OK.
Clearly something was wrong. After discussing it with colleagues one of them had the bright idea to verify if Zscaler’s SSL inspection, was causing issues. We had the Zscaler guys verify that it was whitelisted for microsoft.com, it was.
But no matter what, the virtual machine failed every time. We also verified on a new Windows Autopilot laptop, and it too, showed the same problem, clearly something was wrong !
To try and isolate that the problem was related to Zscaler’s SSL inspection and nothing else we decided to manually import Zscalers root certificate into the certificate store on the troublesome virtual machine.
After doing that and issuing a
shutdown /s /t 0
and then starting Windows Autopilot OOBE again, what do you know, it worked !
The Zscaler guys have raised a ticket with Zscaler to see what is happening here. I’ll update once I know more.
until next time, adios !
Related reading
https://community.zscaler.com/t/windows-autopilot/11903/8