Hybrid Azure AD Join Autopilot Always On VPN

Matt Dillon 1,206 Reputation points

So I built out a Hybrid Azure AD Join Autopilot. When building remote, I cannot sign in the first time because of the lack of connectivity to a Domain controller.

We configured a SCEP server. I used the User and Web Server Certificate templates and deployed following the documentation here: https://learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure

We have added the Trusted Root certificates in Intune.

If I create a SCEP Certificate profile using these directions: https://learn.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep and then deploy the Trusted Root, the SCEP certificate profile, and the Always On VPN profile during Autopilot, should I then be able to sign in on my autopiloted devices that are built offsite?

I guess I am a bit confused by what this process actually accomplishes.


2 answers

  1. Simon Ren-MSFT 26,206 Reputation points Microsoft Vendor


    Thank you for posting in Microsoft Q&A forum.

    Initiating Autopilot from a remote location while hybrid Azure AD joining the endpoint is somewhat complex. Here are some similar threads for your reference:

    Always On VPN and Autopilot Hybrid Azure AD Join

    Success with remote Windows Autopilot and hybrid Azure Active Directory join

    AutoPilot Hybrid joined devices using Always-On VPN

    Thanks for your time. Have a nice day!

    Best regards,



  2. Richard M. Hicks 41 Reputation points

    If you plan to use Autopilot with hybrid Azure AD join offline/remotely, then you will need to use the Always On VPN device tunnel to provide pre-logon connectivity to domain controllers on-premises. So, you must deploy an Always On VPN device tunnel profile using Intune. You must also provision a device certificate using PKCS (preferred) or SCEP. You will also need to deploy your root and any subordinate CA certificates as well.

    In addition, the endpoint must be running Windows Enterprise Edition. This is a requirement for the device tunnel. If you are running Windows Professional and planning to use step-up upgrade there's additional work to be done. Details here: https://directaccess.richardhicks.com/2021/04/19/always-on-vpn-and-autopilot-hybrid-azure-ad-join/.

    Hope that helps!

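The prerequisites in the answer above (device tunnel profile, machine certificate, trusted root/issuing CA, Enterprise edition, reachable domain controller) can be checked on the endpoint before the first sign-in is attempted. The script below is an added example for that pre-flight check; it is not part of the thread and not from any of the posters. It assumes a device tunnel connection named 'Device Tunnel', a root CA subject of 'CN=Contoso Root CA' and a domain of contoso.local; all three are placeholders to replace with your own values.

```powershell
# Added example, not from the original thread. Pre-flight checks for the Always On VPN
# device tunnel prerequisites listed in the answer above, run on the Autopilot-built device
# in an elevated PowerShell session (the device tunnel is a machine-level connection).
# Assumptions (not in the thread): tunnel name, root CA subject and domain FQDN below.

$TunnelName = 'Device Tunnel'          # assumed name of the device tunnel connection
$RootCaName = 'CN=Contoso Root CA'     # assumed subject of the enterprise root CA
$DomainFqdn = 'contoso.local'          # assumed AD DS domain the device will join
$Failures   = [System.Collections.Generic.List[string]]::new()

# 1. The device tunnel requires Windows Enterprise (Education SKUs share the support).
$edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
if ($edition -notmatch 'Enterprise|Education') {
    $Failures.Add("Edition is '$edition'; the device tunnel needs Windows Enterprise")
}

# 2. A machine certificate (PKCS or SCEP) with the Client Authentication EKU and a usable
#    private key must be in the local machine personal store. A user certificate does not
#    help here: the tunnel comes up before any user signs in.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$deviceCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    } |
    Sort-Object -Property NotAfter -Descending | Select-Object -First 1
if (-not $deviceCert) {
    $Failures.Add('No valid machine certificate with Client Authentication EKU in Cert:\LocalMachine\My')
}

# 3. The root CA (and any subordinate CA) must be trusted, and the device certificate's
#    chain must build; a missing issuing CA shows up here as a chain failure.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootCaName }
if (-not $root) { $Failures.Add("Root CA '$RootCaName' is not in Cert:\LocalMachine\Root") }
if ($deviceCert) {
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    if (-not $chain.Build($deviceCert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $Failures.Add("Device certificate chain does not build: $status")
    }
}

# 4. The device tunnel must exist as an all-user (machine) VPN connection and be connected.
$tunnel = Get-VpnConnection -AllUserConnection -Name $TunnelName -ErrorAction SilentlyContinue
if (-not $tunnel) {
    $Failures.Add("No all-user VPN connection named '$TunnelName' (was the Intune profile applied?)")
} elseif ($tunnel.ConnectionStatus -ne 'Connected') {
    $Failures.Add("'$TunnelName' exists but its status is $($tunnel.ConnectionStatus)")
}

# 5. With the tunnel up, a domain controller must be reachable: locate one through the
#    _ldap._tcp.dc._msdcs SRV record, then test TCP 389 (LDAP) to it.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction SilentlyContinue
$srvRecords = $srv | Where-Object { $_.Type -eq 'SRV' }
if (-not $srvRecords) {
    $Failures.Add("SRV lookup for _ldap._tcp.dc._msdcs.$DomainFqdn failed (DNS not routed over the tunnel?)")
} else {
    $dc = ($srvRecords | Select-Object -First 1).NameTarget
    if (-not (Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet)) {
        $Failures.Add("TCP 389 to domain controller $dc failed")
    }
}

if ($Failures.Count -gt 0) {
    $Failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'All device tunnel prerequisites are satisfied; hybrid join sign-in should reach a DC.'
```

Run it from the Autopilot device after the Intune profiles have applied (for example from a Shift+F10 command prompt during OOBE, or via a remote session). Each failure maps to one of the items in the answer: an edition failure means the device tunnel cannot be created at all, a certificate or chain failure means the IKEv2 machine authentication will fail, and an SRV or port 389 failure means the tunnel is up but does not actually carry DNS or LDAP to the domain controllers, which is the symptom the original question describes.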