AutoPilot Hybrid joined devices using Always-On VPN

theodorbrander 51 Reputation points
2020-10-06T13:48:06.297+00:00

Hi,

I am trying out Windows Autopilot (User driven hybrid-joined) with VPN Support (Always On VPN) which should be supported. Anyone managed to fully configure Windows Autopilot user-driven Hybrid Azure AD Join with VPN, using Always On VPN? I do not know if this is the correct forum or not since I guess it is in between Intune and VPN connectivity?

What I have configured, tried and stuff like that:
I have configured Always On VPN for the organization, and deploy this via Intune. This works. The Always On solution relies on a workstation certificate for authentication, which I deploy using Intune NDES SCEP, which also works.

AutoPilot enrollment experience:
The "Device Configuration" profiles are successfully deployed, and I can see that the device is created in my local AD and the certificate and certificate chain are successfully deployed.

So everything appears to be OK, with the exception of the VPN profile, which is a per-user setting and thus is listed as "Not applicable".

When I browsed the web for any solutions I came across the option to create a 'Device Tunnel'-VPN Profile for Always On VPN instead and thought maybe this could solve my problem.

I deployed a new VPN profile where I enabled the Device Tunnel setting and it was successfully deployed for my AutoPilot enrollment! However, there is no VPN profile on the Windows login screen. Maybe there should not be? But if so, why am I still unable to log in to my domain?
My RADIUS server does not register any failed attempts from this client either.

Is there anyone here willing to share their success story deploying AutoPilot Hybrid joined devices using Always-On VPN? And if so, what am I missing :D


8 answers

  1. Crystal-MSFT 43,721 Reputation points Microsoft Vendor
    2020-10-07T01:47:41.443+00:00

    @theodorbrander, from your description, I understand we want to deploy Windows Autopilot user-driven Hybrid Azure AD Join using an Always On VPN. The VPN profile is a per-user setting, which will not be deployed. Then we consider a 'Device Tunnel' VPN profile for Always On VPN, but it is not working. If there's any misunderstanding, please let us know.

    As far as I know, Device tunnel can only be configured on domain-joined devices running Windows 10 Enterprise or Education version 1709 or later. There is no support for third-party control of the device tunnel. Device tunnel does not support using the Name Resolution Policy table (NRPT) or Force tunnel. Also, device tunnel supports IKEv2 only, with no support for SSTP fallback. Please make sure the Device Tunnel requirements and features are all met in the following link:
    https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config

    I notice the VPN profile is authenticated with a certificate; please enable machine certificate authentication for VPN connections and define a root certification authority for authenticating incoming VPN connections. Also deploy the machine certificate to the device as well.

    In addition, as a test to confirm the VPN profile is working well, we can deploy it to a device such as an Azure AD joined device to see if it is working, to clarify our issue.

    Hope it can help.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. theodorbrander 51 Reputation points
    2020-10-07T08:44:25.047+00:00

    Hi Crystal, thanks for your reply!

    You have understood my problem correctly, but what I really want to know is whether the device tunnel is the intended way to deploy Windows Autopilot user-driven Hybrid Azure AD Join using an Always On VPN?

    Q: As far as I know, Device tunnel can only be configured on domain-joined devices running Windows 10 Enterprise or Education version 1709 or later.

    **A:** This is Windows 10 Enterprise v2004.

    Q: There is no support for third-party control of the device tunnel.

    A: I do not use any third-party tools? Maybe I am misunderstanding something here; what are you referring to?

    Q: Device tunnel does not support using the Name Resolution Policy table (NRPT) or Force tunnel.

    A: This is not configured in my setup.

    Q: Also, device tunnel supports IKEv2 only, with no support for SSTP fallback. Please make sure the Device Tunnel requirements and features are all met in the following link:

    A: I use IKEv2 and I have all the pre-reqs.

    Q: I notice the VPN profile is authenticated with a certificate; please enable machine certificate authentication for VPN connections and define a root certification authority for authenticating incoming VPN connections. Also deploy the machine certificate to the device as well.

    A: The root, intermediate and machine certificates are successfully published to the machine over Intune using NDES + SCEP + Intune. This is not a problem.

    **Q:** In addition, as a test to confirm the VPN profile is working well, we can deploy it to a device such as an Azure AD joined device to see if it is working, to clarify our issue.

    **A:** The device configuration deployment appears as successful in Intune, but the problem is there is no VPN profile to choose from the lock screen, making it impossible to VPN to my on-premises network.

    Like, what I want to do is to use the device tunnel for the initial connection to my on-premises domain.


  3. Gerber Patrick BIT 1 Reputation point
    2021-05-15T09:34:47.47+00:00

    Same here. Any solutions?


  4. RK 1 Reputation point
    2021-05-17T18:39:54.823+00:00

    The VPN will never show at login because it's not using user credentials. Machine cert authentication ONLY. The user (or admin) can't see it until they get to a Windows desktop and look for the network interface. Or open rasphone and see if the VPN is listed there. Or try to access something on the remote network. ;-)

    We have this working--mostly. It's pretty buggy at the initial Autopilot setup. We suspect because the configurations don't apply in order. EG: domain join tries to run before a needed certificate, etc. There's no way to specify the order or timing. Frankly it all feels a little tinker-toy-esque. Not sure it's worth the trouble--until it works and a user in the hinterlands logs into the laptop we shipped them, and they get all the corporate policies and apps without shipping the machine twice, or IT having to make a dog sled trip to Duluth.
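    A quick prerequisite and visibility check for the device tunnel discussed in this thread, added here as an example and not taken from any of the posts above. It assumes the device-tunnel phonebook lives under the SYSTEM profile path shown in the script, that 1.3.6.1.5.5.7.3.2 is the Client Authentication EKU OID, and that RasClient logs events 20225 (connected) and 20227 (failed) to the Application log; run it from an elevated prompt on the enrolled device.

```powershell
# Added example: check the device-tunnel prerequisites named in this thread
# (Enterprise/Education, 1709+, IKEv2, machine certificate) and show where the
# tunnel is actually visible, since it never appears on the logon screen.
# Assumptions: SYSTEM-profile phonebook path below, Client Authentication EKU
# OID 1.3.6.1.5.5.7.3.2, RasClient event IDs 20225/20227. Run elevated.

$os    = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
Write-Host "Edition: $($os.Caption)  Build: $build"
if ($os.Caption -notmatch 'Enterprise|Education') { Write-Warning 'Device tunnel requires Enterprise or Education.' }
if ($build -lt 16299) { Write-Warning 'Device tunnel requires Windows 10 1709 (build 16299) or later.' }

# Machine certificate: LocalMachine\My, private key present, Client Authentication EKU, not expired
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$machineCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}
if ($machineCerts) { $machineCerts | Format-Table Subject, Issuer, NotAfter -AutoSize }
else { Write-Warning 'No usable machine certificate with Client Authentication EKU in LocalMachine\My.' }

# Device-tunnel entries are stored in the SYSTEM profile phonebook, not the user's (assumed path)
$pbk = Join-Path $env:SystemRoot 'System32\config\systemprofile\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk'
if (Test-Path $pbk) {
    $entries = Select-String -Path $pbk -Pattern '^\[(.+)\]$' | ForEach-Object { $_.Matches[0].Groups[1].Value }
    Write-Host "Device tunnel entries: $($entries -join ', ')"
    # VpnStrategy encodes the tunnel type; a device tunnel must be IKEv2 with no SSTP fallback
    Select-String -Path $pbk -Pattern '^VpnStrategy=' | ForEach-Object { Write-Host "  $($_.Line)" }
} else {
    Write-Warning "No device-tunnel phonebook at $pbk; the Intune profile did not land as a device tunnel."
}

# Connection attempts are logged by RasClient even when the RADIUS server sees nothing
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20225, 20227 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

    A 20227 event with an IKE error code points at the tunnel or certificate; no events at all means the device tunnel was never dialed, which matches a profile that deployed but did not land as a device tunnel.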


  5. Nitin Kumar 1 Reputation point
    2021-06-04T02:17:59.007+00:00

    @theodorbrander, did you ever find a solution for this issue?

    I am experiencing the same issue, where Intune shows the root, SCEP cert and the device tunnel have been deployed, but I don't see anything on the logon screen.

    Logging in with domain credentials complains that the DC is not accessible.

    Thanks in advance.
