Hybrid Join over VPN not working with Always On VPN

Ismael Rodríguez Llave 1 Reputation point
2021-03-30T08:05:32.84+00:00

Hi all, Currently we are facing issues getting devices joined to our on-prem domain during Autopilot. We have "Skip AD connectivity check" set to yes. We deploy the Azure VPN Client and the VPN profile in a Win32 package and it installs fine. But the problem is that we are not getting it to work. Trying on a test machine, the VPN needs the Azure VPN Client to be run manually the first time in order to get the tokens, because it uses Azure AD authentication. Once this is done, you can run the VPN fine with one command. Is this VPN unsupported, as it needs to be run manually the first time to get those tokens? Is there any way to run the Azure VPN Client with a script so I can automate it? Or do we need to change the VPN authentication? Thanks in advance.


3 answers

  1. Jason Sandys 31,151 Reputation points Microsoft Employee
    2021-03-30T15:52:23.457+00:00

    Technically, no VPN solution is supported; this is why we dubbed it "bring your own VPN". We only establish some minimum requirements. Specifically, that the VPN is auto-connecting once the client portion is deployed or configured (usually using a certificate) or that it can be initiated from the login screen. How each of those is accomplished is based on the VPN solution itself. From memory, there is no direct path to accomplish this using the Always On VPN client -- that's not to say that it can't be done, we just don't define a supported path to do so. I have heard of folks getting it to work, but it's not pretty and its supportability is questionable.

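    The requirement above boils down to the device being able to reach a domain controller over the tunnel before the hybrid join step runs. The following PowerShell diagnostic is an added example (not from this thread or from Microsoft) that approximates what the Autopilot AD connectivity check needs to succeed: it resolves the domain's DC SRV record and tests the LDAP and Kerberos ports on each DC. The domain name is a placeholder you must replace.

```powershell
# Added diagnostic, not code from the thread. Checks whether a domain controller
# for the on-prem AD domain is reachable from the device's current network (i.e.
# over the VPN), which is the condition the hybrid-join AD connectivity check
# depends on when it is not skipped.
# ASSUMPTION: $Domain below is a placeholder; replace with your AD DNS domain.
param(
    [string]$Domain = 'corp.example.com',   # placeholder value, not from the thread
    [int[]]$Ports   = @(389, 88)            # LDAP and Kerberos
)

# The DC locator SRV record; if this does not resolve, DNS is not flowing
# through the tunnel and the join cannot find a DC at all.
$srv = "_ldap._tcp.dc._msdcs.$Domain"
try {
    $records = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "SRV lookup for $srv failed: $($_.Exception.Message)"
    exit 1
}

$reachable = @()
foreach ($dc in ($records | Select-Object -ExpandProperty NameTarget -Unique)) {
    # Test each required port; a DC counts as reachable only if all are open.
    $results = foreach ($p in $Ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $p; Open = $t.TcpTestSucceeded }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    if (-not ($results | Where-Object { -not $_.Open })) { $reachable += $dc }
}

if ($reachable.Count -gt 0) {
    Write-Host "Reachable DCs: $($reachable -join ', ')"
    exit 0
} else {
    Write-Warning "No DC reachable on ports $($Ports -join '/'); the hybrid join cannot complete until the VPN is up."
    exit 1
}
```

    Run it in the OOBE context (Shift+F10) after the VPN package has been installed; exit code 1 with a DNS warning versus a port warning tells you whether the tunnel is down or only name resolution is not routed through it.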

  2. Ismael Rodríguez Llave 1 Reputation point
    2021-03-31T09:45:27.607+00:00

    And could you point me to those folks? Or do you suggest changing the authentication mode? I mean, it's a Microsoft VPN; they should confirm whether it's a valid method, or which method they recommend (only from their own VPN) or support for hybrid join, shouldn't they?


  3. Jason Sandys 31,151 Reputation points Microsoft Employee
    2021-03-31T14:46:03.527+00:00

    "it's a Microsoft VPN; they should confirm whether it's a valid method, or which method they recommend (only from their own VPN) or support for hybrid join, shouldn't they?"

    No. Just because it's our solution doesn't automatically mean that it meets the necessary criteria. In fact, it's more or less the opposite. We know that the in-box Win 10 Always On VPN solution doesn't directly meet the criteria for the VPN portion of Autopilot + HAADJ. As is usually the case, with enough time, know-how, and tinkering, you can often "make" something work, but that doesn't mean it was designed to work or will be supported. As for which folks, I don't know, as I haven't paid any attention other than seeing a random tweet or post saying that someone did it. You'll have to use your search-engine-fu to find them if you are truly interested.

    Today, the only VPN solutions that can be configured to meet the requirements (in a supported way) are from third parties. But we don't support those third-party solutions at all and make no claims that it will work with any particular third-party solution.
