Question

IsmaelRodrguezLlave-1413 asked (answered by Jason-MSFT)

Hybrid Join over VPN not working with Always On VPN

Hi all. Currently we are facing issues getting devices joined to our on-prem domain during Autopilot. We have "Skip AD connectivity check" set to Yes. We deploy the Azure VPN Client and the VPN profile in a Win32 package and it installs fine. The problem is that we cannot get it to work. Trying on a test machine, the Azure VPN Client needs to be run manually the first time in order to get the tokens, because it uses Azure AD authentication. Once this is done, you can run the VPN fine with one command. Is this VPN unsupported because it needs to be run manually the first time to get those tokens? Is there any way to run the Azure VPN Client with a script so I can automate it? Or do we need to change the VPN authentication? Thanks in advance.

Tags: mem-intune-enrollment, azure-vpn-gateway, azure-ad-authentication, mem-autopilot

Jason-MSFT answered

Technically, no VPN solution is supported; this is why we dubbed it "bring your own VPN". We only establish some minimum requirements. Specifically, that the VPN is auto-connecting once the client portion is deployed or configured (usually using a certificate) or that it can be initiated from the login screen. How each of those is accomplished is based on the VPN solution itself. From memory, there is no direct path to accomplish this using the Always On VPN client -- that's not to say that it can't be done, we just don't define a supported path to do so. I have heard of folks getting it to work, but it's not pretty and its supportability is questionable.


IsmaelRodrguezLlave-1413 answered

And could you point me to those folks? Or do you suggest changing the authentication mode? I mean, it's a Microsoft VPN; they should confirm whether it's a valid method, or which method they recommend (only from their own VPN) or support for hybrid join, shouldn't they?


Jason-MSFT answered

"it's a Microsoft VPN they should confirm if it's a valid method or which method they recommend (only from their own VPN) or support for hybrid join, aren't they?"

No. Just because it's our solution doesn't automatically mean that it meets the necessary criteria. In fact, it's more or less the opposite. We know that the in-box Win 10 Always On VPN solution doesn't directly meet the criteria for the VPN portion of Autopilot + HAADJ. As is usually the case, with enough time, know-how, and tinkering, you can often "make" something work, but that doesn't mean it was designed to work or will be supported. As for which folks, I don't know, as I haven't paid any attention other than seeing a random tweet or post saying that someone did it. You'll have to use your search-engine-fu to find them if you are truly interested.

Today, the only VPN solutions that can be configured to meet the requirements (in a supported way) are from third parties. But we don't support those third-party solutions at all and make no claims that it will work with any particular third-party solution.
