ErikWold-3219 asked

Hybrid join in Intune with Always-on vpn User tunnel

Hi,
Is it possible to do Hybrid join in Intune with an Always On VPN user tunnel? It's working perfectly with a device tunnel, but the customer requirement is that this should be done with a user tunnel VPN profile. Certificates are OK: SCEP, Azure root and CA root certificates are all deploying fine. If, like with other VPN providers, a network logon icon were visible on the sign-in screen, I think this could have been done. Does the Windows Always On VPN user tunnel support this feature?

mem-intune-enrollment
CiciWu2-MSFT answered

I have done some research, but currently it only supports a device tunnel for hybrid Azure Active Directory join with Always On VPN. I will help deliver a feature request to the product team. If there is any update for this feature, I will update you.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

CiciWu2-MSFT answered

Do you mean the user-driven mode for hybrid Azure Active Directory join with VPN support? Always On VPN can be used for this scenario. For more information, see the Deploy Always On VPN documentation. Note that Intune can't yet deploy the needed per-machine VPN profile.

Reference: User-driven mode for hybrid Azure Active Directory join with VPN support


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


ErikWold-3219 answered Jason-MSFT commented

Yes, I mean user-driven mode for hybrid Azure Active Directory join with Always On VPN. It works with a device tunnel, but how do I get the user tunnel to show at the login screen?

Jason-MSFT commented

You don't. A user-tunnel requires authentication to AAD but prompting the user for their AAD credentials during OOBE doesn't make sense, would be confusing, and has security implications as well and so it's not possible to do this.

Within the current designs for both products (Win 10 Always on VPN and Autopilot) there is no technical possibility to enable this and there are no plans to change this. As of today, if you wish to use a user-initiated tunnel, you need to use a VPN product that allows this to happen per the doc that Cici linked to above.

ErikWold-3219 answered

Thank you, device tunnel it is then :) Although there's some debate around the security of device vs user tunnel, I'll plan for just enough for the DJ to go through.
