    Microsoft Intune – Zscaler Client Connector connectivity issues: can't reach login.microsoftonline.com

    By Eswar Koneti | July 23, 8:59 pm | 3 Mins Read | App configuration policy | 8,263 Views

    Introduction:

    I was recently involved in setting up a Microsoft 365 POC (zero trust) and managing endpoints such as Windows, iOS, and Android using Microsoft Endpoint Manager (Intune).

    The Windows devices were set up using Autopilot and are purely Azure AD joined, with BitLocker keys stored in the cloud.

    To secure internet web traffic and enforce security policies such as tenant restrictions, this project uses Zscaler.

    Though we had Zscaler, we still went ahead and configured Windows Information Protection (WIP) to protect enterprise data, along with the following configurations.

    1. Device compliance policies.

    2. Device configuration policies.

    3. Endpoint security policies such as AV, Defender, etc.

    4. Security baseline policies for Windows 10, Microsoft Edge, and Defender.

    5. Windows Update for Business (WUfB).

    Issue:

    When the Zscaler Client Connector application was installed during device provisioning, users were unable to connect to the Zscaler app.

    The Zscaler application launches automatically during Windows login, and it fails with the following errors.

    Can’t reach this page. Make sure the web address https://login.microsoftonline.com is correct

    Can’t reach this page. Make sure the web address https://login.zscalerthree.com is correct

    Navigation to the webpage was canceled.


    Troubleshooting:

    Initially, when I saw this error, I thought it was something to do with the Zscaler profile configuration (the PAC file configured in the Zscaler portal) or a Windows 10 Network Isolation issue.

    We even considered issues with Windows Defender endpoint protection: Windows Defender AV or Windows Defender Application Guard.

    To confirm whether the issue lay with Microsoft Intune or Zscaler, I installed the Zscaler Client Connector app on a BYOD device that is not enrolled in Microsoft Intune. On the BYOD device, I could sign in to the Zscaler app. This confirmed that the issue only occurs on Intune-enrolled devices.

    To troubleshoot further, I used Fiddler and Wireshark to trace the web traffic and the network traffic.

    With Fiddler running, I started the Zscaler app, and it connected to the service successfully.

    I also tried capturing a network trace using Wireshark, but did not have much success with that either.

    Since none of these external tools helped much in tracing the problem, I started looking at the Windows Defender policies and excluded the Zscaler client app. This did not help either.

    During the investigation, I decided to exclude the test group the user is a member of from the WIP policy and try again. This time, it worked fine.

    So finally I figured out that the issue lies within the boundaries of Windows Information Protection.

    Time to play with the WIP policies and see which configuration is blocking the connectivity.

    First, I added the following URLs to the cloud resources in the WIP policy.

    .zscalerthree.net|.zscaler.net|login.microsoftonline.com|login.zscalerthree.net

    This configuration did not help much.

    The next configuration change is to add the Zscaler app to the WIP protected apps.

    You can use the following PowerShell command to get the publisher information, which is added to the WIP policy as a desktop app.

    Get-AppLockerFileInformation -Path "C:\Program Files (x86)\Zscaler\ZSATray\ZSATray.exe"  | fl *

    Path      : %PROGRAMFILES%\ZSCALER\ZSATRAY\ZSATRAY.EXE
    Publisher : O=ZSCALER, INC., L=SAN JOSE, S=CALIFORNIA, C=US\CLIENT CONNECTOR\ZSATRAY.EXE,3.4.1.4
    Hash      : SHA256 0xF3E5AA3EE62395DFE8BBE5D8CB5A56ADA1652D166F2739317B138750D412DDD8
    AppX      : False

    Add this application to the WIP policy and save the changes.
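    As an added example (not from the original post), the following PowerShell splits the publisher string returned by Get-AppLockerFileInformation into the publisher, product name, binary name and version fields that the WIP desktop app entry asks for, and emits the equivalent AppLocker publisher condition so it can be compared with the policy that lands on the device. The function name ConvertTo-WipDesktopApp is my own; the sample string is the ZSATray.exe value shown above.

```powershell
# Added example: parse "<publisher DN>\<product name>\<binary name>,<version>"
# into the fields the Intune WIP "desktop app" form asks for.
function ConvertTo-WipDesktopApp {
    param(
        [Parameter(Mandatory)][string]$PublisherString,
        [string]$MinVersion = '*',   # '*' = no lower bound, as in the WIP form
        [string]$MaxVersion = '*'    # '*' = no upper bound
    )
    # The publisher DN itself contains commas ("O=ZSCALER, INC., L=SAN JOSE, ..."),
    # so split on the backslash separators first and only then peel off the version.
    $parts = $PublisherString -split '\\'
    if ($parts.Count -lt 3) {
        throw "Unexpected publisher format: '$PublisherString'"
    }
    $publisher        = $parts[0]
    $product          = $parts[1]
    $binaryAndVersion = ($parts[2..($parts.Count - 1)]) -join '\'
    $commaIdx         = $binaryAndVersion.LastIndexOf(',')
    if ($commaIdx -lt 0) {
        $binary  = $binaryAndVersion   # unsigned-version form: no trailing ",x.y.z"
        $version = $null
    } else {
        $binary  = $binaryAndVersion.Substring(0, $commaIdx)
        $version = $binaryAndVersion.Substring($commaIdx + 1)
    }
    [pscustomobject]@{
        Publisher     = $publisher
        ProductName   = $product
        BinaryName    = $binary
        SignedVersion = $version
        MinVersion    = $MinVersion
        MaxVersion    = $MaxVersion
        # Same condition WIP/AppLocker evaluates on the device; a hash or version
        # bump of the binary does not break a publisher-based match.
        AppLockerXml  = @"
<FilePublisherCondition PublisherName="$publisher" ProductName="$product" BinaryName="$binary">
  <BinaryVersionRange LowSection="$MinVersion" HighSection="$MaxVersion" />
</FilePublisherCondition>
"@
    }
}

# Publisher string exactly as printed above for ZSATray.exe 3.4.1.4
$zsaTray = 'O=ZSCALER, INC., L=SAN JOSE, S=CALIFORNIA, C=US\CLIENT CONNECTOR\ZSATRAY.EXE,3.4.1.4'
ConvertTo-WipDesktopApp -PublisherString $zsaTray | Format-List

# On a device with the app installed, feed the live value instead (assumes the
# Publisher property's string form matches what "fl *" printed):
# (Get-AppLockerFileInformation -Path "C:\Program Files (x86)\Zscaler\ZSATray\ZSATray.exe").Publisher.ToString() |
#     ForEach-Object { ConvertTo-WipDesktopApp -PublisherString $_ }
```

    Leaving both version bounds at `*` keeps the entry valid across Zscaler client updates, which is what you want for an agent that auto-launches at logon.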

    Wait for the policy sync, then launch the Zscaler Client Connector app. This time, the application connects to the Zscaler service and functions correctly.

    The endpoint URLs that connect to Azure AD and the Zscaler service are now allowed.

    It took a couple of days to figure out where the issue was, and the fix is to add the Zscaler app to the app protection policy (WIP).

    Hope this helps!
