
Always on VPN and Autopilot

Jesus Gonzalez
Frequent Visitor

Hi Guys

Just wondering if someone has any experience provisioning Always On VPN during the Autopilot process with an Intune Device Configuration Profile. What I am trying to achieve is:

  • Autopilot provisions new PCs with Windows 10 1809; some AMDX Group Policies will be applied through "Device Configuration Profiles", but we would like more policies that only exist in our on-premises AD
  • Provision Always On VPN so that the new PC can connect to our Domain Controllers, then ask the user to run GPUPDATE.

Please let me know if this makes sense.

Regards

Jesus

4 Replies

Hi,

I have a similar question to you, did you manage to get this working?

@Jesus Gonzalez

@Jesus Gonzalez

To understand your question, are you looking for ways to use Autopilot to enroll Windows PCs outside the network? If yes, it's not supported at the moment; MSFT is going to release this feature by Q1 2020.

The way it works with Hybrid Deployment right now: after entering O365 creds, the PC keeps pinging the ODJ connector internally; if it's not reachable, the hybrid deployment fails.

 

This is another answer if I was misunderstanding:

  • You can join the PCs to Hybrid Azure AD, which gives you the ability to use traditional GPOs as well as Configuration Profiles and Security Baselines in Intune.
  • You can create a VPN configuration profile and scope it for Always On VPN, and then apply a PowerShell script for gpupdate using Intune.
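
One way to build the Intune-deployed gpupdate script mentioned in the second bullet, as an added example that is not part of this thread: it waits until a domain controller is actually reachable over the Always On VPN tunnel before running gpupdate, so a script that fires before the tunnel is up does not silently fail. The profile name "Contoso AOVPN", the domain "corp.contoso.com" and the log path are placeholders, not values from the thread.

```powershell
# Added example: Intune PowerShell script that runs gpupdate once the on-premises
# domain is reachable through the Always On VPN tunnel. All names below are assumed.
# Note: Intune runs scripts as SYSTEM by default, which only sees a device tunnel;
# for a user tunnel, enable "Run this script using the logged on credentials".
$VpnProfileName = 'Contoso AOVPN'        # assumed name of the Intune-deployed VPN profile
$DomainFqdn     = 'corp.contoso.com'     # assumed on-premises AD domain
$MaxAttempts    = 30                     # about 15 minutes at 30-second intervals
$LogPath        = "$env:ProgramData\AOVPN-GpUpdate.log"

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogPath -Append
}

# A DC is "reachable" only if the LDAP SRV record resolves through the tunnel
# and the first DC answers on the LDAP port; a connected tunnel alone is not enough.
function Test-DomainReachable {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
        if (-not $srv) { return $false }
        return (Test-NetConnection -ComputerName $srv.NameTarget -Port 389 -InformationLevel Quiet)
    } catch {
        return $false
    }
}

$attempt = 0
while ($attempt -lt $MaxAttempts) {
    $attempt++
    # Log the tunnel state alongside each probe so failures are easy to diagnose from the log.
    $vpn = Get-VpnConnection -Name $VpnProfileName -AllUserConnection -ErrorAction SilentlyContinue
    Write-Log "Attempt ${attempt}: VPN status = $($vpn.ConnectionStatus)"
    if (Test-DomainReachable) {
        Write-Log "Domain controller reachable; running gpupdate."
        $out = & gpupdate.exe /force /wait:600 2>&1
        Write-Log ($out -join ' ')
        exit 0
    }
    Start-Sleep -Seconds 30
}
Write-Log "Gave up after $MaxAttempts attempts; reporting failure to Intune."
exit 1
```

A non-zero exit code makes Intune show the script as failed on that device, which is the signal to check whether the tunnel ever came up.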

@Moe_Kinani

Hi,

Would the Hybrid Deployment with offline join work in this scenario for a machine not on the domain or on the intranet?

So, I want a new laptop sent out to a client outside of the network; the client switches on the laptop, performs OOBE, logs in and joins the hybrid domain?

Hi @Tee_2019

You could, check the first article.

https://docs.microsoft.com/en-us/archive/blogs/mniehaus/trying-out-windows-autopilot-user-driven-hyb...

https://myignite.techcommunity.microsoft.com/sessions/81679?source=sessions This session confirms support of VPN and other new features soon.

Let me know if you have any questions!
Moe