From 353b86fed7a77a53091f7d4e505f4033d7160677 Mon Sep 17 00:00:00 2001 From: msarcletti <56821677+msarcletti@users.noreply.github.com> Date: Wed, 8 Mar 2023 17:05:55 +0100 Subject: [PATCH 1/3] Update policy-csp-networklistmanager.md Adjust the description to reflect changes in the Intune UI. Add additional information on how to test the NLS URLs. --- .../mdm/policy-csp-networklistmanager.md | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index 44eecc6ae9..f70e301d37 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md 
@@ -37,23 +37,25 @@ ms.topic: reference -List of URLs (seperated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated. +List of URLs to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated. -When entering a list of TLS endpoints in Microsoft Intune, use the following format, even in the UI: +- The HTTPS endpoint must not have any more authentication checks, such as sign-in or multi-factor authentication. +- The HTTPS endpoint must be an internal address not accessible from outside the organizational network. +- The client must trust the server certificate. So the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store. +- A certificate shouldn't be a public certificate. + +Test the URL using this command, it MUST return a HTTP_STATUS_OK 200 + +`Invoke-webrequest https://nls.corp.contoso.com -Method get -UseBasicParsing -MaximumRedirection 0` + +When entering a list of TLS endpoints in Microsoft Intune using a configruation profile with a custom template and the OMA URI, the URLs must be seperated by Unicode character 0xF000. It must be this format: `` -- The HTTPS endpoint must not have any more authentication checks, such as sign-in or multi-factor authentication. - -- The HTTPS endpoint must be an internal address not accessible from outside the organizational network. - -- The client must trust the server certificate. So the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store. - -- A certificate shouldn't be a public certificate. From c633df3ebb07053843ac7387540e97867e7144a1 Mon Sep 17 00:00:00 2001 
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 8 Mar 2023 14:13:44 -0500 Subject: [PATCH 2/3] Update windows/client-management/mdm/policy-csp-networklistmanager.md --- windows/client-management/mdm/policy-csp-networklistmanager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index f70e301d37..c10ddea1d6 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md @@ -37,7 +37,7 @@ ms.topic: reference -List of URLs to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated. +List of URLs (seperated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated. From 3388e82b335a52479354f2d0513be2b10349a729 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 8 Mar 2023 14:25:58 -0500 Subject: [PATCH 3/3] Update policy-csp-networklistmanager.md --- .../mdm/policy-csp-networklistmanager.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index c10ddea1d6..1c4f398a68 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md 
@@ -42,20 +42,19 @@ List of URLs (seperated by Unicode character 0xF000) to endpoints accessible onl - +- When entering a list of TLS endpoints in Microsoft Intune using a configuration profile with a custom template and the OMA URI, use the following format: `` - The HTTPS endpoint must not have any more authentication checks, such as sign-in or multi-factor authentication. - The HTTPS endpoint must be an internal address not accessible from outside the organizational network. - The client must trust the server certificate. So the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store. - A certificate shouldn't be a public certificate. -Test the URL using this command, it MUST return a HTTP_STATUS_OK 200 +To test the URL, use a PowerShell command similar to below: -`Invoke-webrequest https://nls.corp.contoso.com -Method get -UseBasicParsing -MaximumRedirection 0` - -When entering a list of TLS endpoints in Microsoft Intune using a configruation profile with a custom template and the OMA URI, the URLs must be seperated by Unicode character 0xF000. It must be this format: - -`` +```powershell +Invoke-WebRequest -Uri https://nls.corp.contoso.com -Method get -UseBasicParsing -MaximumRedirection 0 +``` +`StatusCode` return by the command must be 200 (`HTTP_STATUS_OK`).
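Review bot: In [PATCH 1/3], the added sentence beginning "When entering a list of TLS endpoints in Microsoft Intune using a configruation profile" misspells "configuration" and "separated" ("configruation", "seperated"), and the inline code span after "It must be this format:" is empty in the lines shown, so the reader gets no example of the 0xF000-separated value. Suggest correcting both spellings and confirming the example renders. In the test instruction, "Test the URL using this command, it MUST return a HTTP_STATUS_OK 200" is a comma splice and the cmdlet is written `Invoke-webrequest`; use `Invoke-WebRequest`, and say that the command is meant to be run from a client inside the organizational network, because a 200 response says nothing about the bullet requiring that the endpoint is not accessible from outside.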
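Review bot: In [PATCH 2/3], the restored parenthetical in the description line, "(seperated by Unicode character 0xF000)", carries the misspelling "seperated" back into the page; it should read "separated". This change puts back wording that PATCH 1/3 removed, and the commit message has only the file name as its subject, so a one-line reason for restoring the separator note in the description would help later readers of the history.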
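Review bot: In [PATCH 3/3], the added closing line "`StatusCode` return by the command must be 200 (`HTTP_STATUS_OK`)." should read "returned by the command". The new first bullet, "When entering a list of TLS endpoints in Microsoft Intune using a configuration profile with a custom template and the OMA URI, use the following format:", still ends in an empty inline code span in the lines shown and no longer names the 0xF000 separator, so the format is only recoverable from the description line; confirm the example value is present or restate the separator in the bullet. That bullet is also an instruction placed in a list whose other four items are requirements on the HTTPS endpoint and its certificate, so it would read better as a sentence before or after the list. Minor: `-Method get` could be `-Method Get` to match the corrected `Invoke-WebRequest` casing.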