Trying Out Autopilot Hybrid Join Over VPN In Your Azure Lab

Published Aug 27 2020 06:14 AM 24.7K Views
Microsoft

As an IT admin you plan to ship new devices to end users which can join the on-premises AD (Active Directory) by leveraging Autopilot with Intune for device management.

This post is a walkthrough of evaluating the Autopilot Hybrid join over VPN scenario in a lab environment hosted in Azure.

 

Infrastructure

Because the number of components involved can make this complicated, I have added steps to build the configurations and dependencies along the post. Here is an agenda for this post along with a high-level network configuration of the setup:

image.png

 

For this lab exercise you will need:

  • Azure subscription: Sign up for a free Azure Subscription or use your MSDN/MCT/existing subscription.
  • Intune license: Sign up for a free Intune trial or use your MSDN/existing license.
  • Windows 10 devices: Use VMs or physical devices as desired. Refer to the OS prerequisites here.

 

Step1: Create an Azure Virtual Network

Let us start with setting up a networking infrastructure where we can place our VMs later. We will create a New Virtual Network.

image.png

 
  1. Choose your appropriate Azure Subscription.
  2. Create a new Resource Group for this lab.
  3. Specify a Name of the Virtual Network.
  4. Choose the Region in which you want to place this resource.
  5. Click Review + Create (leaving defaults for IP Address, Security and Tags)

image.png

 
  • Click Create to finish creating the Virtual Network.

 

Step2: Create an Azure Virtual Network Gateway

We will now create a Virtual Network Gateway which acts as a software VPN.

image.png

 
  1. Choose your appropriate Azure Subscription.
  2. Specify a Name for the Virtual Network Gateway
  3. Select the same Region you chose while creating the Virtual Network in the previous exercise.
    • Leave the Gateway type to VPN
    • Leave VPN type to Route-based
    • Leave the SKU to default VpnGw1
    • Leave Generation to Generation1
  4. From the Virtual Network drop-down choose the name of the Virtual Network you created in Step1.
    • Leave the default Gateway subnet address range.
    • Leave Create new under Public IP address
  5. Specify a Public IP address name
    • Leave Enable active-active mode to Disabled.
    • Leave Configure BGP ASN to Disabled.
  6. Click Review + Create.

image.png

  • Click Create to complete the task.

 

Note: This may take 20 minutes or more. Do not proceed before this activity completes.

 

Step3: Create Virtual Machines – Domain Controller & Member Server

Now we start preparing the on-premises infrastructure starting with a Domain Controller and a Member Server both hosted as an Azure VM.

  • Sign-in to https://portal.azure.com/
  • Click Create a resource and look for Virtual Machine under Compute. Repeat the steps below twice to create two VMs: one for the Domain Controller and the other for the Member Server.

image.png

 
  1. Choose your appropriate Azure Subscription.
  2. Select the Resource Group from the previous exercise.
  3. Specify a Name for the VM
    • Region is auto-populated based on the region you selected in Step2.
    • Leave the default availability option. (No infrastructure redundancy required.)
  4. From the Image drop-down choose a Windows Server OS
    • Leave the Azure spot instance default to No
    • Choose a size as appropriate. (I am leaving the default suggested by Azure)
  5. Specify a Username and a password.
    • Leave the default inbound ports for RDP.
    • Leave default licensing.
  6. Click Review + Create.

image.png

 

The wizard automatically chooses the Networking from the same resource group we selected. Feel free to make any changes as desired.

  • Click Create to complete the process.

Once both VMs are successfully created, move on to the next steps to configure them.

 

Step4: Configure Virtual Machine 1 (Domain Controller)

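On the first VM acting as a Domain Controller, install the following roles:

  • Active Directory Domain Services [Domain Controller]
  • Install Azure AD Connect to connect to the Azure AD tenant.
    1. Re-run AAD Connect to configure Hybrid Azure AD Join.

image.png

  • Create users on-prem and confirm synchronization in AAD. Do not forget to assign licenses.
  • Install Active Directory Certificate Services [CA: Certificate Authority]. Choose Enterprise CA, since Standalone is not supported for NDES.

image.png

  • Create Certificate Templates for SCEP Profiles by following the instructions from this blog post for setting up NDES for SCEP certificate deployments. We will reference this blog post at various phases during the setup.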

 

 

Step5: Azure DNS Configuration

Once your custom domain is created, we need to configure Azure networking to support the custom DNS configuration.

  • Sign-in to https://portal.azure.com/
  • Browse to the Virtual Network created earlier (Contoso-VNET).
    1. Choose DNS Servers from the blade.
    2. Select Custom.
    3. Specify the internal IP Address of VM1 (in my case it is 10.0.0.4)
    4. Click Save

image.png

 
  • Restart both the VMs connected to this network.

 

Step6: Configure Azure Virtual Machine 2 (Member Server)

On the second VM we will install a list of roles and features for our solution. One of the primary reasons for building this VM2 is the fact that you cannot co-locate both NDES and CA on the same server.

  1. Join this VM to the Domain created in Step4.
  2. Create and configure an NDES Service Account.
  3. Install the NDES Role. For additional guidance, refer to the instructions from this blog post.
  4. Install an Azure AD Application Proxy Connector, used instead of a WAP (Web App Proxy server) for publishing the NDES URL to the internet.
  5. Add an AAD App Proxy Application for NDES. Refer to the instructions from this blog post.
  6. Request the NDES Web Certificate. Refer to the instructions from this blog post.
  7. Install the Intune Certificate Connector – SCEP
  8. Install the Intune Domain Join Connector

 

Step7: Azure VPN Configuration

The above tasks prepare us to set up the Azure VPN user configuration.

  • Sign-in to https://portal.azure.com/
  • Browse to the Virtual Network Gateway resource you created earlier (we called it Contoso-VPN).
  • Click User VPN Configuration from the menu and click Configure now.

image.png

 
  1. Specify an Address pool for the VPN clients to connect.
  2. Under Tunnel type specify IKEv2
  3. For Authentication type, leave Azure certificate.

image.png

 
  4. Under Root Certificates specify a name (example Root) and for Public Certificate Data:
    1. Make sure that you exported the root certificate as a Base-64 encoded X.509 (.cer) file. You need to export the certificate in this format so you can open the certificate with a text editor.
    2. Open the certificate with a text editor, such as Notepad. When copying the certificate data, make sure that you copy the text as one continuous line without carriage returns or line feeds. You may need to modify your view in the text editor to 'Show Symbol/Show all characters' to see the carriage returns and line feeds. Copy only the following section as one continuous line:

image.png

  5. Save the configuration.

image.png

 

Note: This may take 10 minutes or more to complete.

  6. Click Download VPN Client and save for later use.
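
The copy step for Public Certificate Data can also be scripted instead of done in a text editor. The following is an added example, not part of the original post: it loads an exported root certificate, lists anything that would make it unsuitable as a root, and returns the certificate data as one continuous Base-64 line. The function name and the file name in the usage comment are assumptions.

```powershell
# Added example: not part of the original post. The function name and the
# file name in the usage lines are illustrative assumptions.
function Get-RootCertPublicData {
    [CmdletBinding()]
    param(
        # Path to the exported root certificate (.cer), Base-64 or DER encoded.
        [Parameter(Mandatory = $true)]
        [string] $Path
    )

    $fullPath = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath

    # X509Certificate2 parses both Base-64 and binary exports and throws
    # if the file is not a certificate at all.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    $problems = @()

    # A root certificate is self-signed: subject and issuer are identical.
    if ($cert.SubjectName.Name -ne $cert.IssuerName.Name) {
        $problems += 'Subject and issuer differ: this is not a self-signed root.'
    }

    # Basic Constraints should mark the certificate as a CA.
    $basic = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if (-not $basic -or -not $basic.CertificateAuthority) {
        $problems += 'Basic Constraints does not mark this certificate as a CA.'
    }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Outside validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    # Re-encode the DER bytes. ToBase64String emits no line breaks, so the
    # result is the text between the BEGIN/END CERTIFICATE lines with all
    # carriage returns and line feeds removed.
    $oneLine = [Convert]::ToBase64String($cert.RawData)

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        Problems       = $problems
        PublicCertData = $oneLine
    }
}

# Usage (file name is a placeholder):
#   $r = Get-RootCertPublicData -Path .\LabRootCA.cer
#   $r.Problems                         # review before uploading
#   $r.PublicCertData | Set-Clipboard   # paste into Public Certificate Data
```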

 

 

Optional: VPN Validation

To reduce the complexity, it is a good idea to validate the VPN connection outside Intune configuration.

  • Build a Windows 10 VM or use a physical machine (meeting OS Prerequisites) which is not joined to the Domain we created above.
  • Copy the VPN client we downloaded in the previous exercise.

Instead of executing the installer of the VPN client, we will manually create the VPN configuration using the values in the file called VPNSettings.xml in the Generic folder.

image.png

 

 

  • Use the following PowerShell cmdlets to manually create the VPN connection. Replace the highlighted values.

 

Add-VpnConnection -Name ContosoVPN -ServerAddress azuregateway-Replace_With_GUID.vpn.azure.com -AuthenticationMethod MachineCertificate -DnsSuffix domain.dns.com -SplitTunneling -TunnelType Ikev2

 

Add-VpnConnectionRoute -ConnectionName ContosoVPN -DestinationPrefix 10.0.0.0/16

 

  • Import a Client-Auth cert for this device with Common Name = Computer Name

For this step you may want to create a Certificate Template with Computer Authentication capability, with the subject name set to supply in the request and the option to export the private key.

 

  • Connect the VPN and try to ping/RDP/access a network share, or even join the machine to the Domain.
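
Before connecting, it helps to confirm that the imported certificate is one the MachineCertificate authentication method can actually use. The following is an added example, not part of the original post: it lists the certificates in the local machine store and reports, for each, whether the name matches the computer, whether the Client Authentication EKU is present, whether a private key is attached and whether it is within its validity period. The function name is an assumption.

```powershell
# Added example: not part of the original post. The function name is an
# illustrative assumption.
function Test-VpnMachineCertificate {
    [CmdletBinding()]
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [string] $StorePath    = 'Cert:\LocalMachine\My'
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $simpleName    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $now           = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Common Name of the subject.
        $cn = $cert.GetNameInfo($simpleName, $false)

        # Matches CN = computer name (this manual test) and CN = FQDN whose
        # first label is the computer name (the SCEP subject format in Step8).
        $nameOk = (($cn -split '\.')[0] -eq $ComputerName)

        # EnhancedKeyUsageList is added by the PowerShell certificate provider.
        $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $ekuOk   = $ekuOids -contains $clientAuthOid

        $timeOk = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            CommonName    = $cn
            Issuer        = $cert.Issuer   # compare with the root uploaded in Step7
            NameMatches   = $nameOk
            ClientAuthEku = $ekuOk
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = $timeOk
            Usable        = $nameOk -and $ekuOk -and $cert.HasPrivateKey -and $timeOk
        }
    }
}

# Usage: at least one row should show Usable = True before connecting.
#   Test-VpnMachineCertificate |
#       Format-Table CommonName, NameMatches, ClientAuthEku, HasPrivateKey, InValidity, Usable
```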

 

Step8: Intune Configurations

Now that your base infrastructure configuration is complete, you can proceed with the Intune configuration.

image.png

 
  • Capture the hardware hash, import the device and assign the profile using Get-WindowsAutoPilotInfo. The sample below captures the hash, uploads it to Intune, adds the device to a group and assigns it to the deployment profile.

Get-WindowsAutopilotInfo -Online -AddToGroup "AZ-XYZ" -Assign

 

 

Specify the Subject name format as CN={{FullyQualifiedDomainName}}

image.png

 
  • Create a VPN Configuration Profile and assign it to the same AAD-Group. Take the configuration settings from the file called VPNSettings.xml, found in the folder named Generic of the VPN Client you downloaded.

 

  1. Specify a Connection Name
  2. Under Servers Description, specify a Name.
  3. For IP address or FQDN, specify the VPNServer info from VPNSettings.xml
  4. Set Default server to True.
  5. Enable Register IP address with internal DNS
  6. Choose the Connection type as IKEv2
  7. Set Always On to Enable
  8. Set the Authentication method to Machine Certificates.
  9. Under Authentication certificate choose the SCEP Certificate profile you created before.
  10. Enable Device Tunnel

image.png

 
  • Leave the following sections at their defaults:
    • Apps and Traffic Rules
    • Conditional Access
  • Customize the DNS Settings by adding:
    1. Add the Domain name as your DNS Suffix.
    2. Add Name Resolution Policy table (NRPT) rule by specifying:
      1. Domain
      2. DNS Server IP

image.png

 
  • Leave the Proxy settings at their defaults.
  • Under Split Tunneling:
    1. Enable the configuration.
    2. Under Destination prefix and Prefix size specify the subnet address listed under <Routes> in VPNSettings.xml

image.png

  • Deploy to the AAD-Device group and proceed with testing/validation on a device.

 

 

Time for testing and evaluation!

 

 

Thanks,

Arnab Mitra

 

FA%3E%20%E2%80%93%20For%20NDES%20Server%20(VM2)%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fprotect%2Fcertificates-scep-configure%23create-the-client-certificate-template%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EClient%20Authentication%20Certificate%3C%2FA%3E%20%E2%80%93%20For%20NDES%20Server%20(VM2)%20you%20can%20even%20merge%20this%20with%20the%20Web%20Server%20Certificate%20by%20adding%20Client%20Auth.%20Capabilities%20instead%20of%20creating%20a%20new%20template.%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fprotect%2Fcertificates-scep-configure%23create-the-scep-certificate-template%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESCEP%20Certificate%20Template%3C%2FA%3E%20%E2%80%93%20For%20Devices%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22
%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%20id%3D%22toc-hId--1719609900%22%3EStep5%3A%20Azure%20DNS%20Configuration%3C%2FH2%3E%0A%3CP%3EOnce%20your%20custom%20domain%20is%20created%2C%20we%20need%20to%20configure%20Azure%20networking%20to%20support%20the%20custom%20DNS%20configuration.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ESign-in%20to%20%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fportal.azure.com%2F%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EBrowse%20the%20Virtual%20Network%20created%20earlier%20Contoso-VNET%3COL%3E%0A%3CLI%3E%3CSPAN%3EChoose%20%3CSTRONG%3EDNS%20Servers%3C%2FSTRONG%3E%20from%20the%20blade.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ESelect%20%3CSTRONG%3ECustom%3C%2FSTRONG%3E.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ESpecify%20the%20internal%20IP%20Address%20of%20VM1%20(in%20my%20case%20it%20is%2010.0.0.4)%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3EClick%20%3CSTRONG%3ESave%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CSPAN%3E%3CSTRONG%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20627px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F214178iAB1A7F9290C05BC0%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorArnab%20Mitra_9%22%20class%3D%22mceNonEditable%20lia-copypaste-placeho
lder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CUL%3E%0A%3CLI%3E%3CSPAN%3ERestart%20both%20the%20VMs%20connected%20to%20this%20network.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%20id%3D%22toc-hId-767902933%22%3EStep6%3A%20Configure%20Azure%20Virtual%20Machine%202%20(Member%20Server)%3C%2FH2%3E%0A%3CP%3EOn%20the%20second%20VM%20we%20will%20install%20a%20list%20of%20roles%20and%20features%20for%20our%20solution.%20One%20of%20the%20primary%20reasons%20for%20building%20this%20VM2%20is%20the%20fact%20that%20you%20cannot%20co-locate%20both%20NDES%20and%20CA%20on%20the%20same%20server.%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EJoin%20this%20VM%20to%20th
e%20Domain%20created%20in%20Step4.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%222%22%3E%0A%3CLI%3ECreate%20and%20configure%20an%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2012-R2-and-2012%2Fhh831498(v%3Dws.11)%23to-create-a-domain-user-account-to-act-as-the-ndes-service-account%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ENDES%20Service%20Account%3C%2FA%3E.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%223%22%3E%0A%3CLI%3EInstall%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fprotect%2Fcertificates-scep-configure%23set-up-ndes%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ENDES%20Role%3C%2FA%3E%20for%20additional%20guidance%20refer%20the%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fintune-customer-success%2Fsupport-tip-how-to-configure-ndes-for-scep-certificate%2Fba-p%2F455125%22%20target%3D%22_blank%22%3Einstructions%20from%20this%20blog%20post%3C%2FA%3E.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%224%22%3E%0A%3CLI%3EInstall%20an%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fmanage-apps%2Fapplication-proxy-add-on-premises-application%23install-and-register-a-connector%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20AD%20Application%20Proxy%20Connector%3C%2FA%3E%20%E2%80%93%20Instead%20of%20a%20WAP%20(Web%20App%20Proxy%20server)%20for%20publishing%20NDES%20URL%20to%20the%20internet.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%225%22%3E%0A%3CLI%3EAdd%20and%20an%20AAD%20APP%20Proxy%20Application%20for%20NDES.%20Refer%20the%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fintune-customer-success%2Fsupport-tip-how-to-configure-ndes-for-scep-certificate%2Fba-p%2F455125%22%20target%3D%22_blank%22%3Eins
tructions%20from%20this%20blog%20post%3C%2FA%3E.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%226%22%3E%0A%3CLI%3ERequest%20the%20NDES%20Web%20Certificate.%20Refer%20the%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fintune-customer-success%2Fsupport-tip-how-to-configure-ndes-for-scep-certificate%2Fba-p%2F455125%22%20target%3D%22_blank%22%3Einstructions%20from%20this%20blog%20post%3C%2FA%3E.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%227%22%3E%0A%3CLI%3EInstall%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fprotect%2Fcertificates-scep-configure%23install-the-intune-certificate-connector%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EIntune%20Certificate%20Connector%3C%2FA%3E%20%E2%80%93%20SCEP%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%20start%3D%228%22%3E%0A%3CLI%3EInstall%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fenrollment%2Fwindows-autopilot-hybrid%23install-the-intune-connector%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EIntune%20Domain%20Join%20Connector%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%2
2toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%20id%3D%22toc-hId--1039551530%22%3EStep7%3A%20Azure%20VPN%20Configuration%3C%2FH2%3E%0A%3CP%3EThe%20above%20tasks%20prepare%20us%20to%20setup%20the%20Azure%20VPN%20user%20configuration.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ESign-in%20to%20%3CA%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fportal.azure.com%2F%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EBrowse%20the%20%3CSTRONG%3EVirtual%20Network%3C%2FSTRONG%3E%20%3CSTRONG%3EGateway%3C%2FSTRONG%3E%20resource%20you%20created%20earlier%20we%20called%20it%20Contoso-VPN%3C%2FLI%3E%0A%3CLI%3EClick%20the%20%3CSTRONG%3EUser%20VPN%20Configuration%3C%2FSTRONG%3E%20from%20the%20menu%20and%20click%20%3CSTRONG%3EConfigure%20now%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20417px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F214179i0DD5931DDE23F2DF%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorArnab%20Mitra_10%22%20class%3D%22mceNon
Editable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3COL%3E%0A%3CLI%3ESpecify%20an%20%3CSTRONG%3EAddress%20pool%3C%2FSTRONG%3E%20for%20the%20VPN%20clients%20to%20connect.%3C%2FLI%3E%0A%3CLI%3EUnder%20%3CSTRONG%3ETunnel%3C%2FSTRONG%3E%20type%20specify%20%3CSTRONG%3EIKEv2%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%3EFor%20%3CSTRONG%3EAuthentication%20type%3C%2FSTRONG%3E%2C%20leave%20Azure%20certificate.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20340px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F214180i468939BF0AAA9B95%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorArnab%20Mitra_11%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3COL%20start%3D%224%22%3E%0A%3CLI%3EUnder%20%3CSTRONG%3ERoot%20Certificates%3C%2FSTRONG%3E%20specify%20a%20name%20(example%20Root)%20and%20for%20Public%20Certificate%20Data%3A%3COL%3E%0A%3CLI%3EMake%20sure%20that%20you%20exported%20the%20root%20certificate%20as%20a%20%3CSTRONG%3EBase-64%20encoded%20X.509%20(.cer)%20file%3C%2FSTRONG%3E.%20You%20need%20to%20export%20the%20certificate%20in%20this%20format%20so%20you%20can%20open%20the%20certificate%20with%20text%20editor.%3C%2FLI%3E%0A%3CLI%3EOpen%20the%20certificate%20with%20a%20text%20editor%2C%20such%20as%20Notepad.%20When%20copying%20the%20certificate%20data%2C%20make%20sure%20that%20you%20copy%20the%20text%20as%20one%20continuous%20line%20without%20carriage%20returns%20or%20line%20feeds.%20You%20may%20need%20to%20modify%20your%20view%20in%20the%20text%20editor%20to%20'Show%20Symbol%2FShow%20all%20characters'%20to%20see%20the%20carriage%20returns%20and%20line%20feeds.%20Copy%20only%20the%20following
%20section%20as%20one%20continuous%20line%3A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-90px%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20628px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F214181iAE824F6C3ACB1CF3%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3COL%20start%3D%225%22%3E%0A%3CLI%3E%3CSTRONG%3ESave%3C%2FSTRONG%3E%20the%20configuration.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20404px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F214182i76B3FBB26394BA6E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorArnab%20Mitra_13%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CEM%3E%3CSTRONG%3E%3CFONT%20color%3D%22%23FF0000%22%3ENote%3A%20This%20may%20take%2010%20minutes%20or%20up%20to%20complete.%3C%2FFONT%3E%3C%2FSTRONG%3E%3C%2FEM%3E%3C%2FP%3E%0A%3COL%20start%3D%226%22%3E%0A%3CLI%3EClick%20%3CSTRONG%3EDownload%20VPN%20Client%3C%2FSTRONG%3E%20and%20save%20for%20later%20use.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId
-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%20id%3D%22toc-hId-1447961303%22%3EOptional%3A%20VPN%20Validation%3C%2FH2%3E%0A%3CP%3ETo%20reduce%20the%20complexity%2C%20it%20is%20a%20good%20idea%20to%20validate%20the%20VPN%20connection%20outside%20Intune%20configuration.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EBuild%20a%20Windows%2010%20VM%20or%20use%20a%20physical%20machine%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fdeployment%2Fwindows-autopilot%2Fuser-driven%23requirements-1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Emeeting%20OS%20Prerequisites%3C%2FA%3E)%20which%20is%20not%20joined%20to%20the%20Domain%20we%20created%20above.%3C%2FLI%3E%0A%3CLI%3ECopy%20the%20VPN%20client%20we%20downloaded%20in%20the%20previous%20exercise.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EInstead%20of%20executing%20the%20installer%20of%20the%20VPN%20client%2C%20we%20will%20manually%20create%20the%20VPN%20configuration
%20from%20the%20Generic%20folder%20with%20the%20file%20name%20called%20%3CSTRONG%3EVPNSettings.xml%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%3CSTRONG%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20383px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F214183i0B81B04797DAD176%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorArnab%20Mitra_14%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EUse%20the%20following%20PowerShell%20cmdlet%20to%20manually%20create%20the%20VPN%20connection.%20Replace%20the%20highlighted%20values.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CEM%3EAdd-VpnConnection%20-Name%20ContosoVPN%20-ServerAddress%20azuregateway-Replace_With_GUID.vpn.azure.com%20-AuthenticationMethod%20MachineCertificate%20-DnsSuffix%20domain.dns.com%20-SplitTunneling%20-TunnelType%20Ikev2%3C%2FEM%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CEM%3EAdd-VpnConnectionRoute%20-ConnectionName%20ContosoVPN%20-DestinationPrefix%2010.0.0.0%2F16%3C%2FEM%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EImport%20a%20Client-Auth%20cert%20for%20this%20device%20with%20Common%20Name%20%3D%20Computer%20Name%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CEM%3EFor%20this%20step%20you%20may%20want%20to%20generate%20a%20Certificate%20Template%20with%20Computer%20Authentication%20capability%20with%20Name%20supply%20in%20request%20
and%20the%20option%20to%20export%20the%20private%20key.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EConnect%20VPN%20and%20try%20to%20ping%2Frdp%2Fnetwork-share%20or%20even%20join%20the%20machine%20to%20Domain.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%20id%3D%22toc-hId--359493160%22%3EStep8%3A%20Intune%20Configurations%3C%2FH2%3E%0A%3CP%3ENow%20that%20your%20base%20infrastructure%20configuration%20is%20complete%2C%20you%20can%20proceed%20with%20the%20Intune%20configuration.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EEnable%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-u
s%2Fmem%2Fintune%2Fenrollment%2Fquickstart-setup-auto-enrollment%23set-up-windows-10-automatic-enrollment%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EIntune%20Automatic%20Enrollment%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EConfigure%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Fcustomize-branding%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ETenant%20Branding%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EConfigure%20ESP%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fenrollment%2Fwindows-enrollment-status%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EEnrollment%20Status%20Page%3C%2FA%3E)%3C%2FLI%3E%0A%3CLI%3ECreate%20an%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Ffundamentals%2Factive-directory-groups-create-azure-portal%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAAD%20Group%3C%2FA%3E%20for%20Devices%3C%2FLI%3E%0A%3CLI%3ECreate%20Autopilot%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fenrollment%2Fenrollment-autopilot%23create-an-autopilot-deployment-profile%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EDeployment%20Profile%3C%2FA%3E%20for%20Hybrid%20VPN%20Join%20and%20assign%20to%20the%20above%20AAD-Group%2C%20preferably%20to%20All%20Devices.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20626px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F214184i292A74534ED9A637%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorArnab%20Mitra_15%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%
26nbsp%3B%3C%2FDIV%3E%0A%3CUL%3E%0A%3CLI%3ECapture%20hardware%20hash%20import%20device%20and%20assign%20profile.%20%3CA%20href%3D%22https%3A%2F%2Fwww.powershellgallery.com%2Fpackages%2FGet-WindowsAutoPilotInfo%2F3.3%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EGet-WindowsAutoPilotInfo%3C%2FA%3E.%20The%20sample%20below%20will%20capture%20the%20hash%2C%20upload%20in%20Intune%2C%20add%20to%20a%20group%20and%20assign%20to%20the%20deployment%20profile.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-60px%22%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CEM%3EGet-WindowsAutopilotInfo%20%E2%80%93online%20-AddToGroup%20%22AZ-XYZ%22%20-Assign%3C%2FEM%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ECreate%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fprotect%2Fcertificates-configure%23to-create-a-trusted-certificate-profile%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ERoot%20Cert%20Configuration%20Profile%3C%2FA%3E%20and%20assign%20to%20the%20same%20AAD-Group.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3ECreate%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fprotect%2Fcertificates-profile-scep%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESCEP%20Certificate%20Profile%3C%2FA%3E%20and%20assign%20to%20the%20same%20AAD-Group.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3ESpecify%20the%20Subject%20name%20format%20as%20%3CFONT%20color%3D%22%23FF0000%22%3ECN%3D%7B%7BFullyQualifiedDomainName%7D%7D%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-indent-padding-left-30px%22%3E%3CFONT%20color%3D%22%23FF0000%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22image.png%22%20style%3D%22width%3A%20645px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id
%2F214185i1CD7A0EC4A569F45%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22image.png%22%20alt%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorArnab%20Mitra_16%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CUL%3E%0A%3CLI%3ECreate%20a%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fconfiguration%2Fvpn-settings-windows-10%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EVPN%20Configuration%20Profile%3C%2FA%3E%20and%20assign%20to%20the%20same%20AAD-Group.%20Refer%20the%20configuration%20settings%20from%20the%20VPN%20Client%20you%20downloaded%20under%20the%20folder%20named%20%3CSTRONG%3EGeneric%3C%2FSTRONG%3E%20with%20the%20file%20name%20called%20%3CSTRONG%3EVPNSettings.xml%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3ESpecify%20a%20%3CSTRONG%3EConnection%20Name%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%3EUnder%20Servers%20Description%2C%20specify%20a%20%3CSTRONG%3EName%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%3EFor%20Ip%20Address%20or%20FQDN%2C%20specify%20the%20VPNServer%20info%20from%20%3CSTRONG%3EVPNSettings.xml%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%3ESet%20Default%20server%20to%20%3CSTRONG%3ETrue%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EEnable%3C%2FSTRONG%3E%20Register%20IP%20address%20with%20internal%20DNS%3C%2FLI%3E%0A%3CLI%3EChoose%20the%20Connection%20type%20as%20%3CSTRONG%3EIKEv2%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3CLI%3EChoose%20%3CSTRONG%3EAlways%20On%3C%2FSTRONG%3E%20to%20Enable%3C%2FLI%3E%0A%3CLI%3ESet%20the%20Authentication%20method%20to%20%3CSTRONG%3EMachine%20Certificates%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%3EUnder%20%3CSTRONG%3EAuthentication%20certificate%3C%2FSTRONG%3E%20choose%20the%20SCEP%20Certificate%20profile%20you%20created%20before.%3C%2FLI%3E%0A%3CLI%3EEnable%20%3CSTRONG%3EDevice%20Tunnel%3C%2FSTRONG%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%20class%3D%22lia-indent-padding
Version history
Last update: Aug 27 2020 06:48 AM
Updated by: