Forum Discussion
forderud_ge
Apr 18, 2022 (Copper Contributor)
Intune management extension SecureChannelFailure (Could not create SSL/TLS secure channel)
I'm experiencing a networking problem when Microsoft Endpoint Manager is trying to deploy the Intune management extension from https://endpoint.microsoft.com/ to a Win10 device within a company network. ...
Apr 18, 2022
These are all the URLs/IPs that you need to be able to access: https://docs.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints. Also check the list of CDNs that should be accessible for Win32App/PowerShell scripts (and the Intune Management extension is installed on a client when using those).
forderud_ge
Apr 19, 2022 (Copper Contributor)
Thanks for the tip Harm.
I have a feeling that my problems are related to the "The inspection of SSL traffic is not supported to 'manage.microsoft.com' endpoint." note, since the network in question uses a custom root certificate to inspect SSL traffic.
Is there a way to verify that assumption by enabling more verbose logging or similar?
- Apr 19, 2022: Not sure if you can enable more verbose logging. Can you bypass manage.microsoft.com in your firewall for testing purposes? If you deploy the Windows 10 device using a guest network/Wi-Fi hotspot or at another location without inspection, does it work then?
- forderud_ge, Apr 19, 2022 (Copper Contributor)
I've already verified that the Intune management extension seems to work fine when deploying from a public network. I'm therefore quite sure that this problem is tied to proxy and/or SSL inspection restrictions on the company network in question.
This still leaves me with the problem of more accurately pin-pointing the concrete problem. I'll need to know exactly what/how the management extension is failing in order to submit a change request for the company network infrastructure setup. Preferably with a minimal reproducer. Is this something you can help me with?
- Apr 19, 2022: I think that you can point them to the Microsoft article which states all the endpoints that need to be accessible and that it's not supported to use inspection to the manage.microsoft.com endpoint. You can show them that it does work on a non-inspected network and that it's failing on the corporate network. You have all the information you need for them to do something about this issue...
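
One way to check the SSL-inspection assumption discussed in this thread, as an added example that is not part of any post above: a PowerShell function that records the certificate chain and negotiated TLS protocol a network presents for a host, so the output from the corporate network can be compared with the output from a non-inspected one. The function name `Get-TlsChainReport` is hypothetical, and the script assumes the host is reachable directly on port 443 (it does not go through an explicitly configured proxy); the exact hostnames the extension contacts should be taken from the Microsoft endpoints article linked above.

```powershell
# Added example (not from the thread). Run it on the corporate network and on a
# non-inspected network, then compare the Issuer and Thumbprint columns.
function Get-TlsChainReport {
    param(
        [string]$HostName = 'manage.microsoft.com',  # host named in the thread
        [int]$Port = 443
    )
    $chainRows = New-Object System.Collections.ArrayList
    $state = @{ PolicyErrors = $null }

    # Diagnostic only: record what the network presents and accept it, so that a
    # chain that fails validation is still captured. No application data is sent.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($source, $certificate, $chain, $policyErrors)
        $state.PolicyErrors = $policyErrors
        $depth = 0
        foreach ($element in $chain.ChainElements) {
            $c = $element.Certificate
            [void]$chainRows.Add([pscustomobject]@{
                Depth      = $depth          # 0 = server certificate, highest = top of chain
                Subject    = $c.Subject
                Issuer     = $c.Issuer
                Thumbprint = $c.Thumbprint
                NotAfter   = $c.NotAfter
            })
            $depth++
        }
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)   # direct connection; does not use a configured proxy
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            [pscustomobject]@{
                HostName     = $HostName
                Protocol     = $ssl.SslProtocol
                PolicyErrors = $state.PolicyErrors
                Chain        = $chainRows
            }
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

$report = Get-TlsChainReport
$report | Format-List HostName, Protocol, PolicyErrors
$report.Chain | Format-Table Depth, Subject, Issuer, Thumbprint -AutoSize
```

If the chain seen on the corporate network ends in the company's custom root while the chain seen elsewhere does not, the traffic to that host is being re-signed by the inspection device, and the two outputs side by side serve as the evidence for a change request.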