This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Shahar_Grober
Advisor
‎2019-04-16 04:06 AM
Jump to solution

R80.20 Updatable Objects - Intune + Autopilot

Hi,

 

Are there updateable objects in R80.20 for Microsoft Intunes and Autopilot?

Intune:https://docs.microsoft.com/en-us/intune/network-bandwidth-use

Autopilot:https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements...

 

also, It would be nice if there could be a way to import/upload IP address xml, csv directly to the policy in R80.20 and not only via mgmt API. Or maybe there is something like this which I am not aware of

1 Solution

Accepted Solutions
Luke_Pattison
Explorer
‎2019-04-26 04:47 AM
In response to Dima_M
Jump to solution

Has anyone got this working for unattended out-of-the-box Autopilot deployments?

 

According to this link Intune is required for Autopilot:

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements...

 

There is an AppControl object for Intune, but look into the detail and HTTPS inspection is required. How do you get a cert on to the device for HTTPS inspection when the whole point of Autopilot is to do a zero touch deployment on a fresh machine?

 

I've tried allowing the updatable objects for Azure Services and Office365 Services, but still get a whole heap of dropped packets to something.deploy.static.akamaitechnologies.com that aren't recognised as any particular app or URL.

 

I'm starting to think that the only option is to provision a separate build network to each building and just blacklist a few categories for inappropriate or high risk apps and URLs rather than try and make white-listing work. Any other ideas?

View solution in original post

19 Replies
PhoneBoy
Admin
Admin
‎2019-04-18 05:50 PM
Jump to solution

I believe we'll have some way to specify your Updatable Objects feed (or maybe upload one) in a later release.
As for Intune/Autopilot, I have not seen these listed in the services for Updatable Objects.
Doesn't mean it can't be added in the future.
Shahar_Grober
Advisor
‎2019-04-21 03:27 AM
In response to PhoneBoy
Jump to solution

Thanks PB,

Is it possible to share it with R&D. I believe it is not a lot of effort to add Intune/Autopilot as Updatable Objects
Dima_M
Employee
Employee
‎2019-04-22 04:50 AM
In response to Shahar_Grober
Jump to solution

Hi Shahar and all,

We're here and listening 🙂  More use cases and vendor suggestions are always welcome.

I'll be glad to discuss the use case further on, please drop me an email...

 

Thanks,

Dima

 

Luke_Pattison
Explorer
‎2019-04-26 04:47 AM
In response to Dima_M
Jump to solution

Has anyone got this working for unattended out-of-the-box Autopilot deployments?

 

According to this link Intune is required for Autopilot:

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements...

 

There is an AppControl object for Intune, but look into the detail and HTTPS inspection is required. How do you get a cert on to the device for HTTPS inspection when the whole point of Autopilot is to do a zero touch deployment on a fresh machine?

 

I've tried allowing the updatable objects for Azure Services and Office365 Services, but still get a whole heap of dropped packets to something.deploy.static.akamaitechnologies.com that aren't recognised as any particular app or URL.

 

I'm starting to think that the only option is to provision a separate build network to each building and just blacklist a few categories for inappropriate or high risk apps and URLs rather than try and make white-listing work. Any other ideas?

sajin
Contributor
‎2020-01-02 04:13 AM
In response to Luke_Pattison
Jump to solution

Hi, Updatable Object for INTUNE is now available and still am getting blocked by deploy.static.akamaitechnologies.com. Do we need to allow Azure Cloud object along with INTUNE to work correctly.
Martin_Webster
Participant
‎2020-01-13 03:59 AM
In response to sajin
Jump to solution

Hi,

I'm getting very similar issues.  The following appear in my logs:

a104-75-172-68.deploy.static.akamaitechnologies.com (104.75.172.68)

a23-209-84-4.deploy.static.akamaitechnologies.com (23.209.84.4)

a23-216-100-183.deploy.static.akamaitechnologies.com (23.216.100.183)

a95-100-144-120.deploy.static.akamaitechnologies.com (95.100.144.120)

Intune has made a lot of noise go away.  

When will Autopilot be available as an Updatable Object?

PhoneBoy
Admin
Admin
‎2020-01-20 01:34 PM
In response to Martin_Webster
Jump to solution

Probably best to get the TAC involved if you haven't already.
0 Kudos
upmitnetworksec
Explorer
‎2020-05-13 04:58 AM
In response to Martin_Webster
Jump to solution

is a104-75-172-68.deploy.static.akamaitechnologies.com.working in Intune Updatebale objects because I can see above users' reply it is not working.
0 Kudos
Shahar_Grober
Advisor
‎2020-02-04 09:53 PM
In response to sajin
Jump to solution

the problem with intune and autopilot is that it uses many URLs that are not listed anywhere and unfortunately, you have to allow them manually

TAC will not able to assist in this case

a Tip from CPX: Try to contact Check Point overlay team via your local office, they might be able to assist 

0 Kudos
Shahar_Grober
Advisor
‎2020-02-26 09:06 AM
In response to Shahar_Grober
Jump to solution

Quick update, I can see in SDB that Intune was added as an Updatable object.

There is a relatively new SK about it 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I am testing to see if it is solving intune/autopilot issues. Will update as soon ...

0 Kudos
upmitnetworksec
Explorer
‎2020-05-13 04:49 AM
In response to Shahar_Grober
Jump to solution

Hello,

 

can anyone suggest if we allow Microsoft Intune + azure + office 365 updatable object then is it completing the requirement of Windows autopilot and is below URL;'s working when we allow those.

 

if not then how we can complete the project requirement in checkpoint(Allow Windows Autopilot )

 

Need urgent help on this.

 

a104-75-172-68.deploy.static.akamaitechnologies.com.

 

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-requirements

0 Kudos
Shahar_Grober
Advisor
‎2020-05-13 04:52 AM
In response to upmitnetworksec
Jump to solution

Intune updatable object should do the Job
and also remove https inspection if possible
0 Kudos
upmitnetworksec
Explorer
‎2020-05-13 04:54 AM
In response to Shahar_Grober
Jump to solution

is a104-75-172-68.deploy.static.akamaitechnologies.com.workign in Intune Updatebale objects because i can see above users' reply it is not working.
0 Kudos
Shahar_Grober
Advisor
‎2020-05-13 07:42 AM
In response to upmitnetworksec
Jump to solution

depends on your policy
This eventually should point you to Microsoft service
0 Kudos
upmitnetworksec
Explorer
‎2020-05-13 09:30 AM
In response to Shahar_Grober
Jump to solution

Hello,

Thanks for reply,But i didn’t get your point what is the policy means ?

 

if i allow microsoft intune + azure + Office 365 updatebale objects so deploy.static.akami url work or not.

 

Because i can see when autopilot runs first request goes for Akami url’s.

If this will not allow Akami url,s the  window autopilot won’t work.

Have you tested in your environment while allowing updateable objects.

 

0 Kudos
Shahar_Grober
Advisor
‎2020-05-13 09:38 AM
In response to upmitnetworksec
Jump to solution

on my environment it is working when we added intune updatable objects but we don't block access to Akamai. eventually akamai will resolve to a Microsoft/FQDN IP so the question if you block access to Akamai in your policy.
if you want to know if under the hood the updatable object contains this url, you will have to ask Check Point support.
I can tell you that we had some issues with https inspection and we had to exclude it from the networks that used for autopilot
0 Kudos
upmitnetworksec
Explorer
‎2020-05-13 09:53 AM
In response to Shahar_Grober
Jump to solution

Hello,

 

we only allow the networks in firewall so could  you please tell me how i can allow the Akami in our firewall and as of now Url filtering is not enabled.

Also,we have any any drop in our firewall.(Clean up rule)

so not getting any idea how i can allow Akami in My firewall.

 Thanks,

0 Kudos
Netadmin2020
Collaborator
‎2021-03-25 11:23 AM
In response to upmitnetworksec
Jump to solution

It s been almost 2 years from the first post. Is there a solution? I have all microst, azure,I tune updatable objects attached but still there are some destinations that are dropped. Thank you

Giorgio_Giustoz
Participant
‎2021-10-26 11:29 PM
In response to Luke_Pattison
Jump to solution

Hi, I don't think this is the best solution after 2 years from (R80.20 to R81). There is some news or updates about this issue?

Thank you!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events