Always-on VPN with Intune, pre-logon connection

Rahul Sukumar 141 Reputation points
2020-07-22T23:57:43.51+00:00

We currently have remote users on Windows 10 Enterprise connecting to our corporate network using DirectAccess. This currently works extremely well.

I've read that MS is discontinuing development of DirectAccess and recommends now everyone use Always-On VPN. This sounded great to me at first since it didn't require we obtain a Win 10 Enterprise license for our remote users.

But, it appears that Always-On VPN only connects after the user logs on to the machine using cached credentials and then connects the VPN using a user certificate. This doesn't, in my mind, meet the definition of Always-On.

I further read that you can create a device connection that will connect pre-logon. BUT this type of VPN using the native Windows client still requires an Enterprise license.

We configure PCs on site and domain-join them. Then ship them to remote users to logon with their new credentials (which of course are not cached because the user has never logged on to that machine). This of course works fine with DirectAccess since it connects when the machine boots up and has an active connection to on-premise AD before the user logs on.

So, unless I am missing something, Always-On VPN can't be a replacement for our Windows 10 Pro remote PCs if we send them to users before the user logs on while on the corp network.

Please let me know if I am missing something. If not, we will just stick with DirectAccess until support for it is completely removed.


Accepted answer
  1. Candy Luo 12,656 Reputation points Microsoft Vendor
    2020-07-23T08:06:37.017+00:00

    Hi,

    >>Always-On VPN can't be a replacement for our Windows 10 Pro remote PCs if we send them to users before the user logs on while on the corp network.

    Yes, you are right.

    Device tunnel can only be configured on domain-joined devices running Windows 10 Enterprise or Education version 1709 or later.

    However, DA and Always On VPN device tunnel are both only supported on Windows 10 Enterprise.

    As in the picture below:

    [image: 13433-3jdp.png]

    So based on your situation, if you cannot use cached credentials, you had better use the Windows 10 Enterprise OS version.

    Best Regards,

    Candy


2 additional answers

  1. Richard M. Hicks 41 Reputation points
    2020-07-24T03:29:35.6+00:00

    For the record, you could deploy the Always On VPN device tunnel on a Windows 10 Professional client, it just won't connect automatically. As a workaround you could establish the device tunnel connection programmatically using a script or scheduled task. Not ideal, but it might work if you don't want to upgrade to Enterprise edition.


  2. Garth K. Williams 1 Reputation point
    2021-03-08T21:27:34.863+00:00

    Good Afternoon. Sorry to trouble you all, but I am trying to create a "hybrid join over VPN" using Microsoft VPN

    Endpoint Windows version used: 20H2 Enterprise

    I have:

    1. Created an AAD profile/config/compliance/apps/BitLocker etc. Endpoint builds out nicely.
    2. Created a VPN "always on" profile (username/password) in Intune and tested that it deploys and creates the local VPN profile on the AAD-joined endpoint device.
    3. Tested that the endpoint VPN profile created by Intune works and connects properly. Connected manually and using rasdial.exe [VPNEntryname]. (Can ping domain controller.)
    4. Then, I created a hybrid join Autopilot profile (which already works on a wired connection).

    The issue I have is that when I add my remote endpoint to the hybrid profile, the pre-login authentication icon does not appear no matter what I do. I've done this before using a third-party Win32 app (Check Point, also using username/password), but now I am trying an all-native Microsoft solution.

    Am I fighting a losing battle because I have no PKI and am using username/password with Windows 10 Always on VPN?

    Does anyone know if this is supported (Win10 Always On VPN/username/password/no machine cert)? I will open a ticket next with MS, but since I saw Richard on the thread (thanks for all your VPN postings, by the way!) I thought I would ask.

    I am going to test a local GPO to run the startvpn.cmd (contains "rasdial VPNEntryname"), set to synchronous and display commands. I was hoping it would pop up the connection prior to logging in.

    Then if that works, I was hoping to load the script and the policy programmatically.

    Thank you in advance.

    Garth

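The scripted workaround that Richard describes (dial the device tunnel from a script or scheduled task on a Pro client that lacks the built-in pre-logon trigger) and the startup-script plan in Garth's post are the same technique. Below is an added example of it, written for this page and not code from the thread or from Microsoft. It assumes the device tunnel profile has already been deployed to the all-user (machine) phonebook under the hypothetical name `Corp Device Tunnel`, that it authenticates with a certificate in the machine store, and that the task name `AlwaysOnVPN-DeviceTunnel-Dialer` is free to use; all three names are assumptions. Run it once elevated with `-Install` to register the task; the task then runs the same script as SYSTEM at every boot, before any user logs on.

```powershell
<#
  Connect-DeviceTunnel.ps1 (added example, not from the original thread)

  Dials an Always On VPN *device tunnel* profile from the machine (SYSTEM)
  context so it is up before a user logs on, on editions where the native
  pre-logon trigger is not available.

  Assumptions (hypothetical, not stated in the thread):
    - a device tunnel profile named $ProfileName exists in the all-user
      (machine) phonebook, e.g. deployed via Intune or PowerShell
    - the device certificate is in Cert:\LocalMachine\My
    - the script is run elevated; -Install registers the startup task,
      without -Install it just dials (this is what the task runs)
#>
[CmdletBinding()]
param(
    [string]$ProfileName  = 'Corp Device Tunnel',   # hypothetical profile name
    [int]$MaxAttempts     = 12,                     # ~2 minutes of retries at boot
    [int]$RetrySeconds    = 10,
    [switch]$Install
)

$TaskName = 'AlwaysOnVPN-DeviceTunnel-Dialer'       # hypothetical task name

function Test-TunnelUp {
    param([string]$Name)
    # Device tunnels live in the all-user phonebook, so -AllUserConnection is required;
    # without it Get-VpnConnection only sees the current user's profiles.
    $c = Get-VpnConnection -AllUserConnection -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $c -and $c.ConnectionStatus -eq 'Connected')
}

function Connect-Tunnel {
    param([string]$Name, [int]$Attempts, [int]$Delay)
    for ($i = 1; $i -le $Attempts; $i++) {
        if (Test-TunnelUp -Name $Name) { return $true }
        # rasdial with only the entry name uses the profile's own auth method; for a
        # device tunnel that is the machine certificate, so no secret is passed here.
        & rasdial.exe $Name | Out-Null
        if ($LASTEXITCODE -eq 0 -and (Test-TunnelUp -Name $Name)) { return $true }
        # Early at boot the NIC may not have an address yet; back off and retry.
        Write-Warning "Attempt $i/$Attempts failed (rasdial exit $LASTEXITCODE); retrying in $Delay s"
        Start-Sleep -Seconds $Delay
    }
    return $false
}

if ($Install) {
    $arg       = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -ProfileName `"$ProfileName`""
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arg
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    # SYSTEM can read the machine certificate store and the all-user phonebook and
    # does not need any user to log on for the task to fire.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable `
                     -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                     -ExecutionTimeLimit (New-TimeSpan -Minutes 15)
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
    Write-Host "Registered task '$TaskName' to dial '$ProfileName' at startup as SYSTEM."
}
else {
    if (-not (Get-VpnConnection -AllUserConnection -Name $ProfileName -ErrorAction SilentlyContinue)) {
        throw "No all-user VPN profile named '$ProfileName' found; deploy the device tunnel profile first."
    }
    if (Connect-Tunnel -Name $ProfileName -Attempts $MaxAttempts -Delay $RetrySeconds) {
        Write-Host "'$ProfileName' is connected."
    }
    else {
        Write-Error "'$ProfileName' did not connect after $MaxAttempts attempts."
        exit 1
    }
}
```

Two caveats a practitioner should weigh before relying on this. First, it only dials at boot (plus retries); the native device tunnel trigger also re-dials on network changes, so a laptop that roams between networks needs an additional trigger or a repeating task to get comparable behaviour. Second, it works cleanly only because the profile authenticates with a machine certificate: for a username/password profile such as the one in Garth's post, rasdial running as SYSTEM has no user credentials to use, so the password would have to be placed on the command line or saved with the profile, which leaves a secret on the device in a place the task scheduler and any local administrator can read.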