This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 38%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEN%3C/text%3E%3C/svg%3E)
Hi All, we have a Intune White Glove hybrid deployment setup that works nicely if the devices are connected to our internal network. We are now trying to deploying the devices without touching out network, so using vpn.
We currently have windows 10 Always on VPN deployed successfully with both a user and device policy connecting for users. However, with these policies in place freshly deployed devices are not able to connect to network. The white glove section completes successfully with the ad object created (although the usercertificate isn't created so the object doesn't sync back to azure ad), and during the user portion we get to the user logon screen, but can't logon because there is no connection to the domain (user vpn doesn't connect until after logon and device vpn is deployed bt not connecting). So
Thanks in advance,
Ed.
If the connection cannot be established before the user is required to logon on, then no as user logons to a domain require line of sight to a domain controller. This is a fundamental Windows domain join requirement and independent from Autopilot.
Have you explored using full AAD joining for your systems?
Thanks for your reply Jason. One day we will go for full aad join, but for now we have 20 years of badly organised file shares to sort out so hybrid is a must for us.
My question was more around if Windows 10 always on VPN is suitable for doing the domain join part? The online documentation seems to suggest is should do it, but there is very little out there from people using VPN's to do the hybrid join bit (still relatively new I guess).
Ed.
so hybrid is a must for us.
Why? AAD users on AAD joined devices can seamlessly access on-prem file shares with very little configuration; this is built into Windows: https://learn.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso
The requirement is simply line of sight to a domain controller. The network layer is irrelevant as long as the network traffic makes it back and forth.
The full list of requirements is listed at https://learn.microsoft.com/en-us/mem/autopilot/user-driven#requirements-1
An informal list of what VPN clients work is listed at https://oofhours.com/2020/06/23/windows-autopilot-user-driven-hybrid-azure-ad-join-which-vpn-clients-work/. There is a section and link near the end of that post on how to set up and use the Microsoft always on VPN client.