The Update firewall configurations for new Intune network service endpoints will not run

Question

The Update firewall configurations for new Intune network service endpoints will not run

Trish Wood 0

tried to run Azure Front Door Connectivity Diagnostics Tool it would not, ran as a user and admin downloaded software PSTools.zip still didn't work. I am losing time and patience with this.

Trish Wood 0 Reputation points

2026-04-03T20:35:49.1733333+00:00

Already tried these suggestions and they will not run.
Vallepu Venkateswarlu 6,905 Reputation points Microsoft External Staff Moderator

2026-04-03T21:09:28.3533333+00:00
Hi @ Trish Wood,

Welcome to Microsoft Q&A Platform

As per the documentation, the Azure Front Door Connectivity Diagnostics Tool requires PowerShell version 5.1 or later. You can verify your local PowerShell version by running:

$PSVersionTable

If the version is below 5.1, please upgrade to a supported version and retry.

Common causes for Diagnostics Tool fail on your machine:

Corporate security blocking PSTools- PsExec often blocked by AV/Defender

Execution policy / SmartScreen-EXE silently blocked
Alternative troubleshooting approach

If the diagnostics tool is not working, you can still validate Azure Front Door connectivity using the following methods:

Test Front Door endpoint

curl -v https://<your-domain>

or

curl -v https://<frontdoor-endpoint>

Check for:

TLS handshake success

Response headers

Errors such as 403, 502, or timeouts.

Test backend directly (bypassing Front Door)

curl -v https://<backend-endpoint>

If the backend request fails, the issue is likely with the backend service rather than Azure Front Door.

Enable and review diagnostics logs

For deeper analysis, enable diagnostics logging for your Azure Front Door:

Go to Front Door resource → Diagnostic settings

Enable logs and send them to a Log Analytics workspace

Select all relevant categories

After enabling:

Wait ~30 minutes

Reproduce the issue

Review logs in Log Analytics

Please check the

Health probe logs

Failed backend responses

Routing and connectivity issues

These logs will help identify whether the issue is related to backend health, routing, or connectivity.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Trish Wood 0 Reputation points

2026-04-06T15:15:30.6666667+00:00

Yes I have attempted this but the script will not run.
Vallepu Venkateswarlu 6,905 Reputation points Microsoft External Staff Moderator

2026-04-06T18:06:23.34+00:00

Hi @ Trish Wood,

Could you please confirm the PowerShell version you are using?

If PowerShell is not working, you can try alternative troubleshooting steps, such as directly checking the process by enabling diagnostic settings or testing the Front Door custom domain endpoint to verify the result. You can also test the backend directly to isolate the issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.

1 answer

Your answer

Trish Wood 0 Reputation points

2026-04-03T20:35:49.1733333+00:00

Already tried these suggestions and they will not run.
Vallepu Venkateswarlu 6,905 Reputation points Microsoft External Staff Moderator

2026-04-03T21:09:28.3533333+00:00

Hi @ Trish Wood,

Welcome to Microsoft Q&A Platform

As per the documentation, the Azure Front Door Connectivity Diagnostics Tool requires PowerShell version 5.1 or later. You can verify your local PowerShell version by running:

$PSVersionTable

If the version is below 5.1, please upgrade to a supported version and retry.

Common causes for Diagnostics Tool fail on your machine:

Corporate security blocking PSTools- PsExec often blocked by AV/Defender

Execution policy / SmartScreen-EXE silently blocked
Alternative troubleshooting approach

If the diagnostics tool is not working, you can still validate Azure Front Door connectivity using the following methods:

Test Front Door endpoint

curl -v https://<your-domain>

or

curl -v https://<frontdoor-endpoint>

Check for:

TLS handshake success

Response headers

Errors such as 403, 502, or timeouts.

Test backend directly (bypassing Front Door)

curl -v https://<backend-endpoint>

If the backend request fails, the issue is likely with the backend service rather than Azure Front Door.

Enable and review diagnostics logs

For deeper analysis, enable diagnostics logging for your Azure Front Door:

Go to Front Door resource → Diagnostic settings

Enable logs and send them to a Log Analytics workspace

Select all relevant categories

After enabling:

Wait ~30 minutes

Reproduce the issue

Review logs in Log Analytics

Please check the

Health probe logs

Failed backend responses

Routing and connectivity issues

These logs will help identify whether the issue is related to backend health, routing, or connectivity.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Trish Wood 0 Reputation points

2026-04-06T15:15:30.6666667+00:00

Yes I have attempted this but the script will not run.
Vallepu Venkateswarlu 6,905 Reputation points Microsoft External Staff Moderator

2026-04-06T18:06:23.34+00:00

Hi @ Trish Wood,

Could you please confirm the PowerShell version you are using?

If PowerShell is not working, you can try alternative troubleshooting steps, such as directly checking the process by enabling diagnostic settings or testing the Front Door custom domain endpoint to verify the result. You can also test the backend directly to isolate the issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.

Answer 1

The Azure Front Door Connectivity Diagnostics Tool is a PowerShell script (Test-IntuneAFDConnectivity.ps1). To get it to run and use it to validate the new Intune network service endpoints, follow these steps and checks:

Confirm script location and execution
1. Download and extract the script to a local folder (for example, C:\Tools\IntuneAFD).
2. Open Windows PowerShell as Administrator.
3. Change to the folder where the script is stored:
```
      Set-Location C:\Tools\IntuneAFD
```
4. Run the script for public cloud:
```
      .\Test-IntuneAFDConnectivity.ps1
```
  For US Government/GCC High/DoD:
```
      .\Test-IntuneAFDConnectivity.ps1 -CloudType gov
```
Use detailed logging to see why it “won’t run” If the script exits immediately or returns an error, run with verbose and detailed logging to capture diagnostics:
```
   .\Test-IntuneAFDConnectivity.ps1 -LogLevel Detailed -OutputPath "C:\Logs" -Verbose
```
Then review the log files in C:\Logs for any PowerShell or connectivity errors.
Check PowerShell execution policy If the script is blocked by execution policy, set a temporary policy for the current process:
```
   Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
```
Then rerun the script from the same PowerShell window.
Validate firewall/proxy/VPN for Azure Front Door and Intune endpoints Even if the script starts, failures in its tests indicate network blocks:
- If Azure Front Door IP Address tests show failed IPs or ranges, ensure Azure Firewall or any upstream firewall/proxy/VPN allows outbound TCP 80 and 443 to the Azure Front Door IP ranges used by Intune. These are documented under the Intune client and host service entry (ID 163), including the Azure Front Door ranges:
  - 13.107.219.0/24
  - 13.107.227.0/24
  - 13.107.228.0/23
  - 150.171.97.0/24
  - 2620:1ec:40::/48
  - 2620:1ec:49::/48
  - 2620:1ec:4a::/47
- Ensure the Intune client and host service FQDNs and IP subnets are allowed outbound on TCP 80/443, for example:
  - *.manage.microsoft.com
  - manage.microsoft.com
  - *.dm.microsoft.com
  - EnterpriseEnrollment.manage.microsoft.com
  - And the associated IP subnets listed under ID 163.
Confirm no SSL inspection or HTTPS break/inspect on critical endpoints SSL inspection is not supported on some Intune-related endpoints (for example, Microsoft Store API and Defender for Endpoint). If the script reports “HTTPS endpoint unreachable”, check for:
- HTTPS inspection or TLS interception on:
  - Intune service FQDNs
  - Azure Front Door IP ranges used by Intune Disable inspection for these endpoints or add appropriate bypass rules.
Ensure firewall configuration is updated for upcoming Intune changes As part of the Secure Future Initiative, starting on or shortly after December 2, 2025, Intune network service endpoints will also use Azure Front Door IP addresses. For environments using Azure Firewall or other IP-based allowlists:
- Do not remove existing Intune endpoints.
- Add the Azure Front Door IP ranges for Intune (via the AzureFrontDoor.MicrosoftSecurity service tag in the Azure IP Ranges and Service Tags file for public cloud).
- Review and update any third-party firewall or proxy allowlists accordingly.
If the script still will not start at all If there is no output and no log file created even with -Verbose and -LogLevel Detailed:
- Re-download the script to ensure it is not corrupted.
- Confirm it is being run from PowerShell (not CMD) and that the current directory is the script directory.
- Verify that security software on the machine is not blocking PowerShell script execution.

Once the script runs successfully, use its exit code and detailed log output to identify any remaining blocked FQDNs or IP ranges, then adjust Azure Firewall and any other network devices to allow the required Intune and Azure Front Door endpoints on the specified ports.

References:

Share via

The Update firewall configurations for new Intune network service endpoints will not run

1 answer

Your answer