Forum Discussion

JamieMcC1590
Copper Contributor
Jun 06, 2025
Solved

Intune Management Extension Deployment

Hi Team, we have had previous issues with the IME deployment not passing through our firewall until a select few URLs were added to the whitelist. I have been informed that we are now blocking login.live.com for whatever reason, but this is now stopping the agent from deploying internally onto newly enrolled devices!

My question is this: if this block remains in place (outwith my control), will agents that are already installed still be able to update and communicate correctly with the Azure servers?

From my understanding and testing, it just needs the connection to login.live.com once for initial deployment, and the Company Portal also needs to make an initial contact, but then remaining contact is made via the manage.microsoft.com URL and possibly another one?

Hopefully looking for some guidance and advice to take forward to my management team.

 

5 Replies

  • Hi Jamie,

    So... Microsoft uses multiple CDN and management endpoints to ensure availability and redundancy.

    The IME can fail over between these endpoints if one is unreachable:

    • If login.live.com remains blocked, new device enrollments or new user authentications may fail, preventing fresh installations or re-enrollments.
    • However, already installed IME agents should continue to update and communicate via manage.microsoft.com and CDN endpoints, assuming those URLs are allowed. I don't know if this applies to an .msi install.

    Back again: login.live.com is mainly needed once for initial authentication. If this applies to the .msi installation, you need to test, or go and watch traffic on a freshly installed client, in order to better understand these facts.

    Good luck!
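    Added example (not code from this thread, from Microsoft, or from the IME itself): a PowerShell check to run on a freshly enrolled client, covering the two things the reply above asks for, namely whether the endpoints named in this discussion are reachable through the firewall on TCP 443, and whether the IME service and its log folder are present. The endpoint list contains only the hosts named in the thread and must be extended from Microsoft's published Intune endpoint list; the IME service name and log path are assumed from a standard Windows install and should be confirmed on a known-good device.

    ```powershell
    # Added example, not from the thread. Run as admin on a freshly enrolled client.
    # Endpoint list: only the two hosts named in the discussion. Extend it from the
    # published Intune endpoint list for your tenant (assumption: that list, not this
    # script, is the authority on what the firewall must allow).
    $Endpoints = @(
        'login.live.com',        # named in the thread as currently blocked
        'manage.microsoft.com'   # Intune service endpoint named in the thread
    )

    # IME service name and log folder on a standard Windows client (assumed; verify on
    # a device where the IME is known to be working).
    $ImeService = 'IntuneManagementExtension'
    $ImeLogDir  = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'

    function Test-IntuneEndpoint {
        param([string]$HostName, [int]$Port = 443)
        # A successful TCP connect only shows the firewall lets the SYN through. A
        # TLS-inspecting proxy can still block the host after the handshake, so treat
        # a pass here as necessary, not sufficient; a fail is a definite block.
        $r = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host     = $HostName
            Resolved = [bool]$r.RemoteAddress
            TcpOpen  = $r.TcpTestSucceeded
        }
    }

    function Get-ImeState {
        # The thread notes the log folder does not exist until the IME is installed, so
        # check the service first and report the folder separately.
        $svc = Get-Service -Name $ImeService -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ServiceInstalled = [bool]$svc
            ServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
            LogFolderExists  = Test-Path -Path $ImeLogDir
        }
    }

    $results = $Endpoints | ForEach-Object { Test-IntuneEndpoint -HostName $_ }
    $results | Format-Table -AutoSize
    Get-ImeState | Format-List

    # Distinguish "cannot enroll" from "cannot maintain": enrollment and first sign-in
    # need login.live.com; an already installed IME talks to manage.microsoft.com
    # (plus CDN hosts not named in the thread, hence not listed here).
    $blocked = $results | Where-Object { -not $_.TcpOpen } | Select-Object -ExpandProperty Host
    if ($blocked) {
        $msg = 'Blocked at the firewall: {0}. Hand this list to the firewall team together with the published Intune endpoint list.'
        Write-Warning ($msg -f ($blocked -join ', '))
    }
    ```

    Run it once before the IME is installed and once after a manual install; if manage.microsoft.com passes and only login.live.com fails, the existing agents' maintenance path is not what the firewall is breaking, which is the distinction the question hinges on.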

    • JamieMcC1590
      Copper Contributor

      Thanks for the feedback :)

      We can't check the logs, as the folder will not exist unless the IME is installed; even when the first contact is made via the Company Portal, the triggering of the W32 app or scripts won't initiate the IME deployment. From what I can tell it's definitely getting blocked by our firewall, but the team responsible aren't using all of the endpoint whitelist.

      At the moment we are pulling the agent down using reg hive entries to get the correct URL and then deploying it manually to the endpoints; this in turn allows the devices to start receiving all required apps and scripts. But I am looking for technical knowledge to advise whether, if this is still blocked, these agents would still be able to update themselves?

      • Bogdan_Guinea
        Iron Contributor

        Hi,

        Based on your first comment, I assumed that you had some agents that already have the IME that you could check.

        The approach is completely wrong at this point, as all management and traffic is done via the IME, and this service goes live and checks the CDG from Microsoft and the Intune backend.

        Good luck!
