Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Shahar_Grober
Advisor

R80.20 Updatable Objects - Intune + Autopilot

Jump to solution

Hi,

 

Are there updateable objects in R80.20 for Microsoft Intunes and Autopilot?

Intune:https://docs.microsoft.com/en-us/intune/network-bandwidth-use

Autopilot:https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements...

 

also, It would be nice if there could be a way to import/upload IP address xml, csv directly to the policy in R80.20 and not only via mgmt API. Or maybe there is something like this which I am not aware of

1 Solution

Accepted Solutions
Luke_Pattison
Explorer

Has anyone got this working for unattended out-of-the-box Autopilot deployments?

 

According to this link Intune is required for Autopilot:

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements...

 

There is an AppControl object for Intune, but look into the detail and HTTPS inspection is required. How do you get a cert on to the device for HTTPS inspection when the whole point of Autopilot is to do a zero touch deployment on a fresh machine?

 

I've tried allowing the updatable objects for Azure Services and Office365 Services, but still get a whole heap of dropped packets to something.deploy.static.akamaitechnologies.com that aren't recognised as any particular app or URL.

 

I'm starting to think that the only option is to provision a separate build network to each building and just blacklist a few categories for inappropriate or high risk apps and URLs rather than try and make white-listing work. Any other ideas?

View solution in original post

18 Replies
PhoneBoy
Admin
Admin
I believe we'll have some way to specify your Updatable Objects feed (or maybe upload one) in a later release.
As for Intune/Autopilot, I have not seen these listed in the services for Updatable Objects.
Doesn't mean it can't be added in the future.
Shahar_Grober
Advisor
Thanks PB,

Is it possible to share it with R&D. I believe it is not a lot of effort to add Intune/Autopilot as Updatable Objects
Dima_M
Employee
Employee

Hi Shahar and all,

We're here and listening 🙂  More use cases and vendor suggestions are always welcome.

I'll be glad to discuss the use case further on, please drop me an email...

 

Thanks,

Dima

 

Luke_Pattison
Explorer

Has anyone got this working for unattended out-of-the-box Autopilot deployments?

 

According to this link Intune is required for Autopilot:

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements...

 

There is an AppControl object for Intune, but look into the detail and HTTPS inspection is required. How do you get a cert on to the device for HTTPS inspection when the whole point of Autopilot is to do a zero touch deployment on a fresh machine?

 

I've tried allowing the updatable objects for Azure Services and Office365 Services, but still get a whole heap of dropped packets to something.deploy.static.akamaitechnologies.com that aren't recognised as any particular app or URL.

 

I'm starting to think that the only option is to provision a separate build network to each building and just blacklist a few categories for inappropriate or high risk apps and URLs rather than try and make white-listing work. Any other ideas?

View solution in original post

sajin
Contributor
Hi, Updatable Object for INTUNE is now available and still am getting blocked by deploy.static.akamaitechnologies.com. Do we need to allow Azure Cloud object along with INTUNE to work correctly.
Martin_Webster
Participant

Hi,

I'm getting very similar issues.  The following appear in my logs:

a104-75-172-68.deploy.static.akamaitechnologies.com (104.75.172.68)

a23-209-84-4.deploy.static.akamaitechnologies.com (23.209.84.4)

a23-216-100-183.deploy.static.akamaitechnologies.com (23.216.100.183)

a95-100-144-120.deploy.static.akamaitechnologies.com (95.100.144.120)

Intune has made a lot of noise go away.  

When will Autopilot be available as an Updatable Object?

PhoneBoy
Admin
Admin
Probably best to get the TAC involved if you haven't already.
0 Kudos
upmitnetworksec
Explorer
is a104-75-172-68.deploy.static.akamaitechnologies.com.working in Intune Updatebale objects because I can see above users' reply it is not working.
0 Kudos
Shahar_Grober
Advisor

the problem with intune and autopilot is that it uses many URLs that are not listed anywhere and unfortunately, you have to allow them manually

TAC will not able to assist in this case

a Tip from CPX: Try to contact Check Point overlay team via your local office, they might be able to assist 

0 Kudos
Shahar_Grober
Advisor

Quick update, I can see in SDB that Intune was added as an Updatable object.

There is a relatively new SK about it 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I am testing to see if it is solving intune/autopilot issues. Will update as soon ...

0 Kudos
upmitnetworksec
Explorer

Hello,

 

can anyone suggest if we allow Microsoft Intune + azure + office 365 updatable object then is it completing the requirement of Windows autopilot and is below URL;'s working when we allow those.

 

if not then how we can complete the project requirement in checkpoint(Allow Windows Autopilot )

 

Need urgent help on this.

 

a104-75-172-68.deploy.static.akamaitechnologies.com.

 

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements

0 Kudos
Shahar_Grober
Advisor
Intune updatable object should do the Job
and also remove https inspection if possible
0 Kudos
upmitnetworksec
Explorer
is a104-75-172-68.deploy.static.akamaitechnologies.com.workign in Intune Updatebale objects because i can see above users' reply it is not working.
0 Kudos
Shahar_Grober
Advisor
depends on your policy
This eventually should point you to Microsoft service
0 Kudos
upmitnetworksec
Explorer

Hello,

Thanks for reply,But i didn’t get your point what is the policy means ?

 

if i allow microsoft intune + azure + Office 365 updatebale objects so deploy.static.akami url work or not.

 

Because i can see when autopilot runs first request goes for Akami url’s.

If this will not allow Akami url,s the  window autopilot won’t work.

Have you tested in your environment while allowing updateable objects.

 

0 Kudos
Shahar_Grober
Advisor
on my environment it is working when we added intune updatable objects but we don't block access to Akamai. eventually akamai will resolve to a Microsoft/FQDN IP so the question if you block access to Akamai in your policy.
if you want to know if under the hood the updatable object contains this url, you will have to ask Check Point support.
I can tell you that we had some issues with https inspection and we had to exclude it from the networks that used for autopilot
0 Kudos
upmitnetworksec
Explorer

Hello,

 

we only allow the networks in firewall so could  you please tell me how i can allow the Akami in our firewall and as of now Url filtering is not enabled.

Also,we have any any drop in our firewall.(Clean up rule)

so not getting any idea how i can allow Akami in My firewall.

 Thanks,

0 Kudos
Netadmin2020
Contributor

It s been almost 2 years from the first post. Is there a solution? I have all microst, azure,I tune updatable objects attached but still there are some destinations that are dropped. Thank you

0 Kudos