Call4Cloud | MMP-C | Autopilot | Device Preparation

Close Encounters of Fiddler

Patch My Pc | install & update thousands of apps

Introduction: Enhancing Your Intune Troubleshooting Toolkit with Fiddler

Troubleshooting issues in Microsoft Intune can be challenging, especially when you’re dealing with complex configurations like conditional access policies, device settings, update management, and compliance rules. Misconfigurations or unexpected behavior can lead to significant disruptions, making it crucial to have effective tools and methods available. In this blog, I’ll show you how to use Fiddler, MDM, and PowerShell to diagnose and resolve issues within your Intune environment, giving you the insights needed to keep your systems running smoothly.

1. Capturing HTTPS Traffic for Troubleshooting

When troubleshooting Intune or any other cloud services, capturing HTTPS traffic can provide invaluable insights into what’s happening behind the scenes. To do this effectively, we’ll use Fiddler,a web debugging proxy that logs all HTTP(S) traffic between your computer and the internet.

Step 1: Capture HTTPS Connects

Start by downloading and installing Fiddler from Telerik’s website. Once installed, enable HTTPS traffic decryption in Fiddler, and allow the Proxy Certificate to be installed.

enable the option in fiddler to decrypt https traffic to capture all traffic to and from Intune and entra.

This step is essential, as without decrypt HTTPS traffic enabled, you won’t see the necessary details for troubleshooting.

Step 2: Monitoring Intune Traffic

With Fiddler set up, let’s test it by configuring a Conditional Access rule! Open the Intune web portal and create or modify a Conditional Access rule, device configuration, or other Intune settings. As you save changes, Fiddler will capture the traffic between your browser and the Intune service.

Switch to Fiddler and review the captured data, focusing on the “Inspectors” tab where you can view the traffic in text or raw format.

capturing graph traffic with Fiddler

This information can reveal whether the requests are being sent correctly, whether there are any unexpected errors, or whether specific settings are not being applied as intended.

A good example of how I used Fiddler to troubleshoot an issue in which the EPM agent wasn’t getting installed is this one

MMP-C Discovery failed | No valid Endpoint | EPM (call4cloud.nl)

If I didn’t had Fiddler in place, it would be hard to to know the proper and bad flow

2. Basic Fiddler Tips for Effective Troubleshooting

Before diving deeper into troubleshooting, it’s important to configure Fiddler correctly to avoid missing any critical information.

  • Exempt Immersive Apps: Ensure that immersive apps are exempted from HTTPS decryption to prevent them from being blocked. This is important for maintaining app functionality while troubleshooting.
exampt immersive apps in fiddler tp ensure all immersive apps are exempted from https decryption
  • Running Fiddler as System: If necessary, you can run Fiddler as a system process using Psexec, though in most cases, capturing traffic as the user should be sufficient.

  • Automatic Log Export: Configure Fiddler to automatically export logs every minute. This ensures that you have a complete record of traffic, which is essential for post-incident analysis.
configure the fiddler option to automatically save capture files every 1 minute
  • Redirect all traffic to Fiddler: Don’t forget to redirect all traffic to Fiddler. You can do so by entering this command: netsh winhttp set proxy 127.0.0.1:8888 
configure a proxy for fiddler with the command netsh winhttp set proxy 127.0.0.1:8888

3. Capturing MDM Traffic for Intune Troubleshooting

One of the more complex aspects of troubleshooting Intune is dealing with MDM traffic. Often, when you attempt to capture this traffic, you might encounter errors related to client certificates.

Fiddler would show us the message client certificate requested.
This indicates it needs a certificate to decrypt the intune traffic.

As shown above, Fiddler tells us that Client Certificate Requested for the server r.manage.microsoft.com. Here’s how to work around these issues.

Option 1: Exclude Specific Domains

To avoid errors when capturing traffic, you can exclude certain domains like manage.microsoft.com and r.manage.microsoft.com from HTTPS decryption. While this will prevent errors, it also means you won’t capture traffic from these domains, limiting your ability to troubleshoot certain issues.

excluding the r.manage.microsoft.com for decryption

Option 2: Use the Intune Client Certificate

A more comprehensive approach involves exporting the Microsoft Intune MDM device certificate. This certificate is essential for secure communication with Intune, and by configuring Fiddler to use it, you can decrypt and capture the MDM traffic.

  • Export the Certificate: Open the local computer certificate store and export the Intune MDM device certificate to a file (e.g., ClientCertificate.cer).
export the intune mdm device ca to a cer file so we can attach it to fiddler
  • Configure Fiddler: Place the certificate in the %username%\documents\fiddler2 folder and restart Fiddler. This setup allows Fiddler to decrypt and capture MDM traffic, giving you a clearer view of what’s happening between the client and Intune.
make sure the clientcertificate.cer is places in the fiddler2 folder so it can be picked up by fiddler

Please note, this trick will only work when you have started Fiddler as a user. When you execute Fiddler as a system, you can guess what’s missing: the system document folder. Besides the missing document folder, we also want to define some more URLs and redirect each URL to it’s own certificate. So, how do you do this?

Open the Fiddler Script editor by clicking on “Rules” and “customize rules”

we could also customize the rules and define each URL and redirect it to its own certificate. This way we can capture intune, entra and mmp-c traffic

Add this part to the “static function OnBeforeRequest(oSession: Session)” part

     if (oSession.HostnameIs("r.manage.microsoft.com")) {
            oSession["https-Client-Certificate"] = "C:\\test\\Intune.cer";
        } 
        if (oSession.HostnameIs("manage.microsoft.com")) {
            oSession["https-Client-Certificate"] = "C:\\test\\Intune.cer";
        } 
        if (oSession.HostnameIs("fef.amsua0702.manage.microsoft.com")) {
            oSession["https-Client-Certificate"] = "C:\\test\\Intune.cer";
        } 

Please ensure you change the fef.amsua0702.manage to your own URL or use a wildcard.It should look like this:

all fiddler rules in place to capture traffic to dm.microsoft.com, manage.microsoft.com and enterpriseregistration.windows.net

4. Troubleshooting Microsoft Store Apps with Fiddler

Fiddler isn’t just for capturing MDM traffic—it can also be used to troubleshoot issues with Microsoft Store apps. Whether you’re trying to identify problems with app downloads or deployment, Fiddler can help you see the underlying traffic.

Capturing Microsoft Store Traffic

  • Exempt Microsoft Store: Just like with MDM traffic, ensure the Microsoft Store is the only app exempted to reduce unnecessary traffic capture.
  • Monitor App Downloads: Start an app download from the Microsoft Store and switch to Fiddler to capture the traffic. Look for URLs related to the download, such as http://tlu.dl.delivery.mp.microsoft.com, which can give you insights into any issues with the download process.

Conclusion

Fiddler, MDM, and PowerShell are powerful tools for troubleshooting and resolving issues within your Intune environment. By capturing and analyzing HTTPS and MDM traffic, you can identify misconfigurations, resolve errors, and ensure that your Intune deployments are functioning as intended. Whether you’re dealing with Conditional Access rules, device configurations, or app deployments, these tools will help you get to the root of the problem quickly and effectively.

4 thoughts on “Close Encounters of Fiddler

  1. Pingback: OOBEAADV10 error when using Autopilot
  2. Hey Rudy,

    I’m trying to get this working to proxy Intune sync traffic and not having any luck. Does the private key have to be included in the “Microsoft Intune MDM Device CA” certificate for this to decrypt traffic? Every tool I’ve tried says the private key is not exportable.

    Thanks!

    1. Hi, when i need to decode the intuen traffic with fiddler (proxy) i only need to export the certificate. The private key is notexportable any longer and is not needed

Leave a Reply

Your email address will not be published. Required fields are marked *

1  +  3  =  

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.