RahulSukumar-3862 asked · 0 Votes

Always-on VPN with Intune, pre-logon connection

We currently have remote users on Windows 10 Enterprise connecting to our corporate network using DirectAccess. This currently works extremely well.

I've read that MS is discontinuing development of DirectAccess and recommends now everyone use Always-On VPN. This sounded great to me at first since it didn't require we obtain a Win 10 Enterprise license for our remote users.

But, it appears that Always-On VPN only connects after the user logs on to the machine using cached credentials and then connects the VPN using a user certificate. This doesn't, in my mind, meet the definition of Always-On.

I further read that you can create a device connection that will connect pre-logon. BUT this type of VPN using the native Windows client still requires an Enterprise license.

We configure PCs on site and domain-join them. Then we ship them to remote users to log on with their new credentials (which of course are not cached because the user has never logged on to that machine). This of course works fine with DirectAccess since it connects when the machine boots up and has an active connection to on-premise AD before the user logs on.

So, unless I am missing something, Always-On VPN can't be a replacement for our Windows 10 Pro remote PCs if we send them to users before the user logs on while on the corp network.

Please let me know if I am missing something. If not, we will just stick with DirectAccess until support for it is completely removed.

Tags: windows-10-network, windows-server-infrastructure

CandyLuo-MSFT answered · 0 Votes

Hi,

> Always-On VPN can't be a replacement for our Windows 10 Pro remote PCs if we send them to users before the user logs on while on the corp network.

Yes, you are right.

Device tunnel can only be configured on domain-joined devices running Windows 10 Enterprise or Education version 1709 or later.

However, DA and the Always On VPN device tunnel are both only supported on Windows 10 Enterprise.

As in the picture below:

[image: 3jdp.png]

So based on your situation, if you cannot use cached credentials, you had better use the Windows 10 Enterprise OS version.

Best Regards,

Candy


RahulSukumar-3862 commented · 0 Votes

Thanks for confirming. I suppose the only way to truly get a VPN for remote users on Windows 10 Pro that connects pre-logon is to use a third-party VPN client that connects to our edge device.

CandyLuo-MSFT commented · 0 Votes

Yes... In such a case, a third-party VPN client might achieve your goal.
RichardMHicks-1881 answered · 1 Vote

For the record, you could deploy the Always On VPN device tunnel on a Windows 10 Professional client; it just won't connect automatically. As a workaround you could establish the device tunnel connection programmatically using a script or scheduled task. Not ideal, but it might work if you don't want to upgrade to Enterprise edition.


GarthKWilliams-8013 answered · 0 Votes

Good afternoon. Sorry to trouble you all, but I am trying to create a "hybrid join over VPN" using Microsoft VPN.

Endpoint Windows version used: 20H2 Enterprise

I have:
1) Created an AAD profile/config/compliance/apps/BitLocker etc. The endpoint builds out nicely.
2) Created a VPN "always on" profile (username/password) in Intune and tested that it deploys and creates the local VPN profile on the AAD-joined endpoint device.
3) Tested that the endpoint VPN profile created by Intune works and connects properly. (Connected manually and using rasdial.exe [VPNEntryname]; can ping the domain controller.)
4) Then I created a hybrid join Autopilot profile (which already works on a wired connection).

The issue I have is that when I add my remote endpoint to the hybrid profile, the pre-login authentication icon does not appear no matter what I do. I've done this before using a third-party Win32 app (Check Point, also using username/password), but now I am trying an all-native Microsoft solution.

Am I fighting a losing battle because I have no PKI and am using username/password with Windows 10 Always on VPN?

Does anyone know if this is supported (Win10 Always On VPN/username/password/no machine cert)? I will open a ticket next with MS, but since I saw Richard on the thread (thanks for all your VPN postings, by the way!) I thought I would ask.

I am going to test a local GPO to run startvpn.cmd (contains "rasdial VPNEntryname"), set to synchronous and to display commands. I was hoping it would pop up the connection prior to logging in.

Then if that works, I was hoping to load the script and the policy programmatically.
Thank you in advance.

Garth

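As an added example (not code posted by anyone in this thread), this is one way to implement the workaround Richard describes, and the boot-time rasdial that Garth plans to test: a SYSTEM scheduled task that dials an already-deployed Always On VPN device tunnel at startup, before any user signs in. The profile name "DeviceTunnel", the script path under C:\ProgramData\Scripts and the retry counts are assumptions; the profile is assumed to authenticate with the machine certificate, so the script stores no credentials.

```powershell
# Added example, not from the thread. Run once as an administrator on the Windows 10
# Pro client. Assumes the device-tunnel profile "DeviceTunnel" already exists in the
# all-users phonebook and uses machine-certificate authentication.
$ProfileName = 'DeviceTunnel'
$ScriptDir   = 'C:\ProgramData\Scripts'
$ScriptPath  = Join-Path $ScriptDir 'Connect-DeviceTunnel.ps1'
New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null

# SYSTEM will execute whatever sits in this folder, so only admins may write to it.
icacls $ScriptDir /inheritance:r /grant 'SYSTEM:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F' 'BUILTIN\Users:(OI)(CI)RX' | Out-Null

# The connect script: skip if already connected, otherwise retry rasdial with
# back-off (the NIC may not have an address yet at the AtStartup trigger) and log.
$ConnectScript = @"
`$Log = Join-Path '$ScriptDir' 'DeviceTunnel.log'
function Write-Log([string]`$Message) {
    "`$(Get-Date -Format s) `$Message" | Out-File -FilePath `$Log -Append -Encoding utf8
}
# rasdial with no arguments lists the active connections.
if ((rasdial.exe) -match [regex]::Escape('$ProfileName')) { Write-Log 'already connected'; exit 0 }
for (`$Attempt = 1; `$Attempt -le 8; `$Attempt++) {
    `$Output = rasdial.exe '$ProfileName' 2>&1
    if (`$LASTEXITCODE -eq 0) { Write-Log "connected on attempt `$Attempt"; exit 0 }
    Write-Log "attempt `$Attempt failed (exit `$LASTEXITCODE): `$(`$Output -join ' ')"
    Start-Sleep -Seconds (15 * `$Attempt)
}
exit 1
"@
Set-Content -Path $ScriptPath -Value $ConnectScript -Encoding UTF8

# Register the task: runs as SYSTEM at startup; Task Scheduler retries it if it fails.
$Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$Trigger   = New-ScheduledTaskTrigger -AtStartup
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -RestartCount 3 `
    -RestartInterval (New-TimeSpan -Minutes 2) -ExecutionTimeLimit (New-TimeSpan -Minutes 15)
Register-ScheduledTask -TaskName 'Connect-DeviceTunnel' -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null
```

The log file shows whether the tunnel came up before the logon screen, which is the behaviour the original question is after; a domain logon with non-cached credentials will still only succeed if the domain controllers are reachable through that tunnel.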