Windows Autopilot User-Driven Hybrid Azure AD Join with VPN Support in Public Preview

In one form or another, the ability to perform a user-driven hybrid Azure AD join over a VPN connection has been in preview since 2019. Still in public preview, the feature is now built into the Windows 10 May 2020 Update (version 2004) and has been backported to Windows 10 versions 1903 and 1909 on devices with the December 2019 cumulative update or later installed.

Hybrid Azure AD joined devices and Windows Autopilot

Windows 10 devices can be joined to an Azure Active Directory (Azure AD) tenant, which is the usual arrangement for company-owned devices. For Bring Your Own Device (BYOD) scenarios, and for devices running operating systems other than Windows 10, the alternative is to register the device with Azure AD instead. The main difference for users is that only on Azure AD joined devices can they sign in with a Microsoft work or school account directly from the logon screen.

But because life isn’t simple, Windows 10 devices can also be hybrid Azure AD joined. These devices are joined to a Windows Server Active Directory domain but also registered with Azure AD.

Windows Autopilot, Microsoft's suite of technologies for simplifying the setup of new Windows 10 devices, has several modes. In user-driven mode, a new Windows 10 device goes from its factory state, straight out of the box from the manufacturer, to ready to use, with no hands-on work from IT beyond registering the device and assigning it a deployment profile.

For more details on Windows Autopilot, check out How to Manually Onboard Devices to Windows Autopilot – Part 1 and How to Manually Onboard Devices to Windows Autopilot – Part 2 on Petri. There's also white glove provisioning, which is similar to user-driven mode but lets IT or a partner pre-provision the device-targeted apps and policies, so the end user's part of the process is shorter.

VPN support for user-driven hybrid Azure AD join

The Windows Autopilot user-driven hybrid Azure AD join process checks that the device can reach Windows Server Active Directory by pinging a domain controller. If you are provisioning a new device that must connect to the corporate network over a virtual private network (VPN), that check fails: the VPN has not yet been set up on the device, so no domain controller is reachable.
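To see why the check fails on a fresh, off-network device, the following PowerShell reproduces both preconditions yourself: a supported Windows 10 build, and a domain controller that answers. This is an added example, not code from the Petri article or from Microsoft; the domain name is a placeholder, and the minimum build numbers (18362.535 and 18363.535 for the December 2019 cumulative update, 19041 for version 2004) are stated here as an assumption to verify against Microsoft's requirements.

```powershell
# Added example (not from the article or Microsoft). Pre-flight check for the
# two things a hybrid Azure AD join needs: a supported Windows 10 build and a
# reachable domain controller. Domain name and minimum UBR values are assumptions.

function Test-AutopilotVpnBuild {
    # Assumed minimums: 1903 = 18362.535, 1909 = 18363.535 (December 2019 CU),
    # 2004 = 19041 or later. CurrentBuild and UBR together give "18363.535".
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR
    $ok = switch ($build) {
        18362   { $ubr -ge 535 }
        18363   { $ubr -ge 535 }
        default { $build -ge 19041 }
    }
    [pscustomobject]@{ Build = "$build.$ubr"; Supported = [bool]$ok }
}

function Test-DomainControllerReachable {
    param([Parameter(Mandatory)][string]$Domain)

    # Locate DCs the way Windows does: the _ldap._tcp.dc._msdcs SRV record.
    # Without corporate DNS (no VPN yet) this lookup is usually the first thing to fail.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority, Weight
    } catch {
        return [pscustomobject]@{ Domain = $Domain; DomainController = $null; Reachable = $false
                                  Reason = 'SRV lookup failed (no corporate DNS, typically no VPN yet)' }
    }

    foreach ($dc in $srv) {
        # Autopilot's check is an ICMP ping; mirror it, and also try LDAP/389 in case
        # ICMP is filtered so you can tell "no route" apart from "ping blocked".
        $ping = Test-Connection -ComputerName $dc.NameTarget -Count 1 -Quiet -ErrorAction SilentlyContinue
        $ldap = (Test-NetConnection -ComputerName $dc.NameTarget -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        if ($ping -or $ldap) {
            return [pscustomobject]@{ Domain = $Domain; DomainController = $dc.NameTarget
                                      Reachable = $true; IcmpPing = [bool]$ping; Ldap389 = [bool]$ldap }
        }
    }
    [pscustomobject]@{ Domain = $Domain; DomainController = $null; Reachable = $false
                       Reason = 'DCs resolved but none answered ping or LDAP' }
}

Test-AutopilotVpnBuild
Test-DomainControllerReachable -Domain 'corp.contoso.com'   # placeholder domain
```

Run it on a device sitting on a home network and the SRV lookup or the ping fails, which is exactly the state the Autopilot connectivity check finds; run it again once a VPN is up and the domain controller answers. Note that Autopilot itself only pings, so a domain controller that answers on LDAP but drops ICMP would still fail the built-in check.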

To solve this problem, Microsoft has added a Skip AD connectivity check (preview) option to the Windows Autopilot deployment profile, available when the join type is hybrid Azure AD joined. With it enabled, Windows 10 does not wait for a domain controller to answer; it reboots and displays the Mobile Device Management (MDM) Enrollment Status Page (ESP) regardless of whether there is connectivity to Windows Server AD.

The ESP displays the progress of the configuration being applied to the device, such as app and certificate installation. The VPN must be set up during this ESP phase so that the user has a path to the corporate network and can sign in to Windows Server AD at the first logon. You can install a third-party VPN client, like Cisco AnyConnect, or push whatever other configuration is needed to get a VPN working. The one requirement is that the VPN connection must either come up automatically before anyone signs in, as a Windows 10 Always On VPN device tunnel does, or the VPN client must let the user connect to the VPN server from the Windows 10 logon screen. A user tunnel or a client that only connects after a user is signed in does not help here: the device has no cached credentials yet, so the first sign-in itself needs a domain controller.
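The automatically-established option above is what the following PowerShell builds: an Always On VPN device tunnel profile that comes up at boot, before sign-in, so the first AD logon can reach a domain controller. This is an added example, not code from the Petri article or from Microsoft's documentation. It writes the ProfileXML to a file for an Intune custom configuration profile (one OMA-URI setting of type String (XML file) under the VPNv2 CSP), and can optionally apply the same profile locally through the MDM WMI bridge for lab testing. The server name, internal routes and trusted-network DNS suffix are placeholders.

```powershell
# Added example (not from the article or Microsoft). Builds an Always On VPN
# device tunnel ProfileXML, writes it out for an Intune custom OMA-URI profile,
# and with -ApplyLocally installs it via the MDM WMI bridge for a lab test.
param(
    [string]$ProfileName      = 'Contoso Device Tunnel',   # assumption
    [string]$VpnServer        = 'vpn.contoso.com',         # assumption
    [string[]]$InternalRoutes = @('10.0.0.0/8'),           # assumption: where the DCs live
    [string]$TrustedDnsSuffix = 'corp.contoso.com',        # assumption: on-prem suffix
    [switch]$ApplyLocally
)

# Split-tunnel routes for the internal ranges that must be reachable for logon.
$routeXml = foreach ($r in $InternalRoutes) {
    $addr, $prefix = $r -split '/'
    "  <Route>`n    <Address>$addr</Address>`n    <PrefixSize>$prefix</PrefixSize>`n  </Route>"
}

# Device tunnels authenticate with a machine certificate (no user is present yet),
# use IKEv2, and are marked AlwaysOn + DeviceTunnel so they connect at boot.
$profileXml = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
$($routeXml -join "`n")
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>$TrustedDnsSuffix</TrustedNetworkDetection>
</VPNProfile>
"@

# 1. Production path: Intune custom configuration profile. The profile name is
#    URL-encoded in the OMA-URI; the value is the XML file written here.
$escapedName = [uri]::EscapeDataString($ProfileName)
$omaUri      = "./Device/Vendor/MSFT/VPNv2/$escapedName/ProfileXML"
$outFile     = Join-Path $PWD 'DeviceTunnel_ProfileXML.xml'
$profileXml | Set-Content -Path $outFile -Encoding UTF8
Write-Host "OMA-URI : $omaUri"
Write-Host "ProfileXML written to $outFile"

# 2. Lab path: apply through the MDM WMI bridge. Device tunnels live in the
#    device scope, so this must run as SYSTEM (for example psexec -s -i powershell.exe).
if ($ApplyLocally) {
    $ns   = 'root\cimv2\mdm\dmmap'
    $inst = New-Object Microsoft.Management.Infrastructure.CimInstance 'MDM_VPNv2_01', $ns
    $inst.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID', './Vendor/MSFT/VPNv2', 'String', 'Key'))
    $inst.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $escapedName, 'String', 'Key'))
    # ProfileXML is a string carried inside WMI's own XML, so it must be entity-escaped.
    $inst.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML',
            [System.Security.SecurityElement]::Escape($profileXml), 'String', 'Property'))
    $session = New-CimSession
    $session.CreateInstance($ns, $inst) | Out-Null
    # Device tunnels show up in the all-user phonebook.
    Get-VpnConnection -AllUserConnection -Name $ProfileName |
        Format-List Name, ServerAddress, TunnelType, SplitTunneling
}
```

The split-tunnel routes are the important security decision: a device tunnel runs with no user signed in, so scope it to the subnets that logon actually needs (domain controllers, and whatever the ESP must reach) rather than routing all traffic. The machine certificate must already be on the device before the tunnel can connect, which is why certificate deployment belongs in the same device ESP phase.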

To learn how Windows 10 Always On VPN works, see Understanding Windows 10 Always On VPN on Petri.

Deploy VPN configuration using Microsoft Intune

Windows Autopilot user-driven hybrid Azure AD join with VPN support arrives at a good time, as more of us are required to work from home because of the global pandemic. The change Microsoft made to enable VPN support is relatively simple. But if you haven't already done it, getting the VPN client installed or the VPN configuration applied during provisioning may be more of a challenge, so you will need to test before relying on VPN support in production.

For more detailed instructions on setting up user-driven hybrid Azure AD join with VPN support, see Microsoft's documentation.