Sometimes you need to see what’s going on as a device is joining Azure AD and enrolling in an MDM service. Since that process is typically done during OOBE, that means capturing network traffic during OOBE. Fortunately, Fiddler (the “legacy” version – haven’t spent enough time with the Fiddler Everywhere release yet to figure out how well it works) can be used to do that.
Since I typically want to see the network traffic “from the start,” I’m typically starting with a VM that doesn’t have a network connection. So the first question then is how to get the Fiddler installer onto the system. The simplest way is to put the installer into an ISO that you can attach to the VM. If you haven’t done that before, all it takes is the ADK to get the deployment tools, and more specifically OSCDIMG.EXE to create an ISO. The steps:
- Download the file(s) you want to put into the ISO (e.g. FiddlerSetup.exe).
- Put the file(s) into a folder.
- Open the “Deployment and imaging tools environment” command prompt (shortcut created by the ADK install).
- Run OSCDIMG.EXE with the “-n” switch specifying the folder and destination ISO name. For examples:
OSCDIMG.EXE –n C:\Source C:\MyNew.iso
Here’s my output:
Mount that ISO into your VM and you’re set to go. When you first get into OOBE, you can press Shift-F10 to open a command prompt. From there, you can run FiddlerSetup.exe. Specify a short path, e.g. C:\Fiddler:
Once the installation is finished, you can then run C:\Fiddler\Fiddler.exe. It will ask about enabling AppContainer capture. Click the WinConfig button then click “Exempt All” and “Save Changes” (just in case what you are trying to capture is running in an app container, e.g. a UWP app).
Next, from the Tools menu choose “Options.” Click on the HTTPS tab, and check the box that says “Decrypt HTTPS traffic.” That will cause some “scary dialogs” (yes, you should be doing this on a throw-away VM). First choose “Yes” to trust the Fiddler root certificate:
After you click “Yes” you’ll get one more warning, so choose “Yes” again:
And a third:
One other item that needs to be done, from the Fiddler documentation: Make sure WinHTTP traffic goes through Fiddler. To do that, you run the command “netsh winhttp set proxy 127.0.0.1:8888” like so:
At this point, it’s best to reboot to make sure everything is picked up, so close Fiddler, then run “shutdown.exe /r /t 0” from the command prompt. After the reboot, press Shift-F10 to open the command prompt again, then run C:\Fiddler\Fiddler.exe again.
Since the VM doesn’t yet have a network connection (purposely), you can advance through the first few OOBE screens (language, locale, keyboard, second keyboard), and it should then stop on a “Connect you to a network” page. Before you do that, Alt-Tab back to the Fiddler window so that you can see the network traffic that happens once you make the connection. Then connect the virtual Ethernet port. (Let it sit a while to see what it talks to.) In Fiddler, click on the “Inspectors” tab in the right-hand pane to see the details. Then alt-tab back to the connection page and click Next.
As the web traffic (HTTP, HTTPS) happens, you’ll see it in the list. To prove that everything is working, you can look for a request to “ztd.dds.microsoft.com” – the Autopilot service – to see whether or not the device is registered to Autopilot. In my case, this VM wasn’t, which I can see in the “807 – ZtdDeviceIsNotRegistered” response.
If you want to go further in the process, e.g. to do an Azure AD Join and MDM enrollment, you can, but you will see one complication after the MDM enrollment: To authenticate with the MDM service, Fiddler will ask for the client cert; that would need to be manually exported from the local machine certificate store into a file that Fiddler can read. Until that is done, you won’t be able to capture any MDM traffic.
Once you’re done with the tracing (save off the trace results to a file somewhere if needed), you can throw away the VM (or roll back to a previous checkpoint, e.g. one taken at the start of OOBE before any of this stuff transpired). Happy tracing.
Categories: Windows 10
I’m not sure I understand the choice of Fiddler. Does Fiddler have some feature that other network sniffers don’t have? I’m thinking of Wireshark.
Wireshark makes SSL inspection much more complicated. I can’t easily generate a file with the needed SSL details (e.g. install Chrome or Firefox, manually browse sites) as the sites I’m trying to trace don’t allow browsing.
LikeLiked by 1 person