
The Update firewall configurations for new Intune network service endpoints will not run

Trish Wood 0 Reputation points
2026-04-03T20:30:11.2366667+00:00

I tried to run the Azure Front Door Connectivity Diagnostics Tool and it would not run. I ran it as a user and as admin, downloaded the PSTools.zip software, and it still didn't work. I am losing time and patience with this.

Azure Firewall

An Azure network security service that is used to protect Azure Virtual Network resources.


3 answers

  1. Ganesh Patapati 11,995 Reputation points Microsoft External Staff Moderator
    2026-04-09T18:42:15.1066667+00:00

    Hello Trish Wood

    The Azure Front Door Connectivity Diagnostics Tool you’re using is really just a PowerShell script under the covers, so if it “won’t run” it’s almost always one of these environment issues:

    1. PowerShell version
      • Run $PSVersionTable.PSVersion. You need at least Windows PowerShell 5.1 or PowerShell 7.x.
    2. Execution policy
      • If Get-ExecutionPolicy returns Restricted, do: Set-ExecutionPolicy RemoteSigned -Scope Process
    3. Unblock the downloaded files
      • Right-click the PSTools.zip you downloaded, choose Properties, click Unblock, then extract.
      • Also unblock any .ps1 files before running: Unblock-File -Path .\Update-IntuneEndpoints.ps1 (or whatever the script is named).
    4. Run in an elevated session
      • Open PowerShell as Administrator, cd into the folder, then execute the script with .\Update-IntuneEndpoints.ps1 (or via PsExec if that’s how the tool is designed).

    If you’re still seeing errors, here are a couple of alternatives to get your firewall updated:

    • Manually allow all Intune service endpoints (FQDNs and IP ranges) through your firewall by using the “Intune network configuration requirements and bandwidth” documentation.
    • Use the Az.FrontDoor PowerShell cmdlet instead of the downloadable script:
    1. Install-Module Az.FrontDoor -Scope CurrentUser
    2. Connect-AzAccount
    3. Test-AzFrontDoorConnectivity -ResourceGroupName '<yourRG>' -FrontDoorName '<yourFDName>' -SubscriptionId '<yourSubID>'

    Hope that helps unblock you! If it’s still failing, could you please share:

    • The exact error message or output you see when you run the .ps1
    • Your PowerShell version ($PSVersionTable)
    • Your execution policy (Get-ExecutionPolicy -List)
    • The OS version you’re on and whether any AppLocker/antivirus policies might be blocking scripts.

    MS docs: Azure Front Door Connectivity Diagnostics Tool


    Can you please update us if the action plan provided was helpful?

    If this answers your question, click "Upvote" and click "Accept Answer", which may be beneficial to other community members reading this thread.


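The four checks in the answer above (engine version, execution policy, mark-of-the-web on the downloaded file, elevation) can be run as one pre-flight report before launching the diagnostics script. This is an added example, not code from the thread or from Microsoft's tool; it assumes a Windows host, that the script path you pass is the .ps1 you downloaded, and that the 5.1 minimum stated in the thread is the one you care about. The `-Remediate` switch only unblocks the file and relaxes policy for the current process; it writes nothing persistent and cannot override a GPO-set MachinePolicy, which is why the report shows which scope is setting the policy.

```powershell
# Added example (not from any answer in this thread): pre-flight report for a
# downloaded .ps1 such as the Intune AFD diagnostics script.
function Test-ScriptPreflight {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [switch]$Remediate    # unblock the file and relax policy for this process only
    )

    if (-not (Test-Path -LiteralPath $ScriptPath)) { throw "Script not found: $ScriptPath" }
    $r = [ordered]@{ Script = (Resolve-Path -LiteralPath $ScriptPath).Path }

    # 1. Engine version (the thread says 5.1 or later) and language mode.
    #    AppLocker/WDAC can force ConstrainedLanguage, which breaks most admin scripts.
    $v = $PSVersionTable.PSVersion
    $r.PSVersion    = $v.ToString()
    $r.VersionOk    = ($v.Major -gt 5) -or ($v.Major -eq 5 -and $v.Minor -ge 1)
    $r.LanguageMode = $ExecutionContext.SessionState.LanguageMode.ToString()

    # 2. Effective execution policy and the scope that is setting it
    #    (Get-ExecutionPolicy -List is ordered by precedence, so the first
    #    scope that is not Undefined is the one that wins).
    $r.EffectivePolicy = (Get-ExecutionPolicy).ToString()
    $r.PolicySetBy = (Get-ExecutionPolicy -List |
                      Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
                      Select-Object -First 1).Scope

    # 3. Mark-of-the-Web: a Zone.Identifier stream marks a file downloaded from
    #    the Internet zone; RemoteSigned refuses such a file unless it is signed.
    $zone = Get-Item -LiteralPath $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $r.HasMarkOfTheWeb = [bool]$zone

    # 4. Authenticode status (NotSigned + MOTW + RemoteSigned = "cannot be loaded").
    $r.Signature = (Get-AuthenticodeSignature -FilePath $ScriptPath).Status.ToString()

    # 5. Elevation, for scripts that change firewall/network settings or spawn PsExec.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $r.Elevated = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
                      [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Verdict: list what will actually stop the script from loading.
    $blockers = @()
    if (-not $r.VersionOk) { $blockers += 'PowerShell older than 5.1' }
    if ($r.LanguageMode -ne 'FullLanguage') { $blockers += "language mode is $($r.LanguageMode)" }
    switch ($r.EffectivePolicy) {
        'Restricted'   { $blockers += 'execution policy is Restricted' }
        'AllSigned'    { if ($r.Signature -ne 'Valid') { $blockers += 'AllSigned policy and the script is not validly signed' } }
        'RemoteSigned' { if ($r.HasMarkOfTheWeb -and $r.Signature -ne 'Valid') { $blockers += 'RemoteSigned policy and the downloaded file is unsigned (unblock it)' } }
    }
    $r.Blockers = $blockers

    if ($Remediate -and $blockers) {
        # Unblock-File strips the Zone.Identifier stream; -Scope Process changes the
        # policy only for this window (no registry or GPO change is persisted).
        Unblock-File -LiteralPath $ScriptPath
        if ($r.EffectivePolicy -in 'Restricted', 'AllSigned') {
            Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
        }
        $r.Remediated = $true
    }
    [pscustomobject]$r
}

# Usage (script name as given later in the thread; the folder is a placeholder):
# Test-ScriptPreflight -ScriptPath C:\Tools\IntuneAFD\Test-IntuneAFDConnectivity.ps1 -Remediate | Format-List
```

If `Blockers` is empty and the script still produces no output, the remaining suspects are the ones the answer lists last: AppLocker/WDAC script rules and endpoint security software, which show up as `LanguageMode` other than `FullLanguage` or as events in the AppLocker and Defender operational logs rather than as an execution-policy error.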

  2. Vallepu Venkateswarlu 10,180 Reputation points Microsoft External Staff Moderator
    2026-04-03T21:09:28.3533333+00:00

    Hi @Trish Wood,

    Welcome to Microsoft Q&A Platform

    As per the documentation, the Azure Front Door Connectivity Diagnostics Tool requires PowerShell version 5.1 or later. You can verify your local PowerShell version by running:

    $PSVersionTable
    

    If the version is below 5.1, please upgrade to a supported version and retry.

    Common causes for Diagnostics Tool fail on your machine:

    • Corporate security blocking PSTools: PsExec is often blocked by AV/Defender
    • Execution policy / SmartScreen: the EXE is silently blocked

    Alternative troubleshooting approach

    If the diagnostics tool is not working, you can still validate Azure Front Door connectivity using the following methods:

    Note: You can also troubleshoot Azure Front Door issues by reviewing the health probe logs. Additionally, you can check the Front Door endpoints or directly access the backend application URL to verify backend health.

    Test Front Door endpoint

    curl -v https://<your-domain>
    

    or

    curl -v https://<frontdoor-endpoint>
    

    Check for:

    • TLS handshake success
    • Response headers
    • Errors such as 403, 502, or timeouts.

    Test backend directly (bypassing Front Door)

    curl -v https://<backend-endpoint>
    

    If the backend request fails, the issue is likely with the backend service rather than Azure Front Door.

    Enable and review diagnostics logs

    For deeper analysis, enable diagnostics logging for your Azure Front Door:

    • Go to Front Door resource → Diagnostic settings
    • Enable logs and send them to a Log Analytics workspace
    • Select all relevant categories

    After enabling:

    • Wait ~30 minutes
    • Review logs in Log Analytics

    Please check the

    These logs will help identify whether the issue is related to backend health, routing, or connectivity.

    If the above steps did not help resolve your issue, please feel free to share the details in a private message so we can proceed with further troubleshooting over a Teams call. I am happy to connect with you on Teams to investigate and resolve the issue.

    Please “up-vote” wherever the information provided helps you; this can be beneficial to other community members.



  3. AI answer

    2026-04-03T20:30:30.72+00:00

    The Azure Front Door Connectivity Diagnostics Tool is a PowerShell script (Test-IntuneAFDConnectivity.ps1). To get it to run and use it to validate the new Intune network service endpoints, follow these steps and checks:

    1. Confirm script location and execution
      1. Download and extract the script to a local folder (for example, C:\Tools\IntuneAFD).
      2. Open Windows PowerShell as Administrator.
      3. Change to the folder where the script is stored:
              Set-Location C:\Tools\IntuneAFD
        
      4. Run the script for public cloud:
              .\Test-IntuneAFDConnectivity.ps1
        
        For US Government/GCC High/DoD:
              .\Test-IntuneAFDConnectivity.ps1 -CloudType gov
        
    2. Use detailed logging to see why it “won’t run”
       If the script exits immediately or returns an error, run with verbose and detailed logging to capture diagnostics:
         .\Test-IntuneAFDConnectivity.ps1 -LogLevel Detailed -OutputPath "C:\Logs" -Verbose
      
      Then review the log files in C:\Logs for any PowerShell or connectivity errors.
    3. Check PowerShell execution policy
       If the script is blocked by execution policy, set a temporary policy for the current process:
         Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
      
      Then rerun the script from the same PowerShell window.
    4. Validate firewall/proxy/VPN for Azure Front Door and Intune endpoints
       Even if the script starts, failures in its tests indicate network blocks:
      • If Azure Front Door IP Address tests show failed IPs or ranges, ensure Azure Firewall or any upstream firewall/proxy/VPN allows outbound TCP 80 and 443 to the Azure Front Door IP ranges used by Intune. These are documented under the Intune client and host service entry (ID 163), including the Azure Front Door ranges:
        • 13.107.219.0/24
        • 13.107.227.0/24
        • 13.107.228.0/23
        • 150.171.97.0/24
        • 2620:1ec:40::/48
        • 2620:1ec:49::/48
        • 2620:1ec:4a::/47
      • Ensure the Intune client and host service FQDNs and IP subnets are allowed outbound on TCP 80/443, for example:
        • *.manage.microsoft.com
        • manage.microsoft.com
        • *.dm.microsoft.com
        • EnterpriseEnrollment.manage.microsoft.com
        • And the associated IP subnets listed under ID 163.
    5. Confirm no SSL inspection or HTTPS break/inspect on critical endpoints
       SSL inspection is not supported on some Intune-related endpoints (for example, Microsoft Store API and Defender for Endpoint). If the script reports “HTTPS endpoint unreachable”, check for:
      • HTTPS inspection or TLS interception on:
        • Intune service FQDNs
        • Azure Front Door IP ranges used by Intune
       Disable inspection for these endpoints or add appropriate bypass rules.
    6. Ensure firewall configuration is updated for upcoming Intune changes
       As part of the Secure Future Initiative, starting on or shortly after December 2, 2025, Intune network service endpoints will also use Azure Front Door IP addresses. For environments using Azure Firewall or other IP-based allowlists:
      • Do not remove existing Intune endpoints.
      • Add the Azure Front Door IP ranges for Intune (via the AzureFrontDoor.MicrosoftSecurity service tag in the Azure IP Ranges and Service Tags file for public cloud).
      • Review and update any third-party firewall or proxy allowlists accordingly.
    7. If the script still will not start at all
       If there is no output and no log file created even with -Verbose and -LogLevel Detailed:
      • Re-download the script to ensure it is not corrupted.
      • Confirm it is being run from PowerShell (not CMD) and that the current directory is the script directory.
      • Verify that security software on the machine is not blocking PowerShell script execution.

    Once the script runs successfully, use its exit code and detailed log output to identify any remaining blocked FQDNs or IP ranges, then adjust Azure Firewall and any other network devices to allow the required Intune and Azure Front Door endpoints on the specified ports.


    AI-generated content may be incorrect. Read our transparency notes for more information.

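The curl tests in the second answer (TLS handshake, response headers, 403/502/timeouts) and points 4 and 5 of the AI answer (is the resolved address in the Azure Front Door ranges, is something intercepting HTTPS) can be combined into one probe. This is an added example, not the diagnostics tool's code or anything from the thread. It assumes: the IP ranges pasted below are the ones the AI answer lists (copied as illustrative input, not independently verified here); that the `X-Azure-Ref` response header marks a request that went through Front Door; and that the host names you pass are the Intune FQDNs and your own Front Door/backend endpoints.

```powershell
# Added example (not from any answer in this thread): HTTPS probe that records
# DNS answer, TCP reachability, TLS version and chain, HTTP status and headers.

# Ranges copied from point 4 of the AI answer above; illustrative input only.
$AfdRangesFromThread = @(
    '13.107.219.0/24', '13.107.227.0/24', '13.107.228.0/23', '150.171.97.0/24',
    '2620:1ec:40::/48', '2620:1ec:49::/48', '2620:1ec:4a::/47'
)

function Test-IpInCidr([string]$Ip, [string]$Cidr) {
    # Prefix-length comparison on raw address bytes; works for IPv4 and IPv6.
    $net, $bits = $Cidr -split '/'
    $a = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $b = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($a.Length -ne $b.Length) { return $false }        # v4 address against a v6 range
    $bits = [int]$bits
    for ($i = 0; $i -lt $a.Length -and $bits -gt 0; $i++) {
        $take = [Math]::Min(8, $bits)
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($b[$i] -band $mask)) { return $false }
        $bits -= 8
    }
    return $true
}

function Test-HttpsEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string]$Path = '/',
        [int]$TimeoutMs = 5000,
        [string[]]$ExpectedRanges = $AfdRangesFromThread
    )
    $r = [ordered]@{ Host = $HostName; Port = $Port }
    $client = $null; $ssl = $null
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object IPAddressToString
        $r.ResolvedIPs = $ips -join ', '
        $r.InExpectedRange = @($ips | Where-Object { $ip = $_; $ExpectedRanges | Where-Object { Test-IpInCidr $ip $_ } }).Count -gt 0

        $client = New-Object System.Net.Sockets.TcpClient
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out after $TimeoutMs ms" }
        $client.EndConnect($async)
        $r.TcpConnected = $true

        # TLS: accept any certificate in the callback, then judge the chain ourselves so
        # an inspection proxy's root is reported instead of being silently trusted.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $r.TlsProtocol = $ssl.SslProtocol.ToString()
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'    # keep the probe fast and offline-safe
        $r.ChainValid  = $chain.Build($cert)
        $r.LeafSubject = $cert.Subject
        $r.RootCA      = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject

        # Minimal HTTP/1.1 GET so we see the status and headers the edge returns.
        $req = "GET $Path HTTP/1.1`r`nHost: $HostName`r`nUser-Agent: afd-probe/1.0`r`nConnection: close`r`n`r`n"
        $buf = [System.Text.Encoding]::ASCII.GetBytes($req)
        $ssl.Write($buf, 0, $buf.Length); $ssl.Flush()
        $reader = New-Object System.IO.StreamReader($ssl)
        $status = $reader.ReadLine()
        $r.StatusCode = [int]($status -split ' ')[1]
        $headers = @{}
        while (($line = $reader.ReadLine()) -and $line -ne '') {
            $k, $v = $line -split ':\s*', 2
            $headers[$k.ToLower()] = $v
        }
        $r.Server    = $headers['server']
        $r.XAzureRef = $headers['x-azure-ref']      # present when Front Door served the request
    }
    catch { $r.Error = $_.Exception.Message }
    finally { if ($ssl) { $ssl.Dispose() }; if ($client) { $client.Close() } }
    [pscustomobject]$r
}

# Usage: FQDN from the thread's Intune list plus placeholders for your own endpoints.
# 'manage.microsoft.com', '<frontdoor-endpoint>', '<backend-endpoint>' |
#     ForEach-Object { Test-HttpsEndpoint -HostName $_ } |
#     Format-Table Host, ResolvedIPs, InExpectedRange, TlsProtocol, ChainValid, RootCA, StatusCode, XAzureRef, Error
```

Reading the output: `TcpConnected` missing with an `Error` of a timeout is a firewall or proxy block on 443; `ChainValid` true with a `RootCA` that is your corporate CA rather than a public one means the connection is being inspected, which the AI answer says some Intune endpoints do not tolerate; `ResolvedIPs` outside `InExpectedRange` for an Intune FQDN means the allowlist built from those ranges would not cover this client's path; and `StatusCode` 403 or 502 with an `XAzureRef` present shows the edge was reached and the failure is behind it.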

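Point 6 of the AI answer says to add the Azure Front Door ranges for Intune from the `AzureFrontDoor.MicrosoftSecurity` service tag without removing existing Intune endpoints. The following is an added example of doing that for an Azure Firewall, not code from the thread or from Microsoft. It assumes a classic-rules Azure Firewall (not one managed by Firewall Policy), the Az.Network module with an authenticated session (`Connect-AzAccount`), that the service tag name given in the AI answer appears in the service-tag list returned by `Get-AzNetworkServiceTag`, and placeholder resource names and source subnets. It goes one step beyond the answer by pulling the current prefixes from the service tag instead of hard-coding them, and by reporting which prefixes the change adds or drops before anything is written.

```powershell
#Requires -Modules Az.Network
# Added example (not from any answer in this thread): keep one Azure Firewall network
# rule collection in sync with the prefixes of a service tag, reporting the delta.

function Get-ServiceTagPrefixes {
    param(
        [Parameter(Mandatory)][string]$Location,          # any region; the list is global
        [string]$TagName = 'AzureFrontDoor.MicrosoftSecurity'   # name from the AI answer
    )
    $tag = (Get-AzNetworkServiceTag -Location $Location).Values |
           Where-Object Name -eq $TagName
    if (-not $tag) { throw "Service tag '$TagName' not present in the list for $Location" }
    @($tag.Properties.AddressPrefixes)                    # IPv4 and IPv6 CIDRs
}

function Update-IntuneAfdNetworkRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$FirewallName,
        [Parameter(Mandatory)][string[]]$SourceAddress,   # client subnets, e.g. '10.10.0.0/16'
        [string]$CollectionName = 'Allow-Intune-AFD',
        [int]$Priority = 210
    )
    $fw = Get-AzFirewall -ResourceGroupName $ResourceGroupName -Name $FirewallName
    $prefixes = Get-ServiceTagPrefixes -Location $fw.Location

    # Work out the delta first; a change that silently drops ranges is the thing to catch.
    $existing = $fw.NetworkRuleCollections | Where-Object Name -eq $CollectionName
    $current  = if ($existing) { @($existing.Rules | ForEach-Object { $_.DestinationAddresses }) } else { @() }
    $delta = [pscustomobject]@{
        Added   = @($prefixes | Where-Object { $_ -notin $current })
        Removed = @($current  | Where-Object { $_ -notin $prefixes })
        Total   = $prefixes.Count
    }

    # The thread says Intune needs TCP 80 and 443 to these ranges.
    $rule = New-AzFirewallNetworkRule -Name 'Intune-via-AFD' `
        -Description 'Intune client/host traffic served from Azure Front Door' `
        -Protocol TCP -SourceAddress $SourceAddress `
        -DestinationAddress $prefixes -DestinationPort '80', '443'
    $col = New-AzFirewallNetworkRuleCollection -Name $CollectionName -Priority $Priority `
        -Rule $rule -ActionType Allow

    # Only this collection is replaced; existing Intune rules elsewhere stay in place.
    if ($existing) { [void]$fw.NetworkRuleCollections.Remove($existing) }
    $fw.AddNetworkRuleCollection($col)

    if ($PSCmdlet.ShouldProcess($FirewallName, "replace network rule collection '$CollectionName'")) {
        Set-AzFirewall -AzureFirewall $fw | Out-Null
    }
    $delta
}

# Dry run prints the prefix delta without touching the firewall; drop -WhatIf to apply.
# Update-IntuneAfdNetworkRule -ResourceGroupName 'rg-network' -FirewallName 'fw-hub' `
#     -SourceAddress '10.10.0.0/16' -WhatIf
```

Because the prefixes are copied into the rule at run time, they go stale when Microsoft updates the tag; either schedule this function and review the `Removed` list before applying, or, if your firewall accepts the service tag name directly as a destination, use that and keep this only as the audit of what the tag currently expands to.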