Forum Discussion
InTune management extension SecureChannelFailure (Could not create SSL/TLS secure channel)
I'm experiencing a networking problem when Microsoft Endpoint Manager is trying to deploy the InTune management extension from https://endpoint.microsoft.com/ to a Win10 device within a company network.
Extract from C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log:
<![LOG[starting impersonation, session id = 2]LOG]!><time="10:12:27.0961922" date="4-16-2022" component="IntuneManagementExtension" context="" type="1" thread="4" file="">
<![LOG[ After impersonation: DESKTOP-SEFFEL8\AdminAccount]LOG]!><time="10:12:27.0961922" date="4-16-2022" component="IntuneManagementExtension" context="" type="1" thread="4" file="">
...
<![LOG[Current proxy is http://company-proxy-url/]LOG]!><time="10:12:27.0961922" date="4-16-2022" component="IntuneManagementExtension" context="" type="1" thread="4" file="">
...
<![LOG[[IsWebExceptionRetryable] web exception status = SecureChannelFailure]LOG]!><time="10:12:27.2368570" date="4-16-2022" component="IntuneManagementExtension" context="" type="1" thread="4" file="">
<![LOG[WebException occurs, and it's not retryable exception, exception is System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
at System.Net.HttpWebRequest.GetRequestStream()
at Microsoft.Management.Services.IntuneWindowsAgent.AgentCommon.EmsServiceBase.<SendWebRequestWithProxy>d__20.MoveNext()]LOG]!><time="10:12:27.2368570" date="4-16-2022" component="IntuneManagementExtension" context="" type="3" thread="4" file="">
The network in question relies on an "AutoConfigURL" registry setting for the proxy auto-configuration script and a custom root certificate added to "Trusted Root Certificate Authorities" in certificate manager. I've already configured these settings for all interactive users, and internet connectivity is tested to work from Microsoft Edge and from C# code using System.Net.WebRequest and System.Net.HttpClient to access HTTPS content.
The Win10 device is listed as connected on https://endpoint.microsoft.com/, so the connectivity problem seems to be limited to just the InTune management extension. IntuneManagementExtension.log furthermore indicates that the agent is able to impersonate the logged-in admin account and use the correct proxy server, so I'm struggling to understand the reason for the networking problems.
Computer details: Windows 10 IoT LTSC 2021 (x64). InTune management extension 1.53.204.0.
15 Replies
- evanchatter37 (Copper Contributor)
The error is generic and there are many reasons why the SSL/TLS negotiation may fail. The ServicePointManager.SecurityProtocol property selects the version of the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol to use for new connections; existing C# socket connections aren't changed. Make sure the ServicePointManager settings are made before the HttpWebRequest is created, else it will not work. Also, you have to enable other security protocol versions to resolve this issue:
using System.Net;

ServicePointManager.Expect100Continue = true;
// Allowed protocol versions are combined as flags with the bitwise OR operator
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
                                     | SecurityProtocolType.Tls
                                     | SecurityProtocolType.Tls11
                                     | SecurityProtocolType.Ssl3;
// Create the HttpWebRequest only after the ServicePointManager settings are in place
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://google.com/api/");
If you create the HttpWebRequest before the ServicePointManager settings, it will fail and show the error message.
- These are all the URLs / IPs that you need to be able to access: https://docs.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints . Also check the list of CDNs that should be accessible for Win32App/PowerShell scripts (and the Intune Management extension is installed on a client when using those).
- forderud_ge (Copper Contributor)
Thanks for the tip Harm.
I have a feeling that my problems are related to the "The inspection of SSL traffic is not supported to 'manage.microsoft.com' endpoint." note, since the network in question uses a custom root certificate to inspect SSL traffic.
Is there a way to verify that assumption by enabling more verbose logging or similar?
- Not sure if you can enable more verbose logging. Can you bypass manage.microsoft.com in your firewall for testing purposes? If you deploy the Windows 10 device using a guest network/Wi-Fi hotspot or at another location without inspection, does it work then?
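One way to verify the inspection assumption directly on the device, as an added example that is not part of the thread: open a TLS session to manage.microsoft.com through the same HTTP proxy the agent logged and print the certificate chain Windows builds for it. The endpoint and proxy URL are taken from the thread; everything else is assumed, and the script is meant for Windows PowerShell 5.1 on the affected device.

```powershell
# Added example (not from the thread): show the TLS chain this device actually receives
# for an Intune endpoint, optionally tunnelled through the same HTTP proxy the agent uses,
# so that a corporate inspection root can be told apart from a public CA chain.
param(
    [string]$TargetHost = 'manage.microsoft.com',    # endpoint named in the thread
    [string]$ProxyUrl = 'http://company-proxy-url/'  # proxy from the log; '' for a direct connection
)

function Get-ObservedTlsChain {
    param([string]$HostName, [string]$Proxy)
    $client = New-Object System.Net.Sockets.TcpClient
    if ($Proxy) {
        $p = [Uri]$Proxy
        $client.Connect($p.Host, $p.Port)
        $raw = $client.GetStream()
        # Ask the proxy for a tunnel; an inspecting proxy terminates TLS inside the tunnel anyway
        $req = [Text.Encoding]::ASCII.GetBytes("CONNECT ${HostName}:443 HTTP/1.1`r`nHost: ${HostName}:443`r`n`r`n")
        $raw.Write($req, 0, $req.Length)
        $buf = New-Object byte[] 4096
        $n = $raw.Read($buf, 0, $buf.Length)   # status line + headers are small; one read suffices
        $status = [Text.Encoding]::ASCII.GetString($buf, 0, $n)
        if ($status -notmatch '^HTTP/1\.[01] 200') { throw "Proxy refused CONNECT: $($status.Split("`n")[0])" }
    } else {
        $client.Connect($HostName, 443)
        $raw = $client.GetStream()
    }
    # Accept whatever is presented: the purpose is to observe the chain, not to trust it
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($raw, $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    $protocol = $ssl.SslProtocol
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $client.Dispose()
    # Build the chain the way Windows (and therefore the .NET-based agent) would, from the local trust store
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($leaf)
    $certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    return @{ Protocol = $protocol; Chain = $certs }
}

$result = Get-ObservedTlsChain -HostName $TargetHost -Proxy $ProxyUrl
"Negotiated protocol : $($result.Protocol)"
"Chain as seen by this device (leaf first):"
$result.Chain | ForEach-Object { "  $($_.Subject)  [issuer: $($_.Issuer)]" }
# If the last element is the company's own root CA rather than a public CA, the session to
# $TargetHost is being intercepted, which is the situation the thread suspects.
$root = $result.Chain[-1]
"Chain terminates at root: $($root.Subject)"
```

Run it once with the proxy and once with `-ProxyUrl ''` from a network without inspection; a different root in the two outputs confirms that the proxy is re-signing the manage.microsoft.com traffic.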