App Installer fails because Intune/MDM is adding custom headers to the DoSvc downloads

[nbevans]

We're using Azure Blob Storage to host our files for App Installer but the DoSvc and Intune/MDM is adding a custom Authorization header to the DoSvc requests. This then causes Azure Blob Storage to HTTP 403 reject the request - even though the blob is publicly accessible and should never need any form of authentication.

This appears to be yet another oversight?

[nbevans]

I can't decide whether this is a bug in DoSvc or a bug in Azure Blob Storage. Certainly one party here is not properly honouring the HTTP specification for the Authorization header.

I feel like the onus should be on DoSvc to act defensively such that when it is adding custom Authorization headers (and, well, any custom headers) and that request then fails then it really ought to retry the request without those custom headers to see if that may be successful.

I am not sure why Intune MDM thinks it is okay to add custom Authorization headers to literally every DoSvc request.

There is so many potential ways to fix this problem as there is so many things involved in reproducing it.

In the meantime I have had to put our Azure Blob Storage behind Azure CDN and then create a custom Rule that strips off the Authorization header. This works around the issue and now the App Installer works on our customer's Intune MDM enterprise environment.

[shakersMSFT]

Thanks for letting us know. I've passed this information along to the Intune team.