AutoPilot Hybrid joined devices using Always-On VPN

theodorbrander 56

Hi,

I am trying out Windows Autopilot (User driven hybrid-joined) with VPN Support (Always On VPN) which should be supported. Anyone managed to fully configure Windows Autopilot user-driven Hybrid Azure AD Join with VPN, using Always On VPN? I do not know if this is the correct forum or not since I guess it is in between Intune and VPN connectivity?

What I have configured, tried and stuff like that:
I have configured Always On VPN for the organization, and deploy this via Intune. This works. The Always On Solution rely on a Workstation certificate for authentication, which I deploy using Intune NDES SCEP, which also work.

AutoPilot enrollment experience:
The "Device Configuration"-profiles are successfully deployed, and I can see that the device is created in my local AD and certificate and certificate chain is successfully deployed.

So everything appears to be OK, with exception from the VPN profile, which is a per user setting and thus are listed as "Not applicable".

When I browsed the web for any solutions I came across the option to create a 'Device Tunnel'-VPN Profile for Always On VPN instead and thought maybe this could solve my problem.

I deployed a new VPN profile where I enabled the Device-Tunnel setting and it was successfully deployed for my AutoPilot enrollment! However, there is no VPN profile from the Windows Login Screen. Maybe there should not be? But if so, why am I unable to login to my domain still?
My Radius server does not register any failed attempts from this client either.

Is there anyone here willing to share their success story deploying AutoPilot Hybrid joined devices using Always-On VPN? And if so, what am I missing :D

JKFrancis 81 Reputation points

2023-03-02T14:09:01.56+00:00
Yes, we can join the domain. Where is your step that it is failing. I had the same issue, but I think there was a trick that was done by one of our admin who did a SYSPREP after the initial VPN connection through Wi-Fi. Do not Generalize it, just do a SYSPREP and it will come back with the Login screen to enter the UPN name, then you will be able to.

I had the same issue. We are using the VPN Always ON with a device CERT and connected through Wi-Fi. But, there is no clear instructions in how to get a HAAD joined machine to get the ODJ Blob file. They say first try it being in the network with the DC line of sight, then you can try it from home. But, we have tested it from home and with Always ON VPN and also device cert installed. I do not see any kind of tunneling profile being pushed from our end, which I mentioned to my folks, but we never used it. I saw that there are three things that were needed.

VPN Client

Device Certificate

VPN Profile through Configuration Profile (which we did not do)

I know this is a late response, as I struggled with HAAD join and we moved to AAD join and we came back to HAAD join and then were successful, but still there are lot of issues with GPOs etc...

8 answers

theodorbrander 56 Reputation points

2021-06-04T06:10:04.073+00:00

Hi everyone,

Yes - in the end I did resolve it using device tunnel. I do not have access to the customers infrastructure as of now but if I remember correctly you do not need to "change" the connection to use VPN when you are using device tunnel, it just works. This can be a little bit confusing, but Richard Hicks have some info about this in this blog post.

However, third party applications have been more successful.

If you have a specific setup that does not work you can share some specifics and we can see if it jogs my memory :)
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Nitin Kumar 1 Reputation point

2021-06-08T06:37:51.13+00:00

Hi @theodorbrander ,

Thanks for the update. The specific issue is actually resolved now. The device tunnel connects fine and I can login using domain credentials.

We are also evaluating this set up for Autopilot roll out.

What I noticed is that the user tunnel keeps trying to connect while device tunnel is connected and eventually fails.

Did you come across this issue or anyone else experience this issue ?
Windows 10 Enterprise version 21H1
Please sign in to rate this answer.
theodorbrander 56 Reputation points

2021-06-08T07:13:51.527+00:00

Hmm, have you configured TDN on your User Tunnel?

If your User tunnel keeps trying to connect you should probably configure the Trusted Network Detection (TDN) to prevent it from attempting. Since the Device Tunnel does connect before the User Tunnel, it should not attempt at all - since it is already logged in.

Mark Blackburn 1 Reputation point

2021-06-25T14:01:16.97+00:00

How have you got this working?

When I tried setting it up the device tunnel worked fine, the machine would pick up its autopilot profile fine, get a machine name of prefix-%SERIAL% from the autopilot profile, get its certs through Intune configuration profiles and SCEP or PKCS including a device cert, pick up its Always ON device tunnel VPN profile from InTune and connect, then the Domain Join configuration Profile would run and rename the machine to Prefix-RandomString, join it to the domain fine and then the machine would reboot.

After reboot it would get to the user login prompt but the user could not log in as the device tunnel VPN would no longer work - the machine certificate subject (Prefix-%SERIAL%) no longer matched the machine name (Prefix-Randomstring) and so the VPN tunnel refuses to come up, the machine can't see a DC and the user can't log in.

How did you get round this?

Thanks.

theodorbrander 56 Reputation points

2021-06-25T16:02:31.36+00:00

Hello,
I am on the road traveling so I can’t confirm the settings but you should probably change the SCEP certificate profile if I understand your issue correctly. If you use the “FullyQualifiedDomainName” attribute for the certificate profile your certificate will wait with the certificate deployment until you get the new PC name.

https://learn.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep

Let me know the results and if it does not work I can confirm the settings when I get back to work on Monday. I recently configured this successfully for a client and got a working config.

BR
Theodor

Mark Blackburn 1 Reputation point

2021-06-25T16:57:20.707+00:00

God that's obtuse!!

Why is this stuff not defined in the documentation explicitly - all it would need is a single sentence

"If you need to obtain a certificate for use with Always On device tunnel, make sure to use {{FullyQualifiedDomainName}} as the certificate subject name"

Thanks for your help - I'll try it out.

Mark.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Nitin Kumar 1 Reputation point

2021-06-08T10:21:12.733+00:00

Yes I have configured Trusted Network on both Tunnels.

The idea is:

Device Tunnel will be used for onboarding using Autopilot. Device Tunnel will give limited access to the devices for initial user logon.

Once the user logs in, User tunnel gets pushed through Intune and it should connect giving full access to the network.

My understanding is that both tunnels can co-exist.
Please sign in to rate this answer.
theodorbrander 56 Reputation points

2021-06-08T11:26:31.05+00:00

Ahh, got it! Yea, it should be supported and its been a long process from what I gather.. It worked in one patch, stopped working in the next patch, got resolved in the next patch and then stopped working again. Should have been resolved in this patch KB4571744.

There is tons of discussion in this thread about this topic - perhaps you'll find some useful information in this thread.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

AutoPilot Hybrid joined devices using Always-On VPN

8 answers

Your answer