Autopilot deployment - first login to on-premises AD with always on VPN
Hey everyone, maybe someone could help. We have a hybrid AD (on-premises + Azure). I'm trying to configure Always On VPN to work without user interaction during Autopilot deployment. When a user deploys his new notebook at home and Autopilot has just finished (the device is offline domain-joined to on-premises AD), he needs to log in to the system using a domain account. Unfortunately, at home that is impossible without VPN. I found that it can be fixed with a device tunnel - Always On VPN (https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment) and tried to configure the NDES service (https://msendpointmgr.com/2018/06/19/certificate-deployment-for-mobile-devices-using-microsoft-intune-part-1-overview/).
Unfortunately, when Autopilot has finished, on the Intune side there are two device configuration profiles for this computer stuck in the pending state: the SCEP certificate request and the Always On VPN profile deployment.
When the user goes to the office, Autopilot finishes the configuration (creates the device certificate and deploys the VPN profile), but at home these two tasks stay in the pending state forever. Do you have any idea what could be wrong?
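An added on-device check, not from the thread, for the two pending items described above: it verifies whether the SCEP-issued machine certificate and the Always On VPN device tunnel have actually been provisioned, tests domain controller reachability, and lists recent MDM policy errors. The issuing CA name, tunnel name and domain controller address are hypothetical placeholders to replace with your own.

```powershell
# Added diagnostic, not from the thread. Placeholders below are hypothetical.
$IssuingCaName    = 'CN=Contoso Issuing CA'   # issuer of the SCEP device cert
$TunnelName       = 'Contoso Device Tunnel'   # name in the Intune VPN profile
$DomainController = 'dc01.corp.contoso.com'   # DC the pre-logon sign-in must reach

# 1. Did the SCEP machine certificate arrive? A device tunnel authenticates with a
#    LocalMachine certificate (private key present) carrying the Client Authentication EKU.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $IssuingCaName -and $_.HasPrivateKey } |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' }
if ($certs) {
    $certs | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
} else {
    Write-Warning 'No SCEP machine certificate from the issuing CA: the SCEP profile has not applied yet.'
}

# 2. Was the device tunnel provisioned? Device tunnels are machine-wide (all-user)
#    connections, so they only show up with -AllUserConnection.
$tunnel = Get-VpnConnection -AllUserConnection -Name $TunnelName -ErrorAction SilentlyContinue
if ($tunnel) {
    $tunnel | Select-Object Name, ServerAddress, TunnelType, ConnectionStatus | Format-List
} else {
    Write-Warning 'Device tunnel not present: the Always On VPN profile has not applied yet.'
}

# 3. Can the device reach a domain controller (LDAP) right now, without a user logged on?
Test-NetConnection -ComputerName $DomainController -Port 389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 4. Recent MDM policy-processing errors usually explain why Intune profiles stay pending.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Level     = 2
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message -First 10
```

Run it in an elevated PowerShell session on the enrolled device; if step 1 fails, the tunnel in step 2 cannot come up regardless of the VPN profile, since the certificate is its only credential.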
6 Replies
- Hi,
I couldn't find information in your question (to be 100% sure) on whether this option is enabled: "Skip the AD connectivity check" in the Autopilot deployment profile.
- marcoorg (Copper Contributor): Rudy_Ooms_MVP, thank you for your response. In the Windows Autopilot deployment profile the setting "Skip AD connectivity check (preview)" is set to Yes.
- Nathan Blasac (Iron Contributor): Are you perhaps able to re-configure that pre-login VPN so that the user can initiate the tunnel and authenticate via username/password whilst leveraging MFA? Then the user should be able to reach the DC, complete login, and continue the Autopilot process.