Auto-Pilot VPN deployment

Hey everyone,

I’m looking for a direction on this new deployment we’re moving forward with.

Security has released a new app, Zscaler, and they want it deployed to all new machines during Autopilot. Once Zscaler is installed, though, it halts all communication with the internet until the user logs in, which they can’t see because the Autopilot page is blocking them.

So the user deployment fails, a ticket is created, and the tier 1 team thinks they need to ship them a different computer.

Anyone have an idea on how I should deploy this software to eliminate these types of issues? I’m looking for articles that I can build my workflows off of from here.

Thanks!

Make sure Intune and all MSFT services are whitelisted in Zscaler.

The way we have Zscaler configured on our Autopilot devices:

  1. All the management URLs needed for Autopilot and Azure are whitelisted in the Zscaler management console; this was done by our Infosec/Networking team, who share management of Zscaler.
  2. Zscaler is installed as a Required app to all Windows Autopilot enrolled devices, with the install flags to force SSO and point to our Zscaler instance.

When a device is built, Zscaler isn’t installed during the OOBE/ESP/Autopilot build, but installs pretty much immediately on user login. When we had Zscaler included in the ESP required apps load, it was causing issues.

Maybe try to deploy it to All Devices rather than your Autopilot group; that way it comes down after the user logs in.

We deploy it at the end of ESP, making other apps a dependency. It is a pain because we can’t pre-provision, but we are still looking into it too.

Do they have M365 policy applied in Zscaler to allow the management traffic?

I’ve seen this with one of my customers, and I would expect the security team to handle this.

Are you able to influence this?

Been a while, but doesn’t Zscaler need to be configured to log in before the user at system start?

With my SonicWall and Fortinets I have to use policies to get it to log in at system startup, before the user.

Install as an app with a dependency, maybe, or just set the install script to have a delay.

We had a similar issue with another AV client. We set a requirement rule to run after the ESP has finished; you could just build one for it.
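An added example, not code from the thread, of what such a requirement rule could look like; it also covers the earlier suggestion of delaying the install script, since holding the app back until the rule passes is the cleaner form of a delay. It is an Intune Win32 app requirement script run as SYSTEM by the management extension. The assumption it rests on is that explorer.exe is not running in any session until the Enrollment Status Page has handed over to the desktop, so its presence together with an interactively logged-on user is taken as "ESP has finished"; the Intune rule settings in the comment are likewise assumptions, not settings the thread states.

```powershell
# Added example (not from the thread): Intune Win32 app requirement script that
# only passes once the Enrollment Status Page has handed over to the desktop,
# so a network-altering client such as Zscaler is not installed mid-build.
#
# Assumption: explorer.exe does not run in any session until ESP completes.
# Intune runs this script as SYSTEM, so Get-Process sees every session.
#
# Assumed Intune rule settings (Requirement rule type: Script):
#   Run script as 32-bit process on 64-bit clients: No
#   Run this script using the logged-on credentials: No
#   Output data type: String   Operator: Equals   Value: ESPComplete

$shellRunning = [bool](Get-Process -Name 'explorer' -ErrorAction SilentlyContinue)
$loggedOnUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

if ($shellRunning -and -not [string]::IsNullOrEmpty($loggedOnUser)) {
    # Desktop is up and a user is signed in: requirement met, install may proceed.
    Write-Output 'ESPComplete'
}
else {
    # Still inside OOBE/ESP: report a non-matching value so Intune treats the
    # requirement as not met and re-evaluates on a later check-in.
    Write-Output 'ESPPending'
}

exit 0
```

Because the output is compared as a string, the script exits 0 in both branches and lets the value decide; a non-zero exit code would not communicate "not yet" as clearly to the requirement evaluation. The same script can be reused as the requirement rule for any other client that cuts or re-routes the network during install.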

Can you try configuring the ESP setting "Block device use until required apps are installed if they are assigned to user/device" and listing out all the other mandatory apps except for the Zscaler app? So Autopilot will run and the listed apps will be installed and the desktop is presented to the user, after which it will install Zscaler in the background. So if your Zscaler prompts for a reboot, then the user can reboot the machine and it will get installed successfully. I ran into a similar issue with the Adobe package and it got sorted out.

I’ve always found installing a VPN during any OSD method problematic. It will kill the network connection for a second, which almost always breaks things.

I thought about that, but it’s not deployed to devices but to users. So Autopilot detects that the user needs it, installs it, and it causes it to error out since it can’t check back in.

Maybe. I’ll poke a few people and see what I can dig up.

Thanks for the info.

Why is it deployed to Users rather than devices?

The Zscaler licenses are user based, but you should be able to install the client with a device advertisement.

You’re welcome. Report back the feedback, if possible :slight_smile:

I just got here. I haven’t been to one meeting about this and that’s what was decided way before I started. :sweat_smile:

We’ll sort it all out eventually.

Fair play, I know how that goes.

One option you could go with might be to give Zscaler a dependency on any app that installs after Autopilot completes; that way it’s required but installs last. The poor man’s task sequence.