Introduction:
I was recently involved to setup Microsoft 365 POC (zero trust) and manage the endpoints such as windows, iOS, android using Microsoft Endpoint Manager (Intune).
The windows devices were set up using autopilot and are purely azure AD joined with Bitlocker keys in the cloud.
To secure the internet web traffic and to enforce the security policies such as tenant restrictions etc, this project uses Zscaler.
Though we had zscaler, we still went ahead and configured Windows Information Protection (WIP) to protect enterprise data along with the following configurations.
1. Device compliance policies.
2. Device configuration policies.
3. Endpoint security policies such as AV, defender, etc
4. Security baseline policies for windows 10, Microsoft Edge, and Defender.
5. Windows update for business (wufb)
Issue:
When the zscaler client connectivity application was installed during the device provisioning, users were unable to connect to the zscaler app.
Zscaler application launches automatically during the windows login, and it fails with the following error codes.
Can’t reach this page. Make sure the web address https://login.microsoftonline.com is correct
Can’t reach this page. Make sure the web address https://login.zscalerthree.com is correct
Navigation to the webpage was canceled.
Troubleshooting:
Initially, when I saw this error code, I thought it was something to do with the zscaler profile configuration; PAC file that was configured at the zscaler portal, or Windows 10 Network Isolation issue.
We even contemplated issues with Windows Defender Endpoint protection; Windows Defender AV or Windows Defender Application guard.
In order to confirm if the issue is at Microsoft Intune or Zscaler, I had installed the zscaler client connector app on a BYOD device that is not enrolled to Microsoft Intune. On the BYOD device, I can sign in to the Zscaler app. This confirms that the issue is happening only for intune enrolled devices.
To troubleshoot the issue further, I have used fiddler and Wireshark to trace the web traffic and also network traffic.
I had launched the fiddler, started to run the zscaler app, it can connect to the service successfully.
I have tried capturing the network trace using Wireshark, not had much success with it too.
Since all these external tools not helping much to trace the problem, I have started looking at the windows defender policies and excluded the zscaler client app. This did not help too.
During the investigation of this issue, I thought to exclude (test group where the user is a member of ) the WIP policy and try again. This time, it works fine.
So finally, figured out that, the issue lies in the boundaries of windows information protection.
Time to play with WIP policies and see what confirmation is blocking the connectivity.
First, I have added the following urls to cloud resources in the WIP policy.
.zscalerthree.net|.zscaler.net|login.microsoftonline.com|login.zscalerthree.net
This configuration did not help much.
The next configuration change is to add zscaler app into WIP protected application.
You can use the PowerShell command to get the publisher information which will be added to WIP policy as a desktop app.
Get-AppLockerFileInformation -Path "C:\Program Files (x86)\Zscaler\ZSATray\ZSATray.exe" | fl *
Path : %PROGRAMFILES%\ZSCALER\ZSATRAY\ZSATRAY.EXE
Publisher : O=ZSCALER, INC., L=SAN JOSE, S=CALIFORNIA, C=US\CLIENT CONNECTOR\ZSATRAY.EXE,3.4.1.4
Hash : SHA256 0xF3E5AA3EE62395DFE8BBE5D8CB5A56ADA1652D166F2739317B138750D412DDD8
AppX : False
Add this application into WIP policy, save changes.
Wait for the policy sync, launch the zscaler connectivity app. This time, the application will connect to zscaler service and function correctly.
The endpoint urls that are connecting to the Azure AD,zscaler service are now allowed.
It took couple of days to figure out where the issue is and the fix is to add the zscalar app into app protection policy (WIP).
Hope this helps!