Intune Hybrid deployment over VPN

Ed Newman 191 Reputation points
2020-09-18T14:58:18.743+00:00

Hi All, we have an Intune White Glove hybrid deployment setup that works nicely if the devices are connected to our internal network. We are now trying to deploy the devices without touching our network, so using VPN.

We currently have Windows 10 Always On VPN deployed successfully, with both a user and a device policy connecting for users. However, with these policies in place, freshly deployed devices are not able to connect to the network. The White Glove section completes successfully with the AD object created (although the userCertificate isn't created, so the object doesn't sync back to Azure AD), and during the user portion we get to the user logon screen, but can't log on because there is no connection to the domain (the user VPN doesn't connect until after logon and the device VPN is deployed but not connecting). So:

  1. Is it possible to deploy hybrid devices using White Glove and Windows 10 Always On VPN?
  2. If it is possible, any clues as to why it's not working?

Thanks in advance,
Ed.


3 answers

  1. Jason Sandys 31,186 Reputation points Microsoft Employee
    2020-09-18T16:36:57.447+00:00

    If the connection cannot be established before the user is required to log on, then no, as user logons to a domain require line of sight to a domain controller. This is a fundamental Windows domain join requirement and independent from Autopilot.

    Have you explored using full AAD joining for your systems?


  2. Ed Newman 191 Reputation points
    2020-09-18T17:26:40.687+00:00

    Thanks for your reply Jason. One day we will go for full aad join, but for now we have 20 years of badly organised file shares to sort out so hybrid is a must for us.

    My question was more around whether Windows 10 Always On VPN is suitable for doing the domain join part? The online documentation seems to suggest it should do it, but there is very little out there from people using VPNs to do the hybrid join bit (still relatively new I guess).

    Ed.


  3. Jason Sandys 31,186 Reputation points Microsoft Employee
    2020-09-18T18:54:31.633+00:00

    "so hybrid is a must for us."

    Why? AAD users on AAD joined devices can seamlessly access on-prem file shares with very little configuration; this is built into Windows: https://video2.skills-academy.com/en-us/azure/active-directory/devices/azuread-join-sso

    The requirement is simply line of sight to a domain controller. The network layer is irrelevant as long as the network traffic makes it back and forth.

    The full list of requirements is listed at https://video2.skills-academy.com/en-us/mem/autopilot/user-driven#requirements-1

    An informal list of what VPN clients work is listed at https://oofhours.com/2020/06/23/windows-autopilot-user-driven-hybrid-azure-ad-join-which-vpn-clients-work/. There is a section and link near the end of that post on how to set up and use the Microsoft always on VPN client.

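The two answers above both come down to one requirement: before the user portion of a hybrid Azure AD join can sign in, the device tunnel must be up and the device must have line of sight to a domain controller over it. The script below is an added diagnostic example, not code from the original thread or from Microsoft; it checks that chain from the device's side. The profile name "DeviceTunnel" and the domain "corp.example.com" are hypothetical placeholders to replace with your own values.

```powershell
# Added diagnostic example (not part of the original thread): confirm that a
# device stuck at the logon screen has "line of sight" to a domain controller
# over the Always On VPN device tunnel. Run as SYSTEM (for example via
# psexec -s, or from the Shift+F10 command prompt during OOBE), because the
# device tunnel lives in the machine-wide connection store.
# Assumed (hypothetical) names: device tunnel profile "DeviceTunnel",
# on-premises AD domain "corp.example.com".

param(
    [string]$DeviceTunnelName = 'DeviceTunnel',
    [string]$DomainFqdn       = 'corp.example.com'
)

function Test-DeviceTunnel {
    param([string]$Name)
    # Device tunnels are machine-wide, so query the all-user connection store.
    $vpn = Get-VpnConnection -AllUserConnection -Name $Name -ErrorAction SilentlyContinue
    if (-not $vpn) {
        return [pscustomobject]@{ Exists = $false; Connected = $false }
    }
    [pscustomobject]@{
        Exists    = $true
        Connected = ($vpn.ConnectionStatus -eq 'Connected')
    }
}

function Test-DomainControllerLineOfSight {
    param([string]$Domain)
    # The Netlogon DC locator starts with this SRV lookup. If it fails, the
    # VPN profile's DNS settings (suffix, NRPT) are the first thing to check,
    # not routing.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'SRV' }
    if (-not $srv) { return @() }

    # Ports a domain logon needs to reach on at least one DC.
    $ports = @{ Kerberos = 88; LDAP = 389; SMB = 445; RPC = 135 }
    foreach ($record in $srv) {
        foreach ($svc in $ports.Keys) {
            $ok = (Test-NetConnection -ComputerName $record.NameTarget -Port $ports[$svc] `
                       -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{
                DC        = $record.NameTarget
                Service   = $svc
                Port      = $ports[$svc]
                Reachable = $ok
            }
        }
    }
}

$tunnel = Test-DeviceTunnel -Name $DeviceTunnelName
Write-Host "Device tunnel '$DeviceTunnelName': exists=$($tunnel.Exists) connected=$($tunnel.Connected)"
if (-not $tunnel.Connected) {
    Write-Warning "Device tunnel is down: a hybrid-joined user cannot authenticate until a DC is reachable."
}

$results = Test-DomainControllerLineOfSight -Domain $DomainFqdn
if (-not $results) {
    Write-Warning "No DC SRV records resolved for $DomainFqdn; check the VPN profile's DNS suffix/NRPT settings."
} else {
    $results | Format-Table -AutoSize
}

# Netlogon's own verdict: a non-zero exit code means Windows itself cannot
# locate a DC, regardless of what the port tests above show.
nltest /dsgetdc:$DomainFqdn /force
```

If the tunnel reports Connected but the SRV lookup returns nothing, the problem is name resolution over the tunnel; if the SRV records resolve but port 88 or 389 is unreachable, it is routing or firewall rules on the VPN path. Either way the symptom at the logon screen is the same, which is why checking each step separately is worth the extra minute.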